Four Threats To Aviation Security – and Four Responses

From terrorist attacks to geopolitical posturing, if there is one industry that tends to find itself dragged onto the frontline of global security and cyber risks, it is aviation.

While flying has always been one of the safest ways to travel, thanks to its wide-ranging international regulatory frameworks, aviation incidents have an outsize impact on the public consciousness. From recent airport attacks in Brussels and Istanbul to the shooting down of MH17 over Ukraine, horrifying images are more powerful than reassuring statistics.

Emerging technologies, the changing character of war, a widening cast of actors and growing reliance on cyber are changing the nature of the threats – creating pressure on the industry to make sure it maintains its safety level, with the number of air travellers projected to nearly double in the next 20 years.

Here are four ways in which the likely evolution of the international security landscape over the coming years will affect aviation – and four recommendations for how the industry should react.

The threats

1. Technology is rapidly democratizing the ability to inflict large-scale damage. Attacks that would once have been within the purview of only a few major states are becoming conceivable for a much wider range of non-state actors and individuals.

2. The merging of cyber and physical creates new vulnerabilities. The democratized capacity to wreak large-scale havoc is closely related to the merging of the virtual world with the physical: increasingly, remote attacks can cause serious real-world disruptions.

Many systems in civilian aviation are potentially hackable: reservation systems, flight traffic management systems, access control management systems, departure control systems, passport control systems, cloud-based airline data storage, hazardous materials transportation management, cargo handling and shipping.

And that’s before we get to computers on aircraft – flight control systems, GPS-based navigation systems, fuel gauges and fuel consumption systems, maintenance computers, and so on. The potential points of cyber vulnerability in aviation are many and growing.

3. As computers do more, human skills erode. Alongside militaries and self-driving car makers – as brought into focus by the recent death of a Tesla driver using “Autopilot” mode – the aviation industry is grappling with the “paradox of automation”.

Automated systems are becoming able to handle more and more situations, meaning that humans need to step in only when something unusual and unexpected occurs. But when humans have less opportunity to practise and hone their skills, they become less and less capable of reacting quickly and appropriately in crisis conditions.

Increasingly, researchers are realising that the most vulnerable points in many systems are those at which humans interact with automated procedures.

4. Aviation remains a high-value target. Whether between nation states or also involving non-state actors, modern conflicts are increasingly not confined to conventional battlefields – they tend to spill over into civilian domains.

As civilian aviation is so critical to the smooth functioning of economies – and as aviation-related incidents have such an impact on the media, especially with new technologies enabling the rapid spread of information and misinformation – it is likely to remain an enticing target for attackers who want to cause maximum disruption.

The recommendations

1. Too much compliance can be a bad thing. There is still a tendency to focus safety efforts on compliance with existing regulations. However, as regulations tend to take time to reflect awareness of new vulnerabilities, this can lead to evolving threats being overlooked, impairing preparedness.

2. Companies should think like attackers, not defenders. The best way to prepare for tomorrow’s attacks, rather than merely prevent a repeat of yesterday’s, is to think like an attacker.

In the cyber domain, much of the industry could still do much more to work with “white hackers”, who can help them identify and re-frame their understanding of vulnerabilities.

In the physical space, too much still hinges on experiences and not enough on scenarios. Often the response to one attack is to change security procedures in a way that merely shifts the vulnerability. Adding another security checkpoint doesn’t help if it creates queues before the checkpoint which are vulnerable to an Istanbul- or Brussels-type attack.

This is not a new observation. A 2003 study by RAND on “Designing Airports for Security” found that reducing baggage drop waits from 15 minutes to one minute could halve casualties in a bomb attack. But much more attention is still typically paid to tightening security checks than to reducing the crowding that can happen before them.

3. Cooperation on security concerns, in the physical and cyber domain, makes everyone stronger. Individual companies need to avoid seeing their own resilience against attacks as a source of comparative advantage: that creates the potential for individuals with malicious intent to shop around for the weakest link, and any successful attack undermines the sector as a whole.

While aviation players are typically aware of the need to share their discoveries on previously unknown vulnerabilities and best practices for dealing with them, especially in the cyber domain, there is nonetheless a need for better mechanisms to facilitate this collaboration.

4. We need to rethink border security for the digital age. Although attacks can increasingly be mounted remotely, aviation safety is still improved by better knowledge about passengers – and the current approach to cross-border movement is decidedly 20th century.

Much more could be done to manage risks while also creating a more seamless travel experience through facilitating what some have coined a “global trusted traveller programme” to expedite secure cross-border movements, establishing standards on the sharing and use of data, traveller analytics and border controls – for example, ensuring speedy and universal flagging of travel documents reported as lost or stolen. This could also be an important part of the process of addressing the challenges above.

The travel industry overall, and the aviation industry in particular, is at a crossroads. With security concerns intensifying, the security of flying increasingly depends on cross-industry and multistakeholder dialogues and collaboration to tackle new and shared vulnerabilities.

Anja Kaspersen is Head of International Security, World Economic Forum

WEF
