Narrator
Welcome to the Velocity Podcast by management consulting firm Oliver Wyman. Join Randy Starr, Jim Cummings, and Admiral Pat Walsh for this episode where they discuss cyber trends and threats facing the aviation industry.
Randy Starr
Good morning from MRO Americas conference in Dallas. This is Randy Starr from Oliver Wyman. I'm the managing partner for the firm's aerospace and defense practice in the Americas. I'm at the conference this week. It's been well attended so far by the commercial and military communities. The agenda in particular has been highlighted by a range of insightful views from a wide range of speakers and panelists from both industry and the military communities. One of the key topics covered this week is aviation cybersecurity. And joining me today to share their views on the topic are two of my colleagues, both Oliver Wyman senior advisors. First is Pat Walsh, former US Navy Admiral and fighter pilot, who served as the 59th Commander of the Pacific Fleet. He's also an experienced Fortune 50 business executive and community leader with an established record of leadership in the public and private sectors. And most recently, Pat achieved expertise in transformational growth and operational execution as a senior executive within Boeing's global services business. And then also joining me is my colleague Jim Cummings, former US Homeland Defense Policy Advisor to the US Air Force and also the DOD on cybersecurity issues. Jim has an extensive corporate and government cybersecurity background, and he previously served as the Chief Security Officer for JPMorgan Chase & Company worldwide. So, Jim and Pat, welcome and thanks for joining me today.
Jim Cummings
Great to be here.
Pat Walsh
Thanks, Randy.
Randy
As it relates to this week's conference, I think we all agree that with the growing security threats worldwide, particularly from near peer adversaries, that cybersecurity has become a much more prominent national security challenge for the US and its allies. And while this impacts all aspects of the economy, it has increasingly important implications for the commercial and military aviation communities, given the dependency of those ecosystems on our aviation infrastructure, digital assets, even on the military side. And now with all the emphasis on network interoperability among weapons platforms. With that in mind, and maybe Jim, if I can ask you, what do you consider as some of the primary cyber threats that both of those aviation communities face today and what are some of the key trends to watch for?
Jim
Thank you, Randy, for the question. And again, I appreciate the opportunity to be here with you today. I'm frequently asked by many different audiences and different industries about the cyber threat, and people that have cybersecurity backgrounds often talk about the sky is falling and all the threats in the world are coming upon people. What I think is important for each industry is to truly understand what the risk is associated with those threats that they're facing, risk to their businesses. And so there are three primary risks that I see, specific to the aviation industry, that businesses need to understand with respect to the threats that are causing those risks. The first area is risk to disruption of operations. We've seen a steady increase in ransomware attacks throughout all industries. So far this year alone, the number of ransomware attacks has grown 144%. We also saw in the last quarter of last year a significant increase in distributed denial-of-service attacks, which were up 175% in just one quarter. Those are just two examples of threats that are causing potentially disruption of operations. And to give you a few examples associated with that, earlier this month, the Russian equivalent to the FAA had an attack on their network. They lost in total 65 terabytes of data and it forced their operations to pencil and paper, which is something to be obviously concerned about with that type of an attack. Equally of interest is a Swiss aviation company called Swissport. They had a ransomware attack against their operations, which caused severe degradation in their servicing at 280-plus airports around the globe, 45 different countries. So that's just one example of the risk that potentially could be caused by that type of an attack. Of course, the other two risks, data breach risk.
This community itself, the MRO community, experienced it a little less than a year ago with a breach that happened at VT San Antonio Aerospace, where not too much is known, or at least publicly, but clearly the potential for the MRO to be subject to such an attack was displayed there. And then finally the supply chain and third-party risk is an area that can be affected by attacks and there are plenty of examples of that we've seen as of late. SolarWinds was an earth-moving event for many in all different industries. One example that is outside the aviation industry but is certainly applicable to the effect that it can have, is the Target breach in 2013. There's a small little company, an HVAC company in Pennsylvania. It was subject to a phishing attack and that small company had a portal invoicing into Target, to support that client, to support their Target client. And through that portal was the threat vector. The threat actors got into the portal, used the credentials, got in through the portal, moved laterally within the Target network. And over a month and a half, they were able to exploit 41 million customer records at the cost to Target of over $200 million. So a significant vector of attack through third party, through supply chain, is obvious through that type of attack.
