Code Red: Planning for the Cyberattack Aftermath
This is an era of rapid change and technological advancement, and although it is challenging, responsible organizations seek to manage and mitigate cyber risks. Insecure systems and uncertain people, added to inadequate contingency plans, create a perfect business continuity storm in the aftermath of a cyberattack.
This discussion explores organizational impacts on people, perception of the brand and, most importantly, the impact on aviation’s ability to conduct operations safely.
Technology Failures
Technology failures pose a significant risk to the infrastructure and safety of the aviation industry. Organizational workforces have become overly reliant on technological tools and often have insufficient contingencies in place for when the technology we depend on fails.
In 2023, the FAA NOTAM delivery system experienced an outage caused by a damaged database file. This led the Department of Transportation to mandate a nationwide ground stop on domestic flight departures, resulting in thousands of delayed or canceled flights.
In early 2024, the aviation industry encountered another significant disruption from a glitch in CrowdStrike software. That event prompted major airlines and large charter and fractional operators to implement ground stops attributed to communication issues. Fiscal losses exceeded USD 500 million, and thousands of employees experienced significant anxiety while untrackable aircraft moved through the airspace.
Although CrowdStrike released an official statement advising that the failure was not a cyberattack, the effects were similar, and irrevocable fiscal and psychological damage resulted.
Cyberattacks
IBM defines cyberattacks as “any intentional effort to steal, expose, alter, disable, or destroy data, applications, or other assets through unauthorized access to a network, computer system or digital device.” As time progresses and the sophistication of bad actors increases, exploiting reputation and brand has become a high priority among their intentions. Criminals force organizations to pay exorbitant ransoms for their own data, to stop or change business practices, or to renounce political or societal positions.
Cyberattacks can last weeks or months, and some can deny access to networks indefinitely. Attacks can crash company servers, and unwitting employees can grant unauthorized access to the highly confidential and personal data of passengers and clients. Imagine the trip itinerary of a Fortune 50 company in the hands of a bad actor. Imagine being the employee who made it happen.
Planning for the Aftermath
Recovery from a technological failure or cyberattack, just in the sense of equipment and systems, can take days or weeks, depending on the depth of the attack. The negative impact on people and brand perception can last years. The good news is that we can begin implementing and assessing the effectiveness of the response and recovery strategy without delay.
First, we can think of cyberattacks just as we think of aviation safety management. Prevention is always the primary focus, with responsible planning (e.g., a cybersecurity emergency response plan) and practice (e.g., tabletop exercises and drills) tightly integrated.
The following guidelines may assist you in practicing for the aftermath of a technology failure or cyberattack.
1. Mitigate the negative impact of a cyberattack.
Cyber insurance is one asset that safeguards the organization against cyberattack losses. Get to know the resources and processes your insurer has in place, and practice with them. Like any emergency resource, learn it before you need it!
2. Practice with realistic scenarios.
- PII Data Breaches (e.g., incidents involving theft of Personally Identifiable Information with dangerous intent). Run scenarios that pose significant impact with layered effects. For instance, bad actors steal personal information on the dark web and then use it to exploit the individual or company.
- Cyberattacks on data held by vendors. Conduct a data security audit on all your aircraft and business office vendors to see where your data goes, the safeguards your vendors use (or not), who else can access the data and what vendors your vendors use.
- Cyberattacks resulting in denial of service. Practice pen and paper management of your core business responsibilities. You may need a team that can move quickly and effectively to safeguard your assets and people.
- AI attacks. This burgeoning attack vector may be the most frightening, and it is used for very compelling kidnapping, extortion and theft attempts.
Unlike aviation accidents, which are fortunately rare events, cyberattacks are not, and time is the only determinant of their arrival. In fact, intruders may be in your systems now, and it is quite likely your PII is already on the dark web. Just as in aviation safety, the SM4 pillars of Prevention, Planning, Response and Recovery are your most significant safeguards.
Fireside Partners, Inc., is a fully integrated emergency services provider designed to provide all services and resources required to respond effectively and compassionately in a crisis situation. Dedicated to building world-class emergency response programs (ERP), Fireside instills confidence, resiliency and readiness for high-net worth and high-visibility individuals and businesses. Fireside provides a broad array of services focused on prevention and on-site support to help customers protect their most important assets: their people and their good name.
http://www.firesideteam.com/
© 2025 Fireside Partners Inc. All Rights Reserved.