By Carolina Ramírez-Taborda
Cyber-attacks are a fact of the global aviation industry’s ‘digital now’. Indian novelist Abha Dawesar coined the term ‘digital now’ as a reflection of how an abstract digital universe has become part of our identity – with nearly every facet of daily life connecting through technology.
While Dawesar’s ‘digital now’ began as social commentary, the fact is that technology continues to shrink the space between us and alter the way we live and work. Projections indicate that by 2020, there will be 7 billion people on the earth and 50 billion devices connected to the Internet (U.S. Census Bureau, 2010; Forrester research, 2003). That’s 6.5 web-enabled devices per person. The global aviation industry is trending in a similar fashion. This year, aviation will connect some 3.5 billion travellers with nearly 100,000 flights per day across 51,000 routes. In 20 years’ time, the number of passengers will have more than doubled, and aviation and related tourism will support some 82 million jobs and $3.7 trillion of GDP.
Our increasingly integrated aviation system is complex and reliant on information exchange. In our ‘digital now’, the foundation for progress is being built on the ‘Internet of Things’. The interconnectivity of electronics, software, sensors and networks will advance the development of aircraft, modernise airports, and interface with nearly every facet of the industry’s operations, including increasingly web-enabled passengers.
Dawesar hit on what makes cybersecurity such a challenging issue – the fact that in the industry’s ‘digital now’, cyber-threats constantly evolve with increasing intensity and complexity. The ability to achieve objectives and deliver business functions is increasingly reliant on information systems and the Internet, resulting in greater cyber-risks that could cause severe disruption to the industry’s business functions or operational supply chains, impact reputation, or compromise sensitive customer data and intellectual property. In short, what’s becoming increasingly evident is that all of the things made possible because of computers can be exploited for malign purposes.
Large-scale data breaches are trumpeted in the media with disturbing frequency. Major retailers, a Hollywood movie studio, financial institutions and various other public and private institutions have lost hundreds of millions of dollars and suffered damaged reputations. The global aviation industry, with its array of complex and increasingly integrated IT and communications technology, is an attractive target to those intent on doing cyber-mischief and theft – or worse.
In fact, airlines are the highest value target for fraudsters and close to 50% of all phishing attempts are made against airlines and airline passengers. During the first half of 2015, five airlines, two airport operators and one civil aviation authority have been publicly reported as victims of targeted online attacks.
These risks and the potential impact of cyber-attacks aren’t easily predictable in a statistical or actuarial way. Instead, the industry is challenged with anticipating the unexpected. That’s because cyber-threats constantly evolve with increasing intensity and complexity.
Many airports and airlines have implemented countermeasures to protect their IT systems and infrastructure from cyber-attacks. To keep pace, industry must continue to strengthen its operational resilience and ability to manage cyber-risks to critical services during normal operations and times of operational stress and crisis. In the ‘digital now’, being cyber-literate and well-coordinated across every facet – management, airports, vendors, and airlines (operations, flight crew, safety, security and IT professionals) – is necessary to developing effective countermeasures. A total aviation system approach to risk management is necessary.
IATA’s role in this regard is to assist airlines in developing a robust cybersecurity strategy and to help drive coordination of global efforts to address cyberthreats to aviation. An important part of IATA’s programme in this regard is the ‘Aviation Cyber Security Toolkit’, launched last year. Cyber-incidents can occur even in well-guarded organisations. So, when network defences are infiltrated, what’s ‘Plan B’?
Having a cyber-incident response plan and exercising it regularly will help enable timely response and minimise impacts. Identifying critical assets and associated impacts from cyber-threats are also critical steps to understanding specific risk exposure. Moreover, risk assessment results are a key input to identify and prioritise specific protective measures, allocate resources, inform long-term investments, and develop policies and strategies to manage cyber-risks to an acceptable level. While intended primarily for airlines the toolkit is also applicable to airports, ground handlers and others in the industry.
Another IATA priority in this area is raising awareness of cybersecurity issues, identifying reporting streams and establishing information sharing mechanisms. Situational awareness of the global aviation industry’s cyber-risk environment includes timely detection of cyber-incidents, an awareness of current threats and vulnerabilities – as well as associated business impacts. Analysing, aggregating, and integrating risk data from various sources and participating in threat information sharing with industry and governmental partners will better position an industry to identify and respond to incidents quickly and ensure protective efforts are commensurate with risk.
Governments have resources, access to intelligence and an inherent responsibility to support industry’s cyber-security efforts. IATA continues to work closely with governments across the globe to facilitate information-sharing, best practices and to ensure that any regulations are undertaken in close cooperation with industry.
A highly positive development in this regard was the signing of a Civil Aviation Cybersecurity Action Plan in December 2014 by ICAO, IATA, Airports Council International, Civil Air Navigation Services Organization and the International Coordinating Committee of Aerospace Industries Associations (representatives of the regulators, the airlines, the airports, the ANSPs and the manufacturers). The goal of the Action Plan is to ensure that all industry stakeholders and governments promote a coherent and consistent approach to cybersecurity. All of the partners are working towards developing recommendations to be presented at the 39th ICAO assembly next year.