Together we stand, Divided we fall: ‘The need for a global cybersecurity defense policy for aviation’

Dr Gerasimos Kontos, Associate Professor, Abu Dhabi University

A major paradigm shift in the digital transformation of the aviation ecosystem is currently taking place. Investments in Information Technology, Artificial Intelligence, Internet of Things and Biometrics are redefining the passenger, baggage and freight journey, enabling a seamless and efficient travel experience.

At the same time, these emerging technologies could expend vulnerabilities and security risks if not adequately managed and controlled, especially when they could affect or have an impact on aviation ecosystems’ safety and airworthiness.

Therefore, to ensure the ecosystem’s safety, security and cyber-resilience, the aviation industry needs to work collaboratively, be more transparent, exchange information on risks and lessons learned along the way. Certainly, there is no “one-size-fits-all” solution and successful initiatives will be grounded in cross border collaborations and strong partnerships between private organizations, airlines, civil aviation authorities and policy makers (i.e. government entities).

Background

Over the last decade, the Travel & Tourism sector has made enormous gains in driving solutions that enhance security while improving the traveler experience. In particular, the aviation industry has embraced the use of biometrics to make travel safer, offer a better experience, reduce friction points in the traveler journey, and reduce operational costs. Working with innovation companies and partners worldwide the industry challenges the status quo, piloting new ideas and new technologies that ultimately transform the travel experience from Check-in to Security and Passport Control, and Ultimately Boarding. 

Bringing to life this innovative travel experience involves many different organizations and teams working closely together to align processes, policies and solutions. This harmonization of processes, gives passengers more control over their journey through seamless flow through the terminal and at the same time real time monitoring and efficiency on airside operations.

From the operational and business point of view, the challenge is to improve airport operations through real time information sharing for staff and passengers and smart allocation of airport resources.

From the technological point of view, it is imperative to implement the next generation of airport operations systems. Technological systems which are more flexible, modular, hybrid and even mobile. Eventually, a seamless passenger experience improves not only the passenger and baggage flow, but also the aircraft flow. This is quite a unique opportunity for developing new perspectives and innovations for the future.

Technology is Not an Issue. Being a Strong Team is the Real Challenge

But this is the frontend. The real, interactive and immersive passenger experience. Behind the scenes, interconnected systems ensures that decision making is based on trusted and reliable data. This practically means that organizations will exchange information and data with IT systems which are outside the traditionally defined security perimeter.

As airports become more and more digital, organizations are increasingly embracing the demand for connected environments and acknowledging their exposure to cybersecurity threats. To help defend against potential financial loss or reputational damage caused by cyber attacks, a strong cybersecurity strategy needs to be implemented – one that starts with the understanding of attacker motives and practicing cyber risk scenarios.

This means that the Aviation industry needs to show leadership, protect personal data and privacy, define global standards and ultimately be at the forefront of Cybersecurity.

For this to make happen all stakeholders need to work together, and governments as main orchestrators of the seamless passenger journey, must accept Biometric Boarding as an alternative mode of Boarding.

The technology for secure Biometric Boarding is already available and reliable. So its more a question of the Aviation Ecosystem and Government organizations to collaborate and create a global standard policy framework for securely exchange and using Biometric Data. 

This portrays an image of strong teams working together, specific policies and guidelines to be agreed upon, Common processes and standards, and by all means interoperable systems that will be able to exchange use and protect these personal data.

So this is the time that Airports and Airlines should not make bold decisions for the passenger journey, without having Government support on board. On the others side, this is the time for policy makers to accept alternative verification processes and act with leadership in making this happen.

Trust is the King 

Trust in data exchange is also at the heart of operational cyber issues. Data has to flow across the aviation value chain and this requires that systems that talk to each other and all parties having confidence that the data is protected.

But trust is a concept that cannot be mandated or enforced. It has to come naturally through common agreement and mutual understanding. Attaining it is therefore a challenge for the industry, especially as companies of all sizes, not to mention at varying cybersecurity levels, are involved. It is critical for organizations to share vulnerabilities or fears so that the overall cyber ecosystem can be secured. Sharing knowledge helps prevent future attacks and creates cyber resilience. It means the weakest point in the end-to-end passenger experience can be brought up to a requisite level and keeps all companies ahead of attack trends and developments.

For establishing trust in the decentralized Aviation Ecosystem, Privacy and Data Security  responsibilities and liabilities need to be clear and agreed through explicit rules, clearly defining which entities have access to passengers data and how these data will eventually be used for Biometric Verification.

