Nothing could be more clichéd than saying that online threats and cyber terrorism are on the rise and have impacted every business across the globe. Cybersecurity threats are not just a financial challenge but also a threat to the market credibility and brand image of a company. Given the competitive nature of markets today, no firm can afford to risk either of the two. The travel industry and specifically, the airline industry is no stranger to such attacks as well. IATA estimates that cyberattacks cost the global economy about $460 billion a year.
So what are the airlines doing about this? There is a lot of cognizance of the challenge, for starters. Cybersecurity is one of the top three IT priorities for both airlines and airports, according to the 2017 SITA Air Transport IT Trends Insights report. Airlines are expected to invest nearly $33 billion in IT this year, with 95% of airlines and 96% of airports stating that cybersecurity will take up a sizeable portion of that spend in the next three years. At the same time, only 35% of airlines and 30% of airports are prepared today to deal with any cybersecurity threats, says the report. Luc Tytgat, Director of Strategy and Safety Management at the European Aviation Safety Agency (EASA) says that we have to be prepared for the worst. Aviation systems are subject to an average of about 1,000 attacks each month.
This is why the alarm bells are ringing!
Challenges Tied to Big Data
The airline industry in particular is also privy to significant amounts of data generated through new-age technologies such as the Internet of Things (IoT). Compromising this data during a cyber-attack poses several challenges to airlines. The airline industry gathers vast amounts of data – passengers, flights, aircraft, financial information, and so on. IATA estimates that 3.7 billion people traveled by air in 2018 and there is expected to be a steady increase in this number every year reaching 8.2 billion in 2037. So imagine the amount of data available across the airlines they used. Breach of this data would not just mean the loss of brand image, credibility, and revenues, but also pose legal risks. With the proliferation of data and the ensuing risks, cloud solutions can be a critical tool to prevent data thefts.
Blockchain is a relatively new but revolutionary technology that can enhance cybersecurity tremendously. This emerging technology presents a critical tool in data protection across the airline supply chain. Blockchain essentially removes the human element, thereby reducing the risk of cyber threats while providing end-to-end privacy and encryption. With elements such as authorized access requirements, Blockchain provides the necessary blanket for protecting critical data such as passenger details, flight information, and crew logs.
Standards are Here, But Not Quite Enough
There is already a significant amount of efforts put into detection and prevention through standards formulated by agencies such as the National Institute of Standards and Technology (NIST), the Federal Information Processing Standards (FIPS), the International Organization for Standardization (ISO), and the Information Systems Audit and the Control Association (ISACA) Control Objectives for Information and related Technology (COBIT). However, implementing these standards alone is not enough. The aviation industry and airlines, in particular, are vulnerable from several angles - original equipment manufacturers (OEMs), maintenance, repair, and overhaul (MRO) providers, air traffic controllers, airport authorities and operators, and third-party suppliers such as ground handlers, catering, IT, etc. To implement proactive and preventive measures, an organization-wide cybersecurity strategy is required. Cyber-attacks can’t always be prevented. But early detection through competent and advanced monitoring of networks and protecting data are some of the critical strategies to implement.
Technology Investment is the Need of the Hour
Given the variation in the industry, ‘reasonable security ’ measures can mean different things. The organization must decide for themselves what is reasonable. Cyber threats are omnipresent and evolving faster than the tools and technology available to combat them.
The aviation industry must consider tools, technologies, and processes in three critical areas to strengthen their cyber security programs. These include:
- Threat and Vulnerability Management
- Identity and Access Management
- Security Crisis and Incident Response
Early detection and timely prevention of cyber-attacks can only be done with the help of investments in the right tools and qualified and experienced experts. IATA’s Aviation Cyber Security Toolkit followed by a series of workshops on the subject. IATA also supports airlines through the Civil Aviation Cybersecurity Action Plan.
Along with technology, information sharing is a critical factor in cybersecurity. Several governmental and aviation industry bodies have taken up key initiatives to mandate and encourage information sharing across geographies and sectors. For instance, AVIATION ISAC is a focused information sharing initiative for the aviation sector. The Cyber Information Sharing and Collaboration Program (CISCP) is the US government Department of Homeland Security’s (DHS's) flagship program for public-private information sharing. Through the CISCP, participating companies can share information about cyber threats, incidents, and vulnerabilities. There are several other initiatives such as the Domain Intelligence Integration and Analysis Center and the Cyber Security Framework of the National Institute of Standards and Technology. In Europe, the European Aviation Safety Agency (EASA) and CERT-EU signed up to create the European Centre for Cyber Security in Aviation (ECCSA) as an information sharing and management platform for aviation across the EU.
As an elevated risk, a cybersecurity challenge is on the entire aviation industry’s agenda. Given the wide network of supply chain and the impact on customer engagement due to a cyber-attack, airlines and airports need to invest in refining their existing strategy to deal with cyber threats. While building on the efforts made thus far, the stakeholders would do well to consider key recommendations made by experts and agencies worldwide to strengthen the mandate of cybersecurity.