FLYING INTO THE FUTURE
PASCAL BUCHNER, ITS DIRECTOR & CIO, IATA, TALKS ABOUT THE MOST PRESSING ISSUES AFFECTING CYBERSECURITY IN AVIATION.
What is the nature of cybersecurity challenges in the aviation sector? Is it the same as other industries?
It is not the same. An aircraft’s integrity is even more critical because you are subject to regulations or what we call airworthiness. The biggest challenge we had to address two years ago was the arrival of e-enabled aircraft with lots of operational technologies, and we had to guarantee the same level of safety as what we have today. Now, the introduction of new planes is slowing down due to the pandemic. At present, one of the concerns is the protection of passengers’ data privacy, especially with the presence of medical staff to allow people to board aircraft. We have to make sure that regulators will not penalise airlines in the event of a data breach. However, this is a temporary risk as a result of Covid-19, and the long-term risk is to maintain the integrity of aircraft and address any interference from bad actors; it is not just the command and control system, but you have to ensure all the feeds coming into an aircraft from sources such as traffic management systems are protected. The regulators are increasing cybersecurity obligations that airlines must comply with. For example, in Europe, IACA is working on a cybersecurity regulation that will be mandatory by 2023.
Do you have a framework to assess the cybersecurity posture of an aviation organisation?
There are a couple of cybersecurity frameworks, and one that is mandatory is from ICAO, which is the organisation that governs civil aviation authorities in every country. Another advanced guidance is the CAF (cyber assessment framework for aviation) from the UK Civil Aviation Authority. We are working with ACI, ICAO, and IATA on the cybersecurity best practices, and all of us advocate the same thing – you need to have a 360 approach to cybersecurity and address all aspects of it, including people, culture, leadership, and open and transparent communication about vulnerabilities. When it comes to cybersecurity frameworks, the aviation and automotive industries lead the space because of all the automation we have in vehicles now.
Is it going to be one single standard framework for cybersecurity?
Yes, because you have to include the whole supply chain. Airlines can’t implement something without airports and air traffic management doing the same thing. If one level is weaker, it will lead to vulnerabilities.
Isn’t cybersecurity a big challenge for smaller airports?
It is a challenge not just for smaller airports but airlines as well. When you are a major airline with a large fleet and significant resources, your cybersecurity maturity is higher than a smaller airline with fewer than ten aircraft. This is why we both – IATA for airlines and ACI for airports – provide guidance to our members on what they need to do to improve their security posture. We will validate or give accreditation to service providers to implement the framework for smaller airports and airlines without the required resources. We will also provide training to our members to develop awareness around what they have to implement.
The pace of digital transformation in the aviation sector has accelerated. Is cybersecurity keeping pace?
We are lagging because bad actors are always ahead of us; it is a catch-up business. They have better communication and are more innovative, but we are closing the gap. Finally, we are starting to understand them, and we have realised that the main challenge before us is communication and information sharing. Now, we have the structure to share sensitive information to understand what the threats are and ways to mitigate them.
Do you work closely with the security research community?
We are advocating that we have to be more open to the research community, and our vision is to manage cybersecurity with transparency. It is true that our industry is sensitive about bad press, and in the past, there have been some instances where things have been blown out of proportion by the research community. We’d found vulnerabilities thanks to researchers, but they were not critical or couldn’t have been exploited. But what we saw in the press was totally different, with some researchers claiming it could be used and weaponised. It was science fiction. We are open to working with researchers, but they will have to come to us when they find a vulnerability and give us some time to fix it before going to press.