It should be common knowledge that passwords need to be complex, unique and difficult to guess. People know how to keep their data secure — right?
Even in a world where data breaches are commonplace, users frequently ignore best practices for cybersecurity. One analysis found that the password most commonly revealed in data breaches is “123456.” Too many people make poor choices about cybersecurity and put themselves and others at risk.
These problems aren’t unique to the consumer space. Aviation data systems protect the data — and lives! — of millions, yet many of these organizations have not implemented a system for managing the risk of cyberattacks. A 2016 survey found that only 40% of aerospace and defense companies have a comprehensive security strategy.
There’s work to be done in the aviation field to safeguard user data, protect intellectual property and defend aircraft and passengers from harm. The work starts with implementing cybersecurity best practices, and it continues with risk assessments and risk prevention strategies.
Today’s airlines face an ever-changing field of cyberattacks from criminals of all kinds. Ensuring the safety of passengers and their data has never been more challenging — or more crucial. Yet with the right training, systems and planning, aviation companies can provide the level of security their clients have a right to expect.
Table of Contents
- Cybersecurity in Civil Aviation
- Air Force Cybersecurity
- Using Airport Cybersecurity Best Practices
- Aviation Cybersecurity: Risk Prevention and Assessment
- Creating Safeguards for Aviation
Cybersecurity in Civil Aviation
In 2018, Hong Kong-based Cathay Pacific Airlines noticed suspicious activity on its internal network. Investigators discovered that a hacker obtained access to the personal information of 9.4 million customers. Credit card information, passport information and personal details were all exposed.
Cathay Pacific’s data breach, the largest in the history of the airline industry, demonstrates the importance of cybersecurity in civil aviation. Passengers lost faith in the airline’s commitment to safeguarding their data, and the company’s stock value slumped.
Cyberattacks can threaten an airline’s trade secrets as well. GE Aviation’s cybersecurity team recently coordinated with the FBI to thwart the attempt of a foreign government to steal the company’s trade secrets. If successful, this attack would have diminished GE’s competitiveness in the global aviation and aerospace market.
Airlines are responsible for protecting more than just the trade secrets and data of their passengers, though. They’re also responsible for protecting lives.
The United States Department of Homeland Security (DHS) announced a new initiative in 2017 aimed at thwarting renewed attempts by terrorists to hijack or bring down aircraft. DHS Secretary John Kelly asserted that terrorist interest in attacking the aviation sector has not diminished in the years following the 9/11 attacks but only increased.
Kelly called for “new measures across the board” that would ensure the safety of the public. These measures included enhanced screening approaches and increased passenger vetting, and they also challenged aviation partners to commit to systematic and ongoing cybersecurity efforts. Kelly recognized that the front lines for modern conflicts are often computer networks.
Cybersecurity is already an essential part of any aviation company’s security strategy, but its importance is only increasing as airlines embrace new technologies. Whether it’s supporting new operational functions or streaming inflight entertainment to passengers, more data is transferred between aircraft and the ground than ever before. These channels of communication each come with vulnerabilities that have to be assessed and mitigated.
There are many threats to airlines in today’s world. Thankfully, there are proven aviation cybersecurity strategies that can mitigate the operational risks that aviation companies face every day. Cathay Pacific’s reputation and stock price recovered as the company recommitted to cybersecurity best practices. Other companies can do the same.
Air Force Cybersecurity
If cybersecurity is important in the consumer airline space, it is vital in the Air Force. In 2018, the Air Force started a program to fundamentally reorient its IT staff, reframing their role away from servicing email systems and toward cybersecurity. Now, its IT professionals are part of mission defense teams that carry out the Air Force’s cyber operations.
Why the big change? The Air Force recognizes the crucial role of cybersecurity in accomplishing its core missions. As cyberattacks become an increasingly common tool for disruption and destabilization, the Air Force needs highly-trained teams devoted solely to using IT services for mission assurance.
The Air Force’s reshaping of its IT department is part of a defense-wide initiative to respond to threats to the aviation sector. The updated National Strategy for Aviation Security (NSAS), published by the White House in late 2018, recognizes that emerging technologies are threatening the aviation ecosystem, and it calls for federal, state and local authorities to work with the private sector.
The Air Force’s partners in the aerospace and defense (A&D) sector also have an essential role to play in cybersecurity, but a 2016 survey of 10,000 senior executives across many industries revealed that many A&D companies have been slow to adopt cybersecurity best practices. Only 40% of the A&D companies that responded had an overall security strategy.
Thankfully, the culture is changing at these companies. Another survey found that 85% of aviation CEOs were concerned about the risks posed by cyberattacks, a much higher figure than that expressed by CEOs in other industries.
Companies are realigning their thinking and recognizing that cybersecurity is not a one-and-done effort, but an ongoing and repeated process of training, risk assessment and risk prevention. As the Air Force and its private partners implement and reinforce their risk management practices, they create a culture and a strategy that will help keep Americans and their data safe and secure.
Using Airport Cybersecurity Best Practices
Industries around the globe have been re-assessing their cybersecurity strategies, if for no other reason than finances. One study expects the global costs of data breaches in 2019 to reach $2 trillion. With their expensive aircraft, crowds of passengers and databases of user data, airports are a prime target for the world’s criminals.
The good news is that airport cybersecurity best practices are very similar to cybersecurity best practices elsewhere. Broadly speaking, airports can protect their equipment, passengers and data by following three steps:
1. Train and Evaluate Your Staff
When most people think of a cyberattack, they tend to think of a Matrix-style virtual assault on a computer system. The truth is much more mundane. While virtuoso hackers do exist and they do commit cybercrimes, about 90% of all cyberattacks are the result of human error.
