AEROSPACE CYBERSECURITY: BUILDING RESILIENCE IN THE HAILSTORM

1. THE COVID-19 CRISIS: A LAND OF OPPORTUNITIES FOR HACKERS

The world economy has been hit by the COVID-19 pandemic, and the air industry is among the industries most severely impacted by this crisis. Airlines and OEMs, in particular, have started to announce cost reduction plans, which are probably not possible without downsizing their workforces, in order to survive until the end of the crisis. On top of the operational difficulties triggered by the crisis, the weakening of industrial players is seen by cyberthreat actors as an opportunity to be seized. The level of cyberattacks has soared in the last two months, and all but a handful of hackers have shown how far they are from following any code of conduct and how unethical their behavior can be, particularly when striking medical institutions and hospitals. Factors such as the economic downturn, mandatory remote work for millions of employees, and the difficulty of setting up strong cybersecurity rules in a short timeframe make this the right moment for hackers to weaken companies that already have one knee on the ground.

2. CYBER-RESILIENCE CANNOT BE BUILT IN A DAY

By hitting airline revenues directly, this crisis may mechanically impact their level of defense. The airline industry’s level of IT investment in the last 5 years has shown a remarkable compound annual growth rate (CAGR) of 10.4%, from $21.5 bn in 2014 to $35.2 bn in 2019. The airline cybersecurity budget represents a decent portion of this IT budget. It has been estimated that the cybersecurity budget of airlines followed an outstanding CAGR of at least 50% in the last 5 years, from $0.5 bn in 2014 to $3.8 bn in 2019 (the 2019 figure is an estimate by CyberInflight; the 2018 figure, provided by SITA, is $2.75 bn).

Does the level of investment in cybersecurity actually reflect the airline industry’s levels of maturity and resilience? It is certainly a good indicator. In 2019, the cybersecurity/IT budget ratio was estimated at 11%, while national security agencies usually advise a ratio between 5% and 15% depending on the industry. At first sight, this 11% could be seen as fair for the airline industry. In comparison, the cybersecurity investment level in the airport industry is estimated at around $1.5 bn in 2019, which represents a 14% cybersecurity/IT ratio. This difference could be explained by the fact that airports have been targeted by cyberattacks more frequently due to easier physical access to their facilities. Airports have had to answer this level of exposure by increasing their levels of cybersecurity maturity. The airline industry would probably need to reach a similar cybersecurity/IT ratio to be on the safe side. In addition, an important point regarding cybersecurity investments is that it takes time to raise a company’s level of maturity, and probably several months at least to see the outcome of a cybersecurity investment. The cyber/IT ratio grew from 4.6% in 2016 to 7% in 2017 and 9% in 2018. It may take time for these increasing investments to be totally effective and for cyber-resilience, which is mainly linked to the culture and maturity of a company, to be achieved. Ultimately, it is important to keep in mind that a company’s level of cyber-resilience depends not only on the level of investment, but also on how well these investments have been made.

3. THE REGULATORY FRAMEWORK: ON THE CUSP OF A MORE PROFOUND CHANGE

When maturity is measured simply by the cyber/IT ratio, it is difficult to foresee whether this maturity level could increase in the coming months and years, as the current priority is oriented toward the survival of the industry and its companies. Nevertheless, it seems that cybersecurity will remain high on companies’ agendas, as forcing people into quarantine has revealed that strict cyber-hygiene rules must be deployed properly and in a timely manner. Basic cybersecurity practices appear to be the foundation of the sustainability of any organization. As an unexpected benefit, the COVID crisis will probably help to raise the entire industry’s cybersecurity awareness.

Among the strongest drivers of the adoption of cybersecurity, the influence of international regulatory bodies is considered key. The year 2019 was marked by a set of initiatives launched by international regulators regarding cybersecurity. Among the most significant ones, one can mention:

  • The publication of Aviation Cybersecurity Strategy by ICAO (October 2019)
  • The adoption of Assembly Resolution A40-10 addressing cybersecurity in civil aviation by ICAO (Oct. 2019)
  • The creation of the Aviation Cyber Security position paper by IATA, outlining IATA’s cybersecurity vision and mission (Jun. 2019)
  • The establishment of the Security Advisory Council (SAC) by IATA (Jun. 2019)
  • The first Aviation Cyber Security Roundtables (ACSR) held by IATA (Apr. 2019)
  • The rulemaking task from EASA, called RMT.0648, created in May 2016 with a Notice of Proposed Amendment (NPA2019.01) process performed between Q1 and Q3 2019
  • Several interesting initiatives launched by ACI in 2019.

A stronger and clearer cybersecurity framework is under construction and set to be introduced beginning in 2021, particularly in Europe. Hopefully, the crisis won’t delay the decision-making process of regulatory bodies, as the 2019 initiatives show a compelling momentum for air cybersecurity regulations. The current crisis’ slowdown of air traffic and restructuring of priorities could also be seen as the right moment to pave the way for a solid regulatory framework.

4. IN-FLIGHT CYBERSECURITY: BREAKING THE GLASS CEILING

In its “Aerospace Cybersecurity Market Intelligence” report, CyberInflight identified in-flight cybersecurity (IFCS) as one of the next trends. Despite the downturn, the evolution of the mindset regarding cybersecurity and the development of the regulatory framework could be seen as solid driving forces to encourage the deployment of IFCS components once the crisis softens. The crisis could help break the existing glass ceiling that has prevented many cybersecurity solution suppliers from penetrating this market and embedding their products in aircraft.

To date, the cybersecurity of in-flight systems communications (IFE and IFC systems in particular) is mainly implemented within legacy equipment. With the development of cyberthreats, airlines could consider the introduction of independent dedicated cybersecurity components from third parties to monitor, detect and react to cyberthreats. The take rate of in-flight cybersecurity is definitely set for significant growth, as it is considered to be fairly low today. The adoption of dedicated embedded cybersecurity components (hardware and/or software) is already happening in business and military aviation and other vertical-mobility markets such as maritime and rail.

While IFCS may represent a small fraction of airlines’ cybersecurity expenses compared to items such as employee awareness and training, regulatory compliance or the setup of SOC infrastructures, it is expected to show the greatest growth rate in the coming years.
