Cyber Risk Landscape of the Global Aviation Industry, 2024
July 31, 2024 - 10:00PM
Business Wire (English)
Aggressive nation-state threats and supply chain cyber risk indicate major turbulence ahead
SecurityScorecard today released new cybersecurity research on
250 leading global aerospace & aviation companies, including
100 top commercial passenger airlines. In The Cyber Risk Landscape
of the Global Aviation Industry, 2024 report, security researchers
provide a detailed examination of cybersecurity vulnerabilities
across the airline industry and its various supply chains.
Novel insights into aviation cybersecurity
The report comes as regulatory bodies worldwide ramp up
cybersecurity requirements for the aviation sector. The U.S.
Transportation Security Administration introduced new mandates in
March 2023, and the E.U.'s Implementing Regulation 2023/203 will
take effect in 2026, setting a new standard for aviation
information security risk management.
The aviation industry has traditionally focused on physical
security threats, but recent revelations about risks in Boeing's
supply chain have spotlighted the critical need to measure and
mitigate supply chain risk. SecurityScorecard's latest research
aims to elevate the discourse on supply chain cyber risk in
particular, emphasizing the need and best practices for
comprehensive cybersecurity monitoring across the aviation
sector.
Key findings
- The aviation industry scores a "B" on cybersecurity: The
aviation industry scores a "B" on average. While this isn't a
failing grade, significant disparities exist. Organizations with a
B rating are 2.9x more likely to be victims of data breaches than
those with an A rating.
- Vulnerability of IT vendors and airlines: Notably,
aviation-specific software and IT vendors score the lowest, with a
mean score of 83, posing substantial third-party risks for their
airline customers. By the same token, customers can also pose
third-party risks for their vendors. For example, this research
yielded three recent examples of breaches at airlines exposing
information on their aerospace & aviation vendors.
- Impact of third-party breaches: 7% of companies in the
sample publicly reported breaches in the past year; 17% had
evidence of at least one compromised machine in the past year. In
addition, airlines had 4% more breaches than the industry benchmark
due to vulnerabilities in lower-scoring vendors raising their
third-party risks.
- Global disparities at the nexus of cyber and geopolitical
threats: Advanced economies like Western Europe and Australia
achieve better cybersecurity outcomes, with scores significantly
higher than emerging markets. Aggressive nation-state threats from
countries like China indicate major turbulence ahead.
- Ransomware is a top threat: Ransomware is the dominant
theme in public reporting of attacks on this industry. Ransomware
operators actively targeting the aviation industry have included
BlackCat, LockBit, BianLian, and Dunghill Leak.
- Correlation with performance: Top-performing airlines,
as ranked by industry and consumer standards, have above-average
security scores, indicating a link between operational excellence
in general and cybersecurity performance in particular.
Cybersecurity recommendations for the aviation industry
Based on this analysis, SecurityScorecard threat researchers
also offer actionable insights for enhancing cybersecurity in
aviation:
- Prioritize software & IT vendors: Focus on
mitigating risks from software and IT vendors, which pose the
highest third-party risks.
- Expand third-party risk management: Include customers
and other partners in third-party risk management programs to cover
the full spectrum of potential threats.
- Enhance protection of key data: Implement robust
defenses around aerospace intellectual property and passenger data,
which are high-value targets for cybercriminals and state-sponsored
actors.
- Avoid paying ransoms: Refrain from paying ransoms to
prevent further incentivizing attacks and comply with legal
restrictions.
Ryan Sherstobitoff, Senior Vice President of Threat Research
and Intelligence, said:
“The aviation industry operates on a complex web of
partnerships, but a company's security is only as strong as its
weakest link. Our research shows airlines are flying blind on
third-party risks. It's time for the industry to take control and
prioritize robust security measures across their entire ecosystem
before turbulence turns into a disaster.”
Methodology
SecurityScorecard compiled a sample of 250 organizations,
including 100 top-rated commercial passenger airlines; 50 top
manufacturers of aircraft and their components; 50 top providers of
aviation services; and 50 top providers of aviation-specific
software and IT products and services. This list came from industry
rankings and trade and consumer publications, based on a mix of
quantitative and performance metrics and strategic
significance.
Additional resources
- Download “The Cyber Risk Landscape of the Global Aviation
Industry, 2024”
- To learn more about SecurityScorecard threat intelligence,
visit our website.
About STRIKE
The STRIKE threat intelligence team combines unique threat
intelligence, incident response experience, and supply chain cyber
risk expertise. Backed by SecurityScorecard technology, STRIKE is a
strategic advisor to CISOs worldwide, empowering the entire digital
ecosystem to identify, measure, and resolve cyber risk.
About SecurityScorecard
Funded by world-class investors, including Evolution Equity
Partners, Silver Lake Partners, Sequoia Capital, GV, Riverwood
Capital, and others, SecurityScorecard is the global leader in
cybersecurity ratings, response, and resilience, with more than 12
million companies continuously rated.
Founded in 2014 by security and risk experts Dr. Aleksandr
Yampolskiy and Sam Kassoumeh, SecurityScorecard’s patented security
ratings technology is used by over 25,000 organizations for
enterprise risk management, third-party risk management, board
reporting, due diligence, cyber insurance underwriting, and
regulatory oversight.
SecurityScorecard makes the world safer by transforming how
companies understand, improve, and communicate cybersecurity risks
to their boards, employees, and vendors. SecurityScorecard achieved
the Federal Risk and Authorization Management Program (FedRAMP)
Ready designation, highlighting the company’s robust security
standards to protect customer information, and is listed as a free
cyber tool and service by the U.S. Cybersecurity &
Infrastructure Security Agency (CISA). Every organization has the
universal right to its trusted and transparent Instant
SecurityScorecard rating. For more information, visit
securityscorecard.com or connect with us on LinkedIn.
View source
version on businesswire.com: https://www.businesswire.com/news/home/20240731332066/en/
Allison Knight 10Fold securityscorecard@10fold.com