The “Impossible Landing”: Piloting Through a Cyber Crisis
By: Mark Sangster, VP Chief of Strategy
As I wrote in my book, No Safe Harbor: The Inside Truth About Cybercrime and How to Protect Your Business, there is no aviation safety corollary of the National Transportation Safety Board (NTSB) and Federal Aviation Authority (FAA) when it comes to determining systemic causes and mandated continuous improvement in the cybersecurity world. Yet, we can often learn from aircraft investigations and find the parallels that help us improve how we protect our businesses.
And there is no better case from the aviation world than the “Impossible Landing” story. While preparing for a workshop tour in Iowa, I was reminded of the crash of United Airlines Flight 232 at Sioux City. While there was a tragic loss of life, their sacrifice was at least, to some degree, countered by the fact that the events of the crash landing improved the way flight crews work together in the face of catastrophic incidents and collaborate to avoid disaster.
Let’s explore the story and learn how we use hard-won lessons to improve our profession.
The Impossible Landing
Approximately one hour into the flight, while the plane was in a shallow right turn at an altitude of 37,000 feet, the fan disk of the tail-mounted engine disintegrated. The engine debris penetrated the aircraft’s tail section in numerous places, severing lines that supplied fluids to the three redundant hydraulic systems. The pilots found themselves unable to steer the airport, climb or descend, nor extend the flaps and slats necessary to fly at the slower speeds required for a safe landing. This would be like driving down the interstate and simultaneously losing power steering and brakes.
Through experimentation, the flight crew, with the assistance of a check-pilot flying as a passenger, used the throttles to steer the plane using alternating power sent to the left and right wing-mounted engines. Check-pilot Dennis Fitch crouched on the floor between the pilots, controlling the engine throttles to “steer” the plane.
Having declared an emergency, the pilots made numerous loops to the right (due to the damage) and slowly headed for the nearest airport with emergency services, Sioux Gateway Airport. Air Traffic Controllers at Sioux Gateway guided the pilots to the airport.
Somehow with a stricken aircraft on final approach to the airport, Captain Al Haynes remains composed enough to joke, as the ATC recording proves:
ATC: United 232 heavy roger, and advise when you have the airport in sight
Pilot: Have the runway in sight, we’ll be with you shortly, thanks a lot for your help.
ATC: United 232 Heavy…The wind is…You are cleared to land on any runway…
Pilot: (Laughter) Ha ha! You want to be particular and make it a runway, huh?
Without control of critical flight surfaces and using only the engines to steer the aircraft, the DC-10 approached the airport at 220 knots (25 mph), twice the safe speed for a normal landing.
Moments before landing, the roll to the right suddenly worsened significantly, and the aircraft began to pitch forward into a dive. Check pilot Fitch attempted to compensate, but the engines could not respond in time, and the plane impacted the ground with its right wing, spilling fuel, which ignited immediately. The tail section broke off from the impact force, and the rest of the aircraft bounced several times, shedding the landing gear and engine nacelles and breaking the fuselage into several main pieces. On the final impact, the right wing was torn off, and the central part of the aircraft skidded sideways, rolled over onto its back, and slid to a stop upside-down in a cornfield to the right of the runway.
Following the accident, the NTSB determined the probable cause as a defect in the engine and failures on the part of United Airlines’ inspection and quality control procedures. The catastrophic disintegration of the engine damaged the hydraulic systems and left the flight crew unable to control the aircraft’s flight.
In an impossible situation, what made the difference? Speaking at a NASA luncheon two years later, Captain Al Haynes (yes, he and the other flight crew survived) praised Crew Resource Management (CRM). CRM is primarily used for improving aviation safety and focuses on interpersonal communication, leadership, and decision-making in aircraft cockpits. CRM is used in high-risk industries, including aviation, medicine, and mining. While retaining a command hierarchy, the concept was intended to foster a less-authoritarian cockpit culture in which co-pilots are encouraged to question captains if they observe them making mistakes.
The lack of CRM was cited in the investigation of the crash of several flights, including United Airlines Flight 173, a scheduled flight from John F. Kennedy International Airport in New York City to Portland International Airport in Portland, Oregon. On December 28, 1978, the aircraft flying this route ran out of fuel while troubleshooting a landing gear problem and crashed in a suburban Portland neighborhood, killing ten on board. The captain was fixated on the landing gear and disregarded his fellow crew members’ concerns about dangerously dwindling fuel reserves.
