Takeaways

Cybersecurity attacks can result in the loss of data, disrupt an airline's core operations and seriously disrupt the safety of flights.
As the industry responds to the threats, there is currently no uniform benchmark standard(s) or regulation for bodies to aim toward.
Airlines should create harmonized, coordinated approaches across the entire airline, including all geographies, business units and the supply chain.

Given the catastrophic impact an attack could have on an airline, cybersecurity is the airline industry’s most critical issue. Even as cyber risks have become a standard item on the agenda for boards, the risks associated with a cyberattack on an airline present a whole new level of concern.

Pillsbury attorney Brian Finch has cited a number of cyber incidents in the industry. Loss of data such as customer records, financial details of customers or sensitive details about company revenue is of paramount concern. An attack could also impact an airline’s core operations, as cyberattacks can seriously disrupt the safety of flights. The Legal 500’s recent study on cybersecurity underscores this trend, stating that a minimal technology response is no longer sufficient.

Airlines face a specific challenge that heightens their cybersecurity risk: the incredibly diverse nature of their business in terms of geography, business lines, complex public and private systems, and significant interfaces with other bodies in the industry.

This is an environment with many access points and potential points of weakness. As members of Boeing’s cybersecurity team have said, “pervasive and instantaneous network connectivity, once limited to IT environments, is now a part of the global aviation culture.”

As the industry responds to these threats, there is currently no uniform benchmark standard or regulation for bodies to aim toward.

Regulations and Standards in the Sector

  • At a regulatory level, there are some principles of general application primarily in relation to the security of data; however, they are of very general and high-level application, and not specific to the industry.
  • From a standards perspective, there are a variety of initiatives: Aircraft manufacturers are providing guidance on best practices. But these only go so far, and none of these initiatives offer a silver bullet in light of the risks posed.

The risks presented were possibly best summarized by Adrian Kubicki, spokesperson for LOT Polish Airlines, in the wake of the airline's DDoS incident: “[LOT is using] state-of-the-art computer systems, so [this event] could potentially be a threat to others in the industry.”

Specific Steps to Take

For each individual airline, the key to minimizing cyber incidents, and therefore losses, is implementation of a harmonized, coordinated approach across the entire company, including all geographies, business units and the supply chain.

Specific coordinated activities across an airline should include:

  • Central determination of technology standards, policies and procedures to be applied across the IT environment, including the airline's own-hosted environment and any third-party hosted systems.
  • Full audit of existing IT systems, with assessment of coverage gaps and overlap and of compliance with the new standards.
  • Review of supply chain arrangements across the organization, with contract risk transferred to third-party suppliers, as appropriate.
  • Establishment of internal governance to proactively and reactively address cybersecurity issues, from the C-level executive (whether the Chief Risk Officer or another officer tasked with this responsibility) down through the organization without gaps, as well as compliance teams that work proactively with local regulator(s) to help shape and drive the legislative framework that is inevitably being developed in this space.
  • Focus on employee and consultant arrangements—including training, screening and vetting—and authorization and access permissions.

Upfront planning will certainly help to limit damage should a breach occur, but it can do far more. It can help avoid or minimize regulatory sanctions, enhance the airline’s reputation, raise passenger trust, and most important, improve safety.
