Skip to main content

Increasing Cyber Resiliency in the Aviation Industry

Chris Verdonck, Bryan Terry

The aviation industry remains stalled in challenging times. Hit hard by the COVID pandemic, airlines saw global passenger traffic drop nearly 66 per cent last year, compared to 2019. While this year shows promising signs of an upcoming recovery, the International Air Transport Association (IATA) predicts global travel demand won’t return to pre-pandemic levels until 2024.

In this environment, major financial and organisational changes have been inevitable. The dramatic and persistent loss of revenue has forced aviation businesses to reprioritise their budget and resource allocations to enable business continuity – a “keeping-the-lights-on” mindset and approach.

But while revenues and cyber budgets have declined, the number of cyberthreats – and their level of sophistication – have not. Phishing attacks and ransomware represent endemic threats to businesses across industries, aviation included. Consider these statistics:

  • The World Economic Forum (WEF) Global Risks Report (2021) details the continual rise in cyberattacks, noting cybersecurity failure is one of the “highest likelihood risks of the next 10 years.”
  • Nearly 62 per cent of airport authorities reported that their airports were targets of cyberattacks during an “Airport Cybersecurity COVID-19 Survey,” conducted by Airport Council International (ACI) World.
  • The same survey found that more than half (54.1 per cent) of airport IT leadership believes that “the single biggest challenge with regard to cybersecurity during the COVID-19 recovery phase would be budget reduction.”

Against this backdrop and despite financial and organisational hardships faced, reducing investments in cybersecurity is a risky proposition. With COVID vaccine transportation and distribution an international priority, aviation businesses and supply chains are, and will be, likely targets of cyberattacks – necessitating strong cybersecurity postures, cross-industry collaboration and proactive action.

New Report: Cybersecurity and Aviation

Deloitte – in collaboration with the WEF and a global multi-stakeholder community of more than 50 aviation experts – developed the “Pathways Towards a Cyber Resilient Aviation Industry ” report. It explores some of the main barriers to achieving cyber resiliency, which is defined as: “the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”

The report also examines the state of the aviation industry today, including the expanded digital aviation ecosystem and use of remote-work technologies. It focuses on the cyberthreat landscape, ramifications of cybersecurity gaps and recommendations and next steps for achieving cyber resilience.

The bottom line: In order for the aviation industry to prosper and realise the digital dividends of the Fourth Industrial Revolution – which marries physical assets and advanced digital technologies, such as the Internet of Things (IoT) and artificial intelligence – cyber resilience needs to be embedded in the aviation business culture and operating model.

Pathways and Recommendations

To develop the report, Deloitte worked with the WEF to conduct a benchmarking exercise with a group of aviation businesses, using Deloitte’s Cyber Strategy Framework (CSF). This activity highlighted strengths and weaknesses in cyber resiliency in the aviation sector today.

The report highlights recommendations for stakeholders at multiple levels:

  • Foster a culture of cyber resilience, with the CEO and board driving the cultural shift; integrate cyber resilience into business resilience practices; and go beyond compliance and adopt a “risk-based approach mindset”
  • Ensure systemic risk assessment and prioritisation by evaluating the organisation’s asset base and interdependence within the ecosystem; collaborate ecosystem-wide and align expectations with suppliers on their cybersecurity controls; and establish ecosystem-wide cyber resilience plans that appropriately balance preparedness and protection
  • Enable systematic skills build-up to drive greater cyber literacy among current and future employees, and equip them with the tools to detect, mitigate and prevent suspicious activity; and reward more open communication on incidents to help promote learning and better act on future threats
  • Align regulations globally with balanced and outcome-based guidance; establish a cyber resilience baseline across the supply and value chain; encourage assessments and industry benchmarking; and develop international information-sharing frameworks and standards

The recommendations build on each other and like many aviation systems, processes and services today, they’re interconnected. That’s why open communication and collective action are so important, so cyberattacks and risks don’t threaten to topple cyber resilience across the industry. Together with these recommendations, collaborative action within the aviation sector – encompassing identifying points of risk in the supply chain and addressing them – can help forge a cyber resilient ecosystem.