Aviation is one industry currently undergoing a significant digital transformation. It is learning to adapt to and exploit new and emerging technologies. Everything from aircraft to airports are becoming much smarter.
On board aircraft, complex electronics and computer algorithms are helping reduce aircrew workload and assisting with safety critical functions. In airports themselves, digital technologies are appearing in more and more places and passengers are interacting directly with this critical infrastructure. Self-service baggage drops and automated boarding gates are two examples of how airports have embraced the digital revolution to improve efficiency and customer experience.
As these more advanced technologies emerge, we can expect our critical national infrastructure to become increasingly connected. Before adopting these new technologies and connecting the new with the old, businesses must first seek to understand the challenges and risks posed to their operations in order to realise maximum benefit from their investment. Historically, the aviation industry has had to focus on ensuring safety and physical security; however, recent digital transformation has meant that the sector has had to learn to adapt to a new type of threat - cyber-attack.
News outlets and government agencies alike are constantly warning us of new and evolving cyber threats. Vulnerabilities in interconnected systems are already being exploited for malicious purposes, having the potential to cause significant disruption to the businesses affected. Whilst the most damaging incidents are more often the result of a highly targeted cyber-attack, recent events in other sectors show this isn’t always the case. In early 2020, a ransomware attack that spread from within the corporate network caused a two-day outage at a US gas pipeline facility. The operational network in this case can be considered collateral damage, but it demonstrates how an incident can affect business operations if risks are not fully understood and mitigated.
Unsurprisingly, aviation operations have previously been impacted by cyber-attacks; in 2018, departure boards at Bristol Airport were taken offline for two days by a ransomware attack, whilst Polish airline LOT cancelled several flights from Warsaw’s Chopin Airport after becoming unable to file flight plans in 2015.
Given many of the systems associated with diverse processes like security screening to controlling aerodrome ground lighting are digital, even our critical aviation infrastructure is not immune to such threats. As we become increasingly reliant upon digital systems, we must ensure our critical assets remain resilient and that incidents cannot compromise activities, safety or security. The key cyber security challenges for aviation are around understanding the changing threat and adopting best-practice.
Cyber-security is a business enabler. By making it secure, we can also be confident that our critical infrastructure is safe and resilient to new and emerging threats, allowing society to realise the full benefit of a connected, digitalised world. To do so, organisations should think holistically about safety, operations, and security. When looking to adopt new, digital technologies, we encourage businesses to ensure:
Security, like safety, is built into everything from the start. By building security into a system from the outset, and ensuring it will be maintained over its lifetime, it’s possible to realise maximum benefit and maintain safety, without having to retrofit. For example, if an airport was looking to invest in a new terminal - and the associated systems and services - it is more cost-effective to include security at the requirements stage. This enables operators to build confidence that they meet all applicable legal and regulatory requirements (such as the NIS Regulations). By thinking about the overall security architecture of new systems and services, it is possible to ensure they are scalable, and that effective segregation is in place between operational systems and the standard IT environments.
Security is incorporated into day-to-day processes, business continuity and incident response plans. As outlined above, cyber security incidents do have the potential to affect the day-to-day operations of both airports and airlines. It is important that cyber incident response is fully integrated with the existing emergency/crisis/business continuity plans. The potential effects of a cyber incident include physical impacts, service disruption, or a loss of data. Such impacts not only require an immediate response, but implicate Public Relations, Legal, Regulatory, Human Resources and, potentially, Health and Safety. By ensuring response plans are comprehensive, it is possible for businesses to manage potential operational consequences.
Security risk should be understood and managed throughout the supply and support chain. Supply and support chains within the critical national infrastructure space are extremely complex and operators are often heavily reliant upon third party service providers. By making sure supply chain partners have suitable processes in place which take into account cyber and information security, it is possible to manage the risk. In all cases, the approach to supplier assurance should be proportionate, but practical steps include asking potential suppliers about their approach to cyber security (to understand risk levels) and ensuring their networks and equipment are operated/developed according to recognised good practice. For suppliers of less sensitive goods and services, accreditations such as Cyber Essentials may suffice, whereas those providing more operationally critical services may need ISO 27001 certification and development processes aligned to relevant international standards (such as ISO/IEC 62443).
Training and development of personnel is key to operating safely and securely. Ensuring operations and maintenance staff are appropriately trained and have access to clear operating instructions means they can operate safely and securely. So they are aware of the aims, objectives and expectations of the business, all personnel should undergo regular security awareness training. Where personnel hold more sensitive roles, more regular, specific training and accreditations may be required. One practical step to reduce risk to operational systems is the introduction of a passport process, whereby personnel must first complete the requisite training package in order to complete certain tasks. By keeping accurate training records, and ensuring personnel are suitably qualified and experienced, businesses can be confident that the human side of security is appropriately managed.
What it means to be secure varies from sector to sector and between businesses. Regardless, security should be considered a business enabler, directly supporting the achievement of organisational aims and objectives. In all cases, businesses should take a flexible approach to understanding and managing the cyber-security risks posed to their systems and implement proportionate measures that enable them to respond to the changing threat.
David Sylvester is a digital trust and cyber security expert at PA Consulting
Helping to protect and grow your organisation in a digital world