The importance of cybersecurity should not be overlooked by today’s aviation industry
On a Friday afternoon in July 2013, two Turkish airports, Istanbul Atatürk and Sabiha Gökçen, were thrown into chaos when cyberterrorists disabled their passport control systems. Planes were grounded for hours and passengers stuck in massive lines within the terminal began to vent their anger at airport employees. Two years later activity was halted at Poland’s busiest airport, Warsaw Chopin, when hackers overloaded LOT Polish Airlines’ flight plan system, halting aircraft movements for five hours and stranding 1,400 passengers.
By then authorities in the USA had identified a phishing scheme that compromised the data of two US airports and was designed to hit as many as 75. And police in South Korea had thwarted a plan to disrupt flights at Incheon International by arresting a video game distributor they said had loaded games with malware.
Launched by terrorist organizations, politically motivated groups and individuals out to steal personal information, the attacks illustrate the growing reliance airports have on their computer systems and the challenge they face keeping these systems secure.
“Everything from buying a cup of coffee at a kiosk to the airport’s ability to conduct flight operations can be impacted by cyberattacks,” says Rob Bathurst, managing director of IT and embedded systems at Cylance, a developer of security software systems. “Some systems are better protected by physical separation and access control than others.”
Cyberattacks have now surfaced in airport terminals on every continent, ranging from a single defaced website to a line-up of grounded planes. Passengers have visited websites displaying propagandist messages and seen their frequent flier miles erased. And perhaps without knowing it, they have been hit with phishing schemes introduced via airport wi-fi. At stake is not only the travelers’ well-being, but also the reputation of the airports they rely on.
Right: Passengers can unwittingly become targets of phishing scams when using unsecured airport wi-fi networks
Is cybersecurity overlooked?
So far many analysts agree that the industry has largely stayed ahead of the most serious attacks and that terminals remain safe. But experts expect cybercrimes to escalate as attackers grow more sophisticated. And some believe that many airports have not adequately integrated cybersecurity management into every aspect of their operations.
As Ben Trethowan, aviation systems and security architect at Lockheed Martin, wrote in the corporation’s blog: “Just about everyone in the aviation industry recognizes the importance of traveler safety and security. Our airports require solid physical traveler safety and security measures – not having them is unthinkable. Often overlooked, considered less, or placed lower on priority lists is the information at risk and cybersecurity of airports. Our airports require solid cybersecurity measures. Not having them is also unthinkable.”
“The most vulnerable targets tend to pose the smallest risk to travelers,” says Antoine Rostworowski, director of airport customer experience and technology for ACI. These include airport websites. In April 2015, terrorists posted militant messages on the host website of Hobart International Airport in Melbourne, Australia. This attack, at least, could be contained.
However, within an airport any major system that relies on a computer can be tampered with, a list that includes ticketing, x-ray screening, baggage handling, flight schedule displays, parking, telephone and wi-fi. Vicious hackers could even plant a bug that pops open airport doors.
“Statistically, when we look at attackers’ behavior we know that they will put the most effort into high-value targets,” observes Cesare Garlati, chief security strategist and expert in mobile and cloud security at prpl Foundation, a non-profit organization that focuses on enabling next-generation datacenter-to-device portable software and virtualized architectures. “This is what makes airports more vulnerable than other buildings running the same systems.”
Trethowan comments, “If enough disruptions are put into place simultaneously, such as failed runway lighting and airport heating systems, it would be difficult to foresee any outcome other than an airport closure.” Another analyst, business writer Andrew Munro, goes further, writing in the publication Global Risk Insights that data leaks and other forms of cyberattacks could impact the global economy and hamstring businesses.
Left: Cyber security operations center at Los Angeles International Airport
However, experts agree that major incidents are rare and that the aviation industry is responding well with high-level safeguards. “The risk of an attack that directly affects safety and security is considered much lower given the sophistication of the systems in place today and the mitigating measures in place,” adds Rostworowski.
He says that airports usually place critical computer systems, such as those that manage baggage screening, on their own networks and build in mitigation plans that can be activated in the event of an attack. Lockheed Martin’s Trethowan points out that most terminals maintain effective change management and backup processes, along with barriers that limit physical access to controlled equipment rooms and visitor management functions.
