Alert
By Brian E. Finch
08.24.15
Given the range of threats and the catastrophic impact an attack could have on an airline, strategizing to reduce the risk of breaches and implementing plans to deal with them once they occur should be prioritized at board level. We consider some recent examples of cyber incidents faced by the industry.
Whilst cybersecurity has ranked (or should have ranked) increasingly high on many boards’ agendas for some time now, the risks associated with an attack place airlines in a somewhat unique position. In particular, a cybersecurity attack on an airline might not result solely in the loss of data, whether that be customer records, financial details of customers or sensitive details about company revenue; it could well impact the airline’s core operations, with cyberattacks having the potential to seriously disrupt flights and endanger their safety.
Recent incidents and unique challenges faced by airlines
Two recent examples highlight the fact that those who wish to harm an airline need not necessarily pass through a departure lounge any longer:
(i) On June 21, LOT Polish Airlines had its flight operations system hacked, resulting in disruption or cancellation of 22 flights. While there is little public information, and indeed there are some conflicting reports as to whether this was an actual cybersecurity attack, it is reported to have been a Distributed Denial of Service (DDoS) attack on a private network responsible for issuing flight plans, showing the scope for penetration into the inner workings of an airline’s IT estate; and
(ii) In April, American security researcher Chris Roberts claims to have accessed flight-critical controls through the in-flight entertainment system (though this is rebutted by Boeing).
A specific challenge for airlines which heightens their cybersecurity risk is the incredibly diverse nature of their business in terms of geography, business lines (passenger and cargo), complex public and private systems (see diagram below), and significant interfaces with other bodies in the industry. This is an environment with many access points and potential points of weakness. As members of Boeing’s cybersecurity team have said, “pervasive and instantaneous network connectivity, once limited to IT environments, is now a part of the global aviation culture.”
Regulations and standards in the sector
As the industry responds to these threats, there is currently no uniform benchmark standard or regulation for bodies to aim toward. At a regulatory level, there are some principles of general application, primarily in relation to the security of data (for example, the risk-based approach to security envisaged by the European Economic Area’s Data Protection Directive); however, they are very general and high-level in application, and not specific to the industry. Aviation regulators and industry officials are in fact pressing for greater collaboration between governments and airlines to protect the industry from cyber breaches, as was evidenced by the briefing of European ministers by the head of the European Aviation Safety Agency in early July.
From a standards perspective, there are a variety of initiatives: aircraft manufacturers are providing guidance on best practice; trade association IATA is developing a security toolkit; and airlines are taking unilateral action, e.g. the “bug bounties” of frequent flyer miles purportedly being offered by airlines such as United to buy the assistance of those who have uncovered weaknesses in the company’s IT infrastructure. But these only go so far, and none of these initiatives offers a silver bullet in light of the risks posed.
This is a game of cat and mouse against those looking to breach security, and the risks presented were possibly best summarized by Adrian Kubicki, spokesperson for LOT in the wake of their DDoS incident, who stated that “[LOT is using] state-of-the-art computer systems, so [this event] could potentially be a threat to others in the industry.”
Read more: Cybersecurity and the Aviation Sector: Recent Incidents Highlight Unique Risks