Cyber Threats to the Aviation Industry

Why Cyber Criminals are Targeting the Aviation Industry 

While all the attention is on preventing attacks on planes and at the airport, the biggest danger may come through computer systems.  

Cyber-attacks represent one of the most serious threats to the aviation industry. At the very least they can exact millions of pounds in damages, but at worst they could be devastating and allow terrorists to achieve their goals without having to set foot on a single flight. What’s more, the last few years have seen an explosion in the number of attacks.

Many of these attacks are fairly low key. In 2018 electronic flight information screens at Bristol Airport had to be taken offline in response to what the airport described as a ransomware style attack. Bristol replaced the screens with whiteboard information and deployed extra staff to cover the gap. While flights were unaffected in the end, the airport did advise passengers to arrive earlier than normal for their flights to cover for any delays.

The ransomware attack attempts to deny service to an operator by taking IT systems down. The criminal will only restore the systems once a ransom has been paid. Bristol Airport on the other hand, opted against paying the attackers and instead built their system from the ground up.

This was just one attack but is symptomatic of what the aviation industry is up against. The sector faces a barrage of attacks every day and is one of the favourite targets of cyber criminals. For example, Israeli airports are said to be fending off three million cyber-attacks daily. They are drawn to it because a combination of digital transformation, connectivity, segmentation and complexity, make the aviation industry both highly reliant on IT and vulnerable to attack. What’s more both the authorities and aviation companies have been slow to act.

The Digital Revolution

More than most sectors, aviation has embraced digital transformation. The future will be one which is increasingly digital, hi tech and connected. Everywhere you look, airports are turning to connected technologies such as the internet of things (IoT), AI, cloud computing and many others.

SITA’s Air Transport Trends for 2017 report found that more than half of all those airports surveyed were planning significant investment in AI over the next few years. Among the technologies being investigated are self-check-ins which use facial recognition data as is being used by Air Asia.

Hong King International Airport, for example, aims to take facial recognition data and allow passengers to use it as a single token for their entire journey. Cameras would scan the face as they arrive and this would allow them to move more quickly through the terminal and onto their flight.

Other airports are tracking the movement of passengers through terminals to help them reduce overcrowding. These can provide details of crowd movements, highlighting potential areas of bottlenecks and allowing the airport to make adjustments to infrastructure and to allocate staff as and when needed to reduce delays.

Heathrow, meanwhile, is using smart boarding cards which are embedded with all the information about a passengers flight and boarding gate. It can track them as they pass through the terminal and spot when they are in danger of being late. Using big screens, they can issue instructions to hurry up and not to dawdle at the duty-free shops. If a passenger arrives at airport security too late, they can be sent back to the check in. The Airport hopes this could reduce the 50,000 hours of delays which it says are caused by late passengers.

Meanwhile, airport IT systems are becoming increasingly connected and take information from many different sources into a central dashboard. This is a future in which airports are smart and connected, bringing together diverse technologies through the internet of things (IoT) to streamline operations, communications, improve collaboration between departments and increase data visibility.

For example, by using tags and sensors an airport can quickly locate infrastructure and equipment, they can monitor the progress and location of baggage and they can track the real time location of aircraft and vehicles.

Initiatives such as the Single European Sky promise to connect different territories. It aims to reform air traffic management to reduce fragmentation, cope with sustained capacity growth, and enable the sharing of information between different governments. This will increase efficiency and improve environmental and financial performance.

These technologies will be crucial if the aviation industry is to successfully meet the various challenges confronting it over the next few decades. Statistics suggest the number of passengers could double over the next 20 years. IATA’s latest long-term passenger forecast, suggests there could be more than 8.2bn passengers by 2037 with numbers growing at an annual rate of 3.5%.

Airports will find themselves operating at, or close to, operational capacity for longer. Expansion is expensive and can take a long time, which means airports will have to find a way of making existing infrastructure go much further. To do that they will need digital technologies.

Types of Cyber Attacks

These connected technologies, however, make the industry much more susceptible to cyber-attacks. Airports are increasingly reliant on technology and the global aviation network is more connected than it has ever been before. A cyber-attack, therefore, could be enormously damaging as SITA has warned.

“A cyber-attack has the potential to wreak large-scale havoc on major transport hubs worldwide and lead to huge numbers of delays, flight cancellations and heightened security alerts,” says Michael Schellenberg, Director of Integration and Services at SITA.

Such an attack could have an enormous impact not just on aviation sector but also on the wider economy. Problems with air security tend to impact the public consciousness more profoundly than other sectors. A loss of trust or passenger confidence could have a major impact on the industry.

The real nightmare scenario comes if terrorists manage to hack into air traffic control instantly putting thousands of lives in the air and on the ground at risk. On a more mundane note, though, criminals are targeting the network for extortion. One of the most common approaches has been distributed denial of service (DDOS) attacks or ransomware which attempt to lock operators out of their systems.

Aviation is incredibly time sensitive. Even a relatively small outage can have knock on effects throughout the system. In many cases it may not be a particularly widespread attack. It can often focus on one single function, such as the processing of payment information. If this data is slowed, or a number of transactions fail, delays will mount up and passengers will become frustrated.

