Defending aviation from cyber attack


Cyber security threats faced by the aviation industry from cyber criminals represent one of the sector’s most serious challenges. A major attack can compromise passenger safety and cause massive financial and commercial damage across the industry.

About the author

Scott Nicholson, Delivery Director at Bridewell Consulting.

Air transportation's importance in the economy as critical national infrastructure, combined with its interconnectivity and complexity, makes it an attractive target for cyber criminals. Their target list stretches from air traffic control systems and the aircraft themselves, to the airline companies and airports. All of this is why cyber security was spotlighted by the World Economic Forum (WEF) in January as one of the biggest challenges facing the industry.

The nature of the threat

Although the media focuses on terrorism as the main threat because of the associated fear of loss of life, disruption and chaos, the most likely threats to aviation are the same ones that affect other businesses, such as phishing attempts, data breaches or ransomware. This kind of threat is a lot less invasive, but just as damaging.

An illustration of this occurred when electronic flight information screens at Bristol Airport were taken offline in 2018 as a security measure against what the airport described as a ransomware-style attack. The airport used whiteboards to replace information screens and deployed extra staff to cover the gap.

In this case flights were unaffected in the end and the airport described the hack as opportunistic, rather than targeted. However, a cyber attack has the potential to wreak havoc on major transport hubs worldwide and lead to huge numbers of delays, flight cancellations and heightened security alerts. The threat is certainly not going away and in fact is only growing in importance as a challenge for business.

Priorities for airline CIOs

In fact, the cyber security issue has risen to become a top five issue for the boardroom. According to a 2019 SITA report Air Transport IT Insights, airline CIOs are focusing their IT strategies on digital transformation, with cloud services (100%) and cyber security initiatives (96%) being the greatest areas for investment. The report found cyber security to be a high priority, ranking second on the agenda of airline CIOs, with 86% having a major cyber security program in place and another 10% running a pilot.

In the report SITA highlighted an emerging technology trend showing 72% of airlines are prioritising ‘threat intelligence’ investment to help them collect and analyse threat data. This was ranked third, up from 2018. Although cyber security is clearly being taken seriously in the boardroom, there is one area where much work is still to be done to bolster businesses’ cyber defences, and that is in having the right individuals in place with the right training, skills and expertise to be able to deal with the threat.

Coping with the cyber skills shortage

Aviation is a business that at its heart is based around an immense IT infrastructure requiring specialist expertise to operate effectively. Parallel to the industry’s challenge in dealing with the cyber security threat is the need to take the necessary steps to overcome the widely acknowledged skills gap in cyber security. 

This skills shortage is perhaps even more of a problem in aviation than for many other industries. This is because in addition to using traditional IT, airports typically function with SCADA (Supervisory Control and Data Acquisition) operational technology (OT) to support key services such as runway lighting and utilities. When you apply SCADA to the skills gap it gets even wider because the skills are more specialized. It means aviation companies have the additional burden of finding someone who understands operational technology and SCADA-based process control networks on top of cyber security. This combination of skill and expertise is rare.

In addition, as computers do ever more, human skills erode, creating a struggle for the aviation industry to overcome the so-called “paradox of automation”. In a growing number of areas humans now need to step in only when something unusual and unexpected occurs. With less opportunity to practice and develop their skills, workers become less capable of reacting quickly and appropriately in crisis conditions.

Therefore, it’s not surprising that according to the SITA air transport report, investing in ‘employee awareness and training’ is a key component when it comes to improving cybersecurity, with 79% of airports stating it as an investment priority. It’s also understandable that more and more enterprises are deciding to link up with a third party to help take up the strain when it comes to finding expertise in both security and engineering, and to help put in place a successful cyber security strategy.

Taking the right steps

In developing their cyber security strategy, aviation businesses need to understand their supply chain and ensure their own cyber security is robust and reliable. They need to know who has access to which systems, and make sure that vendors have the right practices and procedures in place to deal with the cyber threat. There are several steps the industry can take to secure infrastructure, mitigate risk and ensure resilience in the face of the growing cyber threat. 

To support businesses in this endeavour, the Civil Aviation Authority in the UK recently launched the ASSURE framework. Developed in collaboration with the Council for Registered Ethical Security Testers (CREST), the ASSURE scheme is designed to enable the aviation industry, including airlines, airports and air navigation service providers, to manage cyber security risk without compromising aviation security or resilience.

Everything must be done to limit the threat and make it as difficult as possible for attackers to breach the organisation’s security systems. This cannot be achieved without IT teams and OT teams working together on cyber security. Clearly defined layers of network segregation provide a solid foundation to reduce the attack surface and limit an attacker’s ability to move laterally within the network.

Partnering with a trusted cyber security expert

Working with a third-party specialist can add real value in this area because they have both the cyber security know-how and the engineering experience, and by blending the two together they can plug all of the gaps that aviation organisations typically have in-house. These are the first steps that need to be taken to protect the industry from the current threat and from the challenges it will face for years to come.

Scott Nicholson


He is an experienced Cyber Security and Privacy leader who has operated across public and private sector organisations globally.

Scott is Bridewell's Delivery Leader and brings a significant amount of experience within the information security and data privacy profession.

He also provides security leadership services and operates as Data Protection Officer (DPO) across a number of our key clients in different industries. He is also a Fellow of Information Privacy (FIP) with the IAPP and actively involved in driving privacy improvements in the industry.

He has delivered security and privacy solutions on a global scale within a number of sectors such as central government, police, financial services, retail, oil and gas and has also worked with a number of software development companies, cloud service providers and some of the largest hosting companies in the world.

He is responsible for the delivery and growth of our Cyber Security, Information Security and Assurance, Privacy, Penetration Testing and managed security services portfolio.

He has operated across a number of industries, providing a mixture of leadership and hands-on technical delivery of solutions to deliver compliance programmes such as ISO27001:2013, PCI DSS, NIST, Cyber Essentials Scheme, PSN, PSNP and CESG (now NCSC) guidance.

He is extremely passionate about cyber/information security and privacy, in particular when it comes to delivering a high quality service for Bridewell’s clients, both when he is involved in delivery of a service himself and when he is overseeing members of the Bridewell team.

He has spoken at various security and privacy events across the UK, written a number of published articles on key concerns in the industry and was also part of an important cloud security publication in the Sunday Times.