Cyber Resilience in the Aviation Industry
Data security is one of the top concerns for the aviation industry, and it is imperative for airline companies to mitigate risks and protect their sensitive data from cyberattacks.
In recent years, data breaches in the aviation industry have grown more chaotic as the range of cyber threats keeps widening. With the Covid-19 pandemic having grounded most airline businesses, cyber threat actors make the situation worse for the aviation industry.
Recent cyberattacks on the aviation industry
Among the recent cyberattacks on the aviation industry, a Hong Kong-based airline lost 9.4 million passenger records, and a UK-based airline lost 9 million customer records to hackers. More recently, passenger records of about 4.5 million customers of an Indian airline, including sensitive data such as credit card information and frequent flyer data, were breached.
Alongside this, an airline technology provider’s server was breached in a cyberattack that involved passenger data stored in the passenger processing systems, affecting major airlines.
Such cyberattacks on the aviation industry result from two evident motives: nation-state actors threatening host countries of airline companies and financially motivated attacks related to passenger data.
Emerging cyber threats for airlines and consequences
Threat vectors affecting the aviation industry have increased in number and diversity in recent years. Moreover, these cyber threats in the aviation industry range from targeted to widespread attacks.
While targeted cyber threats are intensified by the chase for passenger data of specific airline companies, widespread attacks such as WannaCry and NotPetya are industry-wide incidents because of vulnerabilities in commonly used software and airline platforms.
Based on the type of threat, major systems of airline companies that are frequently exposed to cyber threats are:
- Aircraft IP networks of flights
- Digital Air Traffic Controls (ATCs) and traffic management systems
- Flight-By-Wire systems
- In-flight interface devices
- Flight history servers
- Fleet and route planning systems
- Passenger reservation systems and frequent flyer or loyalty programs
- Ticket booking portals
For example, commercial off-the-shelf (COTS) software, which the aviation industry increasingly adopts and customizes for its own use, does not exhibit the level of cyber resilience required for airline businesses. To illustrate, a graphics processor licensed from the video game industry may not act as a secure system for the airline industry.
Some of the common cyber threats in the aviation industry are ransomware attacks, phishing attacks, insider threats, DDoS attacks, and Advanced Persistent Threats (APTs).
Any disruption arising from the above-mentioned cyber threats in the aviation industry can have a ripple effect on international relations while triggering significant financial damage and compromising safety. Moreover, data breaches in the aviation industry drive away customers and lead to government investigations and litigation that tank stock prices.
Sensitive data in the airline industry and related cybersecurity guidelines
In the face of evolving cyber threats, the air transportation industry realizes the need for a robust cybersecurity framework.
While a few standardization programs such as ISO/IEC 27001:2013 are helping the aviation industry follow safety ground rules, they do not consider the incident response needs of an in-flight cyberattack.
International organizations such as the International Civil Aviation Organization (ICAO), the National Cyber Security Centre (NCSC), the European Union Aviation Safety Agency (EASA), Airports Council International (ACI) World, the International Air Transport Association (IATA), and the European Organisation for the Safety of Air Navigation (Eurocontrol) have collaborated with the World Economic Forum (WEF) to define a baseline of best cybersecurity practices in the aviation sector.
While most of the cybersecurity activities by airline companies are focused on mitigating risks of data breaches, the real challenge is to secure data transmission between ground and aircraft, both in the airport and in the flight, as well as between communication devices and onboard sensors.
A robust framework must be devised to address emerging threats in the complete ecosystem of the aviation industry that comprises airlines, airports, manufacturers, satellite providers, air navigation service providers, and telecom providers. While the formulation of such an initiative remains unclear, the aviation industry must be prepared to detect and respond to cyber threats.
How to protect the airline industry from cyberattacks?
In the aviation industry, any unaddressed risk could have major implications for the safety of passengers, as well as cause financial losses for airline companies. From national defence to the transport of emergency cargo such as Covid-19 vaccines, the role of aviation remains a key element. In such a situation, airline companies must strive to achieve cyber resilience.
We define cyber resilience as the ability to predict, detect, respond, and recover from cyber threats. In the context of the aviation industry, cyber resilient airlines should display attributes of complete preparedness and adaptability to address cyber threats and recover from a cyberattack proactively.
Here are the areas that the aviation industry must focus on to build cyber resilience.
- Protect endpoints by securing access to network devices and systems.
- Secure aviation data on the cloud by implementing third-party audits like SOC1 and SOC2.
- Establish Identity and Access Management (IAM) based on cryptographically protected multi-factor authentication for operators.
- Use end-to-end encryption across customer data, passenger information, employee data, and payments information.
- Encrypt real-time communications between flight and ground-based air traffic control systems.
- Assess all aviation applications for vulnerabilities including in-flight and cockpit systems.
- Incorporate threat intelligence and incident response to detect potential adversaries in advance and proactively respond and contain cyber threats.
With risks spanning across the complete aviation supply chain, proactive cyber detection and response capability is, and will continue to be, critical to airline companies for countering risks arising from other industry players.
While it is imperative for airline companies to consider cyber risks in the broader context, the first step for the aviation industry to attain cyber resilience is to protect customer and employee data, including national IDs, passport information, payments information, and other Personally Identifiable Information (PII).
For the aviation industry to realize the digital dividends in a post-Covid era, airline companies must develop and nurture capabilities to be resilient against cyber threats. Senior leaders and executives in airline companies must start by thoroughly assessing the cyber preparedness of both their systems and staff to gauge the gaps in their cyber program.