Why Aviation Cybersecurity Needs to Level UpPartner, Transportation and Operations at Oliver Wyman Partner, Digital and Financial Services at Oliver Wyman
Many of the biggest players in the aviation industry have extensive cybersecurity in place to defend against hackers, but is that enough? The answer is simple: no.
As we have seen in many recent attacks by Russian state-sponsored hackers and others that have targeted infrastructure industries like aviation, cybercriminals go after the weakest links in the chain to penetrate the larger systems. In March, for instance, the United States Department of Homeland Security and the Federal Bureau of Investigation issued an alert warning of Russian cyber espionage against the nation’s electricity grid and various infrastructure industries, including aviation. The hacks began as early as March 2016, and their access point to critical infrastructure was “peripheral organizations such as trusted third-party suppliers with less secure networks.”
In these assaults, the hackers collected information on how the infrastructure networks were organized and what systems’ controls they had in place. While no sabotage appears to have been perpetrated during the hackers’ two-year tour around the nation’s most critical computer systems, the unsettling question remains: What were the Russians going to do with the data they collected?
More recently, the U.S. and UK intelligence services notified the public that Russian hackers also may be infiltrating home devices with the intent of one day commandeering this army of computers to attack national infrastructure. Again, it’s a stealth war using combatants oblivious to their potential roles.
Holes in Cyber Defenses
The recent attacks suggest that cybersecurity may no longer be a company-by-company concern, but rather a risk management challenge for an entire industry to tackle en masse. This is particularly true for an industry such as aviation. While major aircraft manufacturers and airlines make obvious targets because of the potential they represent to conspicuously disrupt international commerce, they also rank high on hackers’ to-do lists because they maintain global, highly interconnected supply chains that, over the past few years, have been aggressively digitizing operations. More digitization means more attack surface for hackers. The many links on aviation’s supply chain—some big, many small to midsize—all become potential vulnerabilities for aerospace giants, given the daunting task of ensuring that all vendors with access insist on the same level of rigor in both their cybersecurity and their employee training.
In a 2018 Oliver Wyman survey of aviation’s maintenance, repair and overhaul (MRO) industry, responses revealed potential holes in the bulwark. For instance, while 67 percent of respondents said their company was prepared for a cyberattack, fewer than half were able to say whether they had conducted a cybersecurity review in 2017. Only 9 percent of independent MRO providers; 50 percent of airframe, engine and component manufacturers and 41 percent of airlines confirmed that they have established security standards for third-party vendors. That leaves potentially many companies without a clear view into the digital security of vendors, almost all of which maintain credentials to log onto their systems.
Exhibit 1: Which Cybersecurity Safeguards Has Your Company Implemented?
That lack of knowledge can lead to disaster as the Russian infiltrations indicate and as many major corporations have discovered over the past five years. In 2013, for instance, hackers used the stolen credentials of a heating, ventilation and air conditioning vendor to penetrate the network of retail giant Target to steal the data of 70 million customers and information on 40 million payment cards. The cost to Target: close to $300 million.
With an Aim to Create Chaos
While cybercriminals in earlier decades seemed motivated by the money that could be made off of stolen data, recent breaches seem more intent on creating organizational chaos. In June 2017, hackers—believed by the CIA and UK intelligence to be Russian military—attacked Ukraine with software that literally wiped out data and disrupted operations in the banking system, government ministries and metro, as well as at the former Chernobyl nuclear power plant.
From there, the wiper ransomware, named NotPetya, infected computer systems around the world, including those of Danish shipping conglomerate Maersk. This led to serious delays at major ports such as Rotterdam, Mumbai and New York and New Jersey and the temporary shutdown of the largest terminal at the port of Los Angeles. Attacks like these should prompt transportation companies to reassess their level of cyber preparedness.
Exhibit 2: Which Cybersecurity Safeguards Has Your Company Implemented?
To achieve a comprehensive, unified cybersecurity and risk management strategy for the industry, MRO providers should seriously consider taking several actions. First, companies within the industry should conduct independent audits of existing cybersecurity programs. This includes asking a number of questions: Who and what have access to a company’s computer network and infrastructure? Which managers are responsible for each phase of executing cybersecurity protocol? Has a real-time detection process and response mechanism been delineated? Does an oversight process exists to ensure procedures are followed and documented?
Establishing Industry Standards
The industry as a whole also needs to develop a clear framework for mitigating and managing cyber risks. The National Institute of Standards and Technology (NIST) has developed a set of industry-specific standards and best practices intended to be leveraged in designing such a cybersecurity framework. Yet, no clear framework exists for the aviation MRO community today.
Exhibit 3: Which Cybersecurity Safeguards Has Your Company Implemented?
Finally, the industry must work across companies to fortify their information technology systems—both infrastructure and upkeep—and create a security-minded culture. While no solution is guaranteed to avert any and all attacks, developing a holistic approach to the risk management of cybersecurity that’s shared across the industry—and updating it regularly—may give companies a leg up. Certainly, cybercriminals aren’t standing still.