The hope, with all these attacks, is that the airport will decide that their cheapest option is to simply pay the ransom, and they are often correct. Ransomware has become a multibillion-dollar industry. In 2017 the number of ransomware payments topped the $2bn mark. Operators have become extremely professional in their outlook. They often present themselves as the solution rather than the perpetrators offering targets a link or a phone number which puts them through to a call centre.

It’s a cheap and easy attack to put into effect. A common approach is to use a phishing email containing an infected link. All it needs is one person to make the mistake of clicking on it and an entire network can be compromised creating havoc. Attacks come from many different areas from criminals trying to extort money to activists and terrorists aiming to either compromise the system or endanger life.

What’s Standing in the Way?

However, what’s really placing the sector at risk is the fact that it is not fully prepared. Data from SITA suggests only 35% of airlines and 30% of airports consider themselves to be adequately protected.

The problem stems from the complexity of the aviation industry. Multiple entry and exit points make it difficult to create a watertight defence strategy. Defenders can feel a little like the little Dutch boy desperately trying to plug all the gaps.

Legacy IT issues and fragmentation add to the complexity. Much of the IT infrastructure in use today is dated and was not designed to cope with the modern challenges of cybercrime. This lack of security by design creates problems as security teams attempt to build layers of cyber security on top of systems which were not designed for them.

Fragmentation within organisations and the wider sector make it difficult to adopt unified approaches. Every airport is comprised of a huge number of different departments many of whom operate within their own siloes and through their own closed off IT systems. On a wider scale, the aviation is global and interconnected, but remains fragmented. Communication between governments and different organisations is difficult. Many cyber attacks go unreported. In many cases, firms may be worried about the reputational damage publicising a cyber-attack might do, but by failing to share information, aviators are passing up opportunities to gain insights into the threat landscape.

Government Action

There is now a growing recognition of the need to share information. The US has developed the Aviation Information Sharing and Analysis Center (A-ISAC) which aims to exchange sensitive information about vulnerabilities. Europe is pursuing its own initiative, the European Centre for Cyber Security in Aviation (ECCSA). However, there is a risk that by pressing ahead with separate initiatives governments will struggle to develop a coherent defence strategy.

IATA’s Cyber Security Strategy, meanwhile, focuses on reporting and communication as one its three key pillars, the other two being risk management and advocacy. Reporting of events and vulnerabilities will be key to growing the aviation sector’s capacity to fight cyber crime as a whole.

Authorities, therefore, are belatedly waking up to the threat and the need to develop a joined-up response to cybercrime, but it’s also a problem which each organisation will have to address itself. This starts with assessing the system as it stands and potential cyber threats. This may be complicated as all entry points into the system will need to be secured. Deploying a secure and encrypted system will help to make the system as safe as possible against incoming attacks, but this will only form part of the solution.

Airports and airlines can expect to be targeted with multiple attacks every day, which stacks the odds in favour of the attackers. For them it’s a simple approach, they can try time and time again and only need to be successful once. Defenders, meanwhile, have to constantly fight back incoming threats.

Focusing on Detection

A breach, therefore, is almost inevitable which means organisations much focus on detection as well as prevention. If and when a breach occurs, the clock is ticking from the very beginning. It must be detected and resolved as quickly as possible. Sita’s Air Transport Trends reports says that 11% of organisations say it could take them as long as four months to detect a cyber-attack. By that time the damage will have already been done. Intelligent led detection can ensure a prompt response to issues and create new insights into the origin and nature of attacks.

Taking Responsibility

Defence must also be organisational as well as technical. Even the best defences can be compromised by errors by internal employees. Every time an employee receives a password to internal IT systems, they are effectively receiving keys to part of the kingdom. They have a responsibility to ensure those keys are kept safe, but if anyone in the organisation fails to accept their share ownership of cyber security strategies, they represent a threat. All it takes is for one person to click one link carrying a malicious program and the defences come tumbling down.

Cyber security, therefore, has to take on much more importance within an organisation. It starts at the executive team and moves on down throughout the organisation. Employees will need to be trained in best practice procedures as part of their induction and the strategy will need to be continually monitored and updated as the threat landscape evolves.

This has to be an all-encompassing approach using experts both within and outside of the organisation to identify risks and develop a multi-layered strategy. Munich Airport, for example, has implemented an information security hub which delivers a competency centre in which IT experts within the organisation work with experts from the European aviation industry to develop new approaches to fighting cybercrime.

It is an enormous undertaking and something which can intimidate many organisations, especially if those at the top are uncomfortable dealing with advanced technologies. However, it will be crucial to the future of the aviation sector. All the evidence suggests that cyber criminals have firmly set their eyes on aviators. They seem them as being valuable targets bristling with vulnerabilities and the more important digitisation becomes to the sector, the more vulnerable it will be.

The cyber criminals, then, are hammering at the gates of the aviation industry, but in many cases the fortifications are not quite up to standard. Only now is the sector really beginning to wake up to the threat but already it is playing catch up. Cyber crime is evolving rapidly and has become extremely sophisticated. As soon as one form of attack is countered, they will be looking for another. In the digital world, this will be a war without end. The only solution is for operators to ensure their defences are as strong as possible and that they have good detection and response measures in place for when an attack occurs.

C-19 Cyber Resilience Service: