The Aviation Industry Needs to Move Towards Cyber Resilience

2021 is a significant year for aviation. It marks the 20^th anniversary of the 9/11 attacks, the worst acts of unlawful interference in the history of aviation. It is also the Year of Security Culture for the ICAO community, which aims to enhance security awareness and foster a security culture throughout the industry. The importance of understanding the threat to aviation and promoting best practices in security throughout all aviation operations is imperative considering that the air transport sector continues to modernize and digitize.

Systemic risks and cascading effects

As a result, new and emerging cyber risks threaten the data, systems and technological infrastructure of airports, airlines and air navigation service providers as well as many other service suppliers.

“This digital penetration will only increase with time, especially considering the continuous innovation being seen in communications and applications, and the advent of new airspace users such as drones and Remotely Piloted Aircraft Systems,” noted Dr. Fang Liu, ICAO’s Secretary General, at a virtual event to launch the World Economic Forum (WEF) ‘Pathways to a Cyber Resilient Aviation Industry’ study.

The study describes how airlines, airports and aircraft manufacturers currently take different approaches to countering cyber-risks. It includes a warning that rising levels of interdependency within the industry “can lead to systemic risks and cascading effects.”

To address these emerging cyber risks and safeguard the aviation industry, the WEF collaborated with Deloitte and connected with leaders from 50 organizations including ICAO, NCSC, EASA, IATA, ACI, Eurocontrol and UK CAA to determine how the aviation sector can prepare against future security incidents and cyber-attacks. The study was developed in the framework of the WEF Cyber Resilience in Aviation initiative to create a streamlined and harmonized approach among all civil aviation authorities.

“The work of the World Economic Forum on aviation cyber resilience complements these global efforts led by the ICAO and is another excellent example of the importance of broad-based international collaboration among public and private stakeholders,” said Dr. Fang Liu.

Barriers to cyber resilience

The study identified various barriers to advancing cyber resilience across the industry. Although aviation stakeholders are determined to achieve higher cyber resilience levels, their efforts are hindered by various organizational, technical and regulatory barriers including:

• Under-investment in cyber resilience capabilities.
• Increased complexity of the value chain with ambiguous accountability.
• Fragmented approach at governance and policy levels.
• Lack of visibility and transparency across the supply chain.

Cybersecurity Action Plan

To reduce the cyber-attack surface and improve cyber resilience for a digitally connected aviation ecosystem, the coalition of aviation stakeholders and the ICAO Assembly have urged for the adoption of a Cybersecurity Action Plan that consists of the following actions:

1. Recognize the necessity of developing a comprehensive and agreed-upon cybersecurity vision.
2. Work towards a common baseline for cybersecurity standards and recommended practices.
3. Ensure that cybersecurity is part of aviation security and safety systems.
4. Ensure a variety of risk-assessment methodologies to ensure comparability.
5. Develop information-sharing platforms and mechanisms to allow prevention, early detection and mitigation of relevant cybersecurity events.
6. Ensure the qualification of personnel in both aviation and cybersecurity.
7. Increase awareness about cybersecurity.

“The aviation industry has developed a strong track record of safety, resilience and security practices for physical threats and must integrate cyber risks into this culture of safety and resilience,” said Georges De Moura, Head of Industry Solutions, Centre for Cybersecurity, World Economic Forum. “A common understanding and approach to existing and emerging threats will enable industry and government actors to embrace a risk-informed cybersecurity approach to ensure a secure and resilient aviation ecosystem.”

Pathways towards cyber resilience

To address barriers and challenges to cybersecurity, decisive and collective action is required. This report includes recommendations on three levels: international, national and organizational. To move forward, stakeholders at all levels must work together by anticipating gaps and building on each other’s strengths.

On an international level, the report suggests aligning regulations globally with an outcome-based guidance, establishing a cyber resilience baseline across the supply and value chains, encouraging continuous assessments and industry benchmarking as well developing information-sharing frameworks and standards.

On the national level, states must enable a systematic build-up of skills and cyber literacy of aviation employees as well as reward open communication practices about cybersecurity incidents and breaches.

Finally, on an organizational level, the report urges the adoption of two sets of cyber resilience principles:

• Organizational: Foster a culture of cyber resilience, integrate cyber resilience into business resilience practices and adopt a risk-based approach mindset that goes beyond compliance.
• Ecosystem-wide: Ensure systemic risk assessment, enable ecosystem-wide collaboration and establish industry-wide cyber resilience plans.

“Adopting a collaborative cyber-resilience stance and creating trust between cross-sector organizations, national and supranational authorities is the logical yet challenging next step,” said Chris Verdonck, Partner, Deloitte, Belgium. “However, if the effort is not collective, cyber risks will persist for all. Further solidifying an extensive and inclusive community and developing and implementing a security baseline is key to adapt to the current digital reality.”

The report concludes that for the aviation industry to prosper and realize the benefits of the ongoing digital transformation in a safe and secure manner, cyber resilience needs to be embedded in the culture and in business operation models. The proposed pathways can be the foundations on which aviation leaders and governments can build resilient and sustainable digital systems that are better prepared for future systemic shocks.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.