Germanwings Pilots as Privileged Users

The tragic and apparently intentional crash of Germanwings Flight 9525 in the French Alps serves to highlight the many and varied risks organizations have to manage in the face of compliance regulations, both domestic and international, for the protection of customers and their assets.

During a low activity phase of the flight, the Pilot left the co-pilot alone in the cockpit, which is allowable in Europe.  The young German copilot, Andreas Lubitz, apparently locked the cockpit door, preventing the Pilot or anyone else from entering.  He then set the autopilot system to descend rapidly, dooming the plane to crash into the rugged French Alps at more than 400 MPH.  No survivors have been found, and investigators are now uncovering information about Lubitz that indicates he hid some health issues and also had previous treatment for depression which was known to Lufthansa officials. It is also surprising that there were not more systems on the aircraft that would prevent or slow the rapid descent that Lubitz had dialed in - controls that would monitor or alert officials to the questionnable actions of privileged insiders.

Now it has been reported that Lufthansa could be exposed to "Unlimited risk" in the form of unlimited lawsuit damages from families of victims, according to the New York Times.  This would effectively bankrupt the company and ruin the business.  As a pilot,  Lubitz had a special role in the organization with special, elevated responsibilities, and misuse of those responsibilities has caused dramatic and extreme harm to customers and ultimately, maybe the start of the end for the Lufthansa airline.

Lubitz represented a kind of "insider threat" to Lufthansa.  Thinking of the plane as a system, the Pilots have a kind of "privileged access" when you consider the responsibility they carry to the passengers and crew.  From a risk management perspective, studies have long identified that the insider with elevated access privileges represents the largest potential risk to the organization from the standpoint of an information security breach and material loss.  Privileged users often have low level access to many systems and applications with powerful permissions that allow them to  modify data, make configuration changes, and view information intended to be private.  

An Identity and Access Management assessment can help identify the specific risks of Privileged User Access and call out specific gaps in both internal user and privileged user access controls, locate potential conflicts in the access privileges held by users that require segregation of duty, and identify gaps in process and tools related managing access to applications and systems by internal users.

Following an IAM assessment based on the relevant regulatory framework, IAM professionals can provide control strategies, solutions and implementation roadmaps to help ensure a proper control framework is implemented to  mitigate the risk of inappropriate user and privileged insider access.

The state of Lubtiz's mental health may become centrally important in future legal proceedings around the Germanwings crash, and the extent to which this incident influences how much employers should know about an employee's medical history and mental health remains to be seen, but it is clear that there needs to be more monitoring and controls in place to manage Privileged user access in that context.  From an IT perspective, taking decisive action to assess and improve an organization's Access Control framework for both Internal and Privileged users, will have a dramatic and positive effect on an organization's risk posture.

Rate this article: 
No votes yet

There are 3 Comments

The event very clearly demonstrates the relationship between risk management cost and benefit. Leaving only one person on the flight deck was just one failed risk management strategy. The airline claims that it did not know why Lubitz took a nine-month hiatus during his training. They did know that he suffered from depression, but cleared him for pilot duty just the same. More recently, he was seeing a doctor, but the doctor's reports were not going directly to the airline. You can almost see the "cost-cutting" that lurks below the surface here.

To the cost cutting observation, I must say that the cost for an attacker is just the incremental cost of finding one new weakness, but for the defenders the cost is the cumulative cost of protecting against all known *and unknown* attacks. "Penetrate and Patch" was acceptable in IT but is it socially repungant in safety.