World Economic Forum on Securing the Aviation Industry in the Age of Convergence

Aviation Cybersecurity

World Economic Forum Calls for Global Collaboration to Enhance Cyber Resilience in the Aviation Industry


The aviation industry is unique. While going through the same digital transformation as other businesses, it is global by nature, transcends multiple jurisdictions, and must collaborate internally with its own competitors.

Nevertheless, it is a hugely successful industry. According to the International Civil Aviation Organization (ICAO), the 4.1 billion passengers transported in 2017 are expected to grow to around 10 billion by 2040, while according to the International Air Transport Association (IATA), 35% of world trade by value is transported by air cargo, equivalent to $6.4 trillion of goods. It is a critical industry — critical for both local national security and the global economy.

The World Economic Forum (WEF) believes that the success — and safety — of the aviation industry is largely down “to the successful balance between regulatory and risk priorities.” But times, prompted by the Fourth Industrial Revolution and digital transformation, are changing; and WEF notes, “as technology is changing, so are the priorities of aviation stakeholders and more work is required to ensure optimal resilience.” And this is without the additional complications of new technologies such as unmanned aerial vehicles (drones).

Put simply, aviation is facing the same problems that all companies face when information technology and operations technology (OT) merge — but perhaps with higher stakes. If cybersecurity fails non-systemically (say, in an airline), lives could be lost. If it fails systemically (say, in one or more airports or air-spaces), a cascading effect could rock the global industry, adversely affect public confidence, and damage the global economy.

Against this background, WEF launched an initiative in January 2019 designed to improve cyber resilience in the aviation industry, and has now published the first major output from this initiative: Advancing Cyber Resilience in Aviation: An Industry Analysis (PDF). The work involved interviews, surveys and workshops with industry participants, trade associations, regulators, air navigation service providers, airlines, airports and OEM manufacturers as well as ICT and insurance businesses working with and supporting the industry.

“The end goal,” says the paper, “is resilience, which we define as the ability to quickly and efficiently identify and minimize the impact of an incident so as to allow an organization to continue its mission as effectively as possible.”

WEF ran its own survey examining the threats, risks and vulnerabilities most affecting the aviation industry. From the results, it “identified three primary domains of focus where collective action can be improved to identify and manage cyber risk.” These areas are ‘people’, ‘capital and risk management’, and ‘technology and operations’.


‘People’ is an important starting point. From the survey into vulnerabilities (taken from incidents experienced over the previous 12 months), human behavior dominates. By far the biggest single vulnerability is phishing, augmented by other social engineering, erroneous data sharing, misuse and abuse of legitimate access, loss or theft of equipment and other policy violations.

Organizations need to focus on people as much as IT systems and infrastructure, says WEF. “The aim should be to not only attract, engage and retain qualified cybersecurity professionals, but also to build a higher degree of ‘cyber IQ’ for all stakeholders and employees in an organization, particularly operational staff interfacing with critical systems.”

In the second area of focus, capital and risk management, WEF warns that there is a misalignment between the security team and the Board. One reason for this is the security team’s over-reliance on qualitative rather than quantitative reporting. Most of the teams use red/green or high/low indicators of risk in reporting to the Board. This, warns the WEF, can easily be misinterpreted. Very few security teams use the more definite quantitative methods such as OpenFAIR, QIRA, LossPIQ and CyberQuantified. This causes the misalignment, which in turn leads to non-optimal budgets — which also feeds back into the ‘people’ issue. How can senior leadership take ownership of the cybersecurity problem if they don’t fully understand or properly budget for what and where it is?
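As an added illustration of the qualitative-versus-quantitative reporting gap described above (example code, not from the article or the WEF paper): a minimal FAIR-style Monte Carlo with constructed scenario inputs and constructed red/green thresholds, showing how two risks with very different annualized loss distributions collapse to the same red rating.

```python
import random
import statistics

# Constructed, illustrative inputs (not from the WEF paper). Each factor is given as
# (minimum, most likely, maximum) and sampled from a triangular distribution.
SCENARIOS = {
    # Phishing leading to account takeover: frequent, modest loss per event
    "phishing_account_takeover": {"lef": (2.0, 6.0, 15.0), "loss_per_event": (5e3, 2e4, 1.5e5)},
    # Tampered maintenance data feed: rare, but a single event is very costly
    "maintenance_data_integrity": {"lef": (0.02, 0.1, 0.5), "loss_per_event": (5e5, 3e6, 2e7)},
}

def tri(rng, lo, most_likely, hi):
    # random.triangular takes (low, high, mode), so reorder the (min, mode, max) triple
    return rng.triangular(lo, hi, most_likely)

def qualitative_rating(likelihood_per_year, impact_usd):
    """Red/green style reporting as the page describes (thresholds are constructed)."""
    likelihood = "high" if likelihood_per_year >= 1 else "low"
    impact = "high" if impact_usd >= 1e5 else "low"
    return "RED" if "high" in (likelihood, impact) else "GREEN"

def simulate_annual_loss(lef, loss_per_event, trials=20000, seed=1):
    """Monte Carlo over one year: draw loss-event frequency, then sum per-event losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = tri(rng, *lef)  # expected loss events this year (simplified: no Poisson)
        n = int(events) + (1 if rng.random() < events - int(events) else 0)
        losses.append(sum(tri(rng, *loss_per_event) for _ in range(n)))
    losses.sort()
    pct = lambda p: losses[min(len(losses) - 1, int(p * len(losses)))]
    return {"mean": statistics.fmean(losses), "p50": pct(0.5), "p90": pct(0.9), "p99": pct(0.99)}

def compare(scenarios=SCENARIOS):
    """Side by side: the single colour a board sees versus the loss distribution behind it."""
    out = {}
    for name, s in scenarios.items():
        rating = qualitative_rating(s["lef"][1], s["loss_per_event"][1])
        out[name] = {"qualitative": rating, **simulate_annual_loss(s["lef"], s["loss_per_event"])}
    return out

if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name}: {r['qualitative']} mean=${r['mean']:,.0f} "
              f"p50=${r['p50']:,.0f} p90=${r['p90']:,.0f} p99=${r['p99']:,.0f}")
```

Both scenarios come out RED, yet one is a steady, budgetable annual drain and the other is a rare tail event that is usually zero in a given year; only the distribution tells a board which one needs capital and which needs controls.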

The technology and operations area of focus is the mainstream problem of convergence between IT and OT. It is a problem faced — to one degree or another — by all organizations engaged in business transformation; but it is particularly severe in aviation. “Compromise of aviation systems resulting in incorrect data flowing between aircraft, aircraft maintenance organizations, airports and air navigation systems could have a critical impact,” warns WEF. If this compromised the safety of an aircraft or airline, public safety and confidence in the industry would fall.

WEF’s recommendations in this area include enforcing security by design in the development of new connected devices and systems; taking a holistic and risk-based approach to defending against and responding to increasingly complex and frequent cyber-attacks; and understanding the concept of ‘shared risk’ and encouraging that understanding in the supply chain.

Key to everything, it says, is “how well the organization manages to integrate security as an inherent part of its DNA.” It’s not as if there are no good security guidelines already available — such as NIST SP 800-30 and ISO/IEC 27005:2018. The problem is “the application of the guidance continues to fall short of what is required to ensure effective defense against cyberattacks.”

Over the course of the next year, WEF will engage “a multistakeholder community to co-design and pilot a common approach and methodology which will be shared with the Forum’s policy community.” In the meantime, the advice shared in this paper — although primarily directed at the aviation industry — will benefit any business in any sector currently engaging with business transformation.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
