Cybercrime

BY GRAHAM NEWTON

Combined with imminent cyber regulations in several jurisdictions, having appropriate aviation cybersecurity measures are more important than ever.

The industry faces threats from individual hackers and organized crime, up to statesponsored actors. There are three areas that airlines have to consider: passenger services, operations, and aircraft control.

Passenger services covers everything from the initial booking to identity management and a bespoke travel experience. Fraud, most particularly ticket sales, is the major concern and, in a normal year, costs airlines about $1 billion. But fake refund claims and exploiting airline Frequent Flyer Programs (FFP) have become just as prevalent as credit card crime.

Aside from dealing with fraud, airlines must work hard at securing passenger data. Everything the industry is trying to do to streamline and simplify the air travel experience involves the use of data. Everything collected must be balanced with data ethics and good practice calls for data minimization—only using the data that is needed.

Nevertheless, many of the advances in airport processes, such as biometric facilitation, require passengers to provide important personal details. Privacy laws, such as the European Union’s General Data Protection Regulation (GDPR), set high standards for securing this data and most passengers seem happy to share information where necessary.

The latest IATA Global Passenger Survey found that: 73% of passengers are willing to share their biometric data to improve airport processes (up from 46% in 2019).

prior to departure for expedited processing.

Just over a third of passengers (36%) have experienced the use of biometric data when traveling. Of these, 86% were satisfi ed with the experience.

However, data protection remains a key issue with 56% indicating concern about data breaches. And passengers want clarity on who their data is being shared with (52%) and how it is used/processed (51%).

“Privacy concerns are not unique to aviation but that doesn’t make any diff erence,” says Manon Gaudet, Assistant Director, Aviation Cybersecurity. “Aviation still has to address them and put cybersecurity measures in place.”

She insists, however, that this is not just about achieving compliance with regulations. “We don’t want checklist security,” she says. “Airlines must implement risk-based systems.”

Trust in data exchange is also at the heart of operational cyber issues. Data has to fl ow across the aviation value chain and that means systems talking to each other and all parties having confi dence that the data is protected.

But trust is a concept that cannot be mandated by governments. Attaining it is therefore a challenge for the industry, especially as companies of all sizes, not to mention at varying cybersecurity levels, are involved.

Gaudet says that is critical for organizations to share vulnerabilities or fears so that the overall cyber ecosystem can be secured. Sharing knowledge helps prevent future attacks and creates cyber resilience. It means the weakest point in the end-to-end passenger experience can be brought up to a requisite level and keeps all companies ahead of attack trends and developments.

“Remember, attackers do not have trust issues,” says Gaudet. “Not only are they working with artifi cial intelligence and new techniques but also they off er services to each other to leverage diff erent attack capabilities.”

As for aircraft systems, this is potentially the most serious aspect of cybersecurity eff orts. Aircraft are increasingly connected to the ground and that opens up the possibility of attackers seeking to interfere with aircraft onboard systems including fl ight critical systems. All cybersecurity strategies must start with securing these.

For airlines looking to improve their cybersecurity, Gaudet’s advice is to “get in an expert. Don’t try to fi gure it out yourself,” she says. “There are lots of diff erent attacks and lots

of diff erent ways an attack could impact an airline. You have to work through all the diff erent scenarios especially those that could have an impact on safety.”

At the IATA Digital, Data and Retailing Symposium, Martin Ninnemann, Business Development Director at Unisys identifi ed six key elements in implementing a cybersecurity strategy: 1. Cryptographic protocols to ensure end-toend protection of data fl ows. 2. Virtual Communities of Interest to limit accessibility to the data. 3. Cloaking, so that users can only see the infrastructure that they need to see. 4. Dynamic isolation, which means identifying and shutting down a point of entry, such as a particular PC or server, ideally within seconds not minutes or hours. 5. Integration with identity management systems to facilitate smooth operations. 6. Transparency with applications so that existing proprietary systems can continue as normal.

All of the above, he suggested, can be done without changing existing architecture. There is no requirement to “rip out and replace.”

Gaudet adds a cybersecurity culture to the list. Fortunately, airlines do not have to create this from scratch. “A safety culture is already omnipresent throughout aviation and cybersecurity is just an extension of this,” she

says. “It is not about creating a culture in isolation. It is connected to the idea of continuous safety improvement and airlines understand this completely.

“This will give airlines a human fi rewall,” she adds. “You can have all the technology in the world, but you must empower staff . Humans are one of airlines’ greatest defence against cyberattacks, but it can also be its weakness, so awareness and training is key.”

To assist airlines, there are a number of industry initiatives underway. A common approach to cybersecurity is essential. Not only will cooperation make the overall information network stronger but also it allows organizations to speak the same cyber language. Terms such as authentication needs to mean the same thing to all companies.

IATA established the Cyber Management Working Group to assess industry needs and provide appropriate guidance.

IATA is also working with the International Coordinating Council of Aerospace Industries Associations on the Aircraft Cyber Security eXchange Restricted FORUM to help airlines better understand the risks associated with the introduction of new technologies and to

share those concerns with the Original Equipment Manufacturers and Design Approval Holders.

At the ICAO level, the Secretariat Study Group on Cybersecurity and its diff erent subgroups are busy revising the ICAO Cybersecurity Action Plan and the Trust Framework, including new Civil Aviation Secure Overlay requirement. The European Aviation Safety Agency and EUROCAE are also consulting with IATA on new regulations.

“There is no shortage of eff ort,” concludes Gaudet. “But we need more input from airlines to develop the right guidance so that we can meet the industry’s needs in this critical area. All aviation organizations must get to a viable minimum level of cybersecurity because a single attack on one critical element could aff ect the entire industry.

“That doesn’t mean everybody has to implement the latest systems though. It is always about adapting because no airline can do a wholesale replacement of systems every year. The fact is we can never achieve 100% cybersecurity but we can lower the risk and it is essential that we do that. Critical digital systems that are part of the civil aviation infrastructure must be protected as best we can.”