A trusted source of Asia-Pacific commercial aviation news and analysis


SEPTEMBER 2015

Main Story

NEW AND PRESSING DANGER: Successful Cyber attacks can paralyse airline operations

Governments should shed their wariness of sharing security information with airlines if Cyber attacks are to be thwarted, says the global airline industry.



by CHIEF CORRESPONDENT, TOM BALLANTYNE  

September 1st 2015


Whether it is terrorism, plain and simple criminal activity or someone with malicious intent, Cyber Security has emerged as a major topic of discussion in the aviation industry, the head of the International Air Transport Association (IATA) told delegates attending the recent Civil Aviation Cyber Security Conference in Singapore.

“This is a new and dynamic threat and we will likely always be on a steep learning curve. And it is such an important and urgent issue that we need to climb that curve fast,” said IATA director general and CEO, Tony Tyler.

“Industry co-operation, while an absolute necessity, by itself will not get us where we need to be. Governments have resources and access to intelligence the private sector can never achieve.

“They also have the responsibility to use these resources to support industry efforts.

“We have an example of this approach in the decades of successful government-industry co-operation on safety. Unfortunately, we have not achieved that level of co-operation with security.

“A key component of risk is information sharing. Today, constraints on national classification systems and ambiguities around the legal rights and mechanisms for sharing information across borders are particularly challenging. However, the significant risks of not sharing information demand more progress in this area.”

For everyone at the conference, organized by the Singapore government, the sensitivity of the subject was clearly evident. The gathering was hardly publicized and was by invitation only. The Association of Asia Pacific Airlines’ (AAPA) director of regulatory and industry affairs, Beatrice Lim, was a moderator at the conference.

“Some governments think Cyber Security is only about terrorist threats and hacking into planes’ systems, but Cyber Security for airlines also has a commercial dimension,” Lim told Orient Aviation.

“You are talking about credit card fraud, identity fraud, frequent flyer fraud and the breaching of airline data bases. There is concern that a hacking threat exists and that personal information, passenger information and credit card details can be stolen.”

On the most serious issue of all, the taking down of an aircraft, airlines are talking very closely with governments and security service providers, Lim said. “The nature of the threat is not fully understood. Generally, the security experts at the conference thought the possibility of bringing down an aircraft was fairly remote.”

In his address Tyler said: “Each day seems to bring fresh news of a security breach or data theft.

“Damage from such attacks can run into hundreds of millions of dollars and leave a company’s reputation in tatters. A successful Cyber attack on an airline could paralyze operations and result in thousands of stranded passengers.”

IATA, which operates a global financial system that handles some $388 billion annually in air travel related revenues, has upgraded protection of its systems against an ever-growing threat of Cyber assault.

“In March, for example, we identified and blocked an average of 80,000 suspicious connections per day, detected and cleared 891 viruses and resisted five ‘brute forcing’ (over powering a computer’s defences by repetition) attempts to connect to IATA accounts,” Tyler said.

MH370 investigations attacked by hackers?
Hackers allegedly stole information about MH370 investigations a day after the aircraft went missing on March 8, 2014. Malaysia has been investigating the alleged hacking of computers and email accounts of officials involved in the search for MAS flight MH370. Apparently, the hackers siphoned off classified information and transferred the data to a location in China. The Malaysian government said 30 computers belonging to those involved in the international search for the jet were infected by malware disguised as a news article about the disappearance of the plane, which the hackers sent to ranking officials. The hacked emails “contained confidential data from the officials’ computers, including minutes of meetings and classified documents”.

“No business is immune, but aviation is a specific target for those intent on doing cyber mischief and theft, or worse. Airlines are the highest value target for fraudsters and close to fifty percent of all phishing attempts are made against airlines and airline passengers, according to one Cyber Security firm with which we work.” Phishing is a fraudulent attempt to steal personal information, usually via email.

Tyler continued: “I imagine this level of activity is probably fairly typical for a major financial institution or retailer. Cyber attacks are a fact of modern life. But aviation presents a special target for those who seek to damage or disrupt the integrated air transport network upon which the global economy depends.”

The AAPA’s director general, Andrew Herdman, told Orient Aviation the issue has been on the association’s security committee agenda for some time. “But that’s not sufficient because it can’t just be compartmentalized. It’s on a list of emerging threats along with a few others.

“But now there is a realization it’s a business risk management issue and that there must be analysis of how these risks are managed. It is receiving more attention and it is being discussed at a higher level.”

Airline IT systems are linked with the systems of partner airlines, global distribution systems (GDS), airports and service providers. The information they can store is vast, including the personal details of hundreds of millions of passengers.

It is not only aviation’s own systems that need greater protection. Airlines are dependent on electricity grids and communications networks. Attacks on these basic services have the potential to cause chaos for airlines, produce huge financial losses and damage an airline’s brand.

Herdman said no-one should think Cyber attacks, whose victims have included Target, Sony, J P Morgan and the U.S. Defence Department, are isolated incidents that can’t happen to airlines, but he is not aware of specific attacks at any of the region’s carriers. “Airlines are like banks. They don’t talk publicly about sensitive issues,” but he added he would not be surprised to learn that incidents had occurred.

LOT Polish Airlines was hacked in June

There have been attacks on carriers elsewhere. The most recent known incident was in June at LOT Polish Airlines. Hackers caused the cancellation of 10 domestic and international flights. Some 1,400 passengers were stranded at Warsaw’s Chopin airport when the hackers attacked the ground computer systems that controlled the carrier’s flight plans. It took five hours to repair the damage.

