Simple phishing or spam emails allow Trojans into the system, while a more aggressive spam bombardment of a network causes a distributed denial of service, effectively shutting down the network. Then there is the theft of login passwords, the theft of funds, and even bribery and ransom.
“It is difficult to explain something that you cannot see,” says Adam Troczynski, IATA’s Manager, Aviation Security. “There is no clear definition of cybersecurity in ICAO Annex 17 or in any other international regulatory framework or guidance, and although we see that the problem is growing it is difficult to pin down exactly what we need to be guarding against. While certain business sectors such as banking may have had more experience of cybercrime, aviation industry specificity needs to be considered.”
However nebulous it may be, cybersecurity is something that aviation needs to get to grips with sooner rather than later. Increasingly sophisticated and integrated IT systems have been put in place by airlines to improve operating efficiency. The heavy reliance on these systems leaves the industry vulnerable to online hackers.
During the first half of 2015, at least five airlines, two airport operators and one civil aviation authority have been publicly reported as victims of online attacks. At this stage, the intent of many of the cyberattacks on the industry is not clear. Most do not appear to be targeted or have any particular motive. But there is a concern that a future wave of attacks could be much more damaging. Given that hackers can spend weeks or months operating undetected within a victim’s network before striking, some airlines could already be at significant risk. Troczynski makes a distinction between inflight cybersecurity issues and the general cybersecurity issues facing airlines as a whole.
The safety of the aircraft is of ultimate importance and cannot be compromised. Work to ensure that all aircraft systems remain safe from potential attacks includes working with the manufacturers of inflight entertainment systems and Wi-Fi providers. With an e-enabled aircraft, the system network becomes a part of the aircraft itself—for example where maintenance issues are being handled remotely from a desk on the ground. As for more general threats, there are three areas to consider surrounding the protection of data and systems:
- Data integrity—ensuring that data is correct has not been corrupted;
- Data and systems availability—ensuring that data and systems are available when and where they are required;
- Data confidentiality—ensuring that data is stored securely.
The challenge is aligning the different priorities of different departments. Passenger data availability is vital for the operations departments to work efficiently, for example, but is not a particular issue for aviation safety, especially if aircraft and their passengers are safe on the ground. Similarly, data confidentiality is not a great concern for certain aspects of operations, which thrive on sharing information, but is a massive issue to the departments holding passengers’ personal information and
Cybersecurity threats are not so different from other physical security threats, suggests Troczynski, and should be considered and assessed as risks right across the organization. Where there is a connected network, there is a potential threat. What is different about cybersecurity is the availability of the means to execute attacks. “The tools are available on the Internet and all you need is a computer, a network, an intention, and the skills,” says Troczynski. “Risk assessment needs to take into account which is easier—hacking into an organization’s computer network or building a complex explosive device.”
He says that best practice points airlines toward a risk management process that benefits most from a top-down approach. Top management needs to be aware of and understand the challenge of cyber-security, but also needs to be able to balance the risks to each department and allocate resources where they are most needed.
But sharing information about cyberattacks is one of the greatest defense mechanisms for the industry as a whole. Stephen Darnley, IATA’s Corporate Treasurer, takes the analogy of a Roman centurion. “On his own he was fearsome, but not invincible,” he explains. “However, when a group of centurions came together and closed shields to create the ‘tortoise formation’ they became a formidable defensive structure. It is the same with airlines: individually, they will be at risk, but sharing information will help to protect the entire industry. We have seen the banking industry and other industries starting to do this, and international police forces have long known the power of sharing information.”
Government support would also make it more difficult for hackers to operate. “Governments need to adopt threat-based, risk-managed and outcome-focused frameworks that are balanced against industry capabilities and sustainability,” notes Tony Tyler, IATA’s Director General and CEO. “This is a much better way to address evolving threats than prescriptive measures that are not able to adapt to the constantly shifting cyber arena.”
Though airlines recognize the value of acting together, there are understandable concerns over privacy. The whole question of data security, and the sensitivity surrounding passenger data, make the issue challenging. But, ultimately, sharing intelligence is vital in the fight against cyber criminals. “We believe that data sharing is an important part of a security program,” says Dan Glass, Chief Information Security Officer with American Airlines. “That is why we are a founding member of the Aviation Information Sharing Analysis Center (A-ISAC). A-ISAC is a public and private partnership created to share cybersecurity intelligence between those in the aviation industry and other industry ISACs.”
IATA is already engaging with the A-ISAC and envisages the establishment of other regional intelligence sharing-services in Europe and later in Asia-Pacific. It has access to the issues that these regions are discussing and, as other regional ISACs are developed, IATA will be able to liaise between them.
A further boost for intelligence sharing was the December 2014 signing of the Civil Aviation Cybersecurity Action Plan by IATA, ICAO, Airports Council International, Civil Air Navigation Services Organisation, and the International Coordinating Committee of Aerospace Industries Associations. The goal of the Action Plan is to ensure that all industry stakeholders and governments promote a coherent and consistent approach to cybersecurity. All of the partners are working towards developing recommendations to be presented at the 39th ICAO Assembly next year.
“As one of the most complex and integrated systems of information and communications technology in the world, the global aviation system is an attractive target for a large-scale cyberattack, or for a targeted attack on some of its most vital elements,” concludes Tyler.
“While we cannot eliminate cyber risk, we must manage it. This can of course be done, but it will require a deeper collaboration between authorities, industries and the academic world through an effective information sharing program that will leverage the collective power of the key players in the aviation industry.”