Aviation gets cyber savvy

posted on 12th March 2019

The air transport industry is deploying the latest technology to strengthen physical and cyber security defences writes Martin Courtney

The implementation of fast, convenient security controls to smooth the passenger journey a key element of competitive differentiation amongst airlines, airports and ground handling companies.

New approaches based on innovative hardware, software and data sharing processes that utilise the latest technology are starting to make a difference.

But the industry also must keep a close eye on the cyber security vulnerabilities created by mass digital transformation creates and stay one step ahead of hackers and regulators in ensuring sensitive information is properly protected.

Biometric identification on trial

Airports around the world are using sophisticated new IT systems – made up of high definition cameras, tracking and analytics software – to trial biometric identification systems for example.

Lufthansa became the first airline to use biometric exit cameras on flights from Miami International Airport (MIA), allowing passengers to access the aircraft without either a boarding pass or a passport. The system was jointly conceived and developed by a partnership that also included MIA, US Customs and Border Protection and SITA.

Cameras snap passengers at the boarding gate to confirm their identities and authorise them for travel, with each facial recognition process estimated to take less than two seconds with a 99% match rate success.

Los Angeles International Airport too is piloting similar biometric boarding technology from Gemalto to see if it complies with US Customers and Border Protection (CBP) requirements. Gemalto’s video-based Live Face Identification System (LFIS) analyses high resolution footage to match images against an existing personal document database and feeds the results into CBP’s Traveler Verification Services system.

Other biometric systems being set up by Emirates and Aruba Airport go further by extending facial recognition to bag drop, border control and boarding. Emirates will shortly launch a biometric path system that uses a mixture of facial and iris recognition to check in for flights, complete immigration checks, enter the Emirates lounge and board the aircraft just by walking through Dubai International Airport for example, with no human intervention whatsoever.

The Aruba Happy Flow – developed by the Government of Aruba, Aruba Airport Authority and KLM, in cooperation with developing partners Vision-Box, Schiphol Group and the Dutch Government – is an identity management system being applied to passengers visiting the Caribbean Island of Aruba. For the moment passengers show their passport once to enrol their biometric data at the check-in desk and are then free to move across all other stages of the airport process whilst being automatically identified at various touch points. It is envisaged the system could be extended to other airport stakeholders in the future and used for lounge access, hotel bookings and tax-free shopping for example.

Though most, if not all, of these biometric systems remain in the pilot phase for now, airlines and airports are already reporting significant benefits to operational efficiency that enable them to better handle passenger flows in peak periods, not least by eliminating long queues and providing real-time congestion management.

Cyber threats and data breaches

Airports, airlines and ground handling companies capturing sensitive passenger details through biometric enrolment systems, or any other form of data collection must be doubly careful about how they protect and store that information.

Failure to comply with either sovereign or international data protection regulation can lead to not only to hefty fines but also generate considerable reputational damage for companies found to be lax in their custody of that data.

The aviation sector was hit by a major data breach in October last year when hackers gained unauthorised access to the IT infrastructures of Cathay Pacific and stole the passport numbers, travel histories and contact details of an estimated 9.4 million customers

The attack highlights the importance not just of protecting sensitive data against compromise, but also making sure any data breaches are notified to the relevant authorities irrespective of where they happen to occur.

Cathay Pacific handles the data of European Union (EU) nationals whose private data is subject to the terms of the General Data Protection Regulation (GDPR) introduced in May 2018, legislation that gives national data protection authorities in EU countries the power to impose fines of up to EUR20 million or 4% of a company’s annual turnover, whichever is the greater.

Other recent data breaches involving airlines include British Airways, Air Canada and Delta Air Lines, all of which lost sensitive customer details as a result of an orchestrated cyber-attack. That has led to suggestions that cyber criminals are deliberately targeting the industry because it is vulnerable, with the European Aviation Safety Agency (EASA) estimating an average of 1,000 attacks occur per month on aviation systems.

