Industry Insight Special Report
British Airways cyber attack a forewarning for Asia-Pacific airlines
The cyber jacking of the financial profiles of 380,000 British Airways passengers in August and September revealed the sophistication of cyber criminals. It also highlighted the cross border complexity Asia-Pacific carriers must master to conform with Europe’s New General Data Protection Regime.
October 1st 2018
It was hardly a surprise. Tech experts have been warning the industry for years that a major cyber attack on an airline was not a matter of “if” but “when”.
For British Airways (BA) “when” was August 21 this year. The breach was stopped by September 5. Required by Europe’s new General Data Protection Regime (GDPR) to notify the European regulator within 72 hours of being made aware of an attack, BA reported the cyber haul from its passenger database included the victims’ credit card information, residential addresses and email addresses. Travel itineraries and passport details had not been accessed.
Now being investigated as “a matter of urgency”, the attack revealed the vulnerability of airlines to cyber criminals and reminded the airline industry that the new European regulations on data protection could cost international airlines millions of dollars in penalties if they fail to comply with the new rules. For BA, failure to report the breach could attract a penalty of up to 4% of turnover. For a major airline, that would mean an invoice in the tens of millions of dollars.
“It applies to all companies offering services to European citizens. It includes many companies worldwide. Even if they don’t operate within Europe they are bound by the requirements of GDPR. You could be any business,” Association of Asia-Pacific Airlines director general, Andrew Herdman, told Orient Aviation last month.
“You could be a small business operating tours in a single Asian country with a website accessible to European citizens who are potential customers. Strictly speaking, you are liable. Whether you are in America or Asia, a lot of businesses have had to think very hard about compliance with GDPR and not just European businesses.”
Global airline operations complicate compliance. Asia-Pacific carriers must detect and report breaches or suspected breaches of their databases under the EU GDPR rules. They also must be confident their partners worldwide have the same defences.
“You have to look at your relationships with all your suppliers and all your business partners because everything is interconnected. You are exchanging information. In terms of your contractual arrangements, you must determine your obligations as an enterprise are being met. You have to impose similar obligations on your suppliers, such as GDSs or other distribution channels with whom you are exchanging information,” Herdman said.
“Another challenge is a global business like an airline faces different reporting obligations in the U.S., Europe or the jurisdiction in which you operate in Asia.”
“How do you build your systems to be compliant with these different relationships? A lot of big U.S. companies were concerned about being compliant with GDPR because of the different approaches of U.S. and European authorities.
“In Asia, different countries are in different states of readiness. Singapore has reporting obligations and cyber security regulations. Korea and Japan are other examples. From our [AAPA] point of view we’d like as much standardization and harmonization as possible.”
At a recent SITA Asia Pacific Air Transport IT Summit in Singapore, an airline survey revealed only 30% of respondents believed they were prepared to deal with cyber security threats. SITA said “the weakest point in the chain will be the one that impacts the industry”.
“There’s nothing to be gained by thinking you can strengthen your own systems and not worry about the rest of the ecosystem. Everything is inter-connected and we need to think in terms of making the overall ecosystem stronger and more resilient so that when there are breaches appropriate action is taken and you have co-ordination among different players.”
Andrew Herdman, Association of Asia-Pacific Airlines director general
A report by PwC said 85% of airline CEOs were concerned about cyber security, which was 24 percentage points higher than chief executives in other industries.
Earlier this year, the AAPA called on the region’s aviation industry to co-operate in strengthening cyber security because expanding digital connectivity attracts hackers.
The association joined forces with the Qantas Group, Australia’s Foreign Affairs Department, Singapore’s Ministry of Transport and the Civil Aviation Authority of Singapore to strengthen cyber resilience. The first of four interactive workshops was held in Singapore in February with a second scheduled in Hong Kong in November.
