Combined with imminent cyber regulations in several jurisdictions, it makes appropriate aviation cybersecurity measures more important than ever.
There are three areas that airlines have to consider: passenger services, operations, and aircraft control.
Passenger services covers everything from the initial booking to identity management and a bespoke travel experience. Fraud, most particularly in ticket sales, is the major concern and, in a normal year, costs airlines about $1 billion. But fake refund claims and the exploitation of airline Frequent Flyer Programs (FFP) have become just as prevalent as credit card crime.
Aside from dealing with fraud, airlines must work hard at securing passenger data. Everything the industry is trying to do to streamline and simplify the air travel experience involves the use of data. Everything collected must be balanced with data ethics, and good practice calls for data minimization: using only the data that is needed.
Nevertheless, many of the advances in airport processes, such as biometric facilitation, require passengers to provide important personal details. Privacy laws, such as the European Union’s General Data Protection Regulation (GDPR), set high standards for securing this data, and most passengers seem happy to share information where necessary.
The latest IATA Global Passenger Survey found that:
- 73% of passengers are willing to share their biometric data to improve airport processes (up from 46% in 2019).
- 88% will share immigration information prior to departure for expedited processing.
- Just over a third of passengers (36%) have experienced the use of biometric data when traveling. Of these, 86% were satisfied with the experience.
However, data protection remains a key issue with 56% indicating concern about data breaches. And passengers want clarity on who their data is being shared with (52%) and how it is used/processed (51%).
“Privacy concerns are not unique to aviation but that doesn’t make any difference,” says Manon Gaudet, Assistant Director, Aviation Cybersecurity. “Aviation still has to address them and put cybersecurity measures in place.”
She insists, however, that this is not just about achieving compliance with regulations. “We don’t want checklist security,” she says. “Airlines must implement risk-based systems.”
Trust in data exchange is also at the heart of operational cyber issues. Data has to flow across the aviation value chain and that means systems talking to each other and all parties having confidence that the data is protected.
But trust is a concept that cannot be mandated by governments. Attaining it is therefore a challenge for the industry, especially as companies of all sizes, not to mention at varying cybersecurity levels, are involved.
Gaudet says that it is critical for organizations to share vulnerabilities or fears so that the overall cyber ecosystem can be secured. Sharing knowledge helps prevent future attacks and creates cyber resilience. It means the weakest point in the end-to-end passenger experience can be brought up to a requisite level, and it keeps all companies ahead of attack trends and developments.
“Remember, attackers do not have trust issues,” says Gaudet. “Not only are they working with artificial intelligence and new techniques but also they offer services to each other to leverage different attack capabilities.”
As for aircraft systems, this is potentially the most serious aspect of cybersecurity efforts. Aircraft are increasingly connected to the ground and that opens up the possibility of attackers seeking to interfere with aircraft onboard systems including flight critical systems. All cybersecurity strategies must start with securing these.
For airlines looking to improve their cybersecurity, Gaudet’s advice is to “get in an expert. Don’t try to figure it out yourself,” she says. “There are lots of different attacks and lots of different ways an attack could impact an airline. You have to work through all the different scenarios especially those that could have an impact on safety.”
At the IATA Digital, Data and Retailing Symposium, Martin Ninnemann, Business Development Director at Unisys, identified six key elements in implementing a cybersecurity strategy:
- Cryptographic protocols to ensure end-to-end protection of data flows.
- Virtual Communities of Interest to limit accessibility to the data.
- Cloaking, so that users can only see the infrastructure that they need to see.
- Dynamic isolation, which means identifying and shutting down a point of entry, such as a particular PC or server, ideally within seconds not minutes or hours.
- Integration with identity management systems to facilitate smooth operations.
- Transparency with applications so that existing proprietary systems can continue as normal.
All of the above, he suggested, can be done without changing existing architecture. There is no requirement to “rip out and replace”.
Gaudet adds a cybersecurity culture to the list. Fortunately, airlines do not have to create this from scratch. “A safety culture is already omnipresent throughout aviation and cybersecurity is just an extension of this,” she says. “It is not about creating a culture in isolation. It is connected to the idea of continuous safety improvement and airlines understand this completely.
“This will give airlines a human firewall,” she adds. “You can have all the technology in the world, but you must empower staff. Humans are one of airlines’ greatest defences against cyberattacks, but it can also be its weakness, so awareness and training is key.”
To assist airlines, there are a number of industry initiatives underway. A common approach to cybersecurity is essential. Not only will cooperation make the overall information network stronger, but it also allows organizations to speak the same cyber language. Terms such as authentication need to mean the same thing to all companies.
IATA established the Cyber Management Working Group (CMWG) to assess industry needs and provide appropriate guidance. There is also the Aircraft Interconnected Systems Cyber Security Steering Group (AISCS-SG), an informal forum that is particularly concerned with the interconnected systems related to flight safety.
IATA is also working with the International Coordinating Council of Aerospace Industries Associations (ICCAIA) on the Aircraft Cyber Security eXchange Restricted FORUM (rFORUM) to help airlines better understand the risks associated with the introduction of new technologies and to share those concerns with the Original Equipment Manufacturers (OEMs) and Design Approval Holders (DAH).
At the ICAO level, there is the Secretariat Study Group on Cybersecurity (SSGC) and its different subgroups, which are busy revising the ICAO Cybersecurity Action Plan (CyAP) and the Trust Framework, including new Civil Aviation Secure Overlay requirements. The European Aviation Safety Agency (EASA) and EUROCAE are also consulting with IATA on new regulations.
“There is no shortage of effort,” concludes Gaudet. “But we need more input from airlines to develop the right guidance so that we can meet the industry’s needs in this critical area. All aviation organizations must get to a viable minimum level of cybersecurity because a single attack on one critical element could affect the entire industry.
“That doesn’t mean everybody has to implement the latest systems though. It is always about adapting because no airline can do a wholesale replacement of systems every year. The fact is we can never achieve 100% cybersecurity. But we can lower the risk and it is essential that we do that. Critical digital systems that are part of the civil aviation infrastructure must be protected as best we can.”