Avoiding cancellation, in aviation

As airlines become more digitally dependent, they will become increasingly vulnerable to cyber attacks, forcing companies like Delta airlines to take action and secure their customer information and supply chains.

Securing supply chains in the digital world of aviation

In the Fall of 2016, Delta had a major IT outage that kept its infrastructure down for five hours and ultimately resulted in over 1000 flights getting cancelled and rescheduled.[i] The ensuing fallout cost Delta airlines an estimated $150 million – no small figure considering their pre-tax net income in 2015 was $1.5 billion.[ii] While there was speculation of foul play or a possible cyber attack, it has never been confirmed. Nonetheless, the outcome of such an event raises the question of how secure the airlines' systems are.

Cyber attacks can take many forms as hackers focus on exploiting whatever vulnerabilities a company presents. As airlines have continued to digitize to become more efficient and better track their supply chains around the world, they risk becoming increasingly vulnerable targets. Even digital amenities that give an airline its competitive advantage – such as inflight Wi-Fi – can be exploited, creating a delicate tension that airlines must balance. More concerning, there is the possibility that the ubiquitous use of auto-pilot could result in planes being hijacked remotely.[iii]

Any confirmed cyber attack would fundamentally shake consumer trust in the airline industry, and put individual companies in challenging situations. In addition to the costs of repairing the tangible damage of the attack, there would be reputational cost as consumers would lose trust in a company and move to competitors, which is likely to be costlier in the long run to a company than the initial cyber attack.

Steps in the right direction

For Delta airlines, there is both external pressure coming from the FAA and the US Government as well as internal pressure to prevent future events that could disrupt the supply chain. Delta is both taking steps to comply with new regulations and restructuring internally in order to meet the cyber threat.

In the short term, Delta has reorganized its leadership team to consolidate responsibility and better defend against cyber attacks. Delta created the role of a “Chief Information Security Officer” and hired Deborah Wheeler, a careerist in technology security, to oversee its efforts.[iv]

Over the next few years, Delta will continue to make more changes to comply with new upcoming regulations such as the Cyber AIR Act, which will attempt to standardize airline disclosure and defense against cyber attacks.[v] However, these regulations will primarily focus on reporting rather than prescribing specific cyber defense actions.

Is it enough?

While each of these actions is a step in the right direction, there is still much more that Delta needs to do.

First, cyber defense is as much a cultural problem as it is a technical one. While Delta could acquire or hire artificial intelligence companies or a crack team of hackers to protect its infrastructure, it is unlikely to be enough. Cyber defense is a game of the lowest common denominator – all of their effort could be for naught if one Delta employee downloads malware, either intentionally or unintentionally. Delta needs to create a culture of cyber awareness and shared responsibility to ensure the company protects itself and its consumers.

Moreover, information flow between partners must be secured. As with internal employees, Delta exposes itself to significant risk as its networks are integrated with other airlines to increase efficiencies, collaboration, and communication between carriers. The challenge is that if a partner has a vulnerability that could be used to backdoor into Delta’s IT infrastructure, it will likely be the point of entry for a cyber attack.

To mitigate this, Delta needs to compartmentalize its IT infrastructure in order to prevent one attack from crippling the entire system. Consumer information should be kept separate from personally identifiable information that could be used to exploit a consumer. Naval ships employ the same idea to prevent ships from sinking – bulkheads separate compartments so that if the hull is compromised, only one compartment of a boat is lost as opposed to the whole boat sinking. In the same way, Delta could compartmentalize consumers’ information so that if there were an attack only non-exploitable information would be compromised because information would be separated.

Where do we go from here?

What relationship should Delta have with its partners in terms of information security? Should Delta take its partners under a security umbrella or require a level of security before working with a partner?

How does Delta address the tension between consumer convenience and security? In the Wi-Fi example, should Delta continue to offer the service – which consumers want – knowing that it could be exploited to the detriment of the consumer?

(756 words)

[i] Isidore, Chris. CNN Tech. 7 Sep 2016. 10 Nov 2017. <http://money.cnn.com/2016/09/07/technology/delta-computer-outage-cost/index.html>.

