[co-authors: Evan Roberts and Ty Lopez]
The boom in passenger travel this year reveals vulnerabilities in the airline industry’s critical infrastructure once again.
Since the widespread availability of COVID-19 vaccines, flights have once again been filled with passengers eager to travel. While the return to normalcy is a major relief for the airlines — air travel in June rose by 400 percent over the pandemic low in April of last year, according to the TSA — it also throws a spotlight on a lingering threat to both the industry and the nation’s infrastructure that’s only grown more dire during the pandemic: cyber attacks.
The rapid shift to digital work, shopping and communication ushered in by the pandemic has brought with it an alarming rise in cyber attacks, and we’ve repeatedly seen the devastating impact that such an attack can have on a company’s operational integrity and reputation. For the aviation industry, which is a key part of America’s critical infrastructure, such an attack represents not just a business risk, but a major vulnerability to the nation’s cyber defenses. And there is growing consensus that airlines in their current state are ill-prepared to defend against such attacks.
A dangerous combination of aging fleets and increased passenger connectivity is creating an attractive target for cybercriminals. As airlines strive to recover from the impact of the pandemic, it’s crucial that they take immediate cybersecurity measures to protect their business, their passengers and the nation’s infrastructure.
A Perfect Storm of Vulnerabilities
The threat of cyber attack is dynamic and constantly evolving. Cybercriminals are always in search of new vulnerabilities to exploit and new tactics to launch their attacks. Yet an overwhelming majority of commercial airplanes in operation today were designed more than a decade ago and still operate using legacy equipment that is not suited to combat today’s cybersecurity threats.
The threat posed by this outdated equipment was aptly demonstrated in 2017 when the Department of Homeland Security was able to remotely hack a Boeing 757 that was still on the ground. And they did so without inside help, using tools that are allowed to pass through TSA security. While updating aircraft hardware and software would help prevent such threats, doing so involves a long and bureaucratic process that can include thousands of hours of testing.
Further complicating the issue is increased connectivity in commercial aviation. Not long ago, passengers were required to power off all mobile devices on a commercial flight. But today, Wi-Fi is available on most flights, and passengers can access on-demand in-flight entertainment through their personal devices. This introduces additional access points that cyber actors can exploit. It also increases the risks to passengers’ personal data.
Though there is no magic bullet, there are steps that airlines can take now to minimize their exposure and mitigate the fallout from cyber attacks.
Adopting a “Crisis Ready” Mentality
Until large-scale fixes can be implemented, airlines need to approach cyber preparedness with a “crisis ready” mentality, much the way they approach crashes or other operational disruptions.
But before airlines develop preparedness plans, they must first work to understand their cybersecurity risk profile. In other words, how would an attack specifically affect their business? Determining this will assist in crafting a more accurate and deployable incident response plan, which will help mitigate damages and ensure reduced business interruption.
Here are just a few examples of questions that airlines should be able to answer in anticipation of a cybersecurity incident:
- What is the escalation protocol if an incident is discovered?
- If necessary, who makes the decision to shut off parts of the network or ground planes?
- Who is responsible for notifying regulatory and law enforcement agencies?
- How should an incident be communicated to customer-facing employees if corporate email is down?
If a significant cyber attack does occur, communicating with regulatory agencies, law enforcement, staff, airports, press and customers in a consistent and timely manner will be crucial — as will knowing who’s on point to do the outreach to these groups. That means designating decision makers and incident response teams now, establishing escalation protocols and identifying alternate means of communicating with stakeholders in case of network disruptions.
Once a cyber-specific crisis communications plan is in place, airlines need to participate in tabletop exercises that simulate a real-life cybersecurity incident. Such exercises can make all the difference in the case of an actual attack, when the company has to operate quickly and efficiently from “muscle memory.”
The Urgency To Act Now
As with any large-scale threat, the most practical way to hedge against this risk is for the airline sector to study previous cybersecurity incidents against critical infrastructure, understand the lessons learned and proactively develop a plan of action to address worst-case scenario events. Though it is incumbent on the aviation industry and the government agencies overseeing it to address cybersecurity vulnerabilities in the long term, it is equally urgent that the individual airlines take whatever steps are available to them now to prepare for the crisis.
It’s a lesson that airlines have learned time and again: Preparedness is not just understanding potential threats. It is having a tested response plan ready, ensuring everyone knows their role and being able to jump into action at any time.