This blog was written by an independent guest blogger.
The COVID-19 pandemic has unveiled numerous vulnerabilities and shortcomings in the airline industry. What’s worse for aviation in particular over other industries is how airports have essentially served as the portal for the virus traveling from one country to another across the globe.
As a result of severe travel restrictions implemented by nearly every country, airline companies have been hit hard and forced into a dire financial situation. It’s very likely that going forward, airports will be forced to implement stricter screening before permitting boarding, in addition to needing more government bailouts and loans to stay afloat.
But one of the more overlooked areas where airline companies and airports have been hit hard during the coronavirus pandemic is when it comes to cybersecurity and data privacy.
It’s very typical of hackers to take advantage of major crises to spread malware, steal company and customer data, and cause chaos. Unfortunately, the current crisis has been no different.
As airports and airline companies work together to devise strategies on how to properly re-open, an Assure cybersecurity audit model has been created in conjunction with Crest to help strengthen cybersecurity for the aviation industry in general. Specifically, the Assure scheme aims to enable the aviation industry to better manage their cybersecurity risks, and without compromising aviation safety or resilience.
In this article, we’ll explore the current cyber threats that airports and airlines are facing, how prepared they are to meet those threats, and how exactly the Assure model could benefit the aviation industry in general.
Why is cybersecurity an issue for the airline industry?
Cybersecurity is a fundamental issue for the airline industry because airlines are incredibly vulnerable to cyberattacks.
One reason for this is the large number of wireless devices that almost all modern airliners utilize. These include in-flight entertainment systems (IFEC), electric flight bags (EFBs), IoT devices intended to automate repairs or increase fuel efficiency, and any other Wi-Fi connectivity systems installed on the plane. In other words, each individual airplane has numerous targets that cybercriminals can go after to gain access to systems and any data stored within them.
It’s not much better at airports, and if anything, airports are actually more vulnerable than airplanes are. According to the Airports Council International (ACI), addressing cybersecurity concerns needs to be a core priority for airports as they attempt to resume normal and business operations.
Specifically, the ACI urges airports to utilize a common information-sharing approach, secure connectivity with cloud-based virtual private servers, secure IT infrastructure for remote access, and teach effective cybersecurity practices to the airport workforce and not just cybersecurity personnel.
ACI World Director Angela Gittens described the purpose of these recommendations:
“A key aspect for airports, especially with larger numbers of staff accessing IT systems remotely, is the implementation of cyber resilience for business continuity. It is imperative for airports to have up-to-date cybersecurity policies and procedures which should be made available and apply to not only the IT and cybersecurity personnel but the workforce in general.”
In an era where people feel the American government may not be taking cybersecurity seriously enough, defenses against hackers and cybercriminals for the airline industry are left in the hands of other organizations to come up with new strategies on their own.
One of these strategies is the Assure scheme.
What is Assure and how can it help?
Assure is a cybersecurity scheme devised by the accreditation body CREST and the Civil Aviation Authority (CAA) of the United Kingdom. Assure aims to help the aviation industry better manage their security risks without compromising access or safety.
The Director of Aviation Security at the CAA, Peter Drissell, explained:
“By working with CREST to develop the Assure accreditation scheme, the aviation industry has access to the highest levels of skill, knowledge, and competence to face the changing threat landscape and encourage a proactive approach to cybersecurity.”
The CAA hopes that Assure will play a significant role in helping the aviation industry to better manage security risks going forward. Assure will also enable aviation organizations to acquire accredited cybersecurity capabilities. These capabilities will then allow them to better assess their defensive measures against cybercriminals.
Under Assure, accredited security professionals will need to have Crest membership and demonstrate extensive knowledge of cyber audit and risk management, industrial control systems and operational technology, and technical cybersecurity. They can then contract with an Assure-accredited supplier to have their assessments audited.
Cybercriminals are always seeking to exploit vulnerabilities at airports and ways to breach cybersecurity defenses. Public Wi-Fi at airports, for instance, poses a major security risk due to ad hoc connections, unencrypted networks, malware attacks, and a username and password theft, among others.
It’s hoped that Assure teams, with their knowledge of the aviation industry and broad expertise in cybersecurity, will put airports in a much stronger position to defend against cyberattacks.
Besides the airline sector, Crest has also been working alongside the utilities, telecommunications, and banking sectors as well to develop more effective and efficient cybersecurity testing and accreditation schemes. This will help to create a more coordinated, and community-based effort as a whole to help protect against the increased cybersecurity risks created by COVID-19.
It’s clear that the airline industry has a lot of work to do in order to become more prepared for the increased risk of cyberattacks both during and following the COVID-19 pandemic. Airlines and airports face numerous cybersecurity vulnerabilities because of the industry’s heavy reliance on third-party vendors for hosting data and information technology for facilitating operations.
Airlines, air navigation systems providers, and airports in particular stand to benefit hugely from the Assure program to better manage their cybersecurity risks and without sacrificing aviation resilience or access.