Awareness is Key to Aviation Cyber Protection
In September, two House committees held a joint hearing to examine cybersecurity threats to U.S. aviation and industry preparedness. During testimony, Michael Stephens, executive vice president of IT and general counsel at Tampa International Airport, outlined the size and scope of airport operations and the increasing role of technology and its accompanying threats.
“The ubiquitous use of technology has made airports, airlines and global aviation more efficient and has undergirded and facilitated the tremendous growth of global mobility, commerce and connectivity,” Stephens testified. “However, as a result of our increasingly interconnected and technologically dependent world, airports and airlines, like other industries face significant challenges from a looming cyber threat environment.”
These threats range from aircraft hacking, planes disappearing from air traffic control view and GPS jamming to ransomware attacks and other data breaches.
“Cybersecurity issues, if not addressed, are an existential threat to the aviation industry,” said Dr. Gary Kessler, a professor of Cybersecurity at Embry-Riddle Aeronautical University. “This is nothing we are going to fix quickly, but the first thing we need to do is acknowledge the issue and aggressively and proactively deal with it.”
Start at the Top
A recent study of 800 senior executives showed a disconnect between CEOs and technical officers on the frontline regarding cybersecurity issues. While this survey wasn’t aviation-specific, the issue is common among all industries.
Aviation leaders are tasked with keeping the business running, not necessarily being intimately aware of technology. Yet this knowledge can be a powerful resource when it comes to cybersecurity.
"Mid-level managers themselves have to be more acutely aware of cyber threats," said Dr. Kessler. “I think that it has to be infused throughout the organization. The number of cyber threats to any organization, in any industry, is pervasive and is going to continue to grow. We have to make everybody a better cyber-citizen."
This cybersecurity knowledge is vital because it directly impacts the business. According to IBM’s 2018 Cost of a Data Breach Study by Ponemon Institute, the average global cost of a data breach is $3.86 million, and the average cost for each lost or stolen record with sensitive information is $148.
Identify Support
Establishing a cabinet-level chief information security officer who regularly meets with the CEO or president is one way to ensure that security risks are consistently addressed at a high level.
Businesses can also join forces with industry organizations that are actively working to make flight safer and addressing cybersecurity, as well as identify internal cybersecurity threats. IBM’s 2016 Cyber Security Intelligence Index found that 60% of attacks came from insiders, whether unintentional or malicious.
“It’s all about awareness, and making sure that you are not only aware of current threats but how to stay abreast of these threats,” explained Dr. Kessler. “Frequently that means joining organizations that are involved in sharing knowledge.”
Some of these organizations include Aviation Information Sharing & Analysis Center (A-ISAC), Federal Aviation Administration (FAA), International Civil Aviation Organization (ICAO) and National Institute of Standards and Technology (NIST). These groups bring aviation stakeholders together to talk about cybersecurity issues and coordinate efforts.
“Aviation businesses shouldn’t wait for these organizations to give them guidelines,” said Dr. Kessler. “They should actively engage with those organizations.”
Embry-Riddle has unique degree and professional education programs for new and seasoned cybersecurity professionals. The university's offerings include a Master of Science in Cybersecurity Management & Policy, Graduate Certificate in Aviation Cybersecurity Management and Policy, and Aviation Cybersecurity Management professional education short course. Learn more at erau.edu.