Few cyber security attacks on ground handling IT systems have been recorded to date, but operators cannot afford to be complacent, discovers Martin Courtney
Francy: the honeymoon is over. We are seeing attacks across the aviation front
Faye Francy, executive director of the Aviation Information Sharing and Analysis Center (A-ISAC) and head of Boeing’s Cyber ONE team, was stark earlier this year. “The honeymoon is over. We are seeing attacks across the aviation front. Luckily nothing really dramatic or serious has taken place, but we recognise this is going to cost us time and money.”
Francy highlighted the growing list of cyber attacks directed at companies in the aviation sector over the last few years. The trade association for North American airports warned its members in 2014 of an advanced persistent threat (APT) attack aimed at dozens of airport computer systems across the US. The US Center for Internet Security (CIS) confirmed that a total of 75 airports were victims of cyber attacks, two of them leading to successful breaches, though it did not name the sites or types of system involved. CIS also highlighted a large-scale phishing attack on US airports in 2013.
Most recently 1,400 LOT airline passengers at Warsaw’s Chopin airport were grounded after an attack in June 2015 breached the computer systems used to issue flight plans, the airline admitted. And last year the Norwegian police arrested and charged a 17-year-old boy claiming to be a member of the hacktivist group Anonymous Norway for orchestrating a massive distributed denial of service (DDoS) attack which disabled the websites of multiple business across the country, including Scandinavian Airlines and Norwegian Air.
United Airlines, too, was hit by a cyber attack in the summer of this year, with stolen data including passenger manifests detailing passenger origins and destinations. A group of Chinese hackers was rumoured to be the culprit, although it was not known what their motive was or how they would use the information. Either way it was enough to convince United to pay two hackers more than 1 million frequent-flyer miles each to stress test its security systems for further vulnerabilities as part of its broader ‘bug bounty’ programme.
Nor should Francy’s warning be ignored by ground handling companies in the belief that airlines and airports alone will bear the brunt of the attacks. The recent trend for shared IT services and infrastructure with airport operators and airlines provides considerable potential for data security breaches by the back door as malware infections and unauthorised access incidents have a knock-on effect elsewhere. And the growing use of computer terminals, wireless networks and portable devices such as laptops, tablets and smartphones amongst ground handling staff on the ramp also presents vulnerabilities.
Who are the hackers?
Attacks can originate from a wide variety of sources. Hacker convictions remain quite rare and in most cases victims and law enforcement agencies can never be certain who it was that tried to breach their systems or what their motives may have been.
The nightmare scenario for the aviation industry, given recent history, is of course terrorism: the fear that computer systems will be breached to steal end user credentials to bypass other security systems which will enable perpetrators to cause disruption at will – or even gain access to aircraft control systems.
However, the vast majority of hackers do not have political aims. Security software specialist McAfee identifies four distinct categories of attacker apart from terrorists and those involved in state-sponsored espionage, ranging from recreational intruders looking for fame and notoriety through to vandals, hacktivists and organised cyber criminals.
Some groups of hacktivists, including the HighTech Brazil HackTeam or the Portugal Cyber Army – known for its past involvement in attacks on Dubai airport – like to cause trouble for the fun of it. Other attacks are ‘inside jobs’ caused by disgruntled staff looking to embarrass their employers. Industrial espionage can also play its part as rival companies look to steal customer details from their competitors, or simply reduce confidence in another organisation’s capabilities by highlighting deficiencies in their data protection defences.
Criminal intent underpins a large number of cyber attacks, as crooks look to make money by stealing information which can be used to access financial systems or enable identify theft, often targeting thousands of passenger details (names, addresses and even credit card information) which can be sold on to other criminal groups.
The big question for ground handling companies is whether they can stand the risk of not taking measures to reduce their chances of being hit. Irrespective of the hackers’ intentions and the scale of any attack, the reputational damage which comes when successful breaches are made public may prove the difference between winning a contract or renewal and losing out to a rival, and/or maintaining the trust of critical business partners.
