What can Darwin teach the aviation industry about cybersecurity?

Air transport is a vital industry that contributes substantially to economic development and improved living standards. According to the International Civil Aviation Organization (ICAO), the 4.1 billion passengers transported in 2017 are expected to grow to around 10 billion by 2040. And according to the International Air Transport Association (IATA), 35% of world trade by value is transported by air cargo, equivalent to $6.4 trillion of goods. The role of the aviation industry in commerce, trade and transport infrastructure makes it indispensable to the global economy. The consequences of any major failure would carry direct public safety and national security implications and costs.

Today, the aviation community is benefitting from new levels of digitalization and connectivity. Technological advances are creating tremendous opportunities for improved flight efficiency, customer service, security, operations and passenger experience – both in the air and on the ground. Yet along with the new heights of efficiency gained through increasing digitalization and connectivity come new frontiers of vulnerability.

Airports are federated management systems with numerous interdependent service providers - and as such, deficiencies in airport cybersecurity potentially could enable the bypassing, subversion and eventual breaching of physical security. Additionally, as new capabilities arise, balancing commercial interests with sound risk management will be even more difficult, potentially creating significant harm to public order, confidence and trust.

There are nearly 44,000 airports in the world - and that means the number of surfaces vulnerable to cyberattacks is high, as is the number of passengers that travel by air each year.

Global spending on the Internet of Things (IoT) is predicted to reach $745 billion in 2019. Transport is ranked third among the industries that will spend the most on IoT solutions, after manufacturing. Furthermore, airport facility automation is one of the IoT use cases that is expected to deliver the fastest growth in worldwide spending over the 2017-2022 period.

The opportunities that IoT capabilities can generate for the aviation sector are unprecedented. They include operational efficiencies such as tracking and connecting airport assets with maintenance and inspection functions, facility management to identify shortages or breakdowns in real-time, and automation of cargo vehicles, food services, ramps and taxiways.

Physical things and cyber systems are becoming increasingly connected – from airport assets to people and data – by harnessing technologies including biometrics, artificial intelligence, machine learning, robotics and blockchain. Rapid cyber capability breakthroughs also create new potential attack vectors at an equally fast pace. Cyberattacks on critical infrastructure are difficult to detect and control, and may generate cascading effects resulting in economic losses, industrial disruption and, in some cases, human casualties. When applied to critical infrastructures that drive economic and social progress, such as airports, the impact can be catastrophic in the absence of adequate security measures.

Source: World Economic Forum

According to the World Economic Forum’s Global Risks Report 2019, cyberattacks rank fifth among the top-10 global risks in terms of likelihood. Moreover, researchers have identified cyber-risk to be among the top three risks facing the transport industry globally.

Not all stakeholders are prepared for the potential risk and liability that may be brought on by new technologies, including new threats to public safety, physical harm and catastrophic systemic attacks on shared public infrastructure. The complexity of the aviation ecosystem, with its many stakeholders, makes understanding the new nature of risk particularly challenging.

As Charles Darwin observed, “it is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change”. Organizations that understand and act on the signals and warnings inherent in industrial IoT risk can adapt much like Darwin’s finches and turn an increasingly ambiguous and fast-moving world to their advantage.

Darwin’s comment is a sure fit when it comes to cyber-resilience; through a proactive approach, by understanding and acting on the signals and warnings, you can adapt ahead of the others and turn an increasingly ambiguous and fast-moving world to your advantage.

Without a common understanding and approach to emerging threats, industry players may struggle – and even fail – to come up with inherent cybersecurity measures for the aviation sector. It is crucial that all stakeholders along the supply chain embrace a collaborative and risk-informed cybersecurity approach to adapt and ensure resilient aviation ecosystems.

The World Economic Forum Centre for the Fourth Industrial Revolution and its Centre for Cybersecurity, working with a multistakeholder community composed of aviation, insurance and information and communication technology industry partners, regulators and public-sector entities, are spearheading an initiative to catalyse the adoption of best practices and create market incentives to increase the level of resilience of the overall aviation ecosystem. The community leading this initiative, Building Cyber-Resilience in the Aviation Sector, is developing an approach and framework of best practices for ‘common duty of care’, which will help aviation businesses better assess and benchmark their level of resilience and readiness for a major cyberattack.

As the domains of aviation and cybersecurity increasingly overlap, the common goals of safety and resilience can be achieved sooner by working together. Preserving aviation’s strengths calls for a clear definition of governance, accountability and recognition of shared responsibility across the ecosystem. The aviation industry has a longstanding and robust safety management system with a safety culture embedded in its core. By generating a mutual understanding of cybersecurity priorities – one that businesses, policymakers and the general public can embrace – we will help assure an adaptive, safer future.