World Economic Forum Calls for Global Collaboration to Enhance Cyber Resilience in the Aviation Industry
The aviation industry is unique. While going through the same digital transformation as other businesses, it is global by nature, transcends multiple jurisdictions, and must collaborate internally with its own competitors.
Nevertheless, it is a hugely successful industry. According to the International Civil Aviation Organization (ICAO), the 4.1 billion passengers transported in 2017 are expected to grow to around 10 billion by 2040, while according to the International Air Transport Association (IATA), 35% of world trade by value is transported by air cargo, equivalent to $6.4 trillion of goods. It is a critical industry — critical for both local national security and the global economy.
The World Economic Forum (WEF) believes that the success — and safety — of the aviation industry is largely down “to the successful balance between regulatory and risk priorities.” But times, prompted by the Fourth Industrial Revolution and digital transformation, are changing; and WEF notes, “as technology is changing, so are the priorities of aviation stakeholders and more work is required to ensure optimal resilience.” And this is without the additional complications of new technologies such as unmanned aerial vehicles (drones).
Put simply, aviation is facing the same problems that all companies face when information technology and operations technology (OT) merge — but perhaps with higher stakes. If cybersecurity fails non-systemically (say, in an airline), lives could be lost. If it fails systemically (say, in one or more airports or air-spaces), a cascading effect could rock the global industry, adversely affect public confidence, and damage the global economy.
Against this background, WEF launched an initiative in January 2019 designed to improve cyber resilience in the aviation industry, and has now published the first major output from this initiative: Advancing Cyber Resilience in Aviation: An Industry Analysis (PDF). The work involved interviews, surveys and workshops with industry participants, trade associations, regulators, air navigation service providers, airlines, airports and OEM manufacturers as well as ICT and insurance businesses working with and supporting the industry.
“The end goal,” says the paper, “is resilience, which we define as the ability to quickly and efficiently identify and minimize the impact of an incident so as to allow an organization to continue its mission as effectively as possible.”
WEF ran its own survey examining the threats, risks and vulnerabilities most affecting the aviation industry. From the results, it “identified three primary domains of focus where collective action can be improved to identify and manage cyber risk.” These areas are ‘people’, ‘capital and risk management’, and ‘technology and operations’.
‘People’ is an important starting point. In the survey of vulnerabilities (taken from incidents experienced over the previous 12 months), human behavior dominates. By far the biggest single vulnerability is phishing, augmented by other social engineering, erroneous data sharing, misuse and abuse of legitimate access, loss or theft of equipment and other policy violations.
Organizations need to focus on people as much as IT systems and infrastructure, says WEF. “The aim should be to not only attract, engage and retain qualified cybersecurity professionals, but also to build a higher degree of ‘cyber IQ’ for all stakeholders and employees in an organization, particularly operational staff interfacing with critical systems.”
In the second area of focus, capital and risk management, WEF warns that there is a misalignment between the security team and the Board. One reason for this is the security team’s over-reliance on qualitative rather than quantitative reporting. Most teams use red/green or high/low indicators of risk in reporting to the Board. This, warns the WEF, can easily be misinterpreted. Very few security teams use the more definite quantitative methods such as OpenFAIR, QIRA, LossPIQ and CyberQuantified. This causes the misalignment, which in turn leads to non-optimal budgets — which also feeds back into the ‘people’ issue. How can senior leadership take ownership of the cybersecurity problem if they don’t fully understand or properly budget for what and where it is?
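To make the contrast between a traffic-light rating and a quantitative estimate concrete, here is an added example (not from the WEF paper and not an implementation of any of the named products) of a simplified, FAIR-style Monte Carlo model in Python. It assumes two factors per scenario, loss event frequency and loss magnitude, each given as a calibrated (minimum, most likely, maximum) estimate and sampled from a triangular distribution; the scenario names echo the vulnerability categories the survey lists, but every number is constructed for illustration. The same annual-loss distribution is then collapsed to the red/amber/green label a heat map would show, so a reader can see how much of the tail risk that label hides.

```python
import math
import random

# Constructed, illustrative inputs (not figures from the WEF paper).
# Each triple is (minimum, most likely, maximum) from a calibrated estimate:
# "frequency" in loss events per year, "magnitude" in USD per event.
SCENARIOS = {
    "phishing -> misuse of legitimate access": {
        "frequency": (0.5, 2.0, 6.0),            # rare, but each event can be large
        "magnitude": (50_000, 250_000, 2_000_000),
    },
    "loss or theft of equipment": {
        "frequency": (20.0, 50.0, 100.0),        # frequent, but each event is small
        "magnitude": (10_000, 25_000, 60_000),
    },
}


def poisson_draw(rng, rate):
    """Knuth's method: number of events in one simulated year for an expected rate."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_loss(scenario, iterations=10_000, seed=42):
    """Monte Carlo: each sample is the total loss from all events in one year."""
    rng = random.Random(seed)           # fixed seed keeps the run reproducible
    lo_f, ml_f, hi_f = scenario["frequency"]
    lo_m, ml_m, hi_m = scenario["magnitude"]
    samples = []
    for _ in range(iterations):
        rate = rng.triangular(lo_f, hi_f, ml_f)   # uncertainty in the rate itself
        events = poisson_draw(rng, rate)
        year_total = sum(rng.triangular(lo_m, hi_m, ml_m) for _ in range(events))
        samples.append(year_total)
    return samples


def summarize(samples):
    """Expected annual loss plus the percentiles a Board can reason about."""
    ordered = sorted(samples)
    n = len(ordered)

    def percentile(p):
        return ordered[min(n - 1, int(p / 100 * n))]

    return {
        "expected_annual_loss": sum(ordered) / n,
        "p10": percentile(10),
        "p50": percentile(50),
        "p90": percentile(90),
        "max": ordered[-1],
    }


def traffic_light(expected_loss, risk_appetite):
    """The heat-map style rating the paper warns is easy to misread."""
    if expected_loss < 0.5 * risk_appetite:
        return "green"
    if expected_loss < risk_appetite:
        return "amber"
    return "red"


def report(risk_appetite=3_000_000, iterations=10_000, seed=42):
    """Both views side by side for every scenario: the label and the distribution."""
    out = {}
    for name, scenario in SCENARIOS.items():
        stats = summarize(simulate_annual_loss(scenario, iterations, seed))
        stats["rating"] = traffic_light(stats["expected_annual_loss"], risk_appetite)
        out[name] = stats
    return out


if __name__ == "__main__":
    for name, stats in report().items():
        print(name)
        print(f"  heat-map rating:      {stats['rating']}")
        print(f"  expected annual loss: ${stats['expected_annual_loss']:,.0f}")
        print(f"  p10 / p50 / p90:      ${stats['p10']:,.0f} / "
              f"${stats['p50']:,.0f} / ${stats['p90']:,.0f}")
        print(f"  worst simulated year: ${stats['max']:,.0f}")
```

With the constructed inputs both scenarios land on roughly the same expected annual loss and therefore the same amber label, yet the phishing scenario's p90 and worst-year figures are far higher, because a few large events dominate its tail. That difference is exactly what a red/amber/green cell cannot carry to the Board, and it is the kind of output the quantitative methods named above are designed to produce.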
The technology and operations area of focus is the mainstream problem of convergence between IT and OT. It is a problem faced — to one degree or another — by all organizations engaged in business transformation; but it is particularly severe in aviation. “Compromise of aviation systems resulting in incorrect data flowing between aircraft, aircraft maintenance organizations, airports and air navigation systems could have a critical impact,” warns WEF. If this compromised the safety of an aircraft or airline, public safety and confidence in the industry would fall.
WEF’s recommendations in this area include enforcing security by design in the development of new connected devices and systems; taking a holistic and risk-based approach to defending against and responding to increasingly complex and frequent cyber-attacks; and understanding the concept of ‘shared risk’ and encouraging that understanding in the supply chain.
Key to everything, it says, is “how well the organization manages to integrate security as an inherent part of its DNA.” It’s not as if there are no good security guidelines already available — such as NIST SP 800-30 and ISO/IEC 27005:2018. The problem is “the application of the guidance continues to fall short of what is required to ensure effective defense against cyberattacks.”
Over the course of the next year, WEF will engage “a multistakeholder community to co-design and pilot a common approach and methodology which will be shared with the Forum’s policy community.” In the meantime, the advice shared in this paper — although primarily directed at the aviation industry — will benefit any business in any sector currently engaging with business transformation.