Like most global business sectors, commercial aviation is keenly aware that it has a cybersecurity problem. But unlike many businesses, it faces substantial threats on multiple fronts. Airlines have customer data to protect, while aircraft are becoming more connected to meet both passenger demand and new, data-driven operations and maintenance programs. Manufacturers and suppliers are plugged into each other, using connectivity to push new parts to the factory floor and spares to the hangar.
Considering the number of avenues a hacker could pursue to disrupt the system, it is no wonder that airline CEOs are more concerned than their corporate counterparts about cybersecurity threats. A recent PwC survey found that 85% of airline CEOs “expressed concern” over cybersecurity risk, compared to 61% in other industries.
“Overall, security procedures to date have been effective, safely integrating the many technological advances introduced to aircraft and airlines,” PwC says. “Yet the industry continues to see major technological advances that contribute to the complexity of protecting data and assets.”
Such concerns prompted the International Air Transport Association (IATA) to release its first cybersecurity toolkit in 2014. The kit includes tools that explain cyberthreats, a risk-assessment framework, and guidance for setting up a cybersecurity management system.
“Given our environment of rapidly evolving applications of technology, a systemic approach to understanding and addressing the potential risks is critical,” says Tony Tyler, IATA CEO. “And the challenge becomes even more complicated as airlines increase the use of outsourced systems and technology. An important part of the relationship with vendors and partners is developing a cybersecurity culture that is continuously evaluating and mitigating risks.”
Data from another survey suggests that despite the airline industry’s increased awareness, the broader aerospace and defense (A&D) sector has some holes to fill.
The 2016 Global State of Information Security Survey by PwC and tech publishers CIO and CSO compiled input from some 10,000 senior executives from multiple industries. The survey shows that A&D companies experienced “security incidents” as often as or more often than other respondents. For instance, 34% of A&D respondents reported experiencing “50 or more” incidents in the previous 12 months, compared to 32% of all respondents, while 42% of A&D companies reported 1-9 incidents, compared to 32% of all respondents.
Despite the reported frequency, A&D companies scored below all respondents in deploying safeguards. Only 40% of A&D companies report having “an overall security strategy,” 35% report having an employee training program, and 35% report having “security standards/baselines for third parties,” the survey found. In contrast, more than 50% of all respondents have such safeguards in place.
Aviation is working collaboratively on the problem. In addition to its toolkit development, IATA is part of a pan-industry effort, joining the International Civil Aviation Organization, Airports Council International, the Civil Air Navigation Services Organization, and the International Coordinating Council of Aerospace Industry Associations to develop a road map to unify cybersecurity improvement efforts.
The Aerospace Industries Association in 2013 published a “decision paper” outlining a cybersecurity framework for civil aviation. It suggests that industry adopt the same approach to cybersecurity as it has to reducing accident rates—a risk-based, multi-layered approach with government and industry collaboration.
“This risk-informed decision-making model demonstrates the effectiveness of government and industry working together to prioritize and standardize aviation safety enhancements to efficiently and effectively reduce risks,” AIA argues. “This collaborative model can also serve as a template for helping the aviation community understand the risk associated with continually implementing new innovative information and communications technologies that may not be keeping up with safety and security measures.”
Some suggest that such an approach is taking shape. Joel Otto, Rockwell Collins’s senior director of strategy and business development for information management services, says the emergence of aircraft like the Airbus A350 and Boeing 787, which produce mountains of data, requires a system-safety approach to cyber issues. “As we’ve gotten into these highly connected aircraft, looking at security vulnerabilities as part of an overall safety analysis is part of the approach now,” he says.
Many of the airline industry’s cybersecurity concerns focus on the increasing amount of data being moved between the aircraft and the ground—be it to meet inflight entertainment demand or to support new operational functions. Otto points out that commercial aircraft have been transmitting data from air to ground for nearly 40 years, and engineers have been focused on potential vulnerabilities for just as long.
“What’s changed is not how we think about it but that the threats have evolved significantly and are moving very quickly,” he says. “Back in 1978,” when the air-to-ground ACARS digital messaging system made its debut at Piedmont Airlines, “there weren’t hackers participating in the active engagement of espionage and disruption that people try to propagate today.”
Otto also emphasizes that focusing too much on the air-to-ground connection’s vulnerabilities misses the point.
