"Cybersecurity experts generally agree that it is not a
question of if a company will
be the victim of a data breach but rather when such a breach will occur," according to an airline
data security bulletin law firm Condon & Forsyth posted on its website in
the fall. The aviation industry has heeded the warning, as cybersecurity trade
membership organization Aviation Information Sharing and Analysis Center will
focus on growing its 28-member roster in 2017 and further develop the
intelligence information its members value.
Each goal aids the other. "The more members that we
have, the more cyberattacks in the aviation industry we have access to,"
said A-ISAC director Jeffrey Troy.
A-ISAC analysts spend their days scouring alerts from member
companies; data from threat-intelligence services; and publications, blogs and
other websites for aviation-related threats. "The threats that our
companies are worried about are more advanced threats, which are not going to
be as prevalent," Troy said, placing the average number the organization
addresses each day at tens or hundreds, rather than thousands. A-ISAC also
communicates constantly with governmental partners, including the Department of
Homeland Security's National Cybersecurity and Communications Integration
Center.
How does this impact managed travel programs? Corporations
share a lot of sensitive traveler data with suppliers, and they need to ensure
that their suppliers and their suppliers'
vendors have secure systems. Similarly, when data is compromised,
corporations want to feel confident that their suppliers are doing everything
in their power to minimize the damage. At stake are individuals' privacy,
identities, safety and credit scores, plus companies' confidential information
and the millions of dollars it could take to remedy the situation.
Companies have begun asking suppliers about their data
breach practices and action plans, some even in their RFPs. Others establish indemnification
clauses in their supplier contracts. In response, suppliers that are members
of A-ISAC can point to the organization's industrywide efforts to protect data.
Aviation-Specific Cybersecurity
Industry-specific ISACs began in 1999, after the federal
Presidential Decision Directive 63 required "critical infrastructure
sectors," such as finance and manufacturing, to establish such organizations.
It wasn't until 2012, however, that a working group commissioned by the
Aviation Sector Coordinating Council determined there was a need for an
aviation ISAC. "Because of the global piece, the aviation industry
[decided] that we, probably more than any other sector, needed to drive this
global collaboration so that we can reduce risk and exposure of an attack,"
Troy said.
The aviation industry is unique, he said, because it is
globally interconnected and segments of the industry are interdependent.
"Systems must all be secure and be functioning well so that no one member
of the whole ecosystem becomes unproductive due to an attack on one piece of
the system." A cyberattack that occurs elsewhere in the world can affect
the U.S. significantly, "as many of the systems that support U.S. systems
also support the aviation sectors on the whole planet," he said.
Airlines make up the majority of members, but participants also
include aircraft, engine, avionics and in-flight entertainment system manufacturers
and service providers like Airlines Reporting Corp.
"We're in discussion with some airports,"
Troy said. "That would be another important industry segment for us to
bring on board."
Sabre—which serves about 225 airlines and 700 other customers
like airports, cargo carriers, charter airlines, corporate fleets, governments
and tourism boards—joined A-ISAC in 2015, and the global distribution system
believes more companies from across the industry should join. "As cyber
threats continue to grow throughout the industry, information sharing also
grows in importance" because information sharing will "better position all
participants to improve our defenses," a Sabre spokesperson said.
What It Means to Be a Member
The $50,000 annual membership includes weekly summaries of incidents
and analytics, four workshops a year, an annual summit with industry experts that
includes an emergency simulation, access to an information-sharing platform
where members can report incidents, and other collaboration opportunities.
A-ISAC is looking for members that want to do more than consume
intelligence, though. "There's a lot more to be invested than just a fee,"
Troy said. "We're looking for the engagement of their analysts with ours
and participation in the workshops. … There's a process they need to go through
to see if they can make the commitment and if they have the capabilities to
contribute, as well as benefit from being in this partnership."
Unless a company agrees otherwise, the association keeps its
membership anonymous to prevent companies from becoming data breach targets.
The organization also allows companies to report attacks anonymously. However, it
pushes for those reporting attacks to identify themselves, as it helps analysts
evaluate events and understand the attackers, especially as others report
similar attacks.
Troy offered loyalty program breaches as an example.
"If you're an attacker, you don't care if you steal the loyalty program
points from airline A or B. You just want the airline ticket or you want to
convert the points into cash." He added, "It's likely someone else or
many others in the industry are being attacked for the same information."
That's where an organized community of members
comes into play. "The whole purpose of the association is basically to
recognize that it's more often that the industry is attacked than one member of
the industry," Troy said.