As one of the most complex and integrated networks of information and communications technology in the world, the global aviation system presents an attractive target for a large-scale cyber-attack, warn cyber security experts. The airline industry in particular relies on its computer systems for both ground and flight operations, making a potential attack not only a direct threat to the safety of an aircraft in flight, but also to the industry’s reputation and financial health.
So when a computer outage effectively grounded all of United Airlines’ mainline flights originating in the U.S. Wednesday morning at virtually the same time the New York Stock Exchange suspended trading due to a computer glitch of its own, speculation about the possibility of a cyber-attack understandably began to circulate. But while the suspicion that the outages arose as a result of a hacking scheme proved ill-founded, the events served to remind the airline industry of the disruption a successful attack could cause.
Although many airlines and airports have installed what they call robust systems to address common hacking threats, the International Air Transport Association (IATA) concedes the need for improvement—and a need for a “holistic” approach to assessing the threat to their own IT infrastructures as well as to that of partners such as subcontractors, clients, suppliers and travel agencies. The association’s “three pillar” strategy for addressing the threats calls for the development of a cyber security management system, institution of an “appropriate” basis for regulation and the establishment of reporting and communication channels.
Speaking in Singapore Thursday during a cyber security conference held by the Singapore Ministry of Transport, IATA director general Tony Tyler cited an apparent attack on LOT Polish Airlines’ systems on June 21, preventing the airline from creating flight plans and grounding 10 flights.
“No business is immune, but aviation is a specific target for those intent on doing cyber mischief and theft—or worse,” said Tyler. “Airlines are the highest value target for fraudsters, and close to fifty percent of all phishing attempts are made against airlines and airline passengers, according to one cyber security firm with which we work.”
In fact, during the month of March IATA itself identified and blocked 80,000 suspicious connections a day, detected and cleared 891 viruses and resisted five “brute force” attempts to connect to IATA accounts, he reported.
While Tyler stressed the importance of a collaborative approach to protecting the industry from the threat, the nature of the industry’s collaboration results in vulnerabilities. “For instance, we exchange operational and air traffic information to manage our daily operations,” he said. “It is vital that we be able to rely on the integrity of that information.”
Of course, more automation also means more opportunities for hackers to do damage. Meanwhile, greater connectivity between technology such as flight management systems, electronic flight bags and so-called e-enablement of aircraft means a cyber attack can disrupt several systems at once. “There is no question that automation significantly enhances safety and aircraft capabilities while simplifying many rote tasks,” added Tyler. “But as a result, the number of entry points into systems is increasing steadily. The more systems we automate, the more vendors we have and the more interfaces that can be targeted for attack.”
IATA has endeavored to help mitigate the risks through such programs as its Aviation Cyber Security Toolkit, which proposes solutions to run internal analysis of risks to help security “stakeholders” identify ways to protect their IT infrastructures. However, stressed Tyler, governments need to cooperate better among themselves and with industry to combat the threat effectively.
“Governments have resources and access to intelligence that the private sector can never achieve,” he noted. “They also have a responsibility to use these resources to support industry efforts. We have an example of this approach in the decades of successful government-industry cooperation on safety...Unfortunately, we have not achieved that level of cooperation in security.”
Tyler warned against allowing national classification systems and ambiguities around the legal rights for sharing information across borders to get in the way of international cooperation, adding that no one should accept a circumstance in which one airline can get access to information and best practices while another cannot simply because of its country of origin. Similarly, governments cannot afford to repeat the inflexible, prescriptive approach to regulation initially taken in response to the 9/11 attacks, he added.
“It is only over the past five years or so that we have been able to transition away from this approach towards a more flexible, risk-based model,” explained Tyler. “We must not repeat that steep learning curve with cyber security.”