Pat
So, Jim, if I could follow up, I like the way you've characterized this in terms of risk. There was a point in time, it seems like not too long ago, where we would be guilty of failing to imagine. And by characterizing it the way you have, what you've done is you've elevated the conversation at the corporate level in terms of the questions that leaders and board members ought to be asking when it comes to the particular industry that they're involved in. As I think about aviation in particular, the different scenarios that you described, whether it's an interruption to the supply chain, or it's an actual attempt to cease operations or impact operations, all have significant economic impact. And in the world that we're in today, it just seems logical that the most recent Five Eyes advisory that came out is now making everyone aware. Number one, their motto is shields up and what's behind that is an emphasis across five countries and government agencies that are working together inside all of those countries, to be able to deliver a message that says, "If you need to patch your system, go ahead. Even if you have to take it down, but get it up to date." And then number two, two-factor authentication. And then three, just to be proactively hunting and looking for problems rather than waiting passively for some alert to come. How do you see it?
Jim
No, I see it the same exact way. In fact, one of the things I've been most impressed at over the years is what we're seeing today is the level of collaboration that's going on. Not only between the government departments' agencies, but also amongst peers. No longer is it looked at as proprietary information from a security perspective, but it's more of, you know, how do we get through this together? How do we fight through it? As we talked about when we were in the military, how do you fight through an incident? And I'll tell you, as you know, the adversaries out there, ranging from nation state all the way to cyber criminals, are getting more and more sophisticated. Fighting this all alone is not an option in this environment today.
Pat
So, who better positioned than the aviation industry to understand exactly what you said? So there are parallels, they're not perfect, but there are parallels to the discussion of safety and what commercial and military aviation has learned over generations versus the security problem that we have today. You don't have to go back very far in aviation history to see that we did not always have a very good safety record and that's on the commercial side as well as the military side. But what made the difference was a concerted effort to recognize, to improve the health of the overall system. We had to understand in today's context, what Blue did. In other words, the Blue side, the good guys, had to be able to come forward and say, "I made a mistake, and I made a mistake and I'm sharing what I learned from that mistake with the entire ecosystem, so that everybody benefits from learning the lessons that I learned so that you don't have to go through what I went through." So that could be material failure in the case of aviation, it could be dealing with hazardous weather, it could be dealing with pilot currency and proficiency. And I do see where insights, particularly in the area of cyber and aviation cyber, we could learn from the mistakes of others. Now there are significant liability issues that have to be recognized, and we don't live in a Pollyanna kind of world, but if we could get to a tear sheet understanding where, hey, this is what the ISAC community needs to be able to see and understand, get that message out quickly. And then we'll let lawyers and law enforcement authorities deal with investigations and what goes from that. Then at least we have a real time understanding of how we stay current and proficient, which to me is the real issue at the crux.
Jim
Yeah, absolutely. And you know, just to build on that, I think there's three areas that I see within the aviation world that as you say, that really can galvanize the processes and procedures that have been put in place from a safety perspective, from a collaboration perspective and from a QA perspective, right? Clearly apply to this cyber environment too. And the more and more organizations utilize the existing process and procedures, where appropriate, and bring in cybersecurity folks, as opposed to putting them over in the corner, bring them into those processes and make them part of the culture of the organization. And I think the more and more, they're secure and it follows, like you said, the long, true process of learning, getting better and as an organization, as a whole.
Pat
I think one other challenge that the cyber community has had is that the language, that taxonomy that goes with cyber is highly laden with technical terms. And because of that, the general population or corporate leaders don't feel like they're stakeholders. Well, you highlighted SolarWinds, I'll highlight Colonial Pipeline. And I think the ransomware was $5 million. Well, they could have taken a lot more than that. And I think the reason why is in today's environment, that's sort of a precursor ops. That's like recognizing how the population's going to react when we have a shutdown to a pipeline. So that pipeline, although adjacent to the aviation industry is an example of the supply chain vulnerabilities that you talked about and how it can reach out in an almost ubiquitous environment and touch everybody instead of just simply aviation.
