{"id":1081,"date":"2020-05-10T20:13:09","date_gmt":"2020-05-10T18:13:09","guid":{"rendered":"https:\/\/www.cyberinflight.com\/?p=1081"},"modified":"2020-05-11T14:42:56","modified_gmt":"2020-05-11T12:42:56","slug":"aerospace-cybersecurity-building-resilience-in-the-hailstorm","status":"publish","type":"post","link":"https:\/\/www.cyberinflight.com\/?p=1081","title":{"rendered":"AEROSPACE CYBERSECURITY: BUILDING RESILIENCE IN THE HAILSTORM"},"content":{"rendered":"\n
\"\"<\/figure>\n\n\n\n

1. THE COVID-19 CRISIS: A LAND OF OPPORTUNITIES FOR HACKERS<\/strong><\/p>\n\n\n\n

The world economy has been hit by the COVID-19 pandemic, and the air industry is among the industries most severely impacted by this crisis. Airlines and OEMs, in particular, have started to announce cost reduction plans, which are probably not possible without downsizing their workforces, in order to survive until the end of the crisis. On top of the operational difficulties triggered by the crisis, the<\/strong> weakening of industrial players is seen by cyberthreat actors as an opportunity to be seized<\/strong>. The cyberattack level has soared in the last two months, and all but a handful of hackers have shown how far they are from following any code of conduct and how unethical their behavior can be, particularly when striking medical institutions and hospitals. Factors such as the economic downturn, mandatory home work for millions of employees, and difficulties setting up strong cybersecurity rules in a short timeframe make it the right moment for hackers to weaken companies that already have a knee on the ground.<\/p>\n\n\n\n

2. CYBER-RESILIENCE CANNOT BE BUILT IN A DAY<\/strong><\/p>\n\n\n\n

By hitting airline revenues directly, this crisis may mechanically impact their level of defense. The airline industry\u2019s level of IT investment in the last 5 years has shown a remarkable compound annual growth rate (CAGR) of 10.4%, from $21.5 bn in 2014 to $35.2 bn in 2019. The airline cybersecurity budget represents a decent portion of this IT budget. It has been estimated that the cybersecurity budget of airlines followed an outstanding CAGR of at least 50% in the last 5 years<\/strong> from $0.5 bn in 2014 to $3.8 bn in 2019 (2019 figure is an estimate by CyberInflight. 2018 figure, provided by SITA, is at $2.75 bn).<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Does the level of investment in cybersecurity actually reflect the airline industry\u2019s levels of maturity and resilience? It is certainly a good indicator. In 2019, the cybersecurity\/IT budget ratio was estimated at 11%,<\/strong> when national security agencies usually advise a ratio between 5% and 15% depending on the industry. At first sight, this 11% could be seen as fair for the airline industry. In comparison, the cybersecurity investment level in the airport industry is estimated around $1.5 bn in 2019, which represents a 14% cybersecurity\/IT ratio. This difference could be explained by the fact that airports have been targeted by cyberattacks more frequently due to easier physical access to their facilities. Airports have had to answer this level of exposure by increasing their levels of cybersecurity maturity. The airline industry would probably need to reach a similar cybersecurity\/IT ratio to be on the safe side. In addition, an important point to mention regarding cybersecurity investments is that it takes time to raise a company\u2019s level of maturity,<\/strong> and probably several months at least to see the outcome of a cybersecurity investment. The cyber\/IT ratio grew from 4.6% in 2016 to 7% in 2017 and 9% in 2018. It may take time for these increasing investments to be totally effective and for cyber-resilience \u2014which is mainly linked to the culture and maturity of a company\u2014 to be achieved. Ultimately, it is important to keep in mind that a company\u2019s level of cyber-resilience not only depends on the level of investment, but also on how well these investments have been made.<\/p>\n\n\n\n

3. THE REGULATORY FRAMEWORK: ON THE CUSP OF A MORE PROFUND CHANGE<\/strong><\/p>\n\n\n\n

Simply by measuring maturity based on the cyber\/IT ratio, it is difficult to foresee whether this maturity level could increase in the coming months and years, as current priority is oriented toward the survival of the industry and its companies. Nevertheless, it seems that cybersecurity will remain high in company\u2019s agendas, as forcing people into quarantine has revealed that strict cyber-hygiene rules must be timely and properly deployed. Basic cybersecurity practices appear to be the foundation of the sustainability of any organization<\/strong>. As an unexpected benefit, the COVID crisis will probably help to raise the entire industry\u2019s cybersecurity awareness.<\/p>\n\n\n\n

Among the strongest drivers of the adoption of cybersecurity, the influence of international regulatory bodies is considered key. The year 2019 was marked by a set of initiatives launched by international regulators regarding cybersecurity<\/strong>. Among the most significant ones, one can mention:<\/p>\n\n\n\n