One of the issues also to emerge in the heightened debate is that airline IT system failures are being headlined as hacking attacks, even if they are not. In July, a computer router error that grounded hundreds of United Airlines flights in the U.S. was widely reported to have been a hacking incident. Instead, it was an internal system failure.

“Stories that wouldn’t have been given the Cyber label in the past are now being labelled as hacking attacks. You have to be very careful about assigning the word cyber to faults or malfunctions at airlines,” Herdman said.

The AAPA is advocating a mindset change to deal with Cyber threats. “The development of firewalls has resulted in an attitude that persuades us we are protected and can keep out hackers,” said Herdman.

“The new thinking is that there is no immunity from attacks so these threats must be detected. It’s a bit like the old physical security. It’s no good saying we have a fence and we have a wall.

“They have to be monitored to determine if there have been break ins or theft or if there has been systematic stealing over a long period. In terms of Cyber threats you have to ask is it smart to have a single button that can download 75 million names and addresses of customers? Is it smart to keep credit card details unencrypted?”

AAPA’s Lim believed part of the problem was the ivory tower mentality that often exists among IT professionals. They must be able to move away from regarding IT departments as places where staff speak their own language, don’t talk to anyone and stare at a screen all day thinking nobody understands them.

“IT people have to talk across departments. They have to understand the business as well. Their job is not just updating the virus scan,” Lim said.

“One question that needs to be asked is who takes ownership of the risk?” said Herdman.


“We have done away with paper tickets, but now we have e-ticket fraud and frequent flyer fraud. There are fraudulent attacks that tend to involve finance departments.

“Cyber threats that might be from terrorists go to the security department. There are also other areas of airline operations where Cyber breaches could occur. Do the IT people take the risk? Or is it the responsibility of the security people?

“The answer has to be a combination of these departments. Policies have to be developed to address the range of issues from all Cyber threats.”

It has been suggested that airlines employ expert hackers to test their systems. “Forget the idea we are impervious to attack,” said Herdman. “Think about it: OK, if they do get in how do you stop them running off with a whole load of stuff?

“The military has been doing it for years. They employ people to attack you. Test you out. Role-playing to understand weaknesses. There is a bit of that going on.”

In July, United Airlines confirmed it had awarded millions of frequent flyer miles to hackers who uncovered gaps in its web security. It paid out two awards, worth one million miles each, that could provide dozens of free domestic flights on the airline. The Chicago-based carrier hopes to take the lead in airline web security by offering “bug bounties” for uncovering Cyber risks.

Herdman said one of the weaknesses of airline IT is its interconnectedness to third party systems. “We outsource the frequent flyer program, or our distribution system means that our reservation systems are by definition interlinked with GDSs, alliance partners and so on,” he said.

“IT people say your weakness from network penetration is always at the outside. The hackers don’t go through your front door, they go for the side door, which is a permanent connection to some other business in which an airline has a partnership. Understanding the mindset of the people who are looking for weaknesses in airline systems is important because everything is interconnected now.”

One of the AAPA’s concerns is how the government will define Cyber Security and how it will regulate to avert attacks. “Thou shalt do this, thou shalt do that and will that be helpful or otherwise?” asked Herdman. “That’s why the industry is talking to other sectors, talking to governments about the problems we need to address. If you disagree on the definition of the problem then you won’t agree on what should be done.”

He said a lot of the people thinking of using Cyber attacks as a weapon aren’t terrorists. “One of our concerns is that governments will use Cyber attacks as a weapon themselves. They may be as much part of the problem in terms of what governments are trying to do,” he said.

“As an example, look what governments have done to banks by demanding back doors to the Swift payment system, their reactions to the Snowden revelations and all the rest of it.” Governments, he added, want your systems to be secure but not invisible to them.

One aspect of cyber threats that has been largely dismissed is someone hacking into an aircraft system and taking control of a flight. The possibility arose earlier this year when a United Airlines passenger, Chris Roberts, claimed to have hacked into the plane’s Wi-Fi system on a flight to New York, over-writing code that enabled him to direct the aircraft to climb.

He claimed to have done this 15 to 20 times since 2011.

Roberts was questioned by the U.S.’s Federal Bureau of Investigation, but there was no proof his claims were true. Boeing (Airbus has similar separation of systems) said its entertainment systems are “isolated from flight and navigation systems” and that its planes have more than one navigational system, “multiple security measures” and “flight deck operating procedures that help ensure safe and secure airplane operations”.

While the industry focusses on defining exactly where the cyber threats lie and what needs to be done to protect against them, everyone agrees airlines need to continue working on making their IT systems as robust as possible and be prepared to act quickly when an attack happens.

IATA acts on Cyber threat
Last year IATA launched an Aviation Cyber Security toolkit. It also has developed a three pillar strategy to address Cyber threats to aviation. They are:
• Working to understand, define and assess the threats and risk of a Cyber attack.
• Raising awareness of Cyber Security issues and identifying reporting and information sharing mechanisms.
• Advocating for appropriate regulation and mechanisms for increased cooperation in the industry and with governments.
“IATA’s role in this regard is to assist airlines in developing a robust Cyber Security strategy and to help drive co-ordination of global efforts to address Cyber threats to aviation,” said IATA director general and CEO, Tony Tyler.

 
