Assault on cyber vandalism
The threat of cyber-attacks on aviation critical IT systems is ever present. Alerted to the enormous damage cyber vandalism can inflict on their businesses, airlines are investing billions to protect their passengers, staff and every part of their operating systems from internet assault. Chief correspondent, Tom Ballantyne, reports.
Three years ago, published research by a well-regarded commercial aviation consultancy revealed that more than 40% of the world’s airlines did not have any protection from cyber-attacks. Read More » This is no longer the case.
In a 2017 transport industry trends report published last month, it was estimated that this year airlines and airports will spend almost $33 billion on IT and the number one priority of that expenditure will be cyber security.
By 2020, the SITA Air Transport IT Trends report said, 95% of airlines and 96% of airports would have invested in cyber security protection and research to strengthen their defences against cyber assaults. “In the highly woven transport industry, cyber-attacks are a very real threat, said SITA president Air Travel Solutions, Ilya Gutlin.
The risk of cyber-attacks has been an increasingly common subject of discussion in recent years with security experts constantly warning the industry that a major event is inevitable.
Until now, hacker attacks have been relatively minor and airlines prefer not to discuss any invasions of their systems. A year ago, Philippine Airlines confirmed it had been the target of a cyber-attack but declined any requests for details about the incident. Recently, the release of the WannaCry virus was known to have struck at some of the systems at some airlines.
Analysts at global consultancy, PricewaterhouseCoopers (PwC), said cyber security has become an elevated risk and one of the most pressing issues for businesses, including aviation.
“Today’s cyber adversaries are more persistent, skilled and technologically savvy than just a year ago. Leaders across all industries are taking notice,” PwC said. Some 85% of airline chief executives the Big Four firm surveyed saw cyber security as a significant risk, reflecting the highly sensitive nature of flight systems and passenger data.
“They also know they have to constantly monitor and evolve their cybersecurity programs to keep pace with advancing and shifting threat vectors from loyalty programs to aircraft operations to back-office technology platforms.”
Along with SITA, software solutions provider IFS has pointed out that the use of the cloud and blockchain can reinforce cyber security in commercial aviation. “The aviation supply chain covers a wide variety of businesses, from original equipment manufacturers and Tier 1 suppliers to airlines, airports and third party MRO providers,” it said.
|'Unscheduled disruptions of transport carrier operations can have a substantive economic impact on third parties and national economies. Preventing disruptions caused by cyber events is increasingly a primary focus for those involved in global air transport'
“This presents an interesting dilemma because not only do you need to secure and protect data accumulated from each party, you also need to be able to share it across this broad supply chain.
“Blockchain technology is emerging for this very purpose. In a Blockchain, each record or ‘block’ of data has its own time stamp and is encrypted with credentials in a peer-to-peer relationship. It makes malicious tampering extremely difficult. All ‘blocks’ are linked to the previous block of data, meaning the only way to tamper with its content is to have the entire network of trusted peer-to-peer contributors collude to corrupt the chain.”
IFS said Blockchain is still some way from widespread adoption and is just a concept for airlines at this time. “From keeping aircraft in the air to checking in passengers, aviation organisations rely heavily on IT systems.
“But data collected from the growing number of aircraft, routes and passengers has increased pressure on these systems, while legacy and inflexible IT systems are leaving airlines vulnerable to the growing threat of cyber-attacks.”
Vice president strategy at IFS’s Aviation & Defence Business Unit, Jeff Cass, said like most industries, airlines are realising that threats are just as likely to come from inside the organisation as from the outside.
“Cyber-attacks have been reported at airports across the world, and it seems only a matter of time before we see an attack on a major airline. In response to this threat, many commercial aviation organisations are actively hiring chief security officers. The SITA Airline IT Trends Survey said the number of airlines that were advancing preparations to manage cyber risks had almost doubled in three years.”
With more IoT-enabled (Internet of Things) sensors being used, it is newer aircraft fleets that are more at risk from cyber vandalism. Increasingly being used for services such as passenger Wi-Fi, real-time air-to-ground communications are evolving to support mission critical functions such as inflight fuel adjustments and aircraft health monitoring, both of which could severely disrupt airlines if compromised. The safeguarding of data has become a major challenge for airlines, one that threatens to disrupt key practices for the entire industry.
|'Airline executives are accustomed to managing high-risk business environments. Airline safety and security programs have been maintained at such a high standard that other industries have tried to emulate them. But now airlines are confronting a new set of risks in the cyber domain where the challenge of protecting their passengers, flight crews, and trading partners is rapidly becoming more complicated'
Compliance remains a top priority, IFS said.
