The Aviation Industry and Cyber Risk – SecurityScorecard Report

The aviation industry is a marvel of complexity, coordinating intricate schedules, unpredictable weather patterns, and the seamless flow of information across digital networks. From customer interactions to internal communications, the industry’s reliance on these digital systems is paramount for maintaining ongoing and reliable operations. Ensuring the cybersecurity of these systems is thus critical. With news today that Delta estimates the CrowdStrike outage will cost the company $500 million, this digital dependence is ever clear, as is the danger of system failure.

With this reality established, one report is worth noting. SecurityScorecard researchers conducted an in-depth analysis of cyber risks within the aviation industry. The study, The Cyber Risk Landscape of the Global Aviation Industry, 2024, focused on airlines and their associated vendors, including manufacturers, ground-handling service providers, and aviation-specific IT providers. Historically, the aviation industry’s security measures have prioritized physical risks. However, the recent findings underscore the urgency of integrating cyber risk management into the industry’s safety protocols. Following is our summary; a link to the full report is here.

New Regulations

In response to growing cybersecurity concerns, regulatory bodies have introduced new measures. In the U.S., the Transportation Security Administration (TSA) implemented cybersecurity requirements for airports and airlines in March 2023. Similarly, the European Union’s Implementing Regulation 2023/203, which will take effect in 2026, aims to enhance information security risk management in aviation.

Key Findings

Security Scores

The report reveals that the aviation industry, on average, receives a “B” grade for cybersecurity. Airlines generally have higher security ratings than other sectors within the industry, such as manufacturers and aviation-specific IT vendors. However, these vendors still pose significant third-party cyber risks to airlines.

Application Security

Application Security is identified as the top weakness in the aviation sector’s attack surfaces, with issues like HTTP usage in redirect chains and missing attributes in session cookies being prevalent. These vulnerabilities significantly impact overall security scores.

Third-Party Breaches

The analysis shows that third-party breaches are a critical concern. For instance, aviation-specific software and IT vendors have the lowest security scores, making them high-risk entities for airlines. The study highlights that software and IT products are responsible for up to 75% of third-party breaches across all industries.

Publicly Reported Breaches

7% of the organizations in the study sample had publicly reported breaches in the past year. Additionally, 17% had at least one compromised device, and 3% had both breaches and compromised devices. This indicates a substantial risk of cyber incidents within the industry.

Impact of Third-Party Breaches

Despite higher security scores, airlines experienced 4% more breaches and compromises than the industry norm. This discrepancy is attributed to the lower scores and higher risks posed by their vendors.

Performance Correlation

The report establishes a correlation between security performance and industry rankings. Airlines with the best performance ratings from industry analysts and consumer publications also have above-average security ratings. Interestingly, budget airlines perform nearly on par with full-service airlines regarding security scores.

Ransomware Threats

Ransomware remains the top cyber threat to the aviation industry. Incidents involving ransomware often result in the theft of passenger data, used either for financial fraud or intelligence purposes.

Methodology

SecurityScorecard’s research compiled a sample of 250 organizations, including top-rated commercial passenger airlines, aircraft manufacturers, aviation services providers, and aviation-specific software and IT vendors. Each organization’s security score was evaluated based on its attack surface signals, with a detailed analysis of the lowest-scoring security factors and specific issues impacting their scores.

Cybersecurity Recommendations

Prioritize Software & IT Vendors

Airlines should focus on managing third-party risks associated with software and IT vendors. These vendors pose significant risks due to their lower security scores and higher likelihood of enabling breaches.

Comprehensive Third-Party Risk Management

Third-party risk management should extend beyond vendors to include customers and other partners. This comprehensive approach is essential for mitigating risks from all potential sources of cyber threats.

Improve Application Security and DNS Health

Special attention should be given to enhancing application cybersecurity, particularly addressing vulnerabilities in session cookies and ensuring robust DNS health. Implementing secure attributes in session cookies and maintaining SPF records can significantly reduce the risk of cyber attacks.
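
The session-cookie, redirect-chain and SPF weaknesses named in the findings and in this recommendation can all be checked from response headers and DNS TXT answers. The following is an added example, not code from the report or from SecurityScorecard; the function names and every sample input are constructed for illustration, and it runs offline on values you have already collected.

```python
# Added example: offline checks for cookie attributes, HTTP hops in redirect
# chains, and SPF records. All sample inputs are constructed.
from urllib.parse import urlsplit

def cookie_issues(set_cookie: str) -> list[str]:
    """Return the security attributes missing from one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    # parts[0] is name=value; the rest are attributes, some without a value.
    attrs = {p.split("=", 1)[0].lower(): (p.split("=", 1) + [""])[1].lower()
             for p in parts[1:] if p}
    issues = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
    # Browsers reject SameSite=None unless Secure is also present.
    if attrs.get("samesite") == "none" and "secure" not in attrs:
        issues.append("samesite=none-without-secure")
    return issues

def insecure_hops(chain: list[str]) -> list[str]:
    """Return every URL in a redirect chain that is fetched over plain HTTP."""
    return [u for u in chain if urlsplit(u).scheme.lower() != "https"]

def spf_issues(txt_records: list[str]) -> list[str]:
    """Check a domain's TXT records for a single, enforcing SPF policy."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records (receivers return permerror)"]
    terms = spf[0].lower().split()
    if any(t.startswith("redirect=") for t in terms):
        return []  # policy is delegated to another domain; check that one
    if terms[-1] in ("all", "+all"):
        return ["'all' mechanism passes every sender"]
    if terms[-1] not in ("-all", "~all"):
        return ["record does not end in -all or ~all"]
    return []

# Constructed sample observations for one hypothetical booking site.
SAMPLE_COOKIES = ["SESSIONID=abc123; Path=/",
                  "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]
SAMPLE_CHAIN = ["http://booking.example/", "https://booking.example/",
                "http://www.booking.example/login", "https://www.booking.example/login"]
SAMPLE_TXT = ["site-verification=constructed", "v=spf1 include:_spf.example.net ?all"]

if __name__ == "__main__":
    for c in SAMPLE_COOKIES:
        print("cookie:", cookie_issues(c) or "ok")
    print("http hops:", insecure_hops(SAMPLE_CHAIN))
    print("spf:", spf_issues(SAMPLE_TXT) or "ok")
```
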

Protect Intellectual Property and Passenger Data

Organizations must prioritize protecting high-value assets such as aerospace intellectual property and passenger data. Enhanced security measures around these assets can help detect and prevent attempts to compromise them.

Avoid Paying Ransoms

While paying ransoms may seem like a quick fix, it comes with significant risks, including the possibility of not recovering data and encouraging further attacks. Legal advice should be sought before considering ransom payments.

Conclusion

The aviation industry’s cybersecurity landscape is complex and fraught with challenges. By prioritizing third-party risk management, improving application security, and protecting critical assets, the industry can enhance its resilience against cyber threats and ensure safer aviation operations in an increasingly digital world.

Source: The Cyber Risk Landscape of the Global Aviation Industry, 2024.