Cybersecurity: A Top Priority for Airline Boards
Homeland Security Today Magazine published a bylined article written by Russell Reynolds Associates' Mercedes LeGrand and Christine Yasaitis titled, "Cybersecurity: A Top Priority for Airline Boards." The piece looks at the importance of cybersecurity preparedness on airline boards and shares findings from our study, "Cyber Security: Five Leadership Issues Worthy of Board and Executive Attention." The article is excerpted below.
In the 15 years since 9/11, passenger air travel has changed significantly with a variety of measures put in place to ensure passengers’ safety and the nation’s security. Opportunities for physical terrorism are significantly reduced, and the measures have indeed prevented major incidents. However, an important question remains: Are we truly safer?
Despite leaps and bounds in physical security, there are new major security risks in the airline industry coinciding with the proliferation and increasing centrality of digital technology and information systems. Opportunities for those who seek to threaten the economy, political stability and safety are just as prevalent, if not more so, through cyber attacks. The recent past has given us many examples of cybersecurity threats and actual incidents in passenger aviation: Chinese-origin hackers who stole millions of individuals’ information from US government systems are said to have stolen customer data from two major US airlines. Polish flag carrier airline LOT was forced to ground its fleet when fake flight plans were loaded into its system by an unknown agent. In February, USA Today reporter Steven Petrow’s computer was hacked in mid-air while connected to in-flight Wi-Fi onboard an American Airlines flight from Dallas to Raleigh, N.C. Aircraft systems are increasingly connected to the Internet. Even legacy point-to-point systems, generally considered to be limited in their risk of exposure to hacks, are becoming greater points of vulnerability due to the expansion of hybrid systems as modernization of onboard avionics and control systems takes hold elsewhere in the ecosystem.
Airlines are not the only target in the aviation industry nor the only point of vulnerability. Multiple voices across industry and government have expressed concern about the Federal Aviation Administration's (FAA) proposed plans for the replacement of its current radar-based air traffic system. The new NextGen Automatic Dependent Surveillance-Broadcast (ADS-B) system has been criticized for being unauthenticated and unencrypted, enabling attacks like detection of fake aircraft on the ADS-B where none exist, unauthorized real-time tracking of specific aircraft, signal jamming and more. The FAA estimates that nearly 60 percent of air traffic control systems (which include avionics systems) will be connected to the internet by 2020. The fear is that new systems designed to enable the future of air travel may unwittingly endanger the security of American airspace and passenger aviation.
When it comes to increasing cybersecurity preparedness on the board, the most straightforward answer may appear to be hiring a cybersecurity director onto the board, but this is a significant challenge. A survey by Financial Times’ “Agenda Week” has shown cybersecurity is the number one skill or area of expertise desired by board directors across all industries. In addition to the intense demand, cybersecurity has evolved so quickly in recent years that many experts in this domain lack the gravitas and years of experience needed to contribute at the board level in order to discuss broader enterprise risk and strategic business issues and to communicate and build commitment to ideas and concepts that may not be as familiar to other directors.
Far from abandoning the search for qualified cybersecurity directors, however, airline boards should continue to see hiring of cybersecurity experts as a top priority and, in the meantime, consider other sources of valuable expertise in the boardroom. As previously mentioned, directors with significant consumer financial services experience are likely to have dealt with cybersecurity and so may have at least minimal familiarity, and directors with digital experience can also contribute valuable perspectives. Additionally, in the context of the highly regulated airline industry, hiring directors with experience in tightly regulated critical industries can be of value. The nuclear industry is one example. Like aviation, it is highly regulated and is counted among critical infrastructure, and the industry has recently been making leaps and bounds in cybersecurity through sharing of best practices across facilities, companies and even countries.
Whatever the board’s state of cyber preparedness may be, it will radically increase cybersecurity strength by establishing an active relationship with the CISO. It is so crucial that Russell Reynolds Associates’ Five Leadership Issues Worthy of Board and Executive Attention focuses three of the five key issues on the CISO role to ensure it is properly established in the organization. Companies without a dedicated CISO are leaving themselves extremely vulnerable to cyber attacks. Moreover, companies with a CISO in place must ensure that the CISO has a trusted relationship with the board to ensure full transparency around the reality of their information security program and any subsequent threats.