The invisible foe

When leaders of the world’s airlines gathered in Dublin last month for the annual general meeting of the International Air Transport Association (IATA) security took centre stage, as experts warned fighting cyber assault and terrorism will only become harder.

by CHIEF CORRESPONDENT, TOM BALLANTYNE  

July 1st 2016

Print Friendly

Dark agents or hackers should be industry friends rather than foes when setting up systems to fight aviation cyber assault and terrorism, security experts said at the recent IATA annual gathering of air industry leaders in Dublin. Read More »

Think like a hacker not a defender, they said, when building IT defences against digital destruction and breaching of airport and airline security by terrorists. Dark agents are really “effective agents”, they believed, because they often identify a company’s greatest vulnerability.

“Most of us agree. The problem continues to worsen,” said security futurist and risk consultant, Dr. Simon Moores at the SITA summit in Barcelona in the week leading to the IATA annual general meeting and World Air Transport Summit.

“In fact, it is much worse if you measure the impact in 2015 alone. Criminals are finding new ways to reach the end point, wherever that may be, as more applications migrate to the cloud and become available through portable and smart devices. In 2016, it’s not just about if we are going to be hacked, it’s about when,” he said.

“We are recognizing - and it is very well documented that cyberattacks are probably precursors to one of the worst threats to our industry and that is a physical attack,” Faye Francy, leader of Boeing Commercial Airplanes Cyber ONE team, told SITA delegates.

 “Hackers access data that contains personal information about who’s flying when, where, how and why. They can take that data and use it against us in a potential attack.

“Incidents across the world indicate the need for us to come together as an industry and recognize that there are potential vulnerabilities,” said Francy, whose Cyber ONE team was a leader in establishing the public-private partnership, the Aviation Information Sharing and Analysis Centre (A-ISAC). A-ISAC’s goal is to increase intelligence and information sharing on threats.

At IATA in Dublin, the association’s outgoing IATA director general and CEO, Tony Tyler, said: “Our electronically connected world is vulnerable to hackers bent on causing chaos. We are all vulnerable and there is no guaranteed way to stay a step ahead.”

Real time collaboration and information exchange between industry and governments in the issue is critical, he said. “Make no mistake. We face real threats. Governments and industry must be nimble, share information, use global standards and keep a risk-based mindset when developing counter-measures,” he said.

IATA has put in place a three-pillar strategy of risk management, advocacy and reporting and communication to support its members’ ability to preserve cyber security and pre-empt terror attacks. At the summit, a Civil Aviation Cyber Security Action Plan was signed and the work of the Industry High Level Group, which includes various stakeholders and organizations, was recognized. A priority for IATA is the establishment of a coherent approach to cybersecurity across the industry.

Association of Asia-Pacific Airlines director general, Andrew Herdman: “We are stuck with too many decisions being made the day after the latest outrage”

It is estimated that cyber security breaches cost billions of dollars last year alone. A former member of the Lloyds of London underwriting syndicate said the potential liabilities from cyberattacks are becoming far too large for the big insurance companies to cover.

It is estimated that 94% of global companies have experienced some form of cyberattack. Despite the increasing sophistication of the general population about the risks of cyber theft or threat, about 13% of them still click on phishing attacks that could lead to the loss of their personal details, including their banking information. Large businesses will suffer an attack three times each and every year, it is forecast.

There are tens of millions of threats every day. In the first quarter of this year, there were 264 million botnet attacks. A botnet, or zombie army, is a number of Internet computers set up to forward transmissions, including spam or viruses, to other computers on the Internet. The owners of the computers are unaware they are part of a botnet.

Drones, too, are an increasing threat to the industry and not only because they enter airspace and endanger aircraft. They also have the ability to eavesdrop.

Nor are passwords, which are supposed to protect data, tamper proof. There are various password-cracking tools freely available on the Internet that can try 300 million variants of potential passwords in 20 minutes - at the cost of about U.S. two dollars per apparatus.

The industry cyber debate in Dublin coincided with the recent release of Cybersecurity And The Airline Industry, produced by PricewaterhouseCoopers (PwC). In a survey conducted by the global professional services firm in 2015, 85% of airline chief executives viewed cybersecurity as a significant risk.

“Online attacks are on the rise, resulting in headline-grabbing stories. In the last few years, we’ve witnessed data breaches across multiple industries, including banking, retail, health insurance and online-only businesses,” the study said.

“The financial impact alone is staggering. The cost of data breaches globally could reach $2 trillion by 2019. Inevitably, cyber threats will grow in number, cost and sophistication.”