Cyber Resource Management
What can we learn from United Airlines flight 232 and its crew that achieved what no one else could? While not an immediate threat to life, cyber incidents like ransomware and data breaches, create a crucible of stress and emotional responses. We simultaneously witness the best and worst of people. We see their light and their shadow. Dominant personalities take over, passive-aggressive personalities find subversive ways to maintain control, heroes take risks, and martyrs sacrifice, often making fatigue-driven or fear-fueled mistakes.
Conflicting personalities and human biases cause friction, erode trust, and often disrupt response activities. In his best-selling book, The Five Dysfunctions of a Team: A Leadership Fable, Patrick Lencioni describes five signs of group dysfunction:
Absence of trust
A reluctance to be vulnerable and unwilling to admit mistakes, weaknesses, or needs for help within the group.
Fear of conflict
Teams seek artificial harmony, with insincere agreement from honest debates and investigations.
Lack of commitment
Feigning buy-in and commitment to group decisions, creating conflicting or ambiguous directions across the company.
Team members avoid responsibilities and actions based on group decisions to engage with other team members or take remediation actions.
Inattention to results
Team members focus on personal success, status, and ego before team success.
When it comes to team harmony, the team leader and executives need to recognize the simple warning signs and address the team dynamic:
- Personal status (or ego) trumps organizational results
- Personal popularity pips holding people accountable
- Decisions are ambiguous, and consequences are not certain
- Favoring harmony at the expense of healthy conflict, debate, and differing viewpoints
In most cases, incident response teams are built on functional leads critical to the investigation, communication, and remediation of the incident. Planning and practice help prepare team members for the inevitable fire alarm. Consider investing in a Myers-Briggs Type Indicator® (MBTI®) or Birkman Method assessment of individuals and the team. This helps individuals better understand their interpretation of the world and stress responses, and the team identifies member characteristics and interpersonal challenges. Many personality coaches will provide individual and group assessments to identify tendencies and pitfalls in group dynamics.
Establishing clear expectations, formal reporting, updates, and documented decisions with assigned actors, timelines, and outcomes reduce the opportunity for soured team dynamics.
Like captain Al Haynes did that day in 1989, we must maintain our composure, recognize our circumstances, and work to collaborate toward a response. It’s about collecting unbiased information to make informed decisions, tested to minimize the negative impact on the organization.
While it’s easier to blame people, it’s often a short-sighted approach that prevents us from identifying the systemic issues that led to the cyber incident. Another aviation authority, Sidney Dekker, describes techniques to reduce human bias, focus on contributing factors, and develop new procedures, technology, and training to reduce future risk.
When building teams, it’s essential to resist our instincts and self-reflect to identify biases, learning styles, and tendencies. In the heat of a situation, it is critical:
- Remain calm, consider your own behaviors and emotions, and empathize with others
- Seek multiple sources of information and interpretations of data
- Avoid factions and discourage recruiting allies against specific viewpoints or individuals
- Connect to people on a personal level before incidents and remember the human element
- Eliminate judgment and blame. Focus on facts and desired outcomes.
- Be respectful and professional. What is said in the heat of the moment does not dissipate as the temperature does.
Ultimately, challenging personalities cannot eclipse the best interests of the organization. Restrict ego, focus on factors not fault, and use the guidelines set forth by Sidney Dekker: focus on the what and not the who, understand the why, and seek forward accountability.
Beyond crew resource management, the sacrifices that day led to industry changes in how engine components are manufactured and inspected, aircraft designs to increase resilience in even redundant systems, and safety regulations related to young children traveling on commercial flights.
Built along the Missouri River in Sioux City, the Flight 232 Memorial commemorates the heroism of the flight crew and the first responders who saved lives following the crash landing. Almost 300 Iowa Air National Guard members raced to the crash site and provided pivotal medical aid that contributed to the high number of survivors. The memorial features a statue of Iowa National Guard Lt. Col. Dennis Nielsen from a news photo taken that day while he was carrying a three-year-old to safety.
We can’t change the outcome of past events. But we can learn from them. Memorials give us a place to remember and reducing future losses and improving how we protect our business gift us the opportunity to honor those who sacrifice for us.