Aviation is a complex business with systems to match.
The countless entry points and interfaces make it vulnerable to cybersecurity threats. Moreover, many of those systems are dated and were never designed to counter modern cybercrime.
Without the benefits of security-by-design, aviation has some critical decisions to make. Whether to make the reporting of cyber attacks mandatory is perhaps the most critical of all.
Reporting and communication is one of three pillars in IATA’s cybersecurity strategy, alongside risk management and advocacy.
But it is thought that many of the most sophisticated and damaging cyber attacks have not been publicly disclosed.
If an attack isn’t reported then other airlines and other partners in the aviation value chain cannot use it to improve their defenses.
They could be hit by the same attack and their risk assessment of cyber threats will include unnecessary guesswork.
It is also true that suffering a cyber attack in the public eye is a powerful incentive to ensure the necessary resources are put into preventing further cybercrime.
Prevention, though, is only part of the solution. Firewalls are not enough on their own. Rather, experts now lean toward detection as a surer method of regaining the advantage over cyber criminals.
The reasoning is simple: a hack is a one-time event. One opening, exploited once. System defenses, on the contrary, must work every second of every day. If you only consider prevention, attacking is simple, defending is hard.
Using detection as well as prevention increases an organization’s capability to efficiently identify hacking attempts and react to them.
Tracing the source of an attack can yield valuable information and potentially limit damage.
Technological solutions are essential and improving all the time. Software-defined networking, for example, will provide flexibility and control over Internet traffic flows.
But cybersecurity is as much organizational as it is technical.
“Cybersecurity is not just an IT thing but is everybody’s responsibility,” says Gulshan Kisoona, Manager, IT Security and Compliance, Air Canada and a Certified Information Systems Security Professional.
“When you are assigned a username and a password by your employer, you have a key to the kingdom. The slightest carelessness with the handling of that key opens the door to the kingdom.”
Critical operational and business functions need to be properly assessed and a risk-benefit tolerance identified.
That is a multi-disciplinary activity. These functions can be difficult to value precisely.
Exactly how devastating would the loss of real-time flight information be? And what are the chances of that happening?
Resource allocation and threat response can be difficult things to judge and are probably beyond an IT department’s remit.
The industry is moving in the right direction. IATA has published a cybersecurity toolkit and runs workshops on the subject.
It is also supporting the airlines through the Civil Aviation Cybersecurity Action Plan. And Information Sharing and Analysis Centers are coming online in the United States and Europe to promote an open cyber culture.
Ultimately, passengers cannot lose trust in the aviation system. Each player in the value chain is dependent on the other to be secure. Airlines need airports and air traffic management.
In an interconnected world, cybersecurity is the cost of doing business.