3 I ATA L E G A L S Y M P O S I U M
The keys to the kingdom If passengers are to retain trust in the aviation system, it’s vital the industry is robust against cybersecurity threats
A
viation is a complex But cybersecurity is as much business with organizational as it is technical. systems to match. “Cybersecurity is not just an IT The countless entry t h i n g b u t i s e v e r y b o d y ’s points and interfaces make it responsibility,” says Gulshan vulnerable to cybersecurity threats. Kisoona, Manager, IT Security and Moreover, many of those systems Compliance, Air Canada and a are dated and were never designed Certified Information Systems to counter modern cybercrime. Security Professional. “When you Without the benefits of securiare assigned a username and a ty-by-design, aviation has some password by your employer, you critical decisions to make. have a key to the kingdom. The Whether to make the reporting slightest carelessness with the of cyber attacks mandatory is handling of that key opens the door perhaps the most critical of all. to the kingdom.” Reporting and communication is Critical operational and busione of three pillars in IATA’s cyness functions need to be propbersecurity strategy, alongside risk erly assessed and a risk-benefit management and advocacy. But it tolerance identified. That is a Cybersecurity and Data Protection: is thought that many of the most multi-disciplinary activity. These Risks, Challenges and Looking Ahead sophisticated and damaging cyfunctions can be difficult to value in the Aviation Industry and Beyond berattacks have not been publicly precisely. Exactly how devastatdisclosed. ing would the loss of real-time Tomorrow, 14:35-15:50 If an attack isn’t reported then flight information be? And what The Panel: Martin Fanning, Partner, Dentons – Moderator other airlines and other partners in are the chances of that happening? Gulshan Kisoona, Manager, IT Risk and Compliance, Air Canada the aviation value chain cannot use Resource allocation and threat Julian Homerstone, General Counsel, Virgin Atlantic Airways it to improve their defences. They response can be difficult things Jenna F. Karadbil, Partner, Law Office of Jenna F. Karadbil, Esq. could be hit by the same attack and to judge and are probably beyond their risk assessment of cyber threats an IT department’s remit. Alan D. Meneghetti, Partner, Locke Lord LLP will include unnecessary guesswork. The industry is moving in the It is also true that suffering a cyber right direction. IATA has pubattack in the public eye is a powerful incentive to By using detection as well as prevention, it lished a cybersecurity toolkit and runs workensure the necessary resources are put into pre- increases an organization’s capability to shops on the subject. It is also supporting the venting further cybercrime. efficiently identify hacking attempts and react airlines through the Civil Aviation CybersePrevention, though, is only part of the solu- to those. Tracing the source of an attack can curity Action Plan. Also Information Sharing tion. Firewalls are not enough on their own. yield valuable information and potentially and Analysis Centers are coming online in Rather, experts now lean toward detection as limit damage. the United States and Europe to promote an a surer method of regaining the advantage over open cyber culture. cyber criminals. Organizational issue Ultimately, passengers cannot lose trust in The reasoning is simple: a hack is a one-time Technological solutions are essential and the aviation system. And each player in the event. One opening, exploited once. System de- improving all the time. Software-designed- value chain is dependent on the other to be fences, on the contrary, must work every second networking, for example, will provide secure. Airlines need airports and air traffic of every day. If you only consider prevention, flexibility and control over Internet traffic management. In an interconnected world, attacking is simple, defending is hard.
flows.
cybersecurity is the cost of doing business.
W W W. I A T A . O R G