Aviation safety rates are among the highest in transportation, according to the International Air Transport Association (IATA), with nearly 4.1 billion travelers flying safely on 41.8 million flights, in 2017. While incidents do occur, aircraft system improvements, such as enhanced weather radar and improved situational awareness have made a significant difference in the safety of flight. The processes and procedures put in place throughout the industry have contributed to this, making air travel in the U.S.- and globally – one of the safest methods of travel.
While the safety of an aircraft is still a top priority, the industry, which has been working on cyber protection as a certification since the early 2000s, now has to consider how to protect against a new threat, as hacking activities become more common. As aircraft become more connected, cybersecurity threats have expanded and can impact the entire aviation ecosystem, from making travel reservations, through the airport check-in and screening process, all the way to the aircraft and the communications between air and ground.
Cybersecurity is one of the hottest topics of conversations in the industry, which was evident at the Farnborough Airshow 2018, where airline executives were looking closely at cyber threats in the air as well as on the ground. In the aviation industry, there are critical computer systems that allow for data and communications to be delivered between ground and flight operations. As the industry relies heavily on these systems, cybersecurity has quickly become a focus for aviation leaders as a pending threat impacts the safety of flight, efficiency of the system, and reputation of the industry.
Akbar Al Baker, Group Chief Executive of Qatar Airways was recently interviewed at Farnborough, saying that while no one in today’s modern world of the Internet can be one hundred percent secure against attacks, “we have systems within the airlines to mitigate hackings.”
Yet, it’s not only airlines that are concerned with pending threats. Airports also have many vulnerabilities that would impact the travel experience if hacked. Dominic Nessi, a senior aviation consultant and founder of AeroTech Partners concurs. “If you are an airport executive, you may be wondering what it takes for your organization to become completely cyber-secure. Well, the first thing to understand is that you can never be completely cyber-secure,” he wrote in a recent blog post. “Even if you could figure out how to do it, it would be short-lived, as the technology environment changes daily at the same time that new vulnerabilities occur, and new threats emerge.”
The ongoing connectivity of systems means more access points and vulnerabilities. Today’s connected aircraft has data constantly traveling between the aircraft to air traffic controllers for flight paths and weather updates, or between the aircraft to the manufacturer for maintenance details and more. Now in the cabin, each passenger also opens up a new access point as they connect into Wi-Fi with their own devices. So how do aviation leaders protect against the latest threat?
Joel Otto, Vice President of Strategy and Business Development for Rockwell Collins Information Management Systems business unit, noted that the standards and process that have been used for safety are being used in a similar fashion for cybersecurity.
“We need to think about cybersecurity as a parallel process to safety.” Otto stressed that cybersecurity solutions can not be a one-and-done checkbox, but rather a lifecycle process that is built into the product or system. While there are many legacy aircraft where security wasn’t thought of from design and conception, any new upgrades or retrofits are done with cybersecurity in mind. And he noted that every new aircraft has security built in and designed from the start.
The aviation industry also has the benefits of decades of safety experience, training, and process in place. While there might be a cyber threat that occurs while in the air, having highly trained pilots that are interacting with the systems can lessen the impact. “What sets us apart are the checks and balances that are already in place from pilots to air traffic controllers, to independent maintenance and more,” Otto told us. “If a flight path doesn’t seem right or a system seems off, one of those many checks and balances would say something. The highly trained human factor adds in another layer of mediation and process to protect against a cyber attack.”
As the industry looks forward, now is the time to take the mandates, certifications, and minimum requirements for safety, which have made air travel one of the safest methods of transportation in the United States, and apply it to cybersecurity, according to Otto. “Having a minimum requirement of security protocols in place allows for manufacturers to demonstrate that they are building safe and secure systems.”
As new threats emerge, Otto said there should be a process in place to identify the new threat, understand the risk, monitor and mitigate. “It’s not significantly different than what we do for safety where we monitor critical pieces of equipment and if they operate outside of certain thresholds, we alert the pilot or reconfigure the system to address the issue.”