Airports are also part of the critical national infrastructure. “A cyberattack is a criminal act, a national attack, an act of war,” says John McCarthy, cyber research fellow at ServiceTec Global Services, a provider of cybersecurity services. “The major players – the FBI, the CIA – are on standby for such events.”
Cyberattacks can be broken down into three areas, according to Rostworowski. “They are enterprise risk, which includes theft and fraud; operational risk, which is attacks on operations that could cause major disruption; and security risk, which is attacks on critical safety functions,” he explains.
Although website defacement can be stopped relatively easily, operational threats are inherently difficult to defend against, even if they are less likely to occur. Among these are distributed denial-of-service (DDoS) attacks, in which a system is maliciously overloaded to cause a shutdown.
This was what happened in the June 2015 attack on Warsaw Chopin Airport. “These attacks are extremely difficult to stop,” explains McCarthy. “These are the ones you really don’t want.” At the time, LOT said that cyberterrorism warranted far more attention – a sentiment echoed throughout the world.
“Los Angeles International Airport has taken important steps in response to threats to its computer systems,” says Anson Fong, a spokesman for airport operator Los Angeles World Airports. At a new security operations center, trained and certified personnel respond to cyber concerns 24 hours a day. Employees are trained annually on specialized hardware that detects malicious traffic.
Fong says cyber threats surface on a regular basis. Among the most prevalent are cross-site scripting, in which attackers inject malicious code into web pages, and SQL injection, which works similarly through web databases. “Even though we may think our business will not draw direct attention from hackers,” he explains, “there is a high chance that our servers are being probed by opportunistic cybercriminals who are constantly looking for that easy ‘open window’.”
According to Fong, the US Department of Homeland Security and the FBI keep LAX apprised of threats, information that can be used to deny computer access to suspicious parties. Following recent reports of ransomware viruses, for example, security filters were added to block the traffic.
Right: Airports should employ external experts to help them protect their systems and networks against a cyber attack
An industry-wide approach
Critics point out, however, that not all airports have elevated their processes to the level necessary to keep ahead of increasingly savvy attackers. Rostworowski believes that the same discipline that has helped achieve aviation’s high safety standard must be applied to cyber safety. Achieving this standard means pursuing risk assessments, disaster recovery and business continuity plans in the event of failure. Also key is cooperation from all levels of the operation.
“Airports are at varying degrees of sophistication,” he explains. “Many have the basics in place – good IT practices and good defenses. But more needs to be done to ensure they have a holistic approach to the issue, especially as more systems become networked.”
Dominic Nessi, senior technology advisor who works on developing security programs for clients at Burns Engineering, believes that there are a number of steps an airport can undertake to improve cybersecurity. “First, it must have qualified personnel or external expertise that understand how to assess cyber risk and what steps to take for mitigation. Second, it must engage in an aggressive organizational training effort so that all staff and contractors are fully aware of the risks. Third, it needs to ensure that its network has protection from outside attacks. Fourth, it needs to ensure strong internal protection against in-house threats. Fifth, it must establish a process to monitor and audit network logs, looking for potential attack patterns. Finally, an airport must have a disaster recovery and business continuity plan when the first five steps outlined above have not prevented a cyberattack,” he explains.
Although some facilities maintain an arsenal of technical tools – firewalls, encryption and network monitoring – they lack the needed expertise in more complex areas such as cryptography and network defense monitoring. Airports may leave themselves vulnerable by managing their cybersecurity in isolation.
“Many organizations choose to define their own information security management regimes without any input from an external expert, industry body, or similar who could provide insight into the various standards that are out there and what would be appropriate for that particular organization to do,” comments Trethowan.
But even the most sound practices at one facility will not eliminate a threat, given that networks are used by others. McCarthy notes that the industry is slowly shifting to an approach that involves sharing information and working closely with intelligence agencies.
“Even so, given the interconnectivity of computer systems, the increased efforts of major facilities are not effective when smaller airports are not also fortifying their systems. And smaller airports, of course, don’t have the same resources as the larger ones,” McCarthy explains.
“The cyber world is not the physical world. Everything is connected,” he adds. “The FBI may call LAX and say ‘there is a phishing attack out there’, but there are 400 airports in the USA and I don’t think the FBI calls them all.”
This article was originally published in the June 2016 issue of Passenger Terminal World magazine.
June 15, 2016