How to Make it Happen – Management Recommendations

As with all challenges in Aviation, definitely it starts from the determination, commitment and culture of senior management team in each organization. Without strong support from the management board, any Cybersecurity strategy is prone to fail.

Equally important is an employee Education and Awareness program which aims to train employees on best practices for implementing Cybersecurity and the challenges when working with personal data. This includes training on the various methods of phishing and social engineering as well as the importance of maintaining and applying security updates to professional but also personal devices and computers.

It is important to create a common cybersecurity culture which will be directly connected to the Aviation Safety Culture already existing. Starting from the Top Management teams and following a Top Down approach, the industry will create a Human Firewall. We may now have all the available technology in the world, but having well informed and empowered employees is the greatest defense against cyberattacks. That is why Education and awareness are critical. 

How to Make it Happen – Operational Recommendations

According to the International Air Transport Association Survey (IATA), 2022 Global Passenger Survey, Passengers see value in biometric identification. 75% of passengers want to use biometric data instead of passports and boarding passes. Over a third have already experienced using biometric identification in their travels, with an 88% satisfaction rate. But data protection remains a big concern for more than half of travelers. And they continuously need to be reassured that the data needed to support such an experience will be requested only when this is truly important and they will be safely kept.

Privacy concerns is not about achieving compliance or running through a security checklist. Privacy Concerns is about implementing a Risk Management Framework from an Aviation Ecosystem’s point of view.

Identifying potential risks, assessing their likelihood of occurrence and determining the potential impact of each risk is all part of Risk Analysis. After identifying and evaluating the risks, the ecosystem can devise strategies to mitigate, minimize and isolate their impact.

To Take Home

The Aviation Industry needs to take proactive steps to strengthen its cybersecurity posture since cyber threats are occurring more frequently and are becoming more sophisticated. The effects of a successful cyber attack can be disastrous, whether it be the theft of sensitive information, downtime, financial loss or reputational harm. It is very important to have collaboration among the stakeholders and first and foremost to include Governments in these initiatives.

A common agreed framework and the standards for sharing and protecting the required passengers data between different systems and stakeholders for a seamless and frictionless experience is imperative.

The technology already exists to support a seamless passenger experience, and from an ecosystem perspective, a seamless passenger journey also improves airport operations, minimizes delays and flight disruptions are managed properly. This requires a collaborative experience and data sharing approach.

Now is the opportunity to improve things and work together, Now is the perfect time for a establishing a Cybersecurity defense policy for Aviation. 

The following suggested fundamental components aim to support this direction:

Fundamental Components for an Aviation Cybersecurity Policy

1. Public Private Partnerships

Governments need to work together and create bilateral agreements, based on the foundation that all data is authenticated and verifiable. Collaboration between the public and private sector will be critical to drive innovation and adoption. The private sector needs to work together to advocate for regulations and global standards, which are needed to assist in making their businesses thrive using biometric-enabled digital identities.

2. Data Collection and Sharing

Data is owned, managed, and provided to airport ecosystem stakeholders by the traveller. The foundation of a passenger’s digital identity is the collection of authenticated and verifiable data. From an identity perspective, this must be based on a government-issued identification (e.g. passport, national ID). Any additional data the passenger chooses to include in their digital identity is authenticated and verifiable by a Government entity. When passengers are asked to share their data, this should be done in a fully transparent manner, through simple and clear consent requests and only when this is truly required.

3. Data Privacy by Design

Solutions must adhere to the highest level of data privacy standards, using Data Privacy by Design principles. 

4. Interoperability

For enabling a seamless passenger journey, it is operationally imperative that data exchange systems are interoperable and based on global standards. This should be applicable across governments, private organizations, civil aviation authorities and airlines as well as between the different sectors within Travel & Tourism Industry. 

5. Passenger – Oriented Mindset for Design

Many of the advances in airport processes, such as biometric verification, require passengers to provide important personal details. Privacy laws, such as the European Union’s General Data Protection Regulation (GDPR) set high standards for securing this special category of personal data. This gives the option to passengers which are not willing to provide their biometric data, to have the option for traditional boarding process.  

This means for airport operators in the near future, that they need to re-design or at least adapt the boarding areas in way that they can accommodate passengers that would like to use the fast track and that want to be biometrically recognized and those passengers that do not want.