“The biggest misconception that I see is not thinking about it as an end-to-end solution, from the systems hardware on the airplane all the way to the systems, people and processes that airlines use to execute their business every day,” he says. “The constraints of one air-to-ground link aren’t the whole story. People want to break it up into smaller chunks of problems, but that does not always work.”
Otto notes that security goes beyond keeping data safe—it includes ensuring data gets to where it needs to be, when it needs to be there. Relying on open systems like the Internet means relinquishing at least some control, which introduces a different type of cyber risk.
“If I don’t control that path or have someone who is managing that entire path for me, I don’t know what can happen,” Otto says. “There are a lot of places [where] things can stumble. The [connectivity] evolution is an end-to-end problem—it’s not just a focus on air-to-ground technology.”
Taking a macro approach aligns with pan-industry efforts to tackle cybersecurity vulnerabilities. In the U.S., the Department of Commerce’s National Institute of Standards and Technology (NIST) is spearheading an effort to create a voluntary framework for securing critical infrastructure. As the agency responsible for creating computer and IT-related standards for the government, NIST often sets the information security bar for private-sector companies. A White House Executive Order signed in 2013 put NIST at the center of the framework project, and the agency sought input from some 3,000 representatives from industry, government and academia. The result was the initial framework, released in 2014.
The 40-page document focuses on the three components that make up the framework. Its “Core” offers standards, practices and guidelines built around five functions—identify, protect, detect, respond, and recover—that are the elements of an effective risk-mitigation and response program. The framework’s “Implementation Tiers” help an organization evaluate its general cybersecurity risk-management practices. The “Framework Profile” helps organizations put their practices to the test in specific scenarios and evaluate the outcomes.
NIST says that the framework is a “living document,” and the agency is constantly seeking feedback to improve the standards.
Boeing, a regular contributor to the NIST effort, “has found the framework useful in many ways,” the aerospace giant notes in recent feedback provided to the agency.
“Boeing played a key role in the development of the NIST Cybersecurity Framework, and Boeing Commercial Airplanes has utilized the Core and Implementation tiers from the framework since 2013 as a means for assessing risk and identifying improvements needed for the aviation industry in a series of targeted use case studies and tabletop exercises,” the company states. “Boeing Commercial Airplanes has derived the greatest benefit from developing a holistic and integrated view of cybersecurity for its airplane products and business operations across each of the Core Functions and categories from the NIST Cybersecurity Framework, which encourages industry to cover all identify, detect, protect, respond, and recover functions in its approach.”
The airframer adds that its Commercial Airplanes division used the framework “as a reference model for our aviation information security protection efforts,” as well as when coordinating with external organizations. “Boeing Commercial Airplanes has already significantly reduced its airplane product, business operations, and manufacturing process cyber-security risks through leverage of the NIST framework,” the Chicago-based company adds.
By deploying Exostar’s Partner Information Manager (PIM) to help it assess and monitor risk among its partners, Boeing has also taken steps aimed specifically at its supply chain. Formed in 2000 by Boeing, BAE Systems, Lockheed Martin, Raytheon and Rolls-Royce as a supply-chain portal, Exostar has evolved into a cloud-based platform responsible for securely connecting supply chains. The shift started in 2007, when the U.S. Defense Department called the manufacturers in to discuss leaks of proprietary data through their supply chains. The five companies, plus Northrop Grumman, teamed up to improve supply-chain security.
Among the tools developed: a managed-access gateway that allows some 100,000 suppliers to share information through a single point of entry—Exostar. A working group developed PIM, which establishes common cybersecurity standards and definitions for suppliers. A single questionnaire sets companies up in PIM and provides the OEMs with visibility into their suppliers that they have lacked in the past. Benefits for suppliers include fewer audits and the ability to show compliance to multiple top-tier partners through one concentrated effort.
“Understanding a supplier’s cybersecurity maturity level allows Lockheed Martin to make informed decisions on how best to manage their risk throughout our global, multitier supply chain,” says Jim Connelly, vice president and chief information security officer at Lockheed Martin and chairman of Exostar’s Security Steering Committee. “Exostar’s PIM enables us to implement a consistent, efficient, cost-effective process to measure, assess and mitigate risk in real time and over time.”