Welcome to Reed Smith's viewpoints — timely commentary from our lawyers on topics relevant to your business and wider industry. Browse to see the latest news and subscribe to receive updates on topics that matter to you, directly to your mailbox.

How did the CrowdStrike outage affect airlines?

Authored by Christopher Jackson, Julia Norsetter and Selina Cook.

The CrowdStrike IT outage that occurred on Friday 19 July resulted in 36,000 flights being delayed, and by Monday 22 July around 10,000 flights had been cancelled worldwide. As we now know, the outage was caused when a cybersecurity company, CrowdStrike, released a software update to Windows hosts running sensor version 7.11 and above. This triggered a software outage worldwide, affecting 8.5 million computers. Entities affected by the outage are still addressing the aftermath. Some affected airlines are reportedly seeking legal action to recover compensation for the losses caused.

When flights are impacted, the first question airlines assess is safety. Luckily, safety was never compromised, and aircraft systems and air traffic control were unaffected. However, as Microsoft identified, “this incident demonstrates the interconnected nature of our broad ecosystem.” As a result, airlines may need to consider enhancing their cyber resilience, which may include modifications to the software upgrade process, and likely a consequential increase in technology spending.

Cyber resilience can be described as “the ability to continue delivering intended outcomes despite experiencing challenging cyber events, such as cyberattacks, natural disasters or economic slumps.” All entities in the infrastructure and transportation space are encouraged to, and already do, take proactive steps towards cyber resilience. Nevertheless, the recent outage has taught us that work remains to be done. Without ongoing investment and enhancements to cyber resilience, organizations will become more susceptible to software crashes and cyberattacks, increasing the likelihood of suffering reputational, financial, operational, and safety-related consequences.

There are several options for airlines to consider when enhancing cyber resilience. For example, to reduce the likelihood of a software crash, one entity in server operating systems has proposed that companies should disallow new software from having an automatic and direct path from the vendor to the working environment. Instead, new versions of an operating system should first be installed in what is called a “sandbox”, a system that is not used for anything but testing new updates. Alternatively, airlines could implement an upgrade strategy whereby updates are deployed to one percent of the business.

Suggestions like those above may be one path forward, but cyber resilience is an increasingly complex field, especially in the aviation sector. In the future, airlines should redouble their efforts to ensure the robustness of the systems they have in place to protect against technology failures and to mitigate the impact of any such failures. They should also be ready to test scenarios that they previously considered beyond their control. At Reed Smith, we can assist airlines in enhancing their cyber resilience, whilst at the same time complying with the raft of cybersecurity legislation that affects essential service providers in the transportation sector, such as the Network & Information Systems Directive (NIS2) and the Critical Enterprise Resilience Directives (CER). Our Emerging Technology team can help airlines increase resilience by (i) helping them navigate the myriad of cybersecurity law requirements, (ii) devising compliance programmes that meet minimum legal requirements, (iii) undertaking a full review and refresh of cyber policies, (iv) providing training programmes on how to deal with cyber-attacks, and (v) providing 24/7 emergency response services on any cyber-related incidents.

Special thanks to Reed Smith trainee Selina Cook, who assisted with the compilation of this article. 

Tags

transportation, aviation, cybersecurity