New generation cloud solutions can be set up in their own separate environments, which today have the potential to be far more secure than any previous private or on-premise data centre. “As the name suggests, cloud containers create isolated boundaries of data which means that if anything goes wrong in one container, it only affects that single cell and not the entire system – helping to reduce the threat of a wider cyber-attack,” said Cass.
Keeping up with cyber developments requires airlines to adapt to new technology. Legacy systems pose a stumbling block, especially when it comes to dealing with compliance regulations and data protection – the cost of which can be damaging in an industry where safety is the top priority.
PwC said airlines must determine what “reasonable security” means for their organization. “What is reasonable for a regional carrier operating a single model fleet of regional jets built by one manufacturer and flying to 32 gates per day is vastly different from a global carrier operating a mixed fleet from multiple suppliers flying to hundreds of global destinations that include high cyber and physical security threat locations,” it said.
“A good way to consider trade-offs for prevention is to analyse the horizontal breadth of protection and the vertical depth of preparedness. For example, if an airline invests too much in the latest prevention tools (vertical depth), it risks lagging in the horizontal investment to protect the breadth of the airline’s value chain—interactions required with OEMs, MROs and global distribution systems (GDS).
“Conversely, carriers that underinvest in vertical preparedness risk having a security portfolio that lacks tools and techniques to detect and prevent more sophisticated attacks.”
|Critical elements for effective cyber defence at airlines*
* Oversight at the board level and building a security culture:
A cybersecurity program has to rest on a risk-based framework that addresses risks across the airline including back-office IT, maintenance, operations, and consumer-facing systems because failure in one area can affect others. Management, employees, and the board must become more cyber aware as breaches can occur as a result of small lapses in procedure. But security awareness training is not enough. Airlines need to incorporate cyber awareness into the security culture, embedding cybersecurity into the organizational fabric.
* Having a proactive approach that sets priorities:
It is too expensive to protect all assets from all threats, so airlines must prioritize: assets, threats, and threat perpetrators. On assets, they have to recognize their protection obligations, identify associated digital assets, and focus aggressively on protecting those assets most valuable and critical to the organization. On threats, airlines need to prioritize and categorize the kinds of threats they are facing, both those known currently and those projected to emerge over the next few years, and recognize the signs of an attack early on. On perpetrators, they need to look at the players that are most threatening, a list which can include nation states, organized crime, and terrorists. Airlines cannot do this by themselves: They need to avail themselves of all existing tools, public and private, that can help mitigate risk.
* Support international standards:
There are no international standards for cybersecurity design and testing, which is widely acknowledged to be an issue. IATA has called for better sharing of airline cyber threats among governments and airlines worldwide and asked governments around the world to take a more active stance in improving cybersecurity.
* Address supply chain risks:
It’s critical that airlines and their external partners (such as OEMs, MROs, IFEC (in-flight entertainment and communications] providers) collaborate on threats and response techniques to share best practices to increase the knowledge base. But, in addition, airlines have to monitor partners’ operations for potential security breaches and manage the access of users to different systems.
* Threat intelligence:
Airlines must gather both external and internal threat intelligence from multiple sources including third-party vendors, subscription feeds, and agencies as well as system event and log information. This information can then be correlated and fed into a 24 x 7 x 365 security operations center (SOC) to help identify and prioritize threats. It’s also key that airlines get involved at an industry level so they can raise awareness of threats among colleagues.
* Security awareness:
Whether it’s the tampering of concourse devices, activity within the cabin (e.g., plugging into USB ports), or corporate espionage, awareness is often the front-line defense against threats. All airline employees, not just the physical and information security departments, have to share in that awareness and understand their roles and responsibilities in preventing cyber-attacks. For example, phishing attacks are still one of the most effective attack vectors used by adversaries; they are very easy to exploit and can yield significant returns even if just one target takes the bait. In such an attack, an employee is targeted to open an email link, which then downloads malware that infects the IT environment of the entire organization. Recently, executives have been the target of these types of attack because of their access to sensitive data. It’s easy to see how one unwitting employee or executive can lead to significant damage.
|* Aviation Perspectives: cyber security and airlines