A major cyber security concern for airlines is the company reputation. Nobody wants to have their brand associated with hacking. In fact, large majority of cyber-attacks do not intend to compromise critical avionic systems or gain control over the aircraft. The more likely scenario is to have In-Flight Entertainment systems (IFE) or on-board Wi-Fi connectivity taken over by attackers. Hugo Teso, the Head of Aviation Cyber Security Services at F-Secure, says:
Incidents involving non-critical systems such as the IFE or In-Flight Connectivity (IFC) might end up in media with shocking headlines. For passengers, this will look bad. Even a breach like this will seriously damage the company image and financial performance. In aviation, trust is everything.
Modern aircraft are connected
Airplanes are not isolated elements. The aviation sector is increasingly dependent upon software-driven systems, internet connectivity and trustworthy digital data. The modern e-Enabled aircraft utilize IP-based communications and real-time connectivity with the airline and air traffic control. With e-Enabled aircraft, theresponsibility of cyber security has moved from the aircraft manufacturer to the operator. The operator is in charge of installing, configuring and operating aircraft-related systems in a secure way. Aside from the numerous benefits, connectivity creates exposure to cyber threats.
Legacy aircraft system updates increase the attack surface
The modern aircraft have a number of features and technologies that increase the attack surface and expose more systems to potential cyber-attacks, but they have been designed from the beginning with cyber security in mind. Legacy aircraft, on the other hand, used to be more obscure to the cyber criminals by using aviation specific technologies and keeping the most critical systems isolated. However, constant and mandatory upgrades expose legacy systems to a wide range of new threats. Adopting new technologies in legacy aircraft is necessary to match the market requirements and to keep up with the natural evolution of the industry.
How do the airline CEOs sleep at night?
For the airline industry, cybersecurity risk is a major concern. According to a PwC survey, for 85 percent of airline CEOs this risk is top of mind compared to 61 percent of CEOs in other industries, a difference of 24 percentage points.* Things in the aviation industry are changing faster than ever before, and companies need to follow the trend to stay competitive. This evolution should be considered foremost as an opportunity. Aviation companies have procedures and resources to cover new technologies in their traditional IT infrastructure, so it is only a question of extending these skills to the aviation assets and procedures. In order to succeed, it is essential to involve aviation cyber security experts. Andrea Barisani, the Head of Hardware Security at F-Secure finds there is lot of positive development:
Aviation is a very safety critical industry with a lot of public interest and sometimes bad press. One of the issues is that there is a lot of intrinsic secrecy. Very positive things are happening under the curtains, but these are rarely visible to the public. Design and testing take much greater role than the common perception.
Regulations keep us safe?
Some companies are waiting for international aviation agencies to create regulations to comply with. But being compliant will not prevent them from being breached. Regulations are an important starting point for cyber security, but cyber attackers move faster than regulators do. So a relentlessly proactive approach to cyber security is essential.
* 3 PwC, 2015 Global airline CEO survey, Getting clear of the clouds: Will the upward trajectory continue? Dec. 2015. https://www.pwc.lu/en/transport-logistics/docs/pwc-transport-logistics-global-airline-ceo-survey-2016.pdf