Jim
No, I agree, certainly in the, on all those points, but specifically on the earlier point that you made. I think one of the challenges, as I alluded to a little bit with cybersecurity professionals, is that they're challenged to translate that to senior people in the organization and really make it a business conversation as opposed to the very technical nature of what they do and how to elevate that into business risk as I mentioned in the very outset. That's truly one of the challenges. And if you're an organization out there that you don't have security professionals, trying to translate it into a business type of conversation, then you need to find those folks that can do that for you.
Pat
One of the challenges I think that companies have is that oftentimes security rolls up inside CIO and budget apportionment and resourcing is competitive against other IT infrastructure. One way organizations deal with that is they move cybersecurity out and it goes up under general counsel because it serves the point that you introduced with, which is, hey, this is risk for the enterprise. And therefore, decisions associated with resourcing and funding this need to be done at the enterprise level rather than inside a sub level competing against IT infrastructure.
Jim
I saw that firsthand when I was at JPMorgan Chase. I had the responsibility of cybersecurity, and I partnered with the CIO. So it was a joint responsibility, but I reported directly up to the Chief Operating Officer. I've seen different architectures, like you mentioned, whether it be the CIO or with the general counsel, or I've also seen it reporting up to the Chief Risk Officer. So, you know, different constructs based upon the culture of the organization I've worked, but I've always been more of an advocate of kind of pulling it, as you say, pulling it out of technology a bit because I refer to, you know, my Texas days as the fox guarding the henhouse mentality, where if you're part of IT and you're a cyber guy inside of IT, sometimes the business drive will, you know, overshadow perhaps some security concerns to a degree. So I've always been an advocate of having that separated.
Randy
Jim and Pat, those are great insights, really interesting conversation. I want to maybe shift for a moment, raising the conversation a level up. Just thinking about the aviation industry's position as a key critical infrastructure sector within the context of how we as a country and the Department of Homeland Security oversee our critical infrastructure, risks and resiliency. We know that the US has taken some steps, both in the commercial aviation world and in the military to combat cyber threats. Some examples of those are on the military side, the US Air Force's Cyber Squadron initiative, which I mentioned a few minutes ago, but also the FAA has been collaborating very closely with the Department of Homeland Security and the Department of Defense with its Aviation Cyber Initiative that involves, you know, cross-sector collaboration and collaboration with industry as well. What are your thoughts on how effective you think these programs will be in addressing some of the risks that you've mentioned?
Jim
Well, I think there's been a long history of the defense industrial base and cleared contractor support specifically in military aviation and DoD as far as providing classified information and having that special relationship such that they can see over the horizon perhaps, better than they could otherwise on their own. Before the FS-ISACs or the Aviation ISACs or the Critical Infrastructure ISACs were established, I think the DIB in that relationship with cleared contractors was almost the guiding light, if you will, of the creation of information sharing for the rest of the government. I think there are shining examples of how that has been a success. You know, the collaboration to this day continues to be an important function for the defense base and within the aviation ISACs, clearly sharing information has been a huge increase in capability for those organizations that are partaking in that.
Pat
Clearly malware doesn't respect organizational boundaries. So it can go anywhere, it's ubiquitous. And I think the sooner that we have organizational relationships that respect the threat environment that we're in, the better, the more effective that we'll be. It starts with authorities, but we have the Department of Defense and we have the Department of Homeland Security. And then if you were to trace just who touches cyber on The Hill, you'll see kind of a bird's nest of all kinds of different relationships, some that overlap, and then some that are left out. I don't think malware respects any of that. I think malware's going to go where there's vulnerability. The key to being effective in this environment is to be able to be seamless and to be proactive, to be able to hunt, because at the end of the day, this is something that affects not only government, but it's also the private sector. So we're in an environment where we are equally touched here between public and private, and therefore we need creative solutions on the relationship side between public and private, where we can take full advantage of how to leverage capabilities in ways that can be solution oriented. I think the issues are not necessarily technical on the private sector side, but proprietary. So finding the right sort of formula to thread that needle for the benefit of the American people, to me, is the challenge.
