Airlines and governments around the world must work together urgently to combat cyber attacks by criminals and hackers. The call comes after the International Air Transport Association (IATA) disclosed that in March, it blocked more than 80,000 suspicious connections to its system per day, cleared 891 viruses and fended off several so-called “brute-force” cyber attacks.
International Air Transport Association director general Tony Tyler says airlines have become the highest value target for fraudsters.
Tyler spoke in Singapore a day or two after a series of strange, virtually simultaneous computer glitches grounded United Airlines, shut down the New York Stock Exchange and hit the Wall Street Journal website.
While the glitches were said to be a coincidence, conspiracy theories ran hot. United’s glitch (it blamed the problem on a broken network router) disrupted the flight plans of roughly half a million travellers. Not long before, LOT Polish Airlines suffered an expensive cyber attack.
A worst-case scenario cyber attack could cost the US up to USD 1 trillion, according to report by specialist insurancer Lloyds and the Centre for Risk Studies at Cambridge University.
Carriers needed to share vital information to keep the attacks at bay, Tyler said.
“It is not acceptable that one airline may have access to information and best practices regarding appropriate cyber-measures and potential vulnerabilities, while another carrier doesn’t, simply because it is based in a different country.”
Airlines are prime targets for hackers because their systems process more than USD 388 billion in transactions annually.
“Each day seems to bring fresh news of a security-breach or data theft,” Tyler told the Civil Aviation Cyber Security Conference in Singapore .
“Damage from such attacks can run into hundreds of millions of dollars and leave a company’s reputation in tatters. A successful cyber attack on an airline could paralyse operations and result in thousands of stranded passengers.
“No business is immune, but aviation is a specific target for those intent on doing cyber-mischief and theft – or worse. Airlines are the highest value target for fraudsters and close to 50% of all phishing attempts are made against airlines and airline passengers, according to one cyber security firm with which we work.”
Tyler says IATA is working to help airlines develop a robust cyber security strategy to address cyber threats to aviation.
Last year, IATA launched the Aviation Cyber Security Toolkit, intended for airlines but also applicable to airports, ground handlers and others in the value chain.
“It is an essential part of our strategy to bolster cyber security and we will release a second version this year,” Tyler said.
Tyler pulled no punches in describing the threat aviation faces.
“We are only as strong as our weakest link,” he warned. “An airline is dependent on its ANSP (air navigation service providers) and airport partners to be highly engaged in cyber security. Many airlines and airports have robust systems in place to address common hacking threats.
“The challenge is the evolution of the threat. Cyber experts have to improve their expertise constantly in order to remain vigilant and keep ahead of hackers. What we are facing is close to an asymmetric warfare in which it is easier to attack than to defend. In order to assess the broader threat to the aviation system, there is a need to adopt a holistic approach which would include all our IT infrastructure as well as that of our partners.
“A related vulnerability comes from the introduction of greater levels of automation. The industry relies on information and communications technology such as flight management systems, electronic flight bags and e-enablement of aircraft and there is greater connectivity between these systems.
“There is no question that automation significantly enhances safety and aircraft capabilities while simplifying many rote tasks. But as a result, the number of entry points into systems is increasing steadily. The more systems we automate, the more vendors we have and the more interfaces that can be targeted for attack.”
Tyler reminded his audience that a key component of managing risk is effective sharing of information.
“It is a lesson we learned following the tragedy of MH 17. Information that may be shared can include vulnerabilities, threat intelligence, and incident reporting.
“As one of the most complex and integrated systems of information and communications technology in the world, the global aviation system is an attractive target for a large-scale cyber attack, or for a targeted attack on some of its most vital elements.
“While we cannot eliminate cyber risk, we must manage it.”
Written by Peter Needham