[ii] Delta Airlines. Delta Airlines. 19 Jan 2016. 10 Nov 2017. <http://ir.delta.com/news-and-events/news/news-release-details/2016/Delta-Air-Lines Announces-December-Quarter-and-Full-Year-2015-Profit/default.aspx>.

[iii] AT&T. AT&T. 2016. 10 Nov 2017. <https://www.business.att.com/solutions/Portfolio/cybersecurity/cybersecurity-resources/page=addl-info/?gc=cybersecurity-report/v6/index.html#resource>.

[iv] Delta Airlines. Delta Airlines. 3 Feb 2017. 10 Nov 2017. <http://news.delta.com/delta-selects deborah-wheeler-ciso>.

[v] Sen. Markey, Edward. Cyber AIR Act. 21 March 2017. 10 November 2017. <https://www.congress.gov/bill/115th-congress/senate-bill/679/text>.

 


6 thoughts on “Avoiding cancellation, in aviation”

  1. A cyber attack that infiltrates the control of an airplane while airborne is one of the most prominent risks that could result in the catastrophic loss of life. I agree that Delta is taking proactive steps to decrease their vulnerability to such attacks, where information systems are compartmentalized to prevent malware on an employee’s computer from migrating to the software controlling the autopilot. Regarding the question of how Delta should approach the security of its partners, I think it should take a similar approach to how it regards its responsibility to ensure the employees of partner companies do not have an intent to harm the airline or its passengers. That is, Delta should only work with partners that meet the security standard Delta and/or the FAA sets with third party audits. Initially, Delta may have to provide consultation support to its partners, but the infrastructure and maintenance of IT security should be the burden of the individual company. The airline industry as a whole should also share best practices with each other and establish standards for network and information security to continue to ensure the skies are safe.

  2. Really interesting article Mykola! It was interesting to read about the role of individual contributors and business partners in ensuring Delta’s IT security, as one weak link can be exploited to enter Delta’s system. Regarding the hacking of autopilot systems during a flight, I think Delta (and most importantly the aircraft manufacturers) should ensure that planes have a “manual” mode in which pilots can overhaul the electronic autopilot in case of malfunction.

  3. Mykola – very interesting article about an extremely important topic that does not get discussed enough. I have confidence that the federal government is doing everything that it can to protect critical infrastructure and national assets from cyber espionage, but I am not sure that private companies operating in sensitive industries like transportation are doing everything they can. I personally believe that there should be a public-private partnership that shares sensitive information about attempted cyberattacks. I know that many financial institutions have invested heavily in building out their cybersecurity capabilities and have partnered to share information. While it has not been a foolproof partnership, it has been successful in thwarting additional attacks. Hopefully the airline industry will adopt this type of collective defense mechanism before it is too late.

  4. This is such an important topic. I think your example of Delta speaks to a broader risk that digitization brings across industries. As physical objects (e.g., cars or planes) become connected and as services are rendered and tracked online (e.g., PayPal) we gain efficiency but we also open ourselves up to large-scale security risk of cyber attack. By connecting everything, we create an economy of scale for ourselves but also for someone who wants to disrupt and destroy. We have seen tragic incidents of terrorism with single cars, trucks or planes, but consider the destruction that could be wrought if these could be accessed at scale.

  5. I actually remember when this event occurred and had close friends working with Delta at the time. This cyber attack caused chaos for customers and employees, and these events will continue to be an issue. Every company has to continuously improve their security and require corporate partners to do the same.

  6. Mykola, great job! I enjoyed reading your article. It feels super relevant to our everyday life. I absolutely agree that Delta needs to be selective with partners and only work with those following strict IT security procedures. However, IT threats and the risk of hacking attacks are also coming from Delta’s customers. For instance, it’s becoming more and more popular among customers to check in to a flight using a mobile app. When people travel they often don’t have 4G on their phones and they use some unsecured public Wi-Fi to check in. As a result, customer personal data might leak through the Delta app. So Delta has a choice: either to educate customers and invest in the extra security of its app or to encourage customers to check in in person at the airport. In the former case, customer personal data might be compromised; but in the latter case, Delta will have to deal with big check-in queues at the airport that might delay flight departure.
