The airline industry is collaborating on cyber security as it faces a growing reliance on technology and IT systems. In this article we interview Pascal Buchner, CIO at the International Air Transport Association (IATA).
Is cyber risk a priority for airlines? If so, why?
Yes, because the airline industry relies on computer systems extensively in their ground and flight operations. Some systems are directly relevant to the safety of aircraft in flight, others are operationally important, and many directly impact the service, reputation and financial health of the industry. There is no question that automation significantly enhances safety and aircraft capabilities while simplifying many routine tasks. But as a result, the number of entry points into systems is increasing steadily.
What concerns the industry the most?
The main concerns today are related to financial fraud within the reservation systems and the business continuity of ground systems. Cyber security is not considered a safety issue as impacts are more in terms of financial loss, operation disruptions and reputation of the airline. The aircraft itself is secure as the critical avionic systems are totally segregated from other embedded systems that might be vulnerable such as the inflight entertainment system. However, the entire supply chain needs to be addressed to make sure that the integrity of the aircraft is preserved through the maintenance and the operation activities.
We are also concerned by the different communication links from the ground to the aircraft and it will be key to implement basic controls such as authentication and encryption to protect the aircraft against spoofing and jamming. The next generation of air traffic management systems will bring new requirements in terms of risk management that will need to be addressed.
Do airlines have robust systems for cyber risk?
Many airlines and airports have robust systems in place to address common hacking threats, but they haven’t always taken a holistic approach to the IT environment or considered the broader threat to the aviation system.
What is IATA doing in this area?
IATA has developed a three-pillar strategy to understand, define and assess the threats and risk of cyber-attacks, the basis for appropriate regulation and the mechanisms for increased cooperation throughout the industry with the support of governments. Other areas of involvement include the organisation of workshops aimed at raising industry and regulator awareness and ongoing cooperation with member airlines to assess industry needs.
How are airlines responding to the cyber threat?
Airlines cannot respond only individually as they need to be able to perform a global threat assessment. The most profitable airlines have implemented very mature cyber security activities and are sharing already within the Aviation Information Sharing and Analysis Center (A-ISAC). In May, ISAC announced a partnership with IATA and a new tiered membership structure designed to increase accessibility to the organisation’s premier global cyber threat sharing network.
A-ISAC and IATA are also to hold a summit in Miami in November 2017 to bring together the best experts from the industry, the academy and the authorities to exchange on continuous cyber security. The continuous cyber security framework aims to build a cyber security roadmap for the aviation industry, including a common, system-wide threat analysis capability and a cross-industry risk management methodology.
What is being done to increase international co-operation?
In December 2014, IATA, the International Civil Aviation Organisation (ICAO), Airports Council International (ACI), the Civil Air Navigation Services Organisation (CANSO), and the International Coordinating Council of Aerospace Industry Associations (ICCAIA), agreed on a common roadmap to align their respective actions on cyber threats. A high-level coordination mechanism has been established through the Industry High Level Working Group (IHLG) which concentrates on the delivery and the promotion of the industry position on cyber security.
In co-operation with other IHLG participants, a proposed declaration on cyber security has been developed and adopted by the 39th ICAO Assembly. The declaration calls upon States to define and align cyber security responsibilities within respective governments and adopt a flexible, outcome-focused approach.
Does IATA provide any practical guidance?
In 2015, IATA published the second edition of the Aviation Cyber Security Toolkit to assist airlines in raising awareness and understanding and better defining the cyber risks to their organisations. The toolkit includes a situational assessment of cyber security in the industry, a framework for assessing risk and guidance material for setting up a cyber security management system.
What role might insurance play?
Cyber security insurance might be important to cover the response activities to recover from a cyber-attack, if the premium is affordable without too many exclusions. The continuous cyber security could be one framework helping airlines and insurers to find an agreement on mitigating the risk, so it can be insured.
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org