Cyber security specialists addressing demand

Recurring cyber security incidents and new regulations like the GDPR have brought the need for investment in better protection into sharper focus over the last 12 months. Air transport industry IT services provider SITA calculating that aviation spend on cyber security products and services grew to $3.9 billion in 2018. According to the company’s 2018 Air Transport Cybersecurity Insights report, 89% of airline CIOs plan a major programme around cyber security initiatives between 2018 and 2021, up from 71% in 2017. The figure was higher for airports – 95% are planning major programs by 2021, most commonly involving raising employee awareness and training of cyber threats; achieving regulatory compliance; and implementing better identity access management (IAM) systems and processes.

Those investment plans have led some cyber security product and service suppliers to set up specialist practices aimed specifically at customising their portfolio for the aviation industry. These include F-Secure which last year developed its Aviation CSS platform to better protect the hardware, software and communications systems typically used to share information between airlines, airports and ground handling companies.

Elsewhere, Lufthansa is working with SAP to introduce IBM security solutions based on blockchain transactions designed to improve the passenger experience by protecting personal data being transferred between various aviation operations systems and their supply chains. Accenture too is targeting its blockchain platform squarely at an aviation industry that sees data being shared and transferred between multiple stakeholders and touchpoints – including airlines, online travel platforms, card providers, airports, immigration, government, hotels, car rental agencies and ground handling companies.

Forcepoint secures Pegasus Airlines data

Like other industries, the air transport industry has been adversely affected by a growing shortage of skilled cyber security professionals available to hire. Before falling prey to hackers last August [2018], BA had been negotiating the outsourcing of its security operations to IBM as it struggled to find sufficient numbers of skilled cyber security experts to implement, configure and manage the levels of threat protection in-house, for example.

With experienced, knowledgeable staff difficult to find and expensive to hire, many companies in the aviation sector have started to put their trust in vendors that can deliver and maintain managed security services and software on their behalf. Turkey’s Pegasus Airlines is one, having appointed specialist cyber security firm Forcepoint to deliver range of solutions covering web and email security, data loss prevention, and a cloud access security broker (CASB) late last year.

Pegasus collects and stores vast amounts of customer data, many of which pertains to EU nationals covered by the GDPR, and the airline was keen to give its employees to that data without compromising data security. It also wanted a solution that was hosted in the cloud to allow flexible access for remote employees from wherever they happened to be, irrespective of the device they were using.

After implementing Forcepoint’s Cloud Security and Cloud Protection platforms, Pegasus has noticed significant increases in staff productivity who now spend less time reporting malware such as phishing attempts and ransomware, leaving its dedicated cyber security teams free to focus on other tasks. The analytics engine also controls employee web browsing and email usage, keeping an audit trail of activity that allows the airline to quickly trace the source of a data breach.

Other companies – including Raytheon, FireEye and Kaspersky Labs – now offer security analytics and threat intelligence services designed to provide airlines, airports and ground handling companies with advanced warning of imminent cyber-attacks. No company can ever be completely secure, but there are effective measures that can be taken to protect every link in the data chain to minimise the chances of being successfully breached.

Luggage scanning

New technology is also playing a key role in ensuring the security of customer baggage, with several airports experimenting with different types of scanners to screen carry-on luggage.

The Los Angeles World Airports (LAWA) and the Transportation Security Administration (TSA) are piloting a computed tomography (CT) scanner which is like those used in hospitals to investigate hand luggage by creating a 3D image of the contents of each bag to identify suspicious objects, including liquids.

Current scanners use 2D images, whereas the 3D scanners (manufactured by Smiths Detection) give operators a 3D image that can be viewed and rotated 360 degrees with back end software using algorithms to match objects against known threats in real time. With hundreds of images take to create a 3D view in real time, operators can see much clearer pictures on their digital screens to make more accurate judgements on a bag’s contents.

TSA expects to have more than 145 units installed at airports by the end of fiscal year 2019 with Australia’s Melbourne Airport also set to trial Smith Detection’s HI-SCAN 6040 CTiX 3D screening device.

In both cases, the new scanners are intended to improve the passenger experience and minimise queueing time by removing the need to separately screen liquids and gels, laptops and electronic items, which travellers currently must remove from luggage to scan individually.