PA’s Justin Lowe, a cybersecurity expert, is quoted in an article about cybersecurity in airports. The article draws on the theft of data belonging to 4.5 million Air India customers, which highlights how cybersecurity has become a major concern for the aviation sector.
The article explains that within the aviation industry, cybersecurity risks are extremely wide-ranging, as they depend on the type of operator and how they are hit. Justin explains: “If you think about airports, you can have quite a wide and sprawling set of IT environments that are quite difficult to secure.”
He continues: “A lot of times you’ll have itineraries and flight plans for high-profile individuals ahead of time and that’s not something you want hackers to have their hands on.”
Justin explains that over the last five to ten years cybersecurity threats have become a huge concern, mainly as a result of digitalisation processes becoming the norm in the sector. He goes on to say: “With the increased digitalisation you end up with a lot of additional connectivity and interconnectivity going on. That increases the risk to a lot of these systems, whereas if they were isolated as they had been previously, attacks wouldn’t spread to other systems because of inbuilt resilience.”
The article goes on to reference one of PA’s reports which highlights how, on top of additional connectivity, other factors – including customer-centricity and airports now becoming mega hubs – have contributed to the industry’s susceptibility to cybersecurity risks.
The article explains that physical risks also tend to be targeted, whereas in cybersecurity there is a higher risk of accidental attacks. “On the safety side, there is actually quite a commonality between safety and cybersecurity because it’s not just information systems that are at risk but also the operational technology,” explains Lowe. “An incident on the runway lighting could cause outages and severe disruption as well as implications for the airfield.”
The article concludes by looking at what aviation can do to protect itself. Justin explains that individual businesses need to work on preventative measures, such as carrying out risk assessments: “Operators need to look at what their cyber maturity is across their whole estate. And they need to look across all that operational technology as well as IT, looking at gaps [in cybersecurity] and the risk they pose.”