Last year, the general manager technology at Sydney Airport, Stuart Rattray, told delegates at the Australian Airports Association annual conference that “we all stand together in cyber security - governments, airports, airlines, Airservices Australia and our supply chain. We are so connected through processes, people and customers, but also through IT. If one of us is under attack, we can think of ourselves as all being under attack.”
He counselled against relying solely on IT teams to take care of cyber security and repeated the generally accepted rule that 80% of cyber risk was about people and 20% about the technology.
Herdman said the BA attack highlighted the fact airlines handled vast amounts of cash and payments for air travel every day of the week. It makes them appealing to fraudsters. “It is not yet known what form the BA attack took. It looks like the system was infiltrated where customer information was being captured, including credit card information. Obviously, everyone is interested in strengthening the barrier to that sort of infiltration,” he said.
Herdman said he was aware of breaches of commercial systems, IT systems, airport information systems and networks. Normal IT hardware and system failures and power outages also are very disruptive.
It must not be forgotten that “in terms of cyber offensive activity, individual countries and government agencies are using cyber as an offensive tool. We have to be careful about this. It’s not all criminal intent. There are concerns some governments are actively experimenting or actively using cyberattacks,” he said.
“One of the big policy issues is the need to establish protocols for cyber war in the same way that it was done with nuclear disarmament and chemical, biological and radiological weapons. At the moment there are no ground rules. This needs to be addressed at government-to-government and United Nations level.”
While industry players from Boeing and Airbus to engine manufacturers and avionics providers agree building cybersecurity into systems at aircraft and product design level is essential, there are concerns about the security of the global air traffic management (ATM) systems. ATM is largely built around open standards and unencrypted systems. Without encryption, systems are vulnerable. This issue is being addressed by the ATM community.
Herdman pointed out that in the military arena, interfering with GPS signals and communications is part and parcel of defence. “What happens if those sorts of tactics are applied to civil aircraft?
“It’s like the question of how do we keep civil aircraft safe from military attack by missiles from the ground,” he said.
“It’s not our job to dodge the missiles. Do we need government to government dialogue on protocols? If state actors targeted the ATM system it could easily cause disruption and loss of confidence.”
Hackers always seem to be a step ahead of their victims. Sydney Airport’s Rattray said there were a number of tools and systems that detected attacks but it was important to know how to respond and recover.
“Don’t assume you will ever be fully protected with cyber security. Work through what to do when you are attacked. It’s about continuity. It’s about incident response plans and communication analysis.” He also warned that cyber security is never done. It is a continual process of assessment, building and testing defences and then doing it again. “This world around us is moving very, very quickly in this space. We have to continually assess and test and improve,” he said.
“Realistically, a lot of industry discussion is about detecting, responding and recovering from breaches and attacks, which involves collaboration across multiple enterprises. It’s like facing possible natural disasters. It’s a question of supposing it happens then planning how to recover as quickly and effectively as possible. The goal is to get the system back up and running to maintain public confidence in the integrity of the system even if it’s compromised,” Herdman said.
The latest research into the level of cyber security maturity at airlines and airports indicates the subject is at the forefront of business planning. SITA said there are very high levels of security awareness among airline staff (82%) and airport employees (85%).
Beyond cyber security protection, the industry is focused on threat detection and response management, SITA said. Chief information officers at 69% of airlines and 47% of airports are implementing security events and correlation monitoring. Security incident response management is being put in place at 77% of airlines and 60% of airports.
Earlier this year, SITA partnered with Airbus to address the air transport industry’s distinct concerns and create a unique Cyber Security Aviation Security Operations Center (SOC). It acts like a cyber control tower with an integrated combination of processes, people and technology to detect, analyze, respond and report on cybersecurity incidents.
Head of Airbus Cyber Security, Markus Braedle, said, “The air transport industry has unique cyber security challenges because of the varied and increasing use of smart end points across a largely distributed infrastructure. Digital transformation is enabling the air transport industry to deliver better services to its customers, but raising its threat exposure.”