Cyber-security is a very hot topic. A week does not go by without some large and important entity being hacked. This impressive array of entities included the NYSE, United Airlines and the US Government, all within the same week. This does not give anyone a sense of comfort and safety. And the news is getting worse.
The United hack, we now learn, has been traced. That trace leads back to China – of course. Please follow the link to see just how significant the Chinese hack was.
For our readers, the most relevant story will be the United Airlines hack. Bloomberg states “Among the cache of data stolen from United are manifests.” While the airline believes there is no connection between the hack and a July 8 systems failure that halted flights for two hours, United also did not rule out a possible, tangential connection to a systems outage on June 2.
Bringing down a global airline has massive disruptive impacts. The trickle-down impact reaches far and wide – cancelled flights leave passengers away from where they need to be, and re-booking those displaced is difficult. The loss of productivity is substantial. Operationally, flight crews also may run afoul of time limits and often can’t be replaced easily because they are located in places they were not expected to be.
What this case illustrates is what can happen in a post 9/11 world – where you don’t have to destroy people and equipment – to make a point. Business today depends on computerization and, truthfully, without computers we can’t accomplish key tasks.
Cyber-security threats are one thing. But negative impacts from IT do not have to be malicious. In April of this year, American Airlines saw 70 flights delayed because of an EFB software update issue, in which the system didn’t know how to handle two charts, one effective through the next day and the other effective the day after. Even inadvertent system errors cause difficulties.
In discussing the cyber-security problem faced by commercial aviation with industry participants, it quickly becomes clear how significant this issue is. Take, for example, an aircraft manufacturer. We live in a world where parts and pieces come from across the globe. Some vendors are small firms with 50 or fewer employees making a specific part. If an attack is planned and a perpetrator wants to go unnoticed for as long as possible, such a small firm is the place to begin. Infect their network and, sooner or later, a virus or some other Trojan can work its way upstream. Almost certainly the IT infection will be able to travel far and wide before it hits a cyber-screening. There is also the possibility of viral transfers using USB drives, which is probably the easiest way to infect a network. Most cyber infections, we understand, come from within a network – and a USB drive is perfect for that. The key is keeping threats out of aircraft, flight control computers, air traffic control, and other systems so that things continue to function normally.
We’ve heard much about the benefits, but little about the risks of the “Internet of Things”. Commercial aviation is rapidly moving towards e-Enabled aircraft, essentially IT devices that communicate. The result is an enormous amount of data flowing to and from aircraft. Since hackers love to foul-up data, this is a manifest area of concern. What is the industry going to do to ensure this data flow has a prophylactic? In addition – whose data is it? Does the airline own the data? Or perhaps an OEM? How about the lessor? Industry needs to know where the responsibility lies. Insurance companies want to know this because they are also at risk.
We foresee new capabilities emerging within the next two years devoted to protecting commercial aviation and its growing data flows. These capabilities will be both strategic and tactical.
On a tactical level, every firm in the supply chain will have to deploy cyber-security to protect its network. This protection will have to meet a certain standard, likely to be set by the OEM at the top of the supply chain. In fact, it is likely that the OEM will dictate the solution each firm must deploy to stay in the supply chain, ensuring consistent standards all the way through. How this cost will be recovered is unclear. Smaller suppliers may find this far more expensive than they can afford or recover in a satisfactory time frame. It is likely to get messy. But one infected sensor or computer could put an aircraft at risk.
On a strategic level the supply chains are going to have to regularly deploy simulated cyber-security “war games” to test their networks. United Airlines recently did something like this and rewarded hackers with miles for travel when they found holes in its network. But that hasn’t stopped problems.
Because threats to large IT systems (whether at an airline with global site network nodes, or an OEM with global suppliers acting as network nodes) will continuously evolve, the cyber solution will also have to continuously refine and evolve. Given the vulnerability of IT systems and the dependence on them, every firm in the commercial aviation business may soon need substantially larger IT budgets. There really is nothing that can be done about this threat that will avoid having to pay for better security software, tools, processes and procedures. The alternative is too disruptive to risk.
Major players in the industry have begun to address many of these issues, quietly and behind the scenes. There have been attacks that have been thwarted, and a couple of near misses as well. While the industry has begun to pay attention to the issue, the response is fragmented, uncoordinated, and hasn’t yet closed all of the potential holes in e-enabled aircraft systems.
Fortunately, the need for more attention is coming at a time when fuel costs have dropped, allowing airlines to afford the initial upgrades they need to put in place. But the firms in the OEM supply chains have massive backlogs to work through and may not have the funding to handle this because their cash flow depends on deliveries. Improving cyber-security while satisfying OEM requirements for lower costs could place an additional strain on the supply chain that produces e-Enabled components.
New tools are being developed to address these issues, including software that can detect potentially malicious code and prevent its installation on computers. But between the aircraft and the ground, there are a lot of computers and a lot of access points to protect.
Of course, the airplane isn’t the only potential source for an attack. Infrastructure, like air traffic control systems, real-time weather feeds and any element that impacts airline operations can also be at risk. Today, we don’t have a comprehensive framework to fully address these issues.
The solution, of course, is for the industry to develop a comprehensive framework before an unfortunate event occurs. In October we are co-hosting a cyber-security conference over one and a half days in Washington DC. Additional details may be found here. This event will bring together experts from industry and government in a closed-door session to determine how we can better address the emerging threats on air transportation and the economy.
Solving cyber-security issues won’t be easy. But it begins with awareness – of the threat, of the potential impact, and of the risk mitigation and countermeasures that are available, both technologically and managerially, to combat them.