All manner of mistakes can expose your systems to outside exploits. People make foolish decisions with their passwords. They accidentally lose their laptops or phones in public places. They get disgruntled and negligent.
All too frequently, people also just give hackers sensitive information. In a typical phishing attack, attackers impersonate a member of your organization to convince another member to divulge sensitive information. Sadly, these attacks are extraordinarily effective. A 2017 FBI investigation found that American businesses were collectively losing $500 million a year to phishing attacks.
What can airports and other businesses do to mitigate their exposure to cyberattacks through human error? There’s no magic bullet, but the most secure enterprises are those that commit to ongoing training and evaluation of staff.
Can your employees discern the difference between a phishing email and a real one? Does your IT staff have the skills they need to respond to today’s threats? Are your employees making safe choices with sensitive hardware? Your organization can only answer those questions affirmatively if it has committed to regular cycles of training and evaluation.
2. Monitor Activity and Map Your Data Flow
It’s a common-sense truth and a scientifically-proven tendency: You won’t see what you’re not looking for. Airports can only identify and respond to cyberattacks when they are actively looking for such attacks.
This process starts with an updated analysis of your organization’s data flow. Where is your organization’s data? In the cloud? In on-site servers? Where and how is data backed up? Who has access, and from where and with what devices? With your network fully mapped, you can monitor all possible access points and appropriately log user activity.
This can be a complicated process in today’s bring-your-own-device business environment, but it can be done. With detailed monitoring and logging of user activity, your organization can respond to cyberattacks as they’re happening.
3. Create a Reactionary Strategy
Finally, you need to have a plan in place for what to do in the event of a breach. Recent history is littered with the stories of companies that failed to respond appropriately to a cyberattack. In 2017, the CEO of Equifax resigned after the company’s botched handling of a data breach. What was the public’s major complaint about Equifax’s response to the cyberattack? The company waited 40 days before informing the public about the compromised data.
Airports, like all businesses entrusted with consumer data, need to have a detailed plan of action prepared for the event of a breach. This plan should include a timely announcement to the affected public in addition to specific methods for identifying the breach, locking out the intruder and limiting further damage.
The key word for all three of these steps is risk. Best practices for cybersecurity involve risk assessment and risk prevention. To better manage the risks they face in today’s always-connected world, airports need to invest in risk assessments that will identify potential vulnerabilities. With a clear understanding of potential risks, airports can then implement strategies to limit their exposure to those risks.
Aviation Cybersecurity: Risk Prevention and Assessment
While there are many similarities between cybersecurity practices in aviation and cybersecurity practices in other industries, professionals in aviation face unique challenges.
Innovative new technologies in the aviation field promise to enhance communication, but they also open up new potential vulnerabilities. One such technology is the electronic flight bag (EFB), a tablet-based replacement for the bulky binders that pilots historically brought along for every flight. While convenient, EFBs pose a security risk that airlines need to assess and mitigate. Unfortunately, a recent survey found that many airlines have not created such a plan.
However, there are stakeholders in the aviation field who are proactively assessing the cybersecurity risks of upcoming technologies. The Federal Aviation Administration, for example, is in the process of modernizing air traffic control systems from a radar-based system to a system based on the global positioning system (GPS). While GPS has many advantages, it is also connected to the internet. The General Accounting Office (GAO) expressed concern about the system, noting that it is more vulnerable to outside attack.
The GAO’s comment here shows that the industry is implementing a risk management model of aviation security that analyzes systems for vulnerabilities and constructs risk prevention plans to mitigate those vulnerabilities. This approach has been shaped by a framework established by the National Institute of Standards and Technology (NIST), which was charged by the White House in 2013 to establish guidelines for the private sector regarding risk-mitigation and response programs.
Boeing, for example, has enthusiastically embraced the NIST Cybersecurity Framework. In a statement, the company touted its “holistic and integrated” cybersecurity strategy, noting that this risk-based framework has enabled it to reduce cybersecurity across all of its business units.
The holistic approach is vital for early detection and response to a cybersecurity incident. When organizations conduct a post-mortem analysis following a security breach, they typically conclude that their monitoring systems were insufficient. The problem isn’t always a lack of monitoring. Rather, it’s a failure to develop tools that holistically correlate events and data across the company’s various systems.
New technologies present new challenges, certainly, but resisting change is not the answer. Instead, aviation companies need to systematically assess the risks associated with implementing new technologies. This is the primary task assigned to the private sector in 2018’s National Strategy for Aviation Security (NSAS). As the NSAS addresses the private sector, it first and foremost calls for a “strong security culture” that partners with the government to meet today’s security challenges.
More specifically, the NSAS calls for aviation companies to coordinate security planning with their disaster recovery planning. Reactionary plans are vital, of course, but cybersecurity cannot be an entirely reactive process. Risk assessment and risk prevention are the strategic planning models that will allow aviation companies to identify and thwart potential attacks.
Creating Safeguards for Aviation
One of the greatest threats to airlines are cyberattacks, yet the new technologies that attackers are trying to exploit are also enabling exciting new possibilities in the field of aviation. A risk-management cybersecurity model is vital for aviation companies as they embrace new technologies to improve customer experience, streamline air traffic control and coordinate today’s international transportation needs.
Cybersecurity experts agree that it’s not a question of if you’re going to be hacked, but when. While this is a troubling reality for an industry charged with the safeguarding of human life, valuable cargo and passenger data, it’s also an unavoidable facet of today’s always-connected world.
BlackStratus is ready to help your organization comply with regulatory standards and ensure the safety of your networks, data and clients. Enterprises around the globe trust our security and compliance platform to deliver unrivaled security visibility. There are many risks in the aviation field, but with the right partner, those risks can be assessed and prevented. Contact us today to get started planning your cyber security strategy.