“Learning from cyberattacks will allow us to successfully prevent them,” says Carolina Ramirez, Global Director, Aviation Security and Facilitation.
There is certainly plenty of evidence out there. Major data breaches are on the rise while new malware programs number in the millions every year. It is estimated that these cyberattacks cost the global economy about $460 billion a year.
But for aviation, it is not just about money. As an industry that relies heavily on technology both on the ground and in the air, cyberattacks threaten the safety and security of passengers. Moreover, they can disrupt operations and significantly damage an airline’s reputation.
In 2015, at least five airlines and two airport operators suffered cyberattacks, according to reports.
“The lessons learned and the experiences gained from these events provide an important source of knowledge, which can help airlines and their partners in the value chain be better prepared to assess their risks and proactively avoid incidents in the future,” says Ramirez.
Reporting and communication is one of three pillars in IATA’s cybersecurity strategy, alongside risk management and advocacy. The strategy is designed to help airlines combat cybercrime and details the challenges and potential solutions.
For example, a first step toward more extensive reporting is clarifying exactly what needs to be communicated, and to whom. “There can be internal reporting, reporting between airlines on specific threats, as well as reporting across the industry value chain involving airline companies, airline manufacturers, air navigation service providers, airports, and so forth,” says Ramirez. “Additionally, there can be reporting via an authority or to an authority, similar to detailing safety incidents.”
This is very much work in progress, however. Ramirez accepts that information sharing in aviation regarding cybercrime is not yet as mature as it is in other industries, such as finance.
The sooner aviation achieves this maturity the better. Menny Barzilay, CEO of cybersecurity consultancy FortyTwo, says it makes no sense for airlines to work separately when they have similar policies and processes, similar challenges, and similar solutions.
“This is not cost effective nor smart,” he says. “We are living in an interconnected world. Our digital environment consists of IT solutions, vendors, partners, employees, customers, critical infrastructure suppliers, and others. Vulnerabilities in one organization can lead to an attack against a supplier, which will afterwards lead to an attack against all of this supplier’s customers, which will lead to an attack… well, you got the picture.”
Barzilay accepts the difficulties in working together but believes this is no excuse for not starting the process. “We should meet and discuss threats, new attack scenarios, new technologies, and much more,” he suggests. “After a while we should start thinking about sectorial solutions for attack prevention and information sharing.”
There has been some progress. IATA has released a cybersecurity toolkit, now in its second version, and followed this up with a series of workshops on the subject. Although intended for airlines, it is applicable to airports, ground handlers, and others in the value chain. Ramirez also reveals that new services are under development that tackle business resilience issues for airlines that suffer an attack. This should prove especially useful for small to medium-size airlines.
IATA is also supporting the airlines through the Civil Aviation Cybersecurity Action Plan. The association is a signatory alongside ICAO, Airports Council International, the Civil Air Navigation Services Organization, and the International Coordinating Committee of Aerospace Industries Associations. The goal of the Action Plan is to ensure the industry and governments develop a coherent and consistent approach to cybersecurity. The partners will present their recommendations to the 39th ICAO Assembly later in 2016.
Another development being watched closely is the Information Sharing and Analysis Centers (ISACs) coming online in the United States and Europe. While these have some way to go to reach maturity, they are at least a first step toward an open cyber culture.
Tell us everything
The question, though, is whether this will be enough. Barzilay is among those who believe that making the reporting of cyberattacks mandatory might be the best way forward.
“In many organizations, cybersecurity is still considered to be a technological problem and not a business issue,” he says. “This is a mistake. Today, there is no business without technology and there is no technology without cybersecurity.” A law that requires a company to report cyberattacks would therefore force CEOs and senior management to discuss cybersecurity issues and their potential effect on the business.
Barzilay also notes that many of the most interesting and sophisticated cyberattacks were not disclosed to the public. “This creates two major problems,” he says. “First, another organization cannot improve their security solutions based on the lessons learned from the attack. That means that the same attack can be effective many times before someone discovers it. Second, public criticism is an effective incentive for senior management to act and invest the needed resources in addressing cybersecurity issues.”
IATA’s Ramirez counters that aviation is not yet at a stage where mandatory reporting makes sense. “Instead reporting should be recommended and outreach work should be done to promote a reporting culture,” she says. “The reporting is sensitive enough, regardless of whether the reports are on successful or unsuccessful attempts, to affect consumer confidence and thus needs to be handled very carefully and anonymized.”
In regulatory terms, “mandatory” and “recommended” map onto ICAO Standards and Recommended Practices (SARPs), and, globally speaking, ICAO would be the only body able to implement such SARPs. At the moment, though, there is very little consensus for making reporting even a recommended practice at the global level.
“Who would manage it, who would provide for anonymity and data security?” asks Ramirez. “Moreover, it is proven that the larger the group the less appetite to share useful data, so a global data sharing mechanism is simply a utopian ideal for the time being.”
However it is achieved, the industry needs to work out ways to stay ahead of cybercriminals and develop cybersecurity methodologies that keep airlines ahead of the curve. A risk-based and outcome-focused strategy that adheres to the principles of Smarter Regulation is an excellent start and would provide the flexibility necessary to be effective in such a dynamic sector.
Why airlines are vulnerable
Two rules of thumb used in cybersecurity show why airlines must take the cybersecurity threat seriously.
First, complex systems are more vulnerable: every additional component, interface and integration widens the attack surface. It is harder to protect a building than to protect a room, and harder to protect a city than a building. Many airlines run city-sized networks. Second, security-by-design is the most effective way of securing systems, because retrofitting controls is costlier and leaves gaps. The aviation industry, however, contains many legacy systems that were not designed to face current threats and were often developed without considering the security implications.
Of course, airlines are not the only companies that failed to anticipate the rise of the Internet and its associated dark side. It is quite probable the Internet would have been designed in a completely different way had its ubiquity been foreseen. One potential redesign solution is software-defined networking, an umbrella term for an emerging architecture that provides more flexibility and centralized control over network traffic flows. While this might be the light at the end of the tunnel, that tunnel is very long and software-defined networking has some way to go to reach maturity.