Cybersecurity in aviation: Risks and safety concerns

By Dassie Persaud-van der Westhuizen | September 6, 2022


It is undeniable that the digital transformation of the aviation industry over the past two decades has made air travel more efficient. However, the integration of continuously evolving technologies across the industry has not been risk-free. Instead, new technologies are a double-edged sword serving as additional entry points for cybercriminals to cause disruptions, especially as attackers are intent on becoming more skilled each year.

Perhaps you have noticed the increasing frequency with which airlines, airports, and other aviation organizations that suffer cyber attacks make news headlines. Or maybe you have been notified that your data was compromised during one of these events, and it left you wondering what cybersecurity is and how it fits into the aviation industry.


Introducing Cybersecurity Risks and Safety Concerns

The International Air Transport Association (IATA) defines aviation cybersecurity as “the convergence of people, processes, and technology that come together to protect civil aviation organizations, operations, and passengers from attacks.” Effective cybersecurity measures should protect organizations from various types of attacks, including from two of the most prevalent areas of cyber risk in the aviation industry: standard IT and operational technologies (OT). Standard IT comprises risks that all organizations face by adopting tools such as email correspondence and HR systems available in this digital age. Typical examples are attacks in the form of ransomware or phishing.

OT risk is specific to the aviation industry and concerns the devices that keep daily operations running smoothly. The in-flight entertainment and Wi-Fi systems (IFEC) are excellent examples, as the additional connections they provide create opportunities for attackers to manipulate systems. The electronic flight bag (EFB) for pilots is another entry point if airlines do not safeguard the devices. Modernizing air traffic control, such as the Next Generation Air Transportation System (NextGen) rollout by the FAA, poses several risks, too.

Criminals with the ability to monetize personal data are particularly interested in attacking sophisticated online loyalty programs storing passenger data. Cyber espionage is another emerging threat targeting trade secrets with devastating consequences for organizations. Since it usually takes more than 197 days to identify a cyber attack, copious amounts of confidential information can be stolen during that period.

The Economic Impact of an Attack

Each cybersecurity breach is estimated to trigger a direct financial loss of a minimum of $1 million. Precedents highlighting the financial repercussions of a breach include:

  • An unnamed major airline that fell victim to a compromised IT system in 2017. Over three days, 726 flights were cancelled, causing a US$115 million loss (excluding reputational damage).
  • The 2018 British Airways (BA) attack, in which data from up to 500,000 passengers was stolen. This incident cost the airline US$26 million in penalties authorized by the Information Commissioner’s Office (ICO) after the General Data Protection Regulation (GDPR) was adopted the same year. The ICO originally intended to fine the airline US$211 million, but took into account the economic impact of Covid-19. In addition, passengers could submit personal damage claims.
  • In 2022, Sunwing Airlines was cornered into delaying flights for days after its third-party provider – Airline Choice – experienced a cyber attack which disabled the check-in system. In turn, Sunwing staff had to manually complete boarding passes and flight preparations. The delays left passengers stranded in some destinations and others forced to cancel holidays.

Often, intellectual property (IP) is targeted during cyber attacks instead of physical assets. These trade secrets include information about loyalty programs, websites, social media, and aircraft designs. For example, the Chinese aircraft manufacturer COMAC allegedly stole IP from a range of companies to produce an airliner to satisfy the demands of the rapidly growing Asian aviation market. The COMAC aircraft could compete with Boeing and Airbus equivalents at half the price.

Cybersecurity and Social Sustainability Threats

Failing to prevent losses during cyber attacks does not only have economic impacts; it can also reduce customer loyalty and cause customers more than a simple inconvenience. In the aforementioned British Airways example, one passenger whose credit card details were leaked believes that the event led to attempted fraudulent credit card transactions. As a result, he supported the hefty penalty imposed on the airline. Naturally, his confidence in the airline was diminished by this experience.

Moreover, a network intrusion can affect the safety of the entire supply chain once the attacker decides to broaden a disruption. The Sunwing example highlights the disruption to the supply chain caused by a cyber attack. It can be argued that events like this could trigger distrust in business partnerships and harm the brand. Finally, a cyber attack may trigger feelings of unease and fear of lost personal data amongst employees.

The Path Forward

Effective cybersecurity is essential for aviation organizations to continue benefiting from the double-edged sword of evolving technologies. To combat these threats, industry leaders, such as ICAO and IATA, have alerted the industry to some economic and social risks and have taken steps to develop proactive industry-wide cybersecurity strategies. For example, the defense proposed by IATA targets the entire lifecycle of an aircraft — “design, certification, operations, and maintenance” — and focuses on four principles: developing a cybersecurity culture, transparency and trust, communication and collaboration, and a trained workforce.

In the meantime, aviation organizations should learn from the mistakes of others (such as those listed above) and layer up their cyber defenses to prevent making news headlines in the future for the wrong reasons.
