Airlines have long been a symbolic target for nation-state actors due to their close identification with their host countries, but that threat landscape has since widened considerably to include financially motivated attackers who are after customer data. The airline industry is facing an era of growth, which brings an increase in threats that airlines must identify and prepare for through detection, mitigation and incident response.
Digital transformation, smart airports and a growing arsenal of connected devices are just a few of the many challenges global airlines have to navigate to serve their customers. Those operating from multiple destinations need robust cybersecurity programs to address the cyber and physical security risks that have become inherent to the systems and devices they integrate into their operations, as well as the added exposure that comes from operating in locations that carry more risk than others.
For airline companies, an attack on IT infrastructure can severely impact operations, leading to elevated financial losses and potentially threatening the safety of staff and passengers. The highly sensitive nature of flight systems, passenger data and the interactions between them make data security and privacy a leading concern for airline CEOs, particularly considering attackers’ increased interest in the airline industry. Given numerous highly publicized cases and the capabilities of sophisticated cyberattackers to bypass traditional threat detection, security programs must evolve to become threat-centric and address the variety of attack vectors in the sector.
Why Is the Aviation Industry So Vulnerable to Attack?
The airline supply chain is complex in nature, with several original equipment manufacturers (OEMs) and airline partners accessing the network at any given time. Identity and access management (IAM) and third-party risk management are more important in this sector because of that interdependence. The attack surface is widening over time, and even loyalty programs are prime targets nowadays, requiring special protection from the theft of customers’ personally identifiable information (PII) and financial data. According to a recent IBM study, it could take more than six months to identify a data breach, leaving ample time for intruders to collect data or plan disruption.
For airlines, critical assets primarily consist of customer and operational data, onboard systems, and core networks. These systems have undergone a continuous digital transformation that has expanded their cybersecurity attack surface. As a result, the range of vulnerabilities they can be exposed to has grown sharply. Consider the following examples:
- Open networks and inter-connectivity, such as connectivity of ground crew with flight operations and air traffic systems, or the connectivity of field devices with the internet and one another — i.e., the internet of things (IoT).
- Addition of new entry points to the overall ecosystem, such as mobile devices, in-flight entertainment and Wi-Fi systems (IFEC), tablet-based electronic flight bags (EFBs), etc.
- Data collection points that are dispersed and geographically distributed, residing in silos with different vendors and, in some cases, little to no data security in place.
- Expansion of the supply chain and strategic partner network — e.g., new technology vendors being added to manage functions that range from billing and reservation to aircraft engine telemetry.
- Shadow IT that, while increasing productivity, introduces vulnerabilities into the environment.
Each of these examples represents a risk profile that must be analyzed within the context of the organization’s overall cyber-physical infrastructure.
We can see how IP-connected systems have increased connectivity and related risk, but we must also think of the increased exposure of point-to-point subsystems that reach the internet only through these IP-connected systems. Data delivery systems that collect, manage and distribute information between the flight deck and operations, or from satellites to in-flight entertainment systems, are no less important than the core legacy systems typically used in the industry. The CIA triad of confidentiality, integrity and availability holds true for the airline industry, especially given its complex and decentralized infrastructure that is simultaneously corporate and operational, serves customers, and is part of a highly regulated sector.
Rising Attack Vectors and Emerging Cyberthreats
The number of threat vectors affecting organizations in the airline industry has also increased. Over time, attackers have been looking to gain a foothold in, and pivot through, underlying systems such as:
- Next-generation air traffic control (ATC) systems;
- Onboard aircraft IP networks;
- Aircraft interface devices;
- Loyalty programs and other new offerings;
- Aircraft operations; and
- Back-office tech platforms.
When it comes to actual attacks against airline companies, external threats are the biggest concern today. The “IBM X-Force Threat Intelligence Index” found the transportation industry, which includes airlines, to be the second most-targeted industry, trailing only the financial sector. Moreover, according to a report by SITA, an IT system provider to the air transport industry, the top cyberthreats affecting the airline industry are those that can cause mass disruption, steal employee and customer data, and invade networks to scale attacks. The list includes:
- Ransomware attacks;
- Phishing attacks;
- Advanced persistent threats (APTs);
- Regulatory noncompliance;
- Data loss or theft;
- Insider threats;
- Distributed denial-of-service (DDoS) attacks; and
- Shadow IT.
While phishing attacks targeting airline and airport customers are rampant, cyber espionage is another emerging threat in this industry, and such an attack can threaten an airline’s trade secrets. Because intellectual property belonging to airline companies is so lucrative, rival states and criminal syndicates are known to carry out cyber espionage operations against air transport entities. For example, in 2014 it was disclosed that 75 U.S. airports had been affected by an APT campaign the previous year. The attackers sent phishing emails to workers in the aviation industry in order to compromise airport networks.
Why We Need a Dedicated Cybersecurity Framework for the Airline Industry
In the face of existing, rising threats and new ones emerging across the board, the air transportation industry is beginning to recognize special needs for security. But are these needs fully addressed by existing frameworks?
The aviation industry does not lack regulation, safety procedures and standardization programs such as ISO/IEC 27001:2013 and other standards from the 27000 family. But while these standards have multiplied over the years, the sector still does not have a customized cybersecurity framework to address its specific needs.
Any good cybersecurity strategy is based on a strong framework. The NIST Framework for Improving Critical Infrastructure Cybersecurity, while very helpful, is not specific to the air transport industry. Its Framework Core refers users back to ISO/IEC 27001 and to standards from the IEC 62443 series without considering factors that air transport organizations have to tackle. Think about the impending rise of smart airports, for example, or the need for incident response in the event of a life-threatening, in-flight cyberattack. These are just a few examples of issues that apply only to this sector.
Until a more specialized framework is constructed, building up resilience will have to rely on existing guidelines and standards, modified according to each organization’s assets and risk appetite.
10 Risk Mitigation Tips for Airlines
Securing an extensive cyber-physical infrastructure is a complex task. Below are 10 mitigation tips that can help lower overall risk in the airline sector.
1. Endpoint Protection
With endpoint protection deployed and its configuration enforced across the fleet of devices, airlines can improve control over the number and types of access points to the network, detect infections, and collect the data needed to scope potential incidents.
2. Cloud Security
While it can increase productivity and reduce costs, cloud computing comes with its own set of security challenges that must be considered during the initial phase of planning cloud migration projects. Another important aspect is the shared responsibility for security. Misconfigured cloud servers and security controls, as well as unpatched issues, can go unnoticed for years before they cause a security incident.
3. Threat Intelligence
Threat intelligence can bolster security by giving advance warning of potential adversaries, their motives and the way they operate. By knowing what to prepare for, security teams can reduce the cost of unnecessary controls and focus their incident response on relevant scenarios.
4. Identity and Access Management (IAM)
IAM systems secure access to important functions such as e-commerce, ticketing systems, loyalty point redemption and concourse applications. IAM solutions have evolved into adaptive authentication systems that detect anomalies by applying contextual data about the user such as login location, effectively strengthening user access controls both internally and for third-party access. Deploying IAM can help airlines better secure access to their own networks.
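The adaptive authentication the paragraph describes is, in practice, a risk-scoring function over the context of each login. The following is an added example, not code from the original article or from any IAM product: it combines a hard entitlement check (a third-party booking account must never reach crew operations), a device and country baseline, and an “impossible travel” check that flags two logins too far apart for any aircraft to have carried the same person between them. All thresholds, user names, applications and login events are constructed for the illustration.

```python
import math
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple

# Hypothetical thresholds, to be tuned against real telemetry.
STEP_UP_SCORE = 30   # demand a second factor
DENY_SCORE = 60      # refuse the attempt
# No scheduled passenger flight sustains this ground speed, so two logins
# implying a faster journey cannot both be the legitimate user.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


@dataclass
class LoginEvent:
    user: str
    ts: datetime
    country: str      # geolocated from the source IP
    lat: float
    lon: float
    device_id: str    # browser fingerprint or managed-device identifier
    app: str          # e.g. "loyalty", "ticketing", "crew-ops"


@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)
    allowed_apps: Set[str] = field(default_factory=set)
    last_login: Optional[LoginEvent] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two points on the Earth."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def evaluate(profile: UserProfile, ev: LoginEvent) -> Tuple[str, List[str]]:
    """Return ("allow" | "step_up" | "deny", reasons) for one login attempt."""
    # Entitlement is a hard rule, not a risk signal: a partner account entitled
    # only to ticketing never reaches crew operations, however normal the context.
    if ev.app not in profile.allowed_apps:
        return "deny", [f"{ev.user} is not entitled to {ev.app}"]

    score, reasons = 0, []
    if ev.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if ev.country not in profile.known_countries:
        score += 30
        reasons.append(f"login from unusual country {ev.country}")

    prev = profile.last_login
    if prev is not None:
        km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
        hours = (ev.ts - prev.ts).total_seconds() / 3600.0
        # Ignore GeoIP jitter (< 50 km); flag a jump no aircraft could make in the time.
        if km > 50 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH):
            score += 60
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")

    if score >= DENY_SCORE:
        return "deny", reasons
    if score >= STEP_UP_SCORE:
        return "step_up", reasons
    return "allow", reasons


def record_success(profile: UserProfile, ev: LoginEvent) -> None:
    """Fold a fully authenticated login back into the user's baseline."""
    profile.known_devices.add(ev.device_id)
    profile.known_countries.add(ev.country)
    profile.last_login = ev


def demo() -> List[Tuple[str, str]]:
    """Constructed login sequence (not real telemetry); returns (label, decision) pairs."""
    alice = UserProfile({"laptop-a1"}, {"FR", "SG"}, {"loyalty", "ticketing"})
    partner = UserProfile({"ota-gw-7"}, {"US"}, {"ticketing"})   # third-party booking vendor
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    paris, singapore = (48.86, 2.35), (1.35, 103.82)
    attempts = [
        ("alice, known laptop, Paris", alice,
         LoginEvent("alice", t0, "FR", *paris, "laptop-a1", "loyalty")),
        ("alice, same laptop, Singapore two hours later", alice,
         LoginEvent("alice", t0.replace(hour=11), "SG", *singapore, "laptop-a1", "loyalty")),
        ("alice, new phone, Paris next day", alice,
         LoginEvent("alice", t0.replace(day=2), "FR", *paris, "phone-9z", "loyalty")),
        ("partner account opening crew-ops", partner,
         LoginEvent("ota-partner", t0, "US", 40.71, -74.01, "ota-gw-7", "crew-ops")),
    ]
    results = []
    for label, profile, ev in attempts:
        decision, _reasons = evaluate(profile, ev)
        if decision == "allow":
            record_success(profile, ev)
        results.append((label, decision))
    return results
```

Running `demo()` yields allow, deny (Paris to Singapore in two hours), step_up (new device from a known place) and deny (partner outside its entitlement). The ordering matters: the entitlement check runs first so that no amount of “familiar” context can turn an unauthorized access into a merely suspicious one, and the baseline is only updated after a login is fully authenticated, so a blocked attempt never teaches the system an attacker’s device or location.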
5. Cloud Detonation Centers
Malicious files can come from myriad sources nowadays, especially inside productivity files that companies cannot block from entering via email. To limit risk from potentially “explosive” files, organizations can opt to use what are known as detonation centers — sandbox environments that replicate the organization’s operating environments. By using cloud-based detonation platforms, it is possible to test suspicious code, such as files that come via email, thereby reducing risk of harm to the live environment.
6. Data Protection and Encryption
The use of end-to-end encryption is known to reduce the impact of cyber breaches as well as the usefulness of the data to those who steal it. It is always a best practice to use encryption as much as possible. In the airline industry, it can easily apply to customer data, payment data, traveler information, biometric data and employee data, to name a few.
Another place where encryption is vital is the communications between aircraft and ground-based air traffic control systems. Those links should be authenticated and encrypted to protect against eavesdropping, message modification, message replay and undetected message deletion by an adversary. Note that cryptography does not stop jamming, which is a physical-layer denial-of-service problem; what authenticated, sequenced messaging can do is make a lost or blocked message visible to both ends so that the procedures for link failure take over rather than a silently incomplete instruction being acted upon.
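To make the properties asked for in the two paragraphs above concrete (confidentiality of the data, plus detection of modification, replay and deletion), here is an added example that is not part of the original article and does not model any real avionics datalink protocol. Each frame carries a link identifier and a sequence number, is encrypted, and is covered by an HMAC-SHA256 tag that the receiver checks before it parses anything else. Because the Python standard library ships no authenticated cipher, encryption here is HMAC-SHA256 run in counter mode as a keystream generator, a labelled stand-in: a production design would use a standard AEAD such as AES-GCM and a real key hierarchy. The key, link name and messages are constructed for the illustration.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

TAG_LEN = 32          # HMAC-SHA256 output
HEADER_LEN = 8 + 8    # link id (8 bytes) || sequence number (8 bytes, big-endian)


def derive_keys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Split one shared key into independent encryption and authentication keys."""
    enc = hmac.new(master_key, b"datalink-enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"datalink-mac", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF (stand-in for a real AEAD).
    The nonce (link id || sequence) must never repeat under one key."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Sender:
    def __init__(self, master_key: bytes, link_id: bytes):
        assert len(link_id) == 8, "link id distinguishes directions so nonces never collide"
        self.enc_key, self.mac_key = derive_keys(master_key)
        self.link_id, self.seq = link_id, 0

    def seal(self, plaintext: bytes) -> bytes:
        header = self.link_id + struct.pack(">Q", self.seq)
        self.seq += 1
        ciphertext = xor_bytes(plaintext, keystream(self.enc_key, header, len(plaintext)))
        tag = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        return header + ciphertext + tag


class Receiver:
    def __init__(self, master_key: bytes, link_id: bytes):
        self.enc_key, self.mac_key = derive_keys(master_key)
        self.link_id, self.next_seq = link_id, 0

    def open(self, frame: bytes) -> Tuple[str, bytes, int]:
        """Return (verdict, plaintext, frames_missing). Nothing is parsed before the tag checks."""
        if len(frame) < HEADER_LEN + TAG_LEN:
            return "REJECT:truncated", b"", 0
        header, body, tag = frame[:HEADER_LEN], frame[HEADER_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "REJECT:modified-or-forged", b"", 0
        link_id, seq = header[:8], struct.unpack(">Q", header[8:])[0]
        if link_id != self.link_id:
            return "REJECT:wrong-link", b"", 0
        if seq < self.next_seq:
            return "REJECT:replayed", b"", 0
        missing = seq - self.next_seq        # > 0 means frames were lost or deleted
        self.next_seq = seq + 1
        plaintext = xor_bytes(body, keystream(self.enc_key, header, len(body)))
        return "ACCEPT", plaintext, missing


def demo() -> Dict[str, object]:
    """Constructed uplink exchange with an adversary replaying, altering and dropping frames."""
    key = hashlib.sha256(b"constructed demo key - real keys are provisioned per aircraft").digest()
    ground, aircraft = Sender(key, b"GND->ACF"), Receiver(key, b"GND->ACF")
    frames = [ground.seal(m) for m in (b"CLIMB FL350", b"TURN LEFT HDG 270", b"CONTACT 121.5")]
    out: Dict[str, object] = {}
    out["genuine"] = aircraft.open(frames[0])
    out["replay"] = aircraft.open(frames[0])                 # same frame a second time
    tampered = bytearray(frames[1])
    tampered[HEADER_LEN] ^= 0x01                            # flip one ciphertext bit
    out["modified"] = aircraft.open(bytes(tampered))
    forged = b"GND->ACF" + struct.pack(">Q", 1) + b"DESCEND" + bytes(TAG_LEN)
    out["forged"] = aircraft.open(forged)                    # attacker has no key
    out["after_deletion"] = aircraft.open(frames[2])         # frame 1 never arrived intact
    out["eavesdropper_sees"] = frames[0][HEADER_LEN:-TAG_LEN]
    return out
```

The receiver accepts the genuine frame, rejects the replay and the altered and forged frames without ever decrypting them, and accepts the third frame while reporting one missing frame in between, which is exactly the signal the flight crew or the ground system needs to request a repeat instead of acting on an incomplete clearance. The eavesdropper sees only ciphertext. Separate uplink and downlink link identifiers keep the two directions from ever reusing a nonce under the same key.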
7. Beyond Application Security: Privacy by Design
After the General Data Protection Regulation (GDPR) took effect, organizations across the globe had to start looking more closely at the data they collect, use, move and store. To build overall operational resiliency and give mission-critical systems a foundation of data integrity, it is important to adopt the foundational principles of privacy by design.
8. Penetration Testing
Conducting periodic penetration tests can help uncover and address risk exposure gaps before attackers do so.
Since airlines rely heavily on third-party vendors, the domain of third-party risk management (TPRM) becomes all the more important. Including vendor access monitoring, security audit clauses and specified testing procedures in vendor contracts can help with overall vendor risk management.
9. Security Awareness
Just as environmental safety standards have made their way into operational platforms over time, cybersecurity awareness must also be integrated into the company’s culture and day-to-day work. With the proliferation of ransomware and phishing, employee education is a strong line of defense against such attacks. Don’t limit education to prevention; help each employee know the basics of incident response and what to do when they suspect a cyber issue.
10. Incident Response
Careful incident response planning should be an integral part of your security program, and you should designate a dedicated, in-house team to command and manage the response process in case of an incident. Since airline incidents can easily affect human lives and damage physical systems, the response plan has to be tied to both business continuity and safety plans.
For worldwide operations, it can also help to have a professional incident response team on call to help with immediate response, containment and incident management. An external team can supplement in-house teams to remedy issues faster and return to operational capacity.