Cyber Security

By Tony Tyler

Throughout its century of growth the success of the commercial aviation business has been built on cooperation. Every flight that takes off or lands is the result of working together and sharing information among many different entities such as airlines, airports, ground handlers and air navigation service providers (ANSPs).

Yet the very nature of our collaboration means that our industry is vulnerable to cyberattack. Each day seems to bring fresh news of a security breach or data theft. Damage from such attacks can run into hundreds of millions of dollars and leave a company’s reputation in tatters. A successful cyberattack on an airline could paralyse operations and result in thousands of stranded passengers

Cybersecurity is a new and dynamic threat and we will likely always be on a steep learning curve. One thing we do know is that we are only as strong as our weakest link. An airline is dependent on its ANSP and airport partners to be highly engaged in cybersecurity. Many airlines and airports have robust systems in place to address common hacking threats. The challenge is the evolution of the threat. Cyber experts have to improve their expertise constantly in order to remain vigilant and keep ahead of hackers. What we are facing is close to asymmetric warfare in which it is easier to attack than to defend. In order to assess the broader threat to the aviation system, there is a need to adopt a holistic approach which would include all our IT infrastructure as well as that of our partners.

To that end, the AVSEC World conference in October 2015 will for the first time be a joint effort between IATA and Airports Council International (ACI). Our aim is to reinforce the collaboration, cooperation and communication between the different elements of the air transport chain, to minimise cyber risks. Safety is the top priority for everyone associated with aviation. IATA’s role in this regard is to assist airlines in developing a robust cybersecurity strategy and to help drive coordination of global efforts to address cyber threats to aviation. To achieve this, we have put in place a three-pillar strategy that comprises:

– Working to understand, define and assess the threats and risk of cyberattack,
– Raising awareness of cybersecurity issues and identifying reporting and information sharing mechanisms,
– Advocating for appropriate regulation and mechanisms for increased cooperation throughout the industry and with Governments.

Given our environment of rapidly evolving applications of technology, a systemic, coordinated approach to understanding and addressing the potential risks is critical. And the challenge becomes even more complicated as airlines increase the use of outsourced systems and technology. An important part of the relationship with vendors and partners is developing a cybersecurity culture that is continuously evaluating and mitigating risks. Some of this is addressed in the Aviation Cyber Security Toolkit which we launched last year. The Toolkit proposes solutions to run internal analysis of current cyber risks to help security stakeholders identify ways to protect their vital IT infrastructure. It is intended for airlines but is also applicable to airports, ground handlers and others in the value chain.

Industry cooperation, while an absolute necessity, by itself will not get us where we need to be. Governments have resources and access to intelligence that the private sector can never achieve. They also have a responsibility to use these resources to support industry efforts.