IATA’s Tyler speaks at Civil Aviation Cyber Security Conference
IATA's Tony Tyler recently spoke at the Civil Aviation Cyber Security Conference in Singapore. His full remarks on the need to enhance communication amongst aviation stakeholders can be found below.
It is a pleasure to be here today to address the topic of aviation cyber security. IATA applauds the Singapore Ministry of Transport in bringing together government and industry stakeholders on this vital subject. Just as information sharing has led to a reduction in accidents and made our industry safer, forums such as this one will help to make it more secure. I look forward to the outcomes and any specific initiatives to which IATA can contribute.
Because my time is limited, I am going to jump directly into the theme of this conference. I should caution that I am not an expert in cyber security. I suspect I am not alone in that, even in a gathering such as this. This is a new and dynamic threat and we will likely always be on a steep learning curve. And it’s such an important and urgent issue that we need to climb that curve fast.
Importantly, we all recognize that cyber security is a critical issue. Each day seems to bring fresh news of a security breach or data theft. Damage from such attacks can run into hundreds of millions of dollars and leave a company’s reputation in tatters. A successful cyber-attack on an airline could paralyze operations and result in thousands of stranded passengers. Indeed, LOT Polish Airlines may have been the victim of a cyber-attack just a few weeks ago.
No business is immune, but aviation is a specific target for those intent on doing cyber mischief and theft–or worse. Airlines are the highest value target for fraudsters and close to fifty percent of all phishing attempts are made against airlines and airline passengers, according to one cyber security firm with which we work.
We know this well at IATA. We operate global financial systems through which flow annually some $388 billion of air travel related revenues. We are keenly aware of our responsibility and we are extremely vigilant in protecting our business systems to eliminate vulnerabilities for potential cyber theft or malicious attacks. We structure our internal information security program around three main goals:
- To guard against unauthorized external or internal access to IATA’s IT systems;
- To ensure early detection should an unauthorized access occur; and
- To be able to react quickly to address any intrusion and assure secure business continuity.
This program is guided by global standards and best practices. Our business-critical systems that are involved in the delivery of financial services, as well as those relating to members’ data, such as the Global Aviation Data Management System, are certified to ISO27001 standards. Even more importantly, we are guided by an IT security quality group comprised of our member airlines.
Actions to protect our systems occur against an ever growing and evolving cyber threat. In March, for example, we identified and blocked an average of 80,000 suspicious connections per day, detected and cleared 891 viruses and resisted five “brute forcing” attempts to connect to IATA accounts.
I imagine this level of activity is probably fairly typical for a major financial institution or retailer. Cyber-attacks are a fact of modern life. But aviation presents a special target for those who seek to damage or disrupt the integrated air transport network upon which the global economy depends. This year, aviation will connect some 3.5 billion travelers with nearly 100,000 flights per day across 51,000 routes. Aviation and related tourism supports some 58 million jobs and $2.2 trillion of GDP. We can contribute even more in the future—as long as we maintain the trust we have earned from travelers and shippers that flying is safe and getting safer.
Safety is the top priority for everyone associated with aviation. We do not compete when it comes to safety and we must take the same working together approach in addressing cyber-threats. IATA’s role in this regard is to assist airlines in developing a robust cyber security strategy and to help drive coordination of global efforts to address cyber threats to aviation. To achieve this, we have put in place a three-pillar strategy that comprises:
- Working to understand, define and assess the threats and risk of cyber-attack
- Raising awareness of cyber security issues and identifying reporting and information sharing mechanisms
- Advocating for appropriate regulation and mechanisms for increased cooperation throughout the industry and with Governments.
Last year we launched the Aviation Cyber Security Toolkit. The Toolkit provides a general overview of the subject. It proposes solutions to run internal analysis of current cyber risks to help security stakeholders identify ways to protect their vital IT infrastructure. It is intended for airlines but is also applicable to airports, ground handlers and others in the value chain. It is an essential part of our strategy to bolster cyber security and we will release a second version this year.
In the time remaining I would like to focus on two other areas where we have opportunities to raise awareness and address cyber challenges. These are collaboration with other stakeholders and how governments can best support our joint interest in protecting aviation from cyber-attacks.
Commercial aviation was built on cooperation. Every flight that takes off or lands is the result of working together and information sharing among many different entities such as airlines, airports and air navigation service providers (ANSPs). Yet the very nature of our collaboration also enables potential cyber vulnerabilities. For instance, we exchange operational and air traffic information to manage our daily operations. It is vital that we be able to rely on the integrity of that information.
