The global aviation industry has been told it needs to up its cyber security both internally and with third parties as regulators demand change.
The call comes in a new report by SecurityScorecard, which has published cybersecurity research on 250 leading global aerospace & aviation companies, including 100 top commercial passenger airlines.
The report comes as regulatory bodies worldwide ramp up cybersecurity requirements for the aviation sector. The US Transportation Security Administration introduced new mandates in March 2023, and the EU’s Implementing Regulation 2023/203 will take effect in 2026, setting a new standard for aviation information security risk management.
“The aviation industry has traditionally focused on physical security threats, but recent revelations about risks on Boeing’s supply chain have spotlighted the critical need to measure and mitigate supply chain risk,” the report explained. “SecurityScorecard’s latest research aims to elevate the discourse on supply chain cyber risk in particular, emphasizing the need and best practices for comprehensive cybersecurity monitoring across the aviation sector.”
Key findings include:
- The aviation industry scores a “B” on cybersecurity: The industry scores a “B” on average. While this isn’t a failing grade, significant disparities exist. Organisations with a B rating are 2.9x more likely to be victims of data breaches than those with an A rating.
- Vulnerability of IT vendors and airlines: Notably, aviation-specific software and IT vendors score the lowest, with a mean score of 83, posing substantial third-party risks for their airline customers. By the same token, customers can also pose third-party risks for their vendors. For example, this research yielded three recent examples of breaches at airlines exposing information on their aerospace & aviation vendors.
- Impact of third-party breaches: 7% of companies in the sample publicly reported breaches in the past year; 17% had evidence of at least one compromised machine in the past year. In addition, airlines had 4% more breaches than the industry benchmark due to vulnerabilities in lower-scoring vendors raising their third-party risks.
- Global disparities at the nexus of cyber and geopolitical threats: Advanced economies like Western Europe and Australia achieve better cybersecurity outcomes, with scores significantly higher than emerging markets. Aggressive nation-state threats from countries like China indicate major turbulence ahead.
- Ransomware is a top threat: Ransomware is the dominant theme in public reporting of attacks on this industry. Ransomware operators actively targeting the aviation industry have included BlackCat, LockBit, BianLian, and Dunghill Leak.
- Correlation with performance: Top-performing airlines, as ranked by industry and consumer standards, have above-average security scores, indicating a link between operational excellence in general and cybersecurity performance in particular.
Ryan Sherstobitoff, the company’s senior vice president of Threat Research and Intelligence, said: “The aviation industry operates on a complex web of partnerships, but a company’s security is only as strong as its weakest link. Our research shows airlines are flying blind on third-party risks. It’s time for the industry to take control and prioritise robust security measures across their entire ecosystem before turbulence turns into a disaster.”
Based on the analysis, SecurityScorecard’s threat researchers said there were steps that needed to be taken:
- Prioritise software & IT vendors: Focus on mitigating risks from software and IT vendors, which pose the highest third-party risks.
- Expand third-party risk management: Include customers and other partners in third-party risk management programs to cover the full spectrum of potential threats.
- Enhance protection of key data: Implement robust defences around aerospace intellectual property and passenger data, which are high-value targets for cybercriminals and state-sponsored actors.
- Avoid paying ransoms: Refrain from paying ransoms to prevent further incentivising attacks and comply with legal restrictions.