29 October, 2020
Cyberattacks across all industries and countries regularly hit the headlines with record financial impacts, unquantifiable reputational damages and serious operational disruptions. Just last year, the World Economic Forum stated that cyberattacks are one of the top ten global risks of highest concern in the next decade.
The aerospace sector is a prime target for cybercriminals worldwide. In the last few years, a number of aerospace actors have been affected by cyberattacks ranging from theft of personal data, to operations disruption and even supply chain corruption.
The European Aviation Security Agency (EASA) estimates a monthly average of 1,000 airport cyberattacks.
In the face of this, the international regulatory framework is continuously being strengthened, bringing in new security and safety regulations and rapidly changing the requirements airlines and other aerospace stakeholders have to comply with. In October 2020, the American Federal watchdog urged the Federal Aviation Administration (FAA) to implement more actions to prevent cyberattacks on airplanes. In 2019, the International Civil Aviation Organization (ICAO) adopted the A40-10 Assembly Resolution, urging states to implement the Aviation Cybersecurity Strategy.
Only as strong as its weakest link
This surge of regulation updates is impacting not only the obvious areas of the aircraft ecosystem but also the whole value chain around aircraft operations. Theft or leakage of passenger personal data is probably the most common attack airlines have faced in recent years. Although the number of such attacks is high and extremely damaging to airlines’ reputations, they are also the most tractable to address, and many airlines are currently investing heavily in the security of their IT systems.
Many other areas of the aircraft ecosystem can be compromised by a cyberattack and need to be managed accordingly. For several years now, the rise of a more connected, digital aircraft has increased the risk of cyberattacks. Even though they are statistically less common, cyberattacks on the connectivity components of the aircraft are regarded as the most critical and impactful threats, prompting the need to mitigate the risk of a cybersecurity breach in this area.
The entire aviation value chain is therefore a potential target for cybercriminals, driving the need for a holistic approach to cybersecurity in aviation.
Impacting all areas of the business
The drive for new regulations around cybersecurity in aviation not only originates from the impact a cyberattack can have on companies and their employees but also society at large.
When we hear of a cyberattack, the first thing that comes to mind is the financial impact on an organisation: for example, a one-hour disruption of operations at a large airport at peak time has an estimated cost of $1m. In general, the cost of a cyberattack is estimated at around $1m.
Aside from financial impacts, aviation actors also face serious credibility issues, which can negatively impact their reputation and brand image and lead to unquantifiable secondary financial impacts.
Recent examples of cyberattacks
In 2020, 10,000 customers of a European airline filed a lawsuit, potentially leading to large financial compensation, after a cyberattack resulted in the disclosure of customer personal data.
In 2019, 6 flights of an American airline were cancelled because of a malicious cyberattack.
In 2020, a European airline suffered a personal data theft potentially affecting 380,000 people. The share price heavily dropped due to loss of credibility.
Shift in mindset
Rising pressure from international regulators and the growing intensity of cyberthreats are driving airlines and other aviation actors alike to invest in cybersecurity measures.
In 2019, employee training and compliance with security and safety regulations were estimated to be the two main cybersecurity expenses for airlines. Investment in these areas is anticipated to increase significantly with the setup of a stronger regulatory framework.
Nonetheless, although this shift in mindset is occurring in the aviation industry, all actors are facing issues in effectively securing their operations. One of the main concerns raised is the need for more proactivity amidst the rising security threats.
Increasing employee awareness of cyberattacks and how to prevent them has become a growing challenge for airlines. Employees are often considered the potential weakest link in the value chain. Giving them a key role in securing the entire ecosystem and reinforcing safety behaviours has become critical for aerospace actors.
Most threats result from a human error or behaviour
System complexity is also making it increasingly harder for aviation companies to globally manage security risks. Digitalisation, connectivity and automation all contribute to the difficulty of ensuring all areas of the ecosystem are protected from cyberthreats.
Another pain point is understanding and mastering current and upcoming cybersecurity measures. The rapid evolution of regulations and standards requires aerospace companies to constantly monitor and act on these regulatory shifts. The sheer number of them creates a level of complexity that even the biggest organisations struggle to master.
Additionally, National Airworthiness Authorities (NAA) can request evidence from airlines that Instructions and Assumptions from the Airbus Security Handbook are properly applied.
Non-exhaustive list of standards and regulations
- Airbus Security Handbook
- ICAO referential
- ISO 2700X
- NIS Directives
- Export Control
How can I avoid cyberattacks?
Train your team
Employee awareness is the single most important element in your defense against cyberthreats. With rising numbers of cyberattacks across the aviation industry, making your employees aware of security threats and helping them understand how to effectively protect your company is paramount. A variety of training is available on the market today to help you prepare your team and compensate for their lack of expertise.
Audit your security processes
Although it’s difficult to foresee how constraining future frameworks will be, regulatory entities such as EASA and FAA are planning to implement new regulations in the coming years. Mitigating the risk of non-compliance can be challenging. Today, many options are available to assess or audit your security implementations and ensure you have everything in place to avoid a possible attack or fine.
Secure your network
Protect your entire company’s IT infrastructure by setting up a layered approach to your defence. Typically, companies look into installing firewalls, antimalware, antivirus, identity and access control, etc. A holistic approach should be preferred when bringing in these different types of IT security solutions to avoid creating hidden back doors, which could still compromise your entire IT network.
Create a Security Operations Centre
A Security Operations Centre (SOC) allows you to control, monitor and detect any incoming threats to your system and respond to them in the most appropriate way. The SOC goes hand in hand with a defined set of rules and response measures for each type of incident. These need to be defined upfront and revised regularly to keep up with the evolving threats.
Set up a security framework
Documenting the policies, procedures and processes that revolve around the airline’s cybersecurity organisation is key to ensuring consistency and structure. This framework becomes the guiding principle that all airline stakeholders need to follow and comply with. Anticipate future changes from regulatory enforcement bodies and set up a base framework that you can build upon over time. If you’re not sure how to get started, different solutions are available to help you design the framework best adapted to your organisation.