To date, airlines have yet to definitively pin any major IT-related incident on a malicious cyber attack — but that doesn’t mean the aviation industry is taking the threat of hackers lightly.
Air traffic control systems, connected logistics networks and in-flight passenger services are just a few of the potential at-risk targets.
Just think of all the digital touchpoints along the passenger experience, from booking a flight online to paying for a drink inflight with your credit card. They make flying more seamless, but they’re also potential “entry points” for hackers.
Cybercrime costs to the global economy sit at around $400 billion per year, and in aviation, this can potentially come in the form of lost customers, delayed flights and expenses to “mop up” a cyber breach, not to mention the resources spent on regulatory compliance and investigation in the aftermath of an attack.
According to industry experts, airlines realize that protecting today’s digital aviation infrastructure requires teamwork. That’s why airlines are increasingly taking an integrated approach to cybersecurity and working with third parties to form a defense against cybercriminals. That includes aviation regulators, law enforcement, the private sector and sometimes even competitors.
Research firm PricewaterhouseCoopers recently found 85 percent of airline CEOs view cybersecurity as a significant risk. Michael Dierickx, Information Security Officer at Panasonic Avionics, explains a big part of the reason is the increased connectivity and use of the Internet of Things (IoT) in aviation. Aircraft systems, for example, are digitally connected to ground infrastructure so they can provide notification of potential Indicators of Compromise (IoC). While this speeds up incident response times, it also creates a new threat landscape.
“We’ve effectively made the aircraft a giant IoT device which is fairly new in aviation, and it brings potential new risks and threats,” says Dierickx. This includes hacking of systems used by flight crew, or pilfering passenger data with the intent of fraud or identity theft.
Take, for instance, the global system used to coordinate flight bookings, which employs a unique Passenger Name Record (PNR) to facilitate online check-in and ticket retrieval. Experts have recently found several potential weaknesses in protecting PNRs, including a lack of password sophistication and the ability of hackers to decipher boarding pass barcodes in images that travelers post on social media.
Topias Salminen, Head of Cybersecurity at Finnair, notes that older computer systems were unique to aviation and unfamiliar to most people. Aviation software providers have since adopted more widely used technology to bring the industry’s networks up to speed. However, that means today’s systems more closely resemble the widespread networks that hackers already have experience infiltrating.
“Today’s networks are similar to common systems used in a typical office environment — systems that capable hackers are already familiar with,” Salminen observes.
One of the pieces of low-hanging fruit airlines can pick to combat these vulnerabilities is to work in concert with their private-sector vendors to make sure all software updates and patches are properly installed. It sounds simple, but as evidenced in the recent WannaCry attack on the British National Health System, failure to patch regularly is tantamount to leaving the front door open for hackers.
Connected logistics networks, inflight navigation software, and personal passenger data are unique cyber threats that airlines are addressing via partnerships.
An Integrated Cybersecurity Approach (ISA) is a framework that’s been developed by security experts and government agencies over the years. The primary goals of an ISA are to develop strategies for early threat detection and prevention, along with breach response plans. Core to the ISA’s ability to achieve those goals is integrating the cybersecurity efforts of private companies with government intelligence at the strategic, operational and tactical levels. In aviation, this means taking a new view of the relationship between airlines and security agencies like the Department of Homeland Security (DHS).
“We used to view governments solely as regulators,” says Salminen. “Information is now constantly shared between airlines and governments. We security-test our IoT devices and proactively share the results with regulators, for example. Today, collaboration is mutually beneficial.”
Creating an integrated cybersecurity defense also requires partnership with the private sector, technology vendors and even competitors.
“Aviation is a unique industry in terms of collaboration,” notes Salminen. “Risk-mitigation strategies are shared openly. We’re like a big family with different cultures and nationalities, but with the same security obligations to our passengers.”
He and Dierickx both note that cybersecurity isn’t seen by airlines as a competitive advantage, but as a common interest.
“We exchange threat information to even protect competitors from cybercrime. Because an attack on one is an attack on all,” Dierickx says, adding that airlines are developing partnerships with private-sector technology experts and vendors to spot bugs and vulnerabilities.
“We work with HackerOne for our bug bounty program,” he explains. Panasonic Avionics uses HackerOne’s researchers to “crowdsource penetration testing” — that is, to uncover potential vulnerabilities of public-facing components. Once a bug is detected, a remediation plan is put into action and a bounty is paid out.
“Airlines and vendors are really going on a journey together, and our success is also the vendors’,” he continues. “You’ll see a lot of these partnerships evolving in the future because we need their help to protect a complex, emerging and non-traditional infrastructure.”
Airlines are making substantial progress in creating an integrated cybersecurity approach that successfully involves governments, third parties and competitors. In the end, Salminen recommends that airlines communicate effectively with all partners and take a “see something, say something” mentality.
“Observe, discuss and share knowledge with your partners,” he concludes. “And keep your ears and eyes open for new threats.”