Cybersecurity Starts at the Top: Why Aviation Risk Is Operational Risk

In many industries, cybersecurity risk results in data loss or downtime. In aviation, especially airline operations, exploitation of a single vulnerability can cause operational disruption, which can in turn degrade safety. That degradation can then have a negative impact on the business.
Aviation involves sky-high stakes and consequences. If you have connected systems that reach beyond your organization, you are at risk. If you have legacy and/or modern technologies, you are at risk. Third-party dependencies? Those add more risk. This combination of risks, among others, is part of why regulators emphasize that cybersecurity risk be integrated into safety and operational risk management rather than tucked away in the depths of the organization's IT department. Despite the complexities of these environments, safety is simply non-negotiable.
An airline can best position its cybersecurity posture by conducting a risk assessment of its operation to understand which failures can disrupt flight-relevant operations and/or introduce airworthiness or safety risk. Identifying the dependencies between critical functions can uncover hidden risks. Additionally, evaluating existing security controls for effectiveness is important: a documented security control says nothing about how well it works when an incident occurs. Tabletop exercises are critical and the closest thing to real-world events for testing employees under operational pressure. Without practical scenarios and exercises, how is your organization measuring readiness?
Cybersecurity risk assessments must be a living process. They should recur at a defined frequency as opposed to a one-and-done approach. New risk assessments should also occur when relevant changes occur that could affect the information security of the aircraft. The hard part is not identifying risk; it's integrating it with other parts of the organization and with other operational frameworks, such as the Safety Management System. However, when an organization can bridge the gaps between cyber and operational teams, it transforms cybersecurity from a compliance exercise into a strategic capability. It evolves from a technical function into an element of operational resilience. Resilience is built when an organization can continue its operations even under cybersecurity duress. It's not about protecting systems; it's about protecting operations.