Until early 2020, the aerospace sector was climbing toward unprecedented growth. However, the COVID-19 pandemic brought seismic changes and is reshaping the industry’s ecosystem and ways of working. As a key part of global COVID vaccination rollouts, the aerospace sector is now charting a path to recovery.
But the sector remains rife with risk, spanning operational, strategic, financial and compliance issues that challenge the resilience of its organizations daily. The continuing growth, pace and complexity of digitization carry the potential for significant cybersecurity risks, increasing the likelihood of aerospace cybercrime and the inevitability of critical safety and cybersecurity breaches. Examples relevant to the aerospace sector include loss of passenger data, aircraft systems compromise and intellectual property (IP) theft, all of which pose commercial and reputational challenges for the industry.
Industry stakeholders, including airlines, aircraft manufacturers and suppliers, airport operators, air traffic control and border authorities, need to act swiftly to counter information and cybersecurity risks and bolster safety, digital defenses and trust.
Four Major Risks
We at BSI, the business improvement company, have identified four critical risks that organizations will need to prepare for and manage to secure the aerospace sector’s future. These risks are:
- Managing the supply chain
- Compliance with regulations and restrictions
- Capacity to innovate
- Exposure to cybersecurity events
Ultimately, cybersecurity affects all of the other areas of risk (supply chain, regulations and innovation), and its potential threats magnify the issues associated with each. In general, the aerospace industry can take advantage of clear opportunities to make improvements in cybersecurity risk management.
Managing the Supply Chain
Managing the supply chain is challenging for any industry, and particularly for aerospace, but it can also have the most resounding positive impact on resilience when its threats are addressed.
The aerospace sector is under tight scrutiny to guarantee its components are properly manufactured to ensure the safety of consumers. Responsible sourcing strategies play a large role in reducing potential quality risks and in protecting an organization's brand and reputation. It’s imperative that aerospace manufacturers have complete visibility into their suppliers’ practices to make sure they all remain compliant with government, regulator, customer and company requirements.
Further, it is critical for aerospace organizations to map out their supply chain partners to minimize and manage the risk landscape.
Compliance with Regulations and Restrictions
In light of COVID-19 and the period beyond the pandemic, the sector, particularly the commercial arm, will need to adapt quickly, adopt updated working practices and address new regulations and guidelines while ensuring it remains trusted to protect people and provide a healthy, safe environment for employees and customers alike.
One consistent challenge across the entire aerospace industry (including commercial and defense companies) is that regulations and restrictions imposed are extremely fragmented, and the rate of change for technology is so fast that regulators struggle to keep up with the pace. Features or devices developed last year are already outdated and being replaced.
Capacity to Innovate
The challenge here comes from the implementation of new technology for good commercial reasons that may outpace current regulation and make compliance and governance difficult.
For the sector to drive innovation, regular horizon scanning will be required to ensure organizations are aware of new risks and can properly anticipate emerging compliance requirements so they don’t hinder the capacity to innovate.
Innovators able to influence the aerospace industry today may not have come up through an aircraft-oriented safety culture. These new contributors write software code and can develop, say, luxury in-flight entertainment systems, but may not have the same mindset when it comes to defending “connected” aircraft from cyberattack.
Exposure to Cybersecurity Events
We are in the era of digital aviation. There is a rapid evolution toward electric and semi-autonomous aircraft and drones. At the same time, exponential growth in data volume across the industry comes with the need for users to access multiple systems remotely, and with increasingly interconnected aerospace technology. “Wired” systems now link airframes, airside operations, landside operations and, ultimately, passengers. Digitization leaves aircraft vulnerable to hacking, especially if security for them is an afterthought rather than built in by design.
In passenger-carrying commercial aviation, the passenger “journey” from booking a flight to leaving the destination airport is changing, with digital and touchless systems throughout, including booking, check-in, security, immigration/passport, in-airport and in-the-air purchasing, requiring apps and airport and aircraft systems to quickly evolve to meet the new context. While regulations apply to many of these features, they too will need to evolve to keep pace with the changing touchless passenger journey. Therefore, designing robust cybersecurity protocols into every stage of the product development lifecycle is critical.
The result is greater dependence on data and connected systems, which boosts the size of the potential cyber “attack surface” — both in the air and on the ground. Ultimately, cyber breaches, when they do occur, undermine consumer trust, safety and the achievement of strategic goals.
Within cybersecurity perimeters, the individual is often the weakest link, whether with malicious intent or not. Therefore, it is critical that organizations regularly update and educate their people on cybersecurity efforts and associated risks. It’s very easy to inadvertently click a link or open a file that launches malware, for example.
In the aerospace sector, one of the most common types of cybercrime is IP theft. To mitigate this risk, take the following precautions:
Key Takeaways
The state of the aerospace sector’s cybersecurity risk management currently offers ample room for improvement. Without doubt, digitization and technology advances have created new risks. But this opportunity can provide a critical juncture for the sector to move forward, with collaboration and careful management of technological risks along the path.
The key to cyber resilience is to embed the aerospace sector’s strong culture of commitment to safety in its response to the young-but-maturing field of cybersecurity risk management. Aerospace organizations will need to adapt their mindset: In today’s digital world, cyberattacks will come from indiscriminate sources and with increasing persistence, so the response should be to demand equally dynamic solutions, and to recognize the need to deploy mitigation, both externally and internally.
Whether through the assurance provided by training and certification to key management system standards, or more-specific cybersecurity risk management support like security awareness training or penetration testing, aerospace organizations can foster safety, resilience and trust.
Brendon Hill has worked in aerospace and engineering for over 40 years, including 26 years as a British Army Officer & Aircraft Engineer. He has worked in business assurance and certification for 17 years, including writing and implementing the QMS for the technical support of British Army aviation and then expanding this to the technical support for all elements of the army, including electronics, maritime, vehicles and weapons. He has worked at a senior level in industry supplying aerospace, defense and other critical and high-risk sectors such as oil and gas.