Ilyas Mansha, Managing Director of LeapTronx, explores the challenges facing aviation and explains the importance of aligning boards, organisations and suppliers to help mitigate cyber risk.
Air travel is considered one of the safest modes of transportation. Many hours of expert training, advanced technology, control and navigation systems play a key role in making sure that risks to passenger safety are significantly reduced. As with every industry, the aviation sector has undergone significant transformative steps in using digital services. There are innumerable benefits to flight operations, maintenance, cost reduction, automation of passenger services and enhanced security measures. However, there are also a number of growing risks that demand increased awareness and mitigation.
Digital change in aviation
Aircraft and airport technology has continued to adopt the Internet of Things (IoT) and indeed the Internet of Flying Things (IoFT), a heavily connected and always-on sensory ecosystem. An example of this would include an aircraft automatically connecting to a gate on arrival for upgrades to its software and better diagnostics of issues onboard.
Airports have also been transformed. Air traffic control systems which were previously designed to be handled manually have now been entirely digitised. In some cases, air traffic control system operators are not even required to be present at an airport as supporting systems can function remotely.
The nature of aircraft will also evolve in the future to being entirely automated. In 2016, Uber published a paper on a project called Elevate. The paper outlined the feasibility of an on-demand aviation transportation system. Subsequent annual Elevate summits which the company hosted from 2017 to 2019, helped advance the concepts of Electric Vertical Take-Off and Landing (eVTOL) aircraft and Urban Air Mobility (UAM). These claim to offer an Uber style air taxi service. Most importantly, these aircraft will rely entirely on technology to implement safe travel.
Airlines have been heavily investing in digital self-service due to the cost pressures of low-cost carriers. This is most evident in the growing popularity of self-service apps.
Economic growth, politics and consumer needs continue to impact the direction of the sector. Security is also a vital element when it comes to addressing aviation’s future challenges.
Challenges as a result of automation
As we rely more on automation, we need to be cognisant of the risks, including loss of data, misinformation, spoofing and critical system failure.
In terms of aviation cyber security, in the UK the Department for Transport sets the strategy, the CAA provides regulation, the National Cyber Security Centre (NCSC) supports critical national infrastructure and the Information Commissioners Office (ICO) upholds the information rights of citizens and enforces data protection regulation.
The industry has invested in guidance, standards and regulation for cyber security. However, this needs to cascade down across a complex ecosystem of manufacturers, airlines, airports, operators and niche suppliers. This ecosystem of organisations, for just a medium sized airport, could run into hundreds of different entities.
The Network and Information Security Directive 2 (NIS2), applicable for Europe, came into force in January 2023 and requires not only providers of critical services but also their suppliers to comply with certain requirements.
Another challenge is that an aircraft on average has a lifespan of about four decades. During this period, it needs to be maintained and kept secure from vulnerabilities whilst technology continues to expand faster. Refreshing an aircraft’s systems may take months.
Be part of something bigger, join BCS, The Chartered Institute for IT.
As we know, there is a significant shortage of experienced cyber security professionals in all industries globally and aviation has not been the domain of choice for cyber professionals. Skilled professionals are essential to help the industry keep pace with evolving threats from adversaries seeking to exploit systems. As these systems become more connected to the outside world the risk of contagion from malware cannot be ignored. The aviation industry competes with other sectors for cyber security expertise, and Gartner predicts that by 2025, lack of talent or human failure will be responsible for over half of significant cyber security incidents.
Shoots of hope
As someone who has spent most of his career with critical national infrastructure clients on the front-line and across many sectors. I would say that aviation has a few competitive advantages. I see the following:
- The extent of international cooperation is astonishing and exemplar for other industries. The infrastructure to build an understanding and communication required across a truly global and moving supply chain is firmly established. This is necessary for technology operability, safety and the very nature of the industry. This provides a strong backbone for information sharing across the ecosystem. There is also an aviation Information Sharing and Analysis Centre (ISAC) community
- Heavy focus on safety, standards and regulation. Safety is high on the list of priorities for those working in this industry. This is very important in aligning with a good cyber security culture as it leads to a better spatial awareness of hazards and risks
- A culture of deep reflection on past incidents or near misses. The industry has an established framework for independent analysis of previous incidents and a history of learning from the past. We have benefited in our lifetime from lessons learnt from prior incidents. A part of this is a culture of logging of events (Blackbox) which can used for further analysis. Again, this type of self-reflection for betterment is an important attribute for handling the cyber challenge
- Threat awareness is high. The industry has had to deal with physical threats and changing techniques from attackers, for example, hostage scenarios, 9/11 and the use of liquid bombs onboard planes. The industry has reacted to change and put in place mitigating measures with agility. This is a positive attribute
- Crisis management and incident response. The aviation sector has a culture of business continuity and resilience. There are often contingency processes identified for many critical scenarios
The way forward
The industry is evolving fast. My message to the senior leadership and c-suite is that transformation needs to be tied with security as an enabler. Stable security foundations and hygiene will increase resilience and consumer confidence and accelerate successful transformation opportunities and overall safety. A higher standard of cyber hygiene should be demanded from partners and suppliers, so that a culture of security becomes normal. In the UK, according to the responsibilities outlined by the Department of Transport, the board are, amongst other things, responsible for knowing about the security risks to their critical assets.
Those responsible for leading transformation should consider security at the very inception of new systems and designs. This is referred to as ‘Security By Design’. This should include threat modelling of systems. Building security in from the outset is proven to be cost effective, but also important to the behavioural psychology of an organisation. Whilst some in cyber security would encourage you to spend more on cyber — and that might be necessary in some instances —my perspective is different. I believe we should spend smartly, re-training and fusing teams with cyber, tech and practical industry experience. This would better help the aviation industry navigate its future challenges.
LeapTronX is collaborating with aviation leader INK+ and their partners to address this challenge for the future. Ilyas would very much welcome further dialogue on this topic.