Randy
Those are great comments, and thank you. One of the other challenges I see, which perhaps is not something that we have considered very much in the past is, because when we think about cyber threats, we think about IT infrastructure, information systems, but in the aviation world, there's a lot of exposure and vulnerability related to the technology that's on the aircraft, right? The avionics, the communication systems and whatnot. And I think traditionally, the supply base hasn't been prepared to deal with these emerging threats in a way that might affect how their technology gets designed and engineered and implemented. Comments on that, on how we need to shift our focus to perhaps upstream in the supply chain so that we're not dealing with this as an after effect, but perhaps something that we need to consider from a resilience standpoint, much earlier on in the technology development process?
Jim
I've got, it's kind of a very broad response to that. And I would say, when the Biden administration identified, for instance, the new and the first National Cyber Director, Chris Inglis, former Brigadier General for the National Guard, former Deputy Director of the National Security Agency, understanding both the offensive side and the defensive side of this environment called cyber. And also interestingly enough, former board member of FedEx within this aviation environment. By identifying someone in that background, in that position for the government, I think is beneficial for all. And I think we're starting to see movement in a very different way than we have perhaps in the past. Equally, I think important is for instance, the nomination and position of Jen Easterly, who's a former army officer who is in charge of the Cybersecurity and Infrastructure Agency. Her efforts, as well as Chris Inglis' efforts, have really been laser focused since the Colonial Pipeline effort to really drive the 16 identified critical infrastructure entities into more of a collaboration and information sharing environment than perhaps we've been in before, really driving the sharing of that information and the criticality of it. I think equally, you're starting to see each one of the regulators in these critical infrastructures become more and more driven from a volunteer status of cybersecurity type of reviews, to more of a mandated requirement from a cybersecurity perspective. So I think you're going to see more and more mandates come down specifically in the aviation world to drive the suppliers as well as the primary producers in this environment to be more cyber secure.
Pat
The leaders that Jim identified are right out of central casting. And they're perfect for the position regardless of what administration is in control. They have resumes and credentials that will transcend one administration to the next, they are that good. In terms of the components and tier two, tier three suppliers, I think rightfully that's where the spotlight needs to go in terms of baking into the architecture, cybersecurity of those respective components. Jim points out, this is where the regulators are going. This is where we're seeing adherence requirements to CMMC and other sorts of initiatives that the government is rapidly trying to implement and to move forward on so that we can get to an environment that generates confidence among the consumers. We're not there yet.
Randy
Yeah. I think those comments, if I may, just in response, I think amplify the importance of cross-sector initiatives, you know, suppliers collaborating, government, private sector collaboration, really to address some of those challenges. Because I think these are unprecedented, right? And we're thinking about these things for the first time and it's going to take a different approach.
Jim
Yeah. And just to add, you know, to the threat, you think about the offensive guys that are trying to do nefarious things to your network. They're going to go to the path of least resistance. They're going to use the tools of normal tradecraft in this environment, as opposed to using high end if they have to. To go after large companies that have spent a significant amount of money towards their infrastructure to be able to secure it is perhaps not the easiest door to open for them. They're going to look at third party vendors perhaps to swim upstream if they can. Clearly, this is an opportunity for them and by not doubling down on your third party and understanding who connects to your network, who doesn't connect to your network or how they connect to your network is an important function.
Pat
Just a footnote to underscore that point. So remember malware development is a business and as soon as that malware is out, the whole playbook is out and everybody can see it. So if you used your highly researched malware to get very little return, then that's not a good business model. It's good to understand that from the defense perspective, because what that'll do is it'll help get the right mindset to look for where the vulnerabilities are that are the easiest to come in.
