Given the range of threats and the catastrophic impact a cyberattack could have on an airline, strategising to reduce the risk of breaches and implementing plans to deal with them once they occur should be prioritised at board level.
In particular, should an airline suffer a cybersecurity attack, the result might not solely be the loss of data, whether customer records, customers' financial details or sensitive details about company revenue; it could well impact an airline's core operations, since cyberattacks have the potential to seriously disrupt flights and endanger their safety.
A specific challenge for airlines which heightens their cybersecurity risk is the incredibly diverse nature of their business in terms of geography, business lines (passenger and cargo), complex public and private systems, and significant interfaces with other bodies in the industry. This is an environment with many access points and potential points of weakness.
The Regulatory Landscape
As the industry responds to these threats, there is currently no uniform benchmark standard(s) or regulation for bodies to aim toward.
At a regulatory level, there are some principles of general application, primarily in relation to the security of data (for example, the risk-based approach to security envisaged by the European Economic Area's Data Protection Directive); however, they are of very general and high-level application and not specific to the industry.
Aviation regulators and industry officials are in fact pressing for greater collaboration between governments and airlines to protect the industry from cyber breaches, as was evidenced by the briefing of European ministers by the head of the European Aviation Safety Agency in early July.
From a standards perspective, there are a variety of initiatives: for example, aircraft manufacturers are providing guidance on best practice but these only go so far, and none of these initiatives offer a holistic approach to the risks posed.
For each individual airline, the key is a harmonised, coordinated approach across the entire company, including all geographies, business units and the supply chain.
A federated or autonomous organisation in terms of purchasing standards and contract terms, technology standards, and internal governance or policies will struggle to create an effective approach to cybersecurity. The weakest link in the organisation will open up the rest to potential attack. Specific coordinated activities across an airline should include:
• Central determination of technology standards, policies and procedures to be applied across the IT environment, covering both the airline's own-hosted environment and any third-party-hosted systems. As part of this, contract risk should be transferred to third-party suppliers as appropriate.
• Full audit of existing IT systems, assessing coverage gaps and overlap as well as compliance with the new standards. Poor interoperability between hardware and software leads not only to customer service weaknesses but also to security vulnerabilities.
• Review of supply chain arrangements across the organisation, with contract risk again transferred to third-party suppliers as appropriate.
• Establishment of internal governance to proactively and reactively address cybersecurity issues, from the C-level executive responsible (whether this is a Chief Risk Officer or another officer tasked with this responsibility) down through the organisation, without gaps or competing committees or initiatives.
• Focus on employee and consultant arrangements, including training, screening and vetting, and authorisation and access permissions. (Humans are typically the weakest link in any cybersecurity chain.)
• Where the avenue is available, have legal and compliance teams work proactively with local regulator(s) to help shape and drive the legislative framework that is inevitably being developed in this space.
Careful planning and preparation upfront will not only limit damage should a breach occur but can also help avoid or minimise any regulatory sanctions, protect an airline's reputation, and vastly improve passengers' trust and confidence.