Headline
Fight or Flight: How to Keep Cyberattacks From Taking Off
As industries around the world act to mitigate the increase in cyber threats, the aviation sector should be leading the cybersecurity uprising, explains William “Hutch” Hutchison, CEO of SimSpace.
Source: Allen Creative/Steve Allen via Alamy Stock Photo
COMMENTARY
Over the last three years, the global aviation industry has been left reeling by a post-pandemic sucker punch that hit the sector with over $185 billion in losses. Once a bastion of American prosperity, airlines were forced into survival mode, cutting staff from their workforce and flights from their schedules.
Capital preservation was the default setting for boards across the country, but as the sector emerges from economic instability, CEOs and CISOs want to know where to invest to ensure long-term growth. The North Star of success in aviation continues to be the safety of passengers, systems, and the data they house. For decades, this safety was only challenged by spilled coffee, crosswinds, and external market forces.
The cybersecurity of airlines and manufacturers has opened a new domain of safety crucial for the continuity of flight systems, servers, and communication equipment. Security has become an integral component of an economic powerhouse that has contributed to American transportation, trade, and commerce for over 100 years.
To ensure the security of the industry for the next century, protecting critical infrastructure from increasingly complex and frequent cyberattacks should be the No. 1 priority for large organizations across the US. The new litmus test for investors and insurers will be how prepared airlines and manufacturers are for the potentially debilitating consequences of a cyberattack.
The Rising Tide of Accountability
Of all cyberattacks against the aviation industry in 2021, 55% resulted in financial loss, and over one-third resulted in the leaking or theft of personal data. The improving success rate of hackers compelled them to go bigger and better, as the average ransomware demand skyrocketed to $2.2m in 2022, although payouts often were less. Ransomware responses continue to evolve as regulations tighten.
In light of this, regulatory bodies and lawmakers have sounded the alarm, placing a spotlight on securing systems and networks against rising threats. In March 2023, the Transportation Security Administration (TSA) issued an “emergency amendment” to airports and aircraft operators’ security programs. The amendment mandates TSA-regulated entities develop implementation plans to improve their cybersecurity resilience, aiming to prevent disruption and degradation to their infrastructure.
At the same time, the US government’s new National Cybersecurity Strategy this year has reinforced the necessity of defending critical infrastructure by shifting responsibility from individuals to large organizations. This coordinated governmental strategy has, in part, been a response to the abundance of attacks against targets in the aviation sector. Canadian low-cost airline SunWing faced four days of flight delays last year after third-party software systems breached the check-in process. Indian carrier SpiceJet was also hit by a ransomware attack that left hundreds stranded at airports nationwide, showing that these events are occurring in all corners of the world.
The International Air Transportation Association (IATA) is the foremost authority of global aviation best practice. They made the responsibility of civil aviation cybersecurity clear, stating that “people, processes, and technology” (PDF) are the three main components dependent upon each other to create a unified cyber strategy. We are in an age where nation-state tactics and techniques are accelerating beyond the ability of the commercial sector to defend themselves. However, traditional General Data Protection Regulation (GDPR) approaches to assessing and reducing cyber-risk have simply become obsolete.
If pilots navigated planes only using their knowledge of flight controls, this would not prepare them for the demands of neutralizing an engine failure at 30,000 feet. This is why they test and train their skill set in simulators designed to mimic real-world scenarios, so their knowledge and reactions are robustly exercised for maximum performance. The next generation of cybersecurity is now taking this concept and applying it to the defense of critical assets in the aviation industry.
One Small Step for Tech, One Giant Leap for Cybersecurity
Cyber-ranges are the government-grade flight simulators of cybersecurity. By battle-testing defenses in real-world conditions, airlines’ IT and OT environments can experience the equivalent of three years’ worth of attacks in just 24 hours. However, many airlines use data collection and storage software seen in most industries, making lateral movement through networks relatively straightforward.
Decision-makers in the halls of aviation titans around the country are now deciding how to implement precautions to secure these systems and bolster their company’s investment strategy for the next stage of growth. Prioritizing government-grade cybersecurity can help them refine their incident response plans, train employees, and comply with the latest groundswell of regulation. By implementing a “train to failure” mindset, companies can test their defenses against phishing, DDoS attacks and data-breach techniques that contribute to around two-thirds of all cyber threats in the industry today.
If an aviation organization loses less than 1% of its customers as a result of a data breach, millions of dollars in revenue could be lost. Carriers and manufacturers need the data and insight into their IT and OT environments to see what is working, and what isn’t.
By implementing a proactive approach to cybersecurity, effective mitigation of threats can be achieved, reducing the dwell time of attackers. By removing the “unknown unknowns” of cyber threats, businesses can achieve the maximum levels of protection needed to keep their company safe.
About the Author(s)
CEO & Co-Founder, SimSpace
William “Hutch” Hutchison is the CEO and Co-Founder of SimSpace. He had extensive experience working in the NSA as a senior officer with US Cyber Command. US Cyber Command and the National Security Agency (NSA) are the premier organizations of the US Department of Defense and Intelligence Community, responsible for conducting military and intelligence operations in the cyber domain. Hutch was appointed through presidential order to create a team focused on defending US national infrastructure against state cyberthreats. In 2015 Hutch started the cyber readiness platform to deliver military-grade cybersecurity protection against advanced cyber threats for governments and organisations worldwide.
As a former F-15 fighter pilot, Hutch went on to lead cyber exercises at the US Cyber Command, and created numerous Department of Defense (DoD) cybersecurity training, testing and assessment programs. Hutch helped create a “Special Forces” approach to testing cyber defense teams and continues to serve as the Test Director for cyber operational assessments at the DoD.
At SimSpace, Hutch spearheaded multiple deployments in financial and other commercial sectors. Hutch holds a Bachelor’s degree from Duke University, a Master’s degree in aerospace engineering from University of Texas at Austin, and a master’s degree from the MIT Sloan School of Management.