Let's defend our community, together

Q4 2018

The air transport community faces unprecedented risk from cybercrime – the result of digital transformation and an essential but near-total reliance on information and communication technologies. The critical requirement for strong cybersecurity is widely recognized, but existing challenges are delaying progress, according to SITA research.

It’s no surprise that the EU’s European Aviation Safety Agency ranked cybersecurity as the aviation industry’s number one challenge. But that was back in 2016 and, since then, the malicious use of technology across air transport has increased at an exponential rate.

Airlines and airports are ideal targets for hackers. They’re highly visible, for one thing. They offer huge potential for disruption, and they’re closely tied to the identity of the host country, making them an ideal symbolic target.

In this highly complex IT environment there are myriad possible entry points for hackers to test potential vulnerabilities, introduce malware or launch more dangerous and life-threatening attacks. The industry relies on open communications across a complex matrix – not only the airlines and airports, but also ground handlers, governments, air traffic management, OEMs, retailers and many more players.

Every business involved in air transport faces threats, with significant potential business impacts, from operational and financial to legal and reputational. On average, there are 1,000 attacks a month, according to the European Aviation Safety Agency.

Cybersecurity is an area where most airlines have a ‘major program’ with large growth, with some 89% citing investment in cybersecurity initiatives.

SITA, Air Transport IT Insights 2018


SITA’s ‘Air Transport IT Insights 2018’ findings

Two SITA research papers offer a clear perspective on where the air transport industry stands today in relation to cybersecurity. The first, SITA’s ‘Air Transport IT Insights 2018’, reports higher forecasted spend on technology by airlines and airports, with priorities placed firmly on strengthening cybersecurity capabilities.

Cybersecurity is one of two areas where most airlines have a ‘major program’ with large growth, where some 89% mention investment in cybersecurity initiatives (the other area being applications for passenger mobile services, at 90%).

The IT Insights research shows airport CIO agendas sharply focused on cybersecurity too, where it tops the list. Some 95% of airports confirm that cybersecurity initiatives are a priority area for their IT investments, whether as a ‘major program’ or for ‘R&D’. Crucially, airports say they’re ring-fencing much more of their IT budgets for cybersecurity.

Over 40% of aviation organizations list cybersecurity as part of a global risk register, with a further 42% saying they plan to include cyber-risk in their registers by 2021. But existing challenges are delaying progress.

SITA, Air Transport Cybersecurity Insights 2018


SITA’s ‘Air Transport Cybersecurity Insights 2018’

Taking a closer look at cybersecurity, SITA’s second piece of research, ‘Air Transport Cybersecurity Insights 2018’, framed many of the discussions at SITA’s Aviation Cybersecurity Symposium, held in November 2018.

The results reveal growing awareness of the importance of cybersecurity but cite existing challenges as delaying progress. “Those challenges include a lack of resources, budget and skills needed for advancing cybersecurity protection,” says SITA’s Director Integration & Services, Michael Schellenberg.

“Worryingly, our research suggests that at present only 41% of air transport organizations are considering and tracking cyber risks. However, awareness is improving and a further 42% are planning to list cybersecurity as part of a global risk register by 2021.”

Michael Schellenberg continues: “So industry awareness is certainly there. But given the challenges, our Insights survey recommends the empowerment of cybersecurity teams, along with stronger positioning at C-level and resources to initiate concrete and actionable projects.”

SITA's Aviation Cybersecurity Symposium

SITA’s fourth Aviation Cybersecurity Symposium took place in November 2018. The invitation-only event brought together around 40 IT and cybersecurity experts from across the air transport industry.

Informed by the results of the first ‘Air Transport Cybersecurity Insights 2018’, the two-day event explored a benchmark study exclusively for air transport, together with key trends, priorities and opinions among cybersecurity leaders across the industry.


The biggest barrier to effective cybersecurity programs is a lack of resources, which affects 78% of air transport organizations. We recommend appointing a dedicated Chief Information Security Officer (CISO). This is regarded as crucial to the visibility and effective implementation of a cybersecurity program.

SITA, Air Transport Cybersecurity Insights 2018


Appoint a CISO to advance the cause

According to the Cybersecurity Insights survey, the biggest barrier is a lack of resources, which affects 78% of organizations. It recommends appointing a dedicated Chief Information Security Officer (CISO) and building a proper cybersecurity roadmap, aligned with the organization’s risk exposure.

This is regarded as crucial to the visibility and effective implementation of a cybersecurity program. Yet the findings reveal that only 31% of responding organizations have a dedicated Chief Information Security Officer (CISO), a role that is pivotal to empowerment, to the positioning of security teams at C-level and to avoiding the relegation of cybersecurity to a lower level due to other priorities.

Consider the best practices for the best defense

“A CISO is certainly one best practice at the top of the list, and there’s no shortage of advice that can be followed to implement other good practices,” says SITA’s Michael Schellenberg. He cites adherence to five elements which, combined, provide the framework for addressing the cybersecurity challenge:

  • Identify the threats & the risks
  • Protect your assets and business activities
  • Strengthen your detection capabilities
  • Implement and test your safeguards so that you can react when a cyberattack occurs
  • Link this to your business continuity

SITA’s cybersecurity team sets out a nine-point good practice checklist:

  1. Raise awareness with your board, empower your cybersecurity team and appoint a Chief Information Security Officer (CISO)
  2. Perform a cyber maturity assessment to give you the baseline of where you stand, as the starting point for developing a long-term cybersecurity strategy, with the necessary resources to initiate concrete and actionable projects
  3. Take a risk-based, top-down approach, linked with your business activities and threat exposure. This allows you to communicate and report better to your management on how things are moving forward.
  4. Update your processes and implement the right security equipment (Firewalls, antivirus, Endpoint Detection and Response, Intrusion Prevention System, etc.)
  5. Train your people and continue raising awareness within your organization
  6. Continuously assess your current security gaps (controls, vulnerabilities, etc.), and implement a systematic approach to remediate them (or at least track them)
  7. Secure the “extended enterprise” by assessing your third parties and interconnections with them
  8. Adopt industry standards on cybersecurity and data protection (NIST, ISO, etc.)
  9. Engage with peers, share and receive cyber intelligence

A response tailored to the industry

SITA’s response to the cybersecurity challenge includes services and products highly tailored to the industry and focused on addressing the complete scope for our customers: identify, protect, detect and react. Three types of services are currently available: Consulting, Security Operation Center, and Infrastructure and Cloud security services.

These services were designed for the industry and are currently delivered to it; they include a CyberSecurity Maturity assessment, Awareness and Training, the Aviation SOC, and more. Services include SITA’s Aviation Cyber Expertise Cell materials.

“The Aviation Security Operation Center that we built with Airbus, which is the first CyberSecurity Managed Services dedicated to an industry in the world, translates this strong need for verticalization of CyberSecurity to be closer to the businesses this service is supposed to cover. It is no longer a technical topic but more a business issue to tackle,” says Michael Schellenberg.

“But equally, collaboration is vital to best defend the air transport community’s eco-system.” SITA set up collaborative and iterative initiatives in 2017 for strengthening cybersecurity, namely the:

  • Cybersecurity Aviation Security Operations Center (SOC)
  • SITA Community Cyber Threat Center (CCTC)

‘Verticalized’ cybersecurity: the Aviation SOC

SITA’s Air Transport Cybersecurity Insights finds that one in two air transport organizations plan to implement a SOC in the next three years, enabling proactive monitoring of threats. It cites such centers as being necessary but complex projects, with faster ROI achieved through staged implementation. As of today, however, only 33% of those surveyed had implemented a SOC, and of these the clear majority use it to monitor their network and infrastructure.

“A SOC should be the immediate priority of an airline or airport. Initially one approach could be to start with what’s business critical before extending to less critical areas,” says Michael Schellenberg.

Airbus and SITA began working together to provide ‘verticalized’ aviation centric cybersecurity, with the resulting Cybersecurity Aviation SOC becoming the first of its kind. The center minimizes the impact of cyberattacks on operations, reputations and customer relations by responding to and reporting on the latest cyberthreats.

To provide these elements, SITA and Airbus are using the Aviation Cyber Expertise cell materials, in order to:

  • Understand the threats of the airport or airline considered
  • Prioritize the critical scope that needs to be covered, starting with the IT assets supporting the most critical activities
  • Define use-cases (detection rules implemented into the SOC) on specific IT assets
  • Enrich alert notifications with the potential business processes impacted by the detected attack

Cybersecurity Aviation Security Operations Center

SITA’s Cybersecurity Aviation Security Operations Center (SOC) works through three core areas: Event management, Security incident management, and Reporting management, aligned with the threat exposure and business processes of the customer concerned.

Event management explores who accesses a customer’s systems by collecting and analyzing selected and prioritized security event logs, from:

  • Critical applications and systems
  • Servers and workstations
  • Switches and other network appliances
  • Air transport industry specific assets

Security incident management ensures the SOC stays on top of incidents using an event management tool – SIEM (Security Information and Event Management) – that:

  • Correlates events and matches them with generic and air transport industry-specific predefined rules
  • Qualifies any matches (managed by analysts) taking into account the aviation business context
  • Identifies security incidents and creates alerts

Reporting management keeps organizations informed with:

  • Pre-defined sets of reporting processes
  • Comprehensive alert reports, including the business processes impacted
  • Reports fitting the air transport context

To provide a service that is highly relevant for our customers, we integrate this aviation expertise in four ways: understanding the threat exposure of the airport or airline concerned; prioritizing the critical scope to cover, starting with the IT assets supporting the most critical activities; defining use-cases (detection rules implemented into the SOC) on IT assets specific to the industry; and enriching alert notifications with the potential business processes impacted by the detected attack.
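The use-case and enrichment steps described above, as an added example that is not SITA's or Airbus's code: a detection rule (repeated failed logins followed by a success on the same asset) runs over constructed log lines, and each alert is enriched with the business processes the asset supports and ordered by asset criticality. The asset names, the log format and the rule thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory (hypothetical names): criticality 1 = most
# critical, plus the business processes each asset supports.
ASSETS = {
    "dcs-checkin-01": {"criticality": 1, "impacted_processes": ["passenger check-in", "boarding"]},
    "bhs-ctrl-02": {"criticality": 1, "impacted_processes": ["baggage handling"]},
    "hr-portal-01": {"criticality": 3, "impacted_processes": ["staff self-service"]},
}

# Constructed authentication events: timestamp, asset, user, outcome.
LOG = """\
2018-11-05T02:00:00 hr-portal-01 jdoe fail
2018-11-05T02:00:30 hr-portal-01 jdoe fail
2018-11-05T02:01:00 hr-portal-01 jdoe fail
2018-11-05T02:02:00 hr-portal-01 jdoe success
2018-11-05T02:10:01 dcs-checkin-01 svc_gate fail
2018-11-05T02:10:20 dcs-checkin-01 svc_gate fail
2018-11-05T02:10:45 dcs-checkin-01 svc_gate fail
2018-11-05T02:11:10 dcs-checkin-01 svc_gate success
2018-11-05T03:00:00 bhs-ctrl-02 ops1 fail
2018-11-05T03:20:00 bhs-ctrl-02 ops1 fail
2018-11-05T03:20:05 bhs-ctrl-02 ops1 fail
2018-11-05T03:20:10 bhs-ctrl-02 ops1 success
"""

def detect_failed_then_success(log, threshold=3, window=timedelta(minutes=5)):
    """Use-case: >= threshold failures, then a success, same asset and user, inside the window."""
    fails, alerts = defaultdict(list), []
    for line in sorted(log.splitlines()):  # ISO timestamps sort chronologically
        ts, asset, user, outcome = line.split()
        t = datetime.fromisoformat(ts)
        if outcome == "fail":
            fails[asset, user].append(t)
        elif outcome == "success":
            recent = [f for f in fails[asset, user] if t - f <= window]
            if len(recent) >= threshold:
                alerts.append({"time": ts, "asset": asset, "user": user, "failed_attempts": len(recent)})
            fails[asset, user].clear()
    return alerts

def enrich(alerts, assets):
    """Attach criticality and impacted business processes; most critical asset first."""
    unknown = {"criticality": 99, "impacted_processes": ["unknown: asset not in inventory"]}
    enriched = [{**a, **assets.get(a["asset"], unknown)} for a in alerts]
    return sorted(enriched, key=lambda a: (a["criticality"], a["time"]))

if __name__ == "__main__":
    print(*enrich(detect_failed_then_success(LOG), ASSETS), sep="\n")
```

The check-in system alert is listed ahead of the earlier HR portal alert because of its criticality, and the baggage controller raises no alert because one of its three failures falls outside the five-minute window.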

A SOC for the air transport community – ideal for constrained budgets

“We realized that some airports and airlines have very limited budget, and often the SOC is too expensive for them to set up. Worst case scenario, they are starting to implement a SIEM with limited resources to configure it and manage the alerts, and at the end it is not working,” says Michael Schellenberg. “We wanted to address this challenge by designing a cheaper SOC solution, ensuring all the activities of a SOC but leveraging on the community to limit the cost and offer, at the end, a very competitive solution for the industry.”

Investigating in this direction, SITA defined the shared SOC concept: a SOC tailored to the air transport community, with a high level of standardization and shared between several stakeholders. Decisions are taken together, and best practices and use-cases are shared, with community value at the center of the service.

For more, see ‘How can airports manage cybersecurity on a constrained IT budget’.

Community Cyber Threat Center

Meanwhile, the SITA Community Cyber Threat Center (CCTC) offers a further layer of assistance. As a complimentary service open to cybersecurity professionals at SITA member organizations, the CCTC is based on a customized alert system that provides rapid notification of sensitive information.

That includes Tactics, Techniques and Procedures (TTPs) used by some cyber criminals, information on cyber campaigns targeting our industry or relevant to our industry, and stolen credentials exposed on the open, deep and dark web. 

To build trust and foster increased communication among users of the center, regular meetings are held to share insights and mitigation strategies, as well as discuss the evolving cyber threat landscape. The Center’s members (currently 29) also receive a weekly digest of cybersecurity stories and threat indicators affecting the air transport industry. Since becoming operational, the center has shared 124 alerts and 31 threat intelligence advisories with members.

Proactive responses turn the tables

The pioneers of the internet and the web never anticipated the degree to which cybercriminals would use technologies to cause harm or commit fraud.

“But we’re turning the tables,” says Michael Schellenberg. “Rather than being reactive to cyber attacks, we are becoming proactive, with technologies, tools and processes designed not just to address but significantly reduce the attack surface and react quickly to attacks.”

“SITA is addressing cybersecurity as part of its fundamental role to provide community and collaborative services. The need for more cybersecurity will always be there. But helped by collaboration, growing know-how and advancing technologies, there are now well understood and cost-effective ways to defend the air transport community,” he concludes.
