Daily, and frequently across international borders, airlines collect and communicate significant amounts of personal data, obtain, and transfer considerable amounts of currency, and transport substantial volumes of passengers and goods. Many airlines are also highly symbolic of their countries of origin, and the industry is often a focal point for high-profile international issues. These factors, although positive in many facets, make airlines appealing targets to an array of threat actors requiring airlines to safely navigate the evolving threats to their people, data, systems, finances, as well as other assets.
Historically, aviation security has revolved around the prevention and response to physical violence onboard the aircraft or in an airport. With the increasing digitalization of the industry, airlines face a growing threat from cyber-attacks against their operations and not just to their Information Technology (IT) systems and infrastructure. Modern threat actors are advancing their capabilities to conduct digital attacks against Operational Technology (OT), Internet of Things (IoT) devices, and physical infrastructure. These digital attacks, rapidly propagate disinformation or incite people to physical violence and other unlawful activity.
Despite the increasing capability of criminals and extremists to integrate physical and digital tactics in their attacks, airlines often view digital and physical security risks as distinct from each other and therefore maintain aviation, corporate and cyber security functions in discrete organizational silos. This not only limits an airline’s ability to effectively mitigate security risks to their core business, but it can also lead to excess costs and adverse impacts on their operations and customer experience.
This siloed approach may be partly explained by the fact that countering physical and digital attacks at the operational level generally requires discrete technical controls implemented by specialized experts and teams, many of whom come from distinct professional backgrounds. Nonetheless, it is critical for airline leadership to look beyond the tactical aspects of security management that occur at the operational level to the strategic aspects of security management that occur instead of at the organizational level, even at the industry level. And the most effective way to do this is through the implementation of an enterprise-wide Security Management System SeMS.
A robust SeMS provides the overall governance, risk, resilience, and continuous improvement protocols that can be scaled to align many different operational security controls, both digital and physical, – in the protection of an airline’s staff, customers, aircraft, data, assets, and systems. It ensures the ongoing collaboration of all disciplines involved in the mitigation of both physical and digital security threats by establishing common performance objectives based on key business objectives, organizational values, actionable intelligence, and the accurate assessment of risk. This not only enhances an airline’s overall security posture, but also increases efficiency and cost-effectiveness, and ultimately customer value.
Jeff Viens
Director of Security
