How Cyber (In)Secure is Air Travel?
By Andrew Munro for Global Risk Insights
Frequent travellers passing through any airport will be familiar with an array of overt security precautions: the seemingly endless queue to have your luggage examined in front of an audience of weary flyers. This breach of personal space is a small price to pay for safer travel.
Less obvious, however, are the security measures that all airports and airlines should be adopting to counter the growing cyber threat. The Centre for Internet Security recorded 75 cyber attacks on US airports alone in 2014. This total is likely to grow higher in 2016, as cyber attacks become even more sophisticated.
Why target air travel?
Airports and the global airline industry are tempting targets for cyber attack given the interconnectivity of cyberspace and global travel. Just like power stations and energy grids, airports and air travel are considered Critical National Infrastructure: vital to the daily economic and social operations of any given state.
A ‘successful’ cyber attack could prove disastrous, impacting the global economy, business continuity and the plans of individual travellers.
Information theft via cyber attack could also be used for commercial gain by rival airports or airlines. This would be especially relevant with rivals competing for bids, or even for new technological designs.
The embarrassment caused by a data leak could also be used to damage the victim’s reputation. For example, if passengers’ confidential data were stolen and published online, customers would choose to avoid that airline.
Who would target air travel?
A ‘cyber attack’ launched against Boryspil Airport in Ukraine’s capital on 18 January serves as a pertinent example of the realms of geopolitics and cyberspace merging. Since Russia’s annexation of Ukraine, multiple cyber attacks have been reported against Ukraine’s critical infrastructure.
Whilst we must not be quick to conclude that this incident was launched by the Russian government, a Ukrainian military spokesman stated that the cyber attack did, indeed, originate in Russia.
Should this be true, the ongoing geopolitical realities between the two states provide two possible motives for the attack: political influence and coercion over Ukraine. They also mark a turning point whereby both military and civilian operations are deemed viable targets of cyber attack.
Physical terror attacks upon air travel are well documented, but less so are cyber attacks launched as acts of terrorism.
While disruptions to passenger Wi-Fi would not provide the same fear factor as an airliner hijacking, terror groups with cyber capabilities should be seen as a growing adversary.
Terror groups have successfully disrupted websites in the past. Whilst most do not currently possess the same technical capabilities as state-sponsored hackers, it is likely that terror groups will attempt to launch simultaneous cyber and physical attacks on the air travel industry in the far future.
The threat is often exaggerated in media reports, yet these groups are increasing their level of sophistication every year. Watch this space.
Targets for cyber attack
Recent research and development projects found that competent hackers could, in theory, disrupt Air Traffic Management and Communications, Navigation and Surveillance (ATM/CNS) systems. This would have very real impacts on flight operations: grounding those set to depart, and posing a potential crisis for those mid-flight.
Of course, pilots are trained to use manual navigation techniques, yet modern aircraft increasingly rely on ‘glass cockpits’, using only digital computer displays. With these down, pilots may find themselves flying blind, especially during bad weather, in crowded airspace.
Passport control is another vulnerable area. A cyber attack at Istanbul Ataturk airport demonstrated that by disrupting passport control, mass passenger chaos could be caused. Global databases are vital for checking travellers’ IDs, and especially crucial for ensuring terrorists do not slip between borders. Islamic State fighters returning from Syria are one potential example, one which manual passport checks may overlook.
How (in)secure is air travel?
Air travel should generally be considered secure. Major breaches are rare and infrequent, and the industry is adapting fast: rest assured you can still board your flight tomorrow.
The ultimate vulnerability throughout air travel is the reliance upon information systems. This is not unique to the airline industry. When faced with a cyber attack, passenger comfort and safety, a business’s reputation and its financial health are all threatened.
Secondly, with such interconnectivity, only one weakness is needed to compromise network security. Not all stakeholders in air travel have the same resilient cyber defences. International frameworks must be agreed upon by all aviation authorities for holistic cyber defence.
Ironically, with all this focus on high-end technology, the human aspects of cyber security are often overlooked. Negligence by an airport employee could well be used as a ‘backdoor’ vulnerability for a hacker to exploit. A disgruntled employee could also intentionally expose cyber weaknesses as payback.
What can be done?
The answer, at least for the foreseeable future, is what Eurocontrol labels a ‘Total Systems Approach’. This tackles cyber threats through military and civilian cooperation: both these sectors are champions of innovation. Continuing relations with said sectors is therefore wise. For the human aspect, cyber security must continue to be taught at all levels, across the air travel industry.
Cyber security should be treated just as seriously as physical security for air travel to be considered fully ‘secure.’