While there is a lot of focus on dramatic cyber attacks on air transportation infrastructure leading to disruptions in power supply, broken communications and grounded aircraft, the greatest threats from bad actors can be as silent and unpredictable as they are nefarious. That was the main takeaway from discussions on cybersecurity which took place during SITA’s EURO Air Transport IT Summit this week in Lisbon.
Attacks threatening airlines, airports and their supply chain can take many forms, involve many threat vectors, and are carried out by a large variety of hostile actors. Of particular concern are attacks that are designed to go unnoticed, which can harvest and manipulate critical data, as well as those which involve social engineering – the manipulation of human behavior through disinformation or false messaging distributed through aviation’s digital channels.
The aviation industry is preparing for a doubling of passenger numbers by 2037 to as many as 8.2 billion, according to IATA. As such, it will increasingly rely on data management and digital systems integrations to operate. This not only magnifies the potential impact of these threats but also makes the industry a more attractive target for bad actors.
As Israel Airports Authority head of cyber and information security Roee Laufer pointed out at the SITA Summit: “There is an entire cyber monster lurking, just waiting to grab whatever it can.”
The industry has already seen how cyber attacks play out. The theft of valuable passenger data has cost airlines steep fines and loss of customer goodwill. Attacks on systems and infrastructure, including Air Traffic Control, have disrupted service and pose a serious safety risk.
“There is an increase in both the numbers and sophistication of cyber incidents. Studies show that there are around 300,000 new ‘threat-model’ variants which are produced every 24 hours,” said Laufer. “The core technology on which firewalls operate is a 30-year old Israeli technology. Using that in order to protect ourselves … the equation doesn’t work. [There are] a lot of legacy systems, a lot of legacy processes. It’s very hard to introduce a new technology in the aviation circle because it interferes with processes that have been around and have been licensed as safe.”
It is the subtlest forms of attack that worry Laufer most. “Denial of service [attacks] … that’s the easy cyber attack scenario because you see something happen. You see systems crashing. That’s what we call the loud incidents – you see something happening. What we are more concerned with are the low noise events. The types of events that you don’t see anything happening. They can be around the network for years before it actually does something. Imagine that it disrupts the reliability of the data itself. How do you detect someone tampering with the data itself? Not the system – the system works – but the data is tampered with. That is my nightmare scenario.”
This type of silent threat becomes a risk also for new technology adoption, including blockchain, where the rapid distribution of spoofed data could become a problem. “Blockchain is a technology grounded in a certain environment. What if the environment the blockchain is grounded in is vulnerable? What if the blockchain applications implementing clones is vulnerable? Then the blockchain becomes not as secure as we believe,” noted Laufer.
Another risk is social engineering hacks – attacks designed to drive disruptive human behavior, like messaging that could create a panic. “All it takes is one mobile phone that contacts with the displays at the terminal saying that there is a ‘present’ on one of the planes,” Laufer said.
This scenario also worries airlines, David Lavorel, CEO of SITAONAIR, told reporters during a roundtable meeting at the SITA Summit. Despite reported claims by some to be able to command the aircraft by hacking into the systems in flight, which have been widely disputed by the industry, the real threat is simple disinformation. “On board the aircraft, your biggest recognized threat is to weight and balance,” said Lavorel. “Somebody hacking the inflight entertainment system and broadcasting a message saying there is a threat on the aircraft and everyone should move to the left of the aircraft, so the aircraft will lose the balance.”
In these cases, the best response to threats is not just to secure systems from hackers, but to prepare personnel to manage the disruptions that would occur with these types of attacks.
Airlines and airports are investing in infosec to counter this rising threat, with the greatest focus on training. According to SITA’s latest Air Transport IT Insights report, airlines have dedicated around 7% of their IT budgets to cybersecurity from 2017 to 2018, but that number will rise to 9.64% in 2019. Among the top investment priorities are employee awareness and training on cybersecurity (83% of airlines) regulatory compliance (79%) and threat intelligence (72%).
Airports invested slightly less on cybersecurity in 2018 compared to 2017 (down to 8% from 10% of IT spending) but SITA forecasts that spending to rise to 12% in 2019. That increased investment reflects the industry focus on cybersecurity, shared best practices, and a benchmarking tool developed by Airports Council International. Like airlines, airports are prioritizing employee awareness and training (79% of airports), followed closely by telecommunications and network security (72%) and threat intelligence (69%).
We live in complicated times, where we can see the results of active disinformation campaigns from bad actors attempting to disrupt our most vital social structures. It is no surprise, therefore, that the threat would take to the air. In this environment, constant vigilance and an organizational framework for defense are essential.
“There are two types of organizations: ones that have been hacked and others that do not know they have been hacked. This is the premise that we work under,” said Laufer. “It takes around 180 to 200 days for an organization to understand it has been hacked. That’s the environment in which we all live. Since there’s no 100% bullet proof program for cybersecurity, we understand that we are trying to prevent incidents but we cannot. Incidents will happen.
“What we are trying to do is to deal with the consequences … Each organization needs to define critical assets. For us, critical assets are anything that during a cyber incident might impact safety and security.”
- Air transport sector faces daily barrage of attacks from cybercriminals
- Boeing, IFE experts hit back at hacker claims in FBI report
- Panasonic seeks IFE hackers
- GDPR compliance and infosec top of mind as Thales personalizes IFEC
- Cyber security in aviation: The woman who saw the tsunami coming
- Members of Air Charter Association see spike in cybercrime
- FAA to establish aircraft cyber security working group
- Op-Ed: Why hacking an airliner isn’t just an app away
- Many airlines still don’t have cyber security plan for EFBs
- Aerospace focuses more funding on cybersecurity in face of threats
- Pilot group calls for rethink to aviation cyber security approach
- Boeing urges airlines to be vigilant of cyber security threats
- Mitigating cyber threats on the road
- Episode 007: Seat Safety and Cyber Security