Digital risk in aviation
The aviation industry is as vulnerable to hackers as any other, but new regulation aims to guard against cyber risk.
On 8 March 2014, Malaysia flight MH370 went missing with 239 people on board. To this day nobody knows what happened to it. While there’s no proof that the missing plane was the victim of cybercrime, it is suspicious that the black box and other transmitters stopped working, enabling the plane to disappear completely.
Subsequent to the above incident, an American security firm claimed that a hacker could take over a plane’s flight controls via the USB port that forms part of some airlines’ in-flight entertainment systems.
Which brings us to the thinking behind US President Donald Trump’s ban on passengers from certain countries taking their mobile devices on board aircraft, which was subsequently followed by Britain: it has also been proven possible to hack into the plane’s system using a smart device and the plane’s own WiFi network.
Closer to home, there’s the example of the multi-million rand armed heist at OR Tambo International Airport in March. Security was breached and people had access to information and areas that they shouldn’t have been permitted to access.
While these are extreme examples of the vulnerability of the aviation industry to cybercrime, there are other weaknesses that criminals could exploit that could be hugely damaging to an airline’s ability to carry out business as usual, such as hacking into the ticketing system. There’s a clear need to defend against cyber criminals, whose activities disrupt day-to-day operations, cause reputation damage and, in extreme cases, can even cost lives.
In July this year, amendment 15 to Annex 17 of the ICAO (International Civil Aviation Organisation) standard comes into effect as an official recommendation. Annex 17 is the international civil aviation security standard, and amendment 15 speaks to cybercrime specifically. As per the procedure for ratifying international civil aviation standards, this recommendation is expected to become an ICAO standard within 6 to 24 months. Once it is ratified as a standard, all member states of ICAO will be obliged to pass the standard into local civil aviation legislation. In effect, this recommendation makes it clear to the industry that cyber risk is being taken seriously by regulators. Once the recommendation is passed as a standard and ratified into legislation, it will serve as a minimum compliance requirement to be adhered to prior to any aircraft taking to the skies.
Henry Peens, Associate Director: Risk Advisory Africa, Deloitte, says, “There has been an increase in crimes that have adversely affected the safety of civil aviation, resulting in ongoing updates to legislation around aviation security. We’re seeing a new breed of cyber criminals that are embarking on cyber terrorism and cyber warfare campaigns, and amendment 15 seeks to limit their access to the aviation industry and all of its suppliers.”
Roger Truebody, Senior Manager: Risk Advisory Africa, Deloitte, explains, “Digital innovation in aircraft presents enormous benefits and opportunities for operators but it also creates an opportunity for cyber criminals. So while airlines benefit from innovations such as automated routing, communication with the ground and the ability to detect other aircraft in the vicinity, they also become more vulnerable and exposed to cyberattacks.”
The need for a cyber risk programme is undeniable, and Peens says that various types of cybersecurity processes and controls should be implemented. “Under amendment 15, everyone involved in the aviation industry – directly or indirectly – will have to adhere to international compliance from a cyber security and information security point of view. This affects all supply chain industry partners, and not just the airline carriers themselves.”
The risks that need to be defended against are many, but include theft of intellectual property, financial fraud, reputation damage, disruption to business, threats to health and safety and, as mentioned previously, terrorism.
Truebody says, “If you consider that an aircraft is basically a flying data centre running multiple networks and communication protocols, you can see how it might be vulnerable to hacking. And with the growth of devices such as smart watches and other wearables that can connect to the internet, there definitely needs to be some degree of compliance and regulation.”
The first step in implementing any kind of compliance is to assess and understand the risk you face in the cyber security space; only then can you remediate, says Truebody.
Steps to combatting cyber threats:
- Self-assessment via completion of a cyber capability questionnaire. This is an internal process that the business carries out to determine its current capabilities to cope with a cyberattack. Simply put, how secure is your business?
- Seek confirmation of the above findings through external assessment that compares you to your peers and to international standards and role-players, including a gap analysis and resulting in a set of recommendations.
- Develop a roadmap that’s essentially an action plan to improve the security posture of your environment. The external assessor will provide the recommendations as well as assistance with compliance.
Peens ends off by pointing out, “This could become a key differentiator in a highly competitive space. Prospective customers will be reassured to know that the airline is legally compliant, and this could certainly influence their choice of carrier, particularly for regular travellers.”