Author Bio ▼

IFSEC Global is the online community for the Security and Fire industry. Our market-leading live events span the globe, connecting buyers and sellers.
February 21, 2020

Sign up to free email newsletters


Contact tracing and COVID-19 director’s briefing

Cyber resilience in aviation

Scott Nicholson, Delivery Director at Bridewell Consulting, details the challenges involved in the aviation sector in relation to cyber security.

Cyber security is a board level topic of discussion regardless of the industry. Private sector businesses and public sector organisations alike face a number of threats from hackers and cyber criminals, but one industry that has featured strongly on the news agenda over the last few months is the aviation sector. Indeed, a recent report on IFSEC Global highlighted that there were major concerns over airport cyber security.

While the biggest threat to the aviation sector is disruption — consider the drone debacle of 2018 or several power failures at UK airports in 2019 — cyber attacks certainly pose a major challenge and can significantly contribute to disruption.

A fast-evolving threat

Cyber security was even highlighted by the World Economic Forum (WEF) as one of the biggest challenges facing the industry during its 50th annual meeting held in January this year. Terrorism is most likely top of mind when considering the threats to aviation, due to severity. Here, it’s not just about causing disruption and chaos by exploiting aviation systems and processes, but there is also a significant threat of loss of life.

However, the aviation industry, be it airlines, airports or service providers, faces myriad other threats too. Consider that while nation state type threats and terrorism are acute, aviation organisations are also businesses. As such, they face many of the same threats that enterprises do, whether that’s a data breach, ransomware attack or phishing attempt.

But where are these threats aimed? And how can aviation organisations mitigate the risk associated with attacks?


Protecting infrastructure

Taking a step back, airports typically feature two types of technology; traditional IT and SCADA-based operational technology (OT).

The airport ecosystem has many moving parts, from an ecommerce side run on standard IT systems where passengers can pay for parking or buying rail tickets online, to OT that supports key services across the airport, like utilities, runway lighting, etc. Typically, OT systems contain SCADA-based technology, may also include IT components and are likely to be contained within isolated networks that aren’t generally accessible via the internet.

While this may make it more difficult for nation state type attackers to gain access to airport systems, it is still possible. Threat actors can’t launch attacks from anywhere in the world, rather they may need physical access to the systems or a foothold in the network – so difficult, but not impossible.

OT is also a challenge when it comes to skills for cyber security. The acknowledged skills gap in cyber security is made even broader around OT and SCADA. Cyber security experts don’t necessarily have the skills to apply this knowledge to SCADA-based infrastructures. However, relying on third-party cyber experts with the expertise in both security and engineering can alleviate this issue.

On the traditional IT side, aviation organisations face commodity-type threats where hackers are either looking for a foothold, notoriety, money or to cause disruption. Here, they scan the internet looking for surfaces that are vulnerable and then build on those gaps. This includes phishing attempts to gain credentials and login details, malware attacks or trying to breach network perimeters.

These types of attack have been successful. A number of airlines, Delta in 2017, Cathay Pacific in 2018 and British Airways in 2018 have experienced significant data breaches, losing passenger personal details and credit card information. In fact, the latter attack led to British Airways being given a proposed fine of £183m, one of the first as a result of the General Data Protection Regulation (GDPR).

Guarding the supply chain

But it’s not just in-house infrastructure, whether that’s standard IT or OT, that aviation organisations need to protect. They need to secure their supply chain too. Attackers don’t need to target aviation organisations directly; they can attack vendors, harvest information and use that to gain a foothold in the organisations they are actually after. These organisations often have access to critical systems and assets so represent a threat in themselves to aviation organisations.

In the Delta Air Lines data breach, the cause of the attack was traced to one of the airline’s vendors who supplied chatbot technology for the website. Due to lax password security, attackers gained access to the vendor’s systems and stole the personal details of 825,000 Delta customers.

Aside from data breaches and theft of intellectual property, one of the dangers here is that vendors to the aviation industry serve multiple customers, be that airports or airlines. So, if their systems are compromised, it’s a much wider issue.

The supply chain is often an attractive target, as was demonstrated in the Cloud Hopper hacking attacks perpetrated against managed hosting providers in the US government (and other enterprises’) supply chain.

As a result, aviation organisations need to not only ensure their own cyber security is up to spec, but also need to understand their supply chain. They need to know who has access to which systems, and make sure these vendors have the right practices and procedures in place to deal with the cyber threat.

To this end, the Civil Aviation Authority in the UK recently launched the ASSURE framework. Developed in collaboration with the Council for Registered Ethical Security Testers (CREST), the ASSURE scheme is designed to enable the aviation industry, including airlines, airports and air navigation service providers, to manage cyber security risk without compromising aviation security or resilience.

A best practice approach to aviation cyber seurity

There are number of methods that the aviation industry can take to secure infrastructure, mitigate risks and ensure resilience in the face of the cyber threat. First, it’s vital that IT and OT teams work together on cyber security. Apart from the skills gap which presents a challenge, this information sharing is vital to the health of the organisation. Importantly, cyber security isn’t an IT or OT issue; it’s a business issue and therefore must be tackled as such.

Second, aviation organisations need to understand their data flows in the network, much like enterprises do. If they have a good understanding of what normal looks like inside the network, it becomes easier to identify and understand any anomalies that could signal an issue or attack.

Finally, segregation. While OT and IT are often separate, having clearly defined layers of network segregation provides a solid foundation to reduce the attack surface and limit an attacker’s ability to move laterally within their network.

Moving forward

Protecting the aviation industry is crucial and despite challenges it is not a losing battle. This is especially true with emphasis being placed on tackling cyber security issues at a government level, and aviation organisations building on the risk mitigation already in place.

Keep up with the wireless access control market

Download this free report to find out more about:

  • The current state of wireless access control solutions in the market
  • The developing ‘move to mobile access control’ trend
  • Views on open architecture and integration
  • The growing use of the cloud and ACaaS to manage access systems
  • How important is sustainability to the industry?

Related Topics

Notify of
1 Comment
Newest Most Voted
Inline Feedbacks
View all comments

[…] FURTHER READING: Cyber resilience in aviation […]