Cybersecurity in air cargo – are we prepared?

With the tech experts of our air cargo industry descending upon Brussels for the Air Cargo Tech Summit next month, CargoForwarder Global (CFG) reached out to Celine Hourcade, Managing Director of Change Horizon, for an Opinion Piece on Cybersecurity: a preview to her panel on the subject at the event. CFG wanted to know if the air cargo industry is adequately fortified to withstand cyber-attacks, or whether it is closing its eyes to cybersecurity risks and hoping for the best?
Here are Celine Hourcade’s insights.

Digitalization, automation, and overall modernization of the air cargo sector is underway. It has been for years but has accelerated the past five years. It is particularly visible with the success of start-ups around online booking, modern payment, automation, tracking. We also see more traction with unmanned aviation/drones’ solution for cargo, and happily read that brand-new cargo facilities open here and there with modern features, advanced robotics, innovative processes, and use of mixed realities. The next question linked to this massive acceleration in digitization is whether the companies also took the time to think through the cybersecurity implications.

Cyber risks are a serious business threat
There is no specific air cargo industry survey on cybersecurity, but more generic studies show that cyber risks are considered the 4th most severe business risk for the coming year (PwC CEO survey 2023), in the next two years (WEF Global Risks Report 2023), and in the medium term – i.e. five years (PwC CEO survey 2023).
So, cyber risks do keep CEOs awake at night, and there is no doubt that this also applies to aviation and logistics companies. At least for the critical infrastructures and services identified by governments, regulators around the world have started imposing cybersecurity measures. This is the case in the U.S. with TSA’s aviation cybersecurity requirements for airport and aircraft operators, for instance.

Is the air cargo industry prepared?
But outside of the regulated environment, it is still unclear how mature the air cargo companies are regarding their cybersecurity. It’s certainly a mixed bag: companies that have already been attacked in the past versus the ones that have not (yet); big corporates versus small and medium size businesses; front runners versus laggards.
Like digitalization 15 years ago, some companies have awoken earlier and started to identify their critical assets and processes, test the procedures with employees, put in place emergency plans and fallback scenarios. In my humble opinion, these companies are gaining a serious competitive advantage, building their business resilience, and probably saving money and protecting their reputation in the longer run. Did you know that ransom amounts have grown to seven-figure and eight-figure numbers? And we can also see the rise in class action lawsuits that follow a data breach resulting in millions or hundreds of millions in settlements. The cost of inaction or late action is potentially very high.

Where are the weak points?
Between January 2021 and October 2022, the EU Agency for Cybersecurity (ENISA) analyzed and mapped the cyber threats faced by the transport sector, including aviation, combining data from the EU Aviation Safety Agency (EASA). According to the data collected, prime threats for the aviation sector are data-related threats (45%), ransomware (36%), and malware (23%), motivated by financial gain. For the broader transportation sector, 23% of the attacks are linked to hacktivist groups, with the motivation of their attacks, mostly aiming at operational disruption, usually being linked to geopolitical conflicts, or guided by ideological motivation.
Recent examples show that cyber-attacks can affect any company in the chain: airlines, airports, forwarders, ground handlers, IT solution providers, air navigation systems, manufacturers. Cybercriminals are exploiting vulnerabilities to steal data (company’s data, employees’ records, customers’ data), paralyze systems, or take control of key asset and infrastructure.
There is no type of stakeholder more or less at risk than the other. The weakest link or easier targets will be companies with little to no cybersecurity “culture” and processes in place.

What’s the best prevention approach?
It is very important to understand that, whilst important, investments in cybersecurity technologies alone are not enough. Increasing resilience to cyberattacks also requires a solid risk management approach (including vulnerability assessments, tested business continuity plans and recovery scenarios) and a strong cybersecurity culture.
CEOs and Boards need to make cybersecurity a strategic priority, appoint a Chief Information Security Officer (CISO) who will work with the entire C-suite to embed the right behavior at every level of the organization. It is critical to engage all employees regularly with staff awareness campaigns, and adequate training to upgrade relevant IT and behavioral skills.

Cybersecurity goes beyond technology
The role of the CISO is to not only to identify risks and protect the company’s assets, systems, and infrastructure, but also prepare the organization to detect, respond to, and recover from cyber-attacks, minimizing the exposure of the business. The CISO is also the first cyber-safety auditor of the company performing vulnerability assessments and penetration tests.
Cybersecurity is not just about technology: it’s about people and processes and truly requires a mindset shift. That is why I am looking at cybersecurity in addition to sustainability or diversity & inclusion matters. These look like very different topics, but in reality, they are critical ingredients of the corporate transformational recipe to make air cargo smarter, more modern and sustainable.

Celine Hourcade, Managing Director of Change Horizon

We welcome and publish comments from all authenticated users.