The importance, and difficulties, of protecting aviation against cyber assaults was highlighted by the experts on the IATA summit’s cyber security panel. Air Force general, Linda Urrutia-Varhall, from the U.S. Department of Defence, said aviation is a central focus for terrorists and criminals. Industry role-players and authorities needed to collect and share information to deal with threats, she said.

Kurt Pipal of the U.S.’s Federal Bureau of Investigation (FBI), said airlines sit on a lot of big data that could be the target of industrial espionage. He warned airlines and their partners to be very careful about subcontractors and stressed the importance of sharing intelligence information across the industry.

“Build awareness and do not have a silo approach. Identify your vulnerabilities. Assume you are going to be hacked. Participate in a 24/7 securities operation centre. Occasionally, you could even use a ‘dark agent’ to test your system. Companies do fire drills so why do they not do cyber security drills?” Pipal asked.

Another member of the IATA panel, the president and CEO of Thales USA Inc., Alan Pellegrini, said aircraft had become nodes of connectivity and the types of protections that encompass connected systems need to evolve apace.

“How can we protect [commercial] aircraft that are becoming more and more connected with each other as a result of new technology?” he asked.

“Maintenance, operations, fleet and flight planning and passengers themselves generate a huge amount of data which the airline must handle properly, securely and in a way that assists their businesses.

“This data is naturally shared between different nodes and, increasingly, with aircraft themselves. Therefore, protections need to be developed as fast as the use is being made of the data.”

“There is no silver bullet. We must continuously monitor threats as they materialize”.

Former chief information officer at Los Angeles World Airports, Dominic Nessi, now an airport consultant with AeroTech Partners, told IATA delegates cybersecurity threats were growing faster than mitigation efforts.

Leader of Boeing Commercial Airplanes’ Cyber ONE team, Faye Francy: industry cyberattacks are probably precursors to a physical attack

“Airports have been attacked. They will continue to be attacked and anybody who thinks it is not going to happen is completely wrong. We have so many potential areas to be hacked in an airport that it’s amazing. It can be done in many different ways.”

He said it was not known precisely the amount of industry money lost to cyber attacks or how many airports had been attacked because the facilities that were breached did not want anyone to know about them.

Some examples, however, included 75 airports that suffered from a phishing e-mail from two nation states and an international airport that had its passport control system affected, possibly from malware. Departures at the attacked airport were delayed significantly. In another attack, an airport had its website defaced by Islamic State and the site had to be shut down.

“Many airports believe a cyberattack could not happen to them,” said Nessi. The threats could be an internal threat, a random attack or a hacker assault from a disgruntled passenger, among many lines of digital assault. An extensive education program for airport managers, at all levels, also is essential.”

Aviation is improving its global security, but the deterrent measures vary widely between countries. “The foundation stone of security has been rocked by tragedy. In the last twelve months, terrorists have laid claim to atrocities involving Metrojet 9268, Daallo 159 and the Brussels Airport attack,” said IATA’s Tyler.

“These are grim reminders aviation is vulnerable. Airlines rely on governments to keep passengers and employees secure as part of their responsibility for national security. And we are committed to working with them in that challenging task,” said Tyler.

Association of Asia Pacific Airlines (AAPA) director general, Andrew Herdman, said aviation security should be treated more like safety, where a cost-benefit analysis was typically performed before deciding on change.

“In security, I’m afraid we are stuck with too many decisions being made the day after the latest outrage. While we may harbour doubts, particularly after we have made those decisions, it is very hard to reverse them,” he said.

“You lack the evidence to say ‘well, if it made sense to make that decision what is the new evidence that persuades us we can relax it?’ ”

Emirates Airline president, Sir Tim Clark, said not enough was being done about aviation security. “We have had so many wake-up calls in the last couple of years. We have to be doing more than we are doing,” he said and added there were too many opportunities for security breaches at airports.

“Biometrics need to be much more to the fore. We need to streamline the processes,” he said. Clark also criticized the industry’s inability to quickly locate lost aircraft and said more needed to be done to ensure air passenger safety in general. “As far as aircraft tracking is concerned, it’s a disgrace,” he told IATA delegates.

IATA said the recent attack on Brussels Airport highlighted the importance of security at landside airport public areas and that keeping this area secure is fully the responsibility of governments. The most effective defense was government intelligence used to stop terrorists long before they reach airport property. It added risk in airport public areas can be mitigated with efficient processes.

“Intelligence is the most powerful tool governments have to protect their citizens wherever they are - at work, at home or traveling. One of the biggest risk areas is large crowds,” Tyler said.

Industry is helping to bolster these efforts with practical measures—Smart Security and Fast Travel—that will mitigate risk by reducing airport queues. Government and industry must be nimble, share information, use global standards and keep a risk-based mindset when developing counter-measures.”