Randy
Thank you for that Pat and Jim. One other thought that comes to mind, perhaps it's a question, is I think about where the aviation sector is just overall in addressing some of the concerns that you've mentioned, that there has to be other industries out there that are at the forefront of establishing standards and thinking more innovatively about dealing with cyber resiliency. Your thoughts on that, Jim, as it relates to where the aviation industry can turn to learn and gain insights from other sectors?
Jim
Yeah, I think, you know, certainly many sectors have undergone this digital transformation to some extent, certainly the financial sector has progressed significantly on the digital transformation piece. And I observed that when I was at JPMorgan Chase. And one of the things that we really focused on as part of that was, you know, your IT team is part of the overall team. They're not folks that are getting in your way, you're integrating your cybersecurity folks into the development and process of your digital transformation, such that you're baking that security into the process, baking it into your applications. So you're becoming that much more secure. I think that's one of the areas, certainly from other industries, that you can gain some insight on. The other thing in the financial sector, which is kind of interesting, is the three lines of defense, is what they call it. It was a very focused, independent review by three different levels of your organization to ensure that from a policy perspective, things are being applied appropriately. From a risk perspective, it's taken a look at in that lens. As I mentioned earlier, you're not just looking at it from a technology perspective, and then from an operations perspective. So in the financial sector, you have three different specific lines of defense that look at various things, and cybersecurity is one of the areas that they focus on, those three lines of defense. So I think that's also an important, you know, something to look at cross-sector.
Pat
Just a broad point. With this challenge comes opportunity, and the opportunity I think is for building coalitions that are really focused on defense and you can take that from not just public, private domestically, but also internationally. So the Five Eyes is a good example and there's others. I think that would be very beneficial because you've got this opportunity where we have a shared problem, and we need a creative solution among those who are affected.
Randy
Very good. Thank you for those thoughts. I'd like to maybe ask one last question, just to wrap up our conversation. You have to imagine that the government's going to continue to think about its impact or its influence on the aviation sector overall. Do you anticipate any changes in regulations or in the way the government is engaging the private sector today, you know, as we think about public private partnerships and different collaboration models? What sort of actions would you anticipate coming out of the government?
Jim
Just recently, Congress passed the Incident Response Bill that requires the critical infrastructure to make incident reporting as well as ransomware reporting over a set period of time. That will likely probably be fully implemented I think by the end of 2024. But you know what, I think that's one example of trying to share the level of events that are happening across sectors, specifically critical infrastructure sectors, so that we can share a little bit better and learn a little bit more. I think that's just one example. Clearly in different industries, as we mentioned earlier, the aviation industry regulatory interest in voluntary compliance is on the way out. And I think you're going to get more mandated requirements from a regulatory perspective in this environment.
Pat
I think there's probably a question or two that's still out there that, from the eyes of the defender's perspective, which is the role of law enforcement and then how much liability. So if you're up against a nation state actor and your company's targeted, think Sony, how much liability is there? Because, you know, what's driving a lot of the mandated reporting requirements is that companies are very vulnerable. There are lawsuits that typically follow with the spillage of data. And then there's all kinds of liability issues that have to be resolved. I think at some point there's going to have to be a clear understanding of what role and what relationship we have between US government, US consumer, US defender, because in the absence of that, that's where you get a lot of questions about hacking back because there still is no deterrence environment, one that's respected by the malware guys that are agents that are out there. So, in the absence of that, it's the Wild West. And I think the sooner that we can tighten up this relationship between consumer and government, the better.
Randy
Well, thank you both for your comments and insights today. This has been a great conversation. This is a paramount issue for, you know, facing both the commercial and public sectors. I know that our listeners will appreciate your thoughts and hopefully they'll take it back to their own internal initiatives on how to address this challenge down the road. So, thank you for sharing your ideas.
Pat
Thank you.
Narrator
You've been listening to the Velocity Podcast by Oliver Wyman. You can find more podcasts in this series at oliverwyman.com. Thank you for listening.
This transcript has been edited for clarity.