Securing supply chains in the digital world of aviation
In the Fall of 2016, Delta had a major IT outage that kept its infrastructure down for five hours and ultimately resulted in over 1000 flights getting cancelled and rescheduled.[i] The ensuing fallout cost Delta airlines an estimated $150 million – no small figure considering their pre-tax net income in 2015 was $1.5 billion.[ii] While there was speculation of foul play or a possible cyber attack, it has never been confirmed. Nonetheless, the outcome of such an event begs the question of how secure the airlines systems are.
Cyber attacks can take many forms as hackers focus on exploiting whatever vulnerabilities a company presents. As airlines have continued to digitize to become more efficient and better track their supply chains around the world, they risk becoming increasingly vulnerable targets. Even digital amenities that give an airline its competitive advantage – such as inflight Wi-Fi – can be exploited creating a delicate tension that airlines must balance. More concerning, there is the possibility that the ubiquitous use of auto-pilot could result in planes being hijacked remotely.[iii]
Any confirmed cyber attack would fundamentally shake consumer trust in the airline industry, and put individual companies in challenging situations. In addition to the costs of repairing the tangible damage of the attack, there would be reputational cost as consumers would lose trust in a company and move to competitors, which is likely to be costlier in the long run to a company than the initial cyber attack.
Steps in the right direction
For Delta airlines, there is both external pressure coming from the FAA and the US Government as well as internal pressure to prevent future events that could disrupt the supply chain. Delta is both taking steps to comply with new regulations and restructuring internally in order to meet the cyber threat.
In the short term, Delta has reorganized their leadership team to consolidate responsibility and better defend against cyber attacks. Delta created the role of a “Chief Information Security Officer” and hired Deborah Wheeler, a careerist in technology security to oversee its efforts.[iv]
Over the next few years, Delta will continue to make more changes to comply with new upcoming regulations such as the Cyber AIR Act, which will attempt to standardize airline disclosure and defense against cyber attacks.[v] However, these regulations will primarily focus on reporting rather than prescribing specific cyber defense actions.
Is it enough?
While each of these actions is a step in the right direction, there is still much more that Delta needs to do.
First, cyber defense is as much a cultural problem as it is a technical one. While Delta could acquire or hire artificial intelligence companies or a crack team of hackers to protect its infrastructure, it is unlikely to be enough. Cyber defense is a game of the lowest common denominator – all of their effort could be for naught if one Delta employee downloads malware, either intentionally or unintentionally. Delta needs to create a culture of cyber awareness and shared responsibility to ensure the company protects itself and its consumers.
Moreover, information flow between partners must be secured. As with internal employees, Delta exposes itself to significant risk as its networks are integrated with other airlines to increase efficiencies, collaboration, and communication between carriers. The challenge is that if a partner has a vulnerability that could be used to backdoor into Delta’s IT infrastructure, it will likely be the point of entry for a cyber attack.
To mitigate this, Delta needs to compartmentalize its IT infrastructure in order to prevent one attack from crippling the entire system. Consumer information should be kept separate from personally identifiable information that could be used to exploit a consumer. Naval ships employ the same idea to prevent ships from sinking – bulkheads separate compartments so that if the hull is compromised, only one compartment of a boat is lost as opposed to the whole boat sinking. In the same way, Delta could compartmentalize consumers’ information so that if there were an attack only non-exploitable information would be compromised because information would be separated.
Where do we go from here?
What relationship should Delta have with its partners in terms of information security? Should Delta take its partners under a security umbrella or require a level of security before working with a partner?
How does Delta address the tension between consumer convenience and security? In the Wi-Fi example, should Delta continue to offer the service – which consumers want – knowing that it could be exploited to the detriment of the consumer?
[i] Isidore, Chris. CNN Tech. 7 Sep 2016. 10 Nov 2017.
[ii] Delta Airlines. Delta Airlines. 19 Jan 2016. 10 Nov 2017.
[iii] AT&T. AT&T. 2016. 10 Nov 2017. <https://www.business.att.com/solutions/Portfolio/cybersecurity/cybersecurity-resources/page=addl-info/?gc=cybersecurity-report/v6/index.html#resource>.
[iv] Delta Airlines. Delta Airlines. 3 Feb 2017. 10 Nov 2017.
[v] Sen. Markey, Edward. Cyber AIR Act. 21 March 2017. 10 November 2017.