Analysis of the growing threat from cyber attacks
21 / 11 / 2016
The logistics supply chain has become a favoured target because the industry is underprepared for a serious cyber attack.
Global cargo theft and supply chain disruption reportedly cost $56bn last year.
One part of that supply chain, the aviation industry, is expanding, evolving, and becoming ever more connected due to the rapid rate of innovative technologies entering the marketplace.
The industry is now heavily dependent on information and communications technology to operate the global air transportation system.
With the continued growth of the global civil aviation industry, reliance on IT will only increase. The drive towards achieving greater efficiency and use of IT to reduce costs has widened the digital interface between airlines and airport systems and increases the risk of cyber attacks.
Introducing new technologies without vigorous cybersecurity in place presents a huge risk to the industry.
A shipment can often involve data or intellectual property transfer between up to 10 separate parties across the globe.
Some of the transited jurisdictions are riskier than others, with a thin grasp of cybersecurity and little or no cyber laws.
The ability to combat sophisticated and targeted hackers and avoid financial and/or reputational harm involves continuous top down risk awareness and control frameworks with multiple stakeholders.
These stakeholders include the air carrier, land transportation and/or the cargo owner, shipper, consignee, IT portal, airports, customs authorities, warehouses and banks.
Maritime container and air cargo shipments and their associated electronic control and data systems are considered to be soft targets for economic criminals.
This is due in part to the high values of cargo, but also because of the multiple data transfers through different computer technologies, and insufficient cyber threat/event information sharing amongst logistics stakeholders,
Cyber attacks are sophisticated, elusive and a rising threat to civil aviation, having been referred to as the second major risk to airlines following natural disasters.
Although cybersecurity has moved rapidly up the agendas of stakeholders in the air cargo and transportation industries, it is uncertain whether this has translated into effective active cyber risk management.
Previous well publicised hacks have shown cyber criminals look for the weakest link and it can take many months to detect such an intrusion.
The almost universal use of sophisticated IT systems has enabled multiple parties in a supply chain to track shipments, opening up pathways for intrusion.
Cyber attacks can ground fleets, control aircraft, interfere with the aircraft systems (either in flight or on the ground) leaving airlines facing claims from every direction and all those involved in the supply chain.
Airlines also hold a wealth of confidential data, both personal and business related, across multiple platforms, increasing the risk of unauthorised intrusions.
The loss of confidential information could give rise to data protection issues and breach of privacy laws, leaving airlines and airports with heavy fines, government audits and even criminal liability.
The cost of cyber attacks are wide ranging ─ business disruption, reputational damage, loss of business, court settlements, investigations and deployment of detection software.
Air cargo is not alone in facing this hidden threat. Ocean freight is as vulnerable.
The maritime industry received a sharp wakeup call three years ago. Drug traffickers, assisted by professional hackers, illegally accessed electronic data concerning containers located in the port of Antwerp.
Officially, the containers were shipping timber and bananas but some of the containers carried smuggled drugs which the criminals had switched.
The relevant containers were located by hacking into the electronic container tracking system, obtaining password release codes and diverting the containers before the official cargo owners arrived to collect their goods.
"Can it happen to us?" was the urgent question raised in many boardrooms following the event and the answer is likely to be "it already has".
Many organisations are now asking what a trading partner is doing to demonstrate effective cybersecurity and resilience – are they conducting security examinations or audits and using appropriate risk transfer language in their trading terms and conditions?
Furthermore, many governments are becoming more assertive in their expectations of appropriate cyber hygiene across businesses and national/international infrastructures.
The recent EU General Data Protection Regulation (GDPR), with its far reaching data protection provisions, and the EU Security of Network and Information Systems (NIS) Directive are significant examples of this.
In publishing its recent Cybersecurity Strategy paper for 2016-2021 the UK government reasonably expects each business to take commensurate and proportional steps to protect themselves and their stakeholders.
Cyber threats cannot be eliminated but can be managed through stronger collaboration between governments and key industry stakeholders and by adopting a strong information security framework.
Fundamental core elements of this framework should be to Identify, Protect, Detect, Respond and Recover.
These integrated disciplines are intended to create and maintain a dynamic operational culture which forms part of a continuous and concurrent risk management process to promote cyber resilience and economic and personal confidence.
The threat is a shared responsibility, involving governments, airlines, airports and manufacturers.
The cyber frontier is already extremely large, and further advancement and development will continue this expansion and become increasingly exploited by hackers unless appropriate and solid security measures are in place.
Authors: Consultant Peter Schwartz and Associates Rupali Sharma and Victoria Cooper from the Aviation team at international law firm Holman Fenwick Willan.