The aviation sector is being increasingly digitised which, while providing numerous benefits for consumers and passengers, also introduces new risks and makes the industry a hot target for cybercriminals. Industry experts from Thycotic and Attivo Networks tell us about some of the key threats, how the industry is rising to the challenge and offer best practice advice for CISOs on how to bolster their defences.
Airlines and airports spent a record US$50 billion in 2018 on IT to support improvements to the passenger journey and are now beginning to enjoy the benefit of that investment.
Figures published by SITA for the first time show that this investment has resulted in a significant improvement in both the satisfaction levels for passengers and average processing time.
The SITA 2019 Air Transport IT Insights shows that 60% of airline CIOs recorded up to a 20% year-on-year improvement in passenger satisfaction. During the same period, 45% of them recorded up to 20% improvement in the rate of passengers processed.
The benefits of digitisation are clear to see – improved customer satisfaction and overall efficiencies. But it also introduces new risks and, like every other vertical, CISOs in the aviation industry are having to step up their cybersecurity measures.
Joe Carson, Chief Security Scientist and Advisory CISO at Thycotic, and Chris Roberts, Chief Security Strategist, Attivo Networks, have provided insight about some of the key threats and how they are being combatted.
What are some of the unique cyberthreats to the aviation sector and why?
Joe Carson, Chief Security Scientist and Advisory CISO, Thycotic (JC): The aviation industry is at risk to many unique cyberattacks that can put human lives and even global stability at serious risk. Our society is largely dependent on the aviation industry to keep us connected and the world moving and any threat to that industry puts our way of life at serious risk. The modern aviation industry is heavily dependent on technology and software that is at risk to cyberattacks, which could disrupt flight systems making aircrafts fall from the sky or force pilots to make premature landings.
We have seen recent events on what could happen when software bugs combined with sensors that have no backups can result in pilots fighting with flight controls such as the recent issues with Boeing 737 Max. Other risks which I see as the major threats are those that could impact airports such as disrupting safety systems, baggage handling or logistics and schedules. Since airports are more open and connected, they are exposed to more threats.
Most attacks to date on the aviation industry have been financial fraud related such as business email compromise and invoice fraud or cyberattacks that impacted booking systems and loyalty rewards programs stealing millions of airmiles from customers.
Chris Roberts, Chief Security Strategist, Attivo Networks (CR): Unlike many other industries the airline sector still depends on everyday use of decades-old bespoke proprietary systems. Air-ground communications systems – such as the Aircraft Communications Addressing and Reporting System (ACARS) – are gradually being interconnected to allow them to be controlled remotely via the Internet. As they do this air traffic operators are keenly aware that doing so increases the risk that outsiders could access onboard systems.
How is the aviation sector rising to the challenge of combatting these threats?
JC: The aviation industry has always risen to the challenges since the industry heavily relies on safety as its primary priority. When systems become more connected online, cybersecurity is no longer just an IT security issue – it then becomes a safety issue – and that is why aviation organisations treat cyberattacks as such a high priority. However sometimes shortcuts do occur such as using critical communication equipment onboard aircraft for payments and this increases the threats and risks.
CR: The introduction of increased Internet connectivity brings opportunities for elevated revenue streams and operation savings to the aviation sector. At the same time passengers and industry regulators will expect ever more robust cybersecurity measures to protect the information they exchange and access through aircraft in the sky. The answer to the rising challenges for providers of in-flight communication services – some of which are constrained by the architecture and physical limitations of their networks – is to build increased security layers around these more capable networks.
Can you outline any use cases of how technology is being used to mitigate threats?
JC: One main area of technology being continuously improved is that ADS-B (Automatic Dependent Surveillance – Broadcast) which is used for safety. However, in the past, since it was using radio frequency, it was not encrypted and could have been monitored or, worse, the data could be poisoned. However recent improvements have focused around securing and better protecting critical safety systems by decreasing risks such as spoofing, data poisoning and hacking.
CR: In-flight communication services, both for the entertainment of the general passenger and the efficiency of the business traveller, face steady growth in demand that is certain to increase as passengers insist on the ability to do more and to do it faster while aloft. That demand will only increase further as airlines and other aircraft operators seek greater access to operational and systems data from their flights while they are in the air, in order to improve the cost-effectiveness of their own operations as well as the in-flight experience of passengers.
Would you offer any best practice advice for dealing with threats in this industry?
JC: The aviation industry, while advancing quickly and continuously improving services, must not forget the basics and cybersecurity best practices. These are sometimes overlooked and, in most situations, cybercriminals will look for the easiest, cheapest and stealthiest way to gain access to critical systems and this means abusing human trust.
With deep fakes on the increase, this exposes the aviation industry to new cyberthreats that could put the industry at serious risk. Strong identity and access management with privileged access security is a must to ensure only authenticated users have access to critical systems. Multifactor authentication must be enabled and used for all privileged access.
CR: The aviation industry should start to shift from the traditional security stack to a more proactive stance. Additionally, they must move to an assumed-breach posture. This means focusing less on deflecting an attack and more on using tools that allow them to assess their detection, deception and data integrity options.
Are there any trends or future trends that CISOs working in the sector should prepare for?
CR: Two trends with the potential to introduce new cyberthreat vectors to the aviation sector stem from the availability of Internet-enabled systems on board airplanes. First, is the increasing presence of Internet accessible passenger Infotainment systems. Second, is the presence of Internet of Things devices used for predictive maintenance and near real time reporting of operational components in the aircraft.