We are only as strong as our weakest link. An airline is dependent on its ANSP and airport partners to be highly engaged in cyber security. Many airlines and airports have robust systems in place to address common hacking threats. The challenge is the evolution of the threat. Cyber experts have to improve their expertise constantly in order to remain vigilant and keep ahead of hackers. What we are facing is close to asymmetric warfare in which it is easier to attack than to defend. In order to assess the broader threat to the aviation system, there is a need to adopt a holistic approach which would include all our IT infrastructure as well as that of our partners.
A related vulnerability comes from the introduction of greater levels of automation. The industry relies on information and communications technology such as flight management systems, electronic flight bags and e-enablement of aircraft and there is greater connectivity between these systems. There is no question that automation significantly enhances safety and aircraft capabilities while simplifying many rote tasks. But as a result, the number of entry points into systems is increasing steadily. The more systems we automate, the more vendors we have and the more interfaces that can be targeted for attack.
For example, Departure Control Systems (DCSs) perform load calculations that were formerly done by our flight crew in the cockpit. This eliminates a routine task that frees pilots to focus on other pre-flight activities. And few will argue against the proposition that a computer can do the job faster and with at least as much accuracy. But every automation brings with it the challenge to secure the information that it relies upon.
Given our environment of rapidly evolving applications of technology, a systemic approach to understanding and addressing the potential risks is critical. And the challenge becomes even more complicated as airlines increase the use of outsourced systems and technology. An important part of the relationship with vendors and partners is developing a cyber-security culture that is continuously evaluating and mitigating risks. Some of this is addressed in the Aviation Cyber Security Toolkit. But as it is an ever evolving threat, we need to be continuously vigilant and constantly in communication with our partners across the value chain.
The Role of Governments
Industry cooperation, while an absolute necessity, by itself will not get us where we need to be. Governments have resources and access to intelligence that the private sector can never achieve. They also have a responsibility to use these resources to support industry efforts. We have an example of this approach in the decades of successful government-industry cooperation on safety.
Unfortunately, we have not achieved that level of cooperation in security. As the threat of malicious cyber-attacks increases, the need for consultation, coordination and cooperation built on trust – among governments, between governments and industry, and within industry – becomes more critical. A key component of managing risk is effective sharing of information, including common or mutually understood policies and procedures for doing so. It is a lesson we learned following the tragedy of MH 17. Information that may be shared can include vulnerabilities, threat intelligence, and incident reporting.
Today, constraints of national classification systems and ambiguities around the legal rights and mechanisms for sharing information across borders are particularly challenging. However, the significant risks of not sharing information demand more progress in this area. It is not acceptable that one airline may have access to information and best practices regarding appropriate cyber measures and potential vulnerabilities, while another carrier does not, simply because it is based in a different country. Aviation is a global business that transcends national boundaries, and governments must come together in this area to find a solution.
It is likewise with regulation. Following the 9/11 attacks and subsequent terrorist acts, regulators initially responded with inflexible, prescriptive, one-size-fits-all mandates. It is only over the past five years or so that we have been able to transition away from this approach towards a more flexible, risk-based model. We must not repeat that steep learning curve with cyber security. Any regulation must be undertaken in close cooperation with industry and, as with our successful approach to safety, needs to be built on consistent global standards and recommended practices.
Governments need to adopt threat-based, risk-managed and outcome-focused frameworks that are balanced against industry capabilities and sustainability. This is a much better way to address evolving threats than prescriptive measures that are not able to adapt to the constantly shifting cyber arena.
A highly positive development in this regard was the signing of a Civil Aviation Cybersecurity Action Plan in December 2014 by IATA, ICAO, Airports Council International, Civil Air Navigation Services Organization and the International Coordinating Committee of Aerospace Industries Associations: in short, the representatives of the regulators, the airlines, the airports, the ANSPs and the manufacturers. The goal of the Action Plan is to ensure that all industry stakeholders and governments promote a coherent and consistent approach to cyber security. All of the partners are working towards developing recommendations to be presented at the 39th ICAO assembly next year.
As one of the most complex and integrated systems of information and communications technology in the world, the global aviation system is an attractive target for a large-scale cyber-attack, or for a targeted attack on some of its most vital elements. While we cannot eliminate cyber risk, we must manage it. This can of course be done, but it will require a deeper collaboration between authorities, industries and the academic world through an effective information sharing program that will leverage the collective power of the key players in the aviation industry.
This year IATA is celebrating our 70th birthday. Cyber threats did not exist in April 1945, when 57 airlines came together in Havana, Cuba to create this organization. But although the world has changed, IATA’s mission has not — to build global standards through industry cooperation and by working with governments through ICAO. It is a mission that is well-suited to addressing the challenges of cyber security. Be assured that IATA is committed to working with our members and all aviation stakeholders to develop, implement and enhance strategies for improving cyber security.