Cybersecurity readiness is of vital importance in the current data-protected society, including increasing obligations and directives designed to combat complex cyber threats.
The aviation industry was recently identified by the US Homeland Security Presidential Directive 7 (HSPD-7) as one of the 18 sectors that require an advanced cybersecurity solution.
HSPD-7 puts in place a national policy to give federal agencies the ability to ‘identify and prioritise critical infrastructure’ to increase protection against terrorism via cyber-attack.
The impact of cyber breach on a global scale
Airports and airlines are aware that cybersecurity solutions must protect not only critical operational data, but the personal data of passengers and personnel.
While an operational breach could potentially grind an airport to a halt and impact revenues, the implications of a failure to secure data and infrastructure are far-reaching at a global level.
It is clear that this is a fast-growing problem. In the past two years, there have been some examples of serious breaches, including the Perth Airport breach that gave a hacker security information and the building plans for the airport, the cyber-attack in the Ukraine that affected Odessa Airport and Kiev’s metro system and the Vietnam Airlines breach that allowed hackers to broadcast political propaganda using public screens and loudspeakers in two major airports.
With improved integration of airport systems happening around the world, and the reliance on connectivity, such as Cloud technology, to improve efficiency and operational performance, there is little surprise that this has led to the increase of potential system vulnerabilities, which still need to be addressed in earnest.
It was reported in the Frost and Sullivan report from 2016 that in the previous year, the cybersecurity market was valued at $1.6bn, with an estimated growth rate of 10% per year through 2015-2024. Industry experts note that this is a reflection of the global importance of cybersecurity and call for a holistic approach to planning.
The importance of planning for cybersecurity solutions
Jim Knaeble, global products management at Rockwell Collins, made some interesting points during a recent interview, when he noted that there is a ‘wide disparity in the level of cybersecurity preparedness in airports today.’
Some airports, it seems, have a plan in place, whereas in others, according to Knaeble, ‘cybersecurity is almost non-existent.’ There is, in addition, the separate issue that smaller airports may not have the resources or personnel to consistently monitor, analyse, identify or respond to potential network breaches.
There is a general consensus that the aviation industry needs a comprehensive approach to cybersecurity standards that can be adapted and, more importantly, embraced by all members of the community.
Plan development and the implementation of an adequate security solution can give the airport environment a solid, reliable platform from which to educate personnel and enforce the cybersecurity standards, so that the biggest causes of cyber breach can be minimised.
Knaeble believes that the example of the Vietnam Airlines breach perfectly demonstrates a lack of ‘proper security’ and highlights the need to put ‘enforcement policies in place.’
He stresses the need for a comprehensive approach to cybersecurity preparedness, as the needs of each airport are different, ‘there’s no “one size fits all” for airport cybersecurity’.
He said: “Each airport environment is unique. Conducting a proactive risk assessment can identify vulnerabilities so a holistic cybersecurity program can be established.”
Tackling these issues now is key in the prevention of a more serious breach in the aviation industry, which experts believe could be likely in the very near future, particularly as major data protection initiatives begin to take force around Europe later next month.
What the aviation industry is doing to help
There is little doubt in Knaeble’s mind what needs to be done, as he said: “The number one area that airports should be looking to invest in is creating a holistic cybersecurity program. This will ensure that all of their systems are being handled the same way, regardless of vendor.”
Aviation industry groups are coming together to launch initiatives designed to help airport operators in the prevention of cybersecurity breaches.
One of the largest is the introduction of the ACI World Airport IT Standing Committee (WAITSC), who is committed to address the education of personnel in creating a comprehensive approach to cybersecurity and in the drive to recruit cybersecurity professionals in more complex roles in both the short and the long-term.
Members of ACI plan to meet with IATA and A4A this month to debate cybersecurity, payments and PCI.
While the recruitment of cybersecurity professionals is just one area of interest, the long-term management of the challenges presented by increasingly sophisticated threats requires much more than simply education but will require a change in cybersecurity culture across the entire aviation environment.
Knaeble had a final comment to make as he said: “Airport cybersecurity will continue to be an industry priority for the foreseeable future. Moving forward, we’ll need to work together so that airports of all sizes can prioritise budgets, benchmark cybersecurity maturity against others, and educate airport stakeholders in the importance of a comprehensive cybersecurity program.”