Types of attack
Determined hackers have proved extremely resourceful in creating new strains of malicious software, or malware, and coming up with innovative ways to gain unauthorised access to remote computer systems.
Symantec’s 2015 Internet Security Threat report estimated that over 317 million new pieces of malware were created in 2014. It found that one in every 965 emails sent now includes some form of phishing attack, for example, a form of fraud that sees the hacker masquerade as somebody else in order to try to obtain login credentials or account information – data which can then be used for identity theft or to gain access to other computer systems.
Zero day malware, which exploits vulnerabilities in web browsers when the user visits certain websites and/or is embedded in executable code contained in email messages, is on the rise too. McAfee has also seen a significant increase in the number of technically sophisticated attacks, or APTs, which hide undetected in inert code for months or even years and wait for a chink in the system’s defence mechanisms to appear before executing their payload.
The mobile perspective
Many air ground service suppliers are currently investing in mobile technology designed to provide their employees with messaging and access to centralised information systems from portable devices – everything from laptops and PDAs to smartphones and even some form of wearable device.
Much has been made of the security vulnerabilities which smartphones in particular present to hackers, and there is no doubt that the volume of attacks directed against common mobile operating systems like Apple iOS, Google Android and Microsoft Windows Mobile is rising. But experts warn that focusing too heavily on mobile devices risks overlooking the real source of danger – networks, system login portals, web sites and desktop PC software applications.
The 2015 Data Breach Investigations Report (DBIR) published by US telecommunications carrier Verizon provides a detailed snapshot of security threats affecting 61 countries in 2014. The telco engaged the help of 70 contributing partners to analyse 79,790 security incidents and 2,122 confirmed data breaches.
It found that only a small percentage of the cyber attacks discovered involved mobile devices and almost all of those fell into the category of what Verizon terms “adnoyance” and “similar resource-wasting infections” rather than serious cyber security attacks.
“Mobile devices have clearly demonstrated their ability to be vulnerable,” Verizon stated. “What we are saying is that we know the threat actors are already using a variety of other methods to break into our systems, and we should prioritise our resources to focus on the methods that they’re using now.”
Connected vehicles and IoT
That is not to say that the volume and diversity of potential security threats derived from mobile devices will not expand over the next few years. Emerging technologies beyond smartphones may also open unanticipated vulnerabilities in network and system access.
Automotive manufacturers have started to equip their vehicles with multiple electronic systems which rely on a combination of WiFi, cellular 3G/4G and satellite networks to transmit data: in-car entertainment platforms tracking and machine-to-machine (M2M) capabilities that collect performance and maintenance information before transmitting it back to a central database, for example.
These remain cutting edge and sparsely deployed for the moment. But it is likely they will become standard in all types of vehicle in the future, including those used by air ground service companies on and around the ramp as they look to track equipment and pull information about their maintenance, fuel consumption and usage into central databases for operational monitoring and business intelligence purposes.
Hackers have already demonstrated how they can access internet-connected vehicles to control a Jeep Cherokee remotely by breaking into its in-car entertainment system, leading Fiat Chrysler to recall 1.4 million of its models exhibiting the vulnerability.
And in some cases the diagnostic systems which mechanics use to run tests during maintenance checks on multiple makes also rely on vulnerable third-party software which can be accessed via a garage PC, the ODB-11 diagnostic port or even a USB stick plugged into the vehicle. This presents the possibility that specific components, such as airbags, brakes, fuel system or central locking systems, can be switched on or off to cause significant operational disruption.
Nor is it just vehicles and other plant machinery that is now being linked into the Internet of Things (IoT). Internet Protocol (IP) surveillance cameras, which also use wired and wireless networks, are open to attack from Botnets and DDoS attacks that can flood the network with spurious requests in order to cause system crashes, not only bringing down the cameras themselves but also the back-end servers which store footage.
Other vulnerable systems ground handlers may rely on include electronic bag tagging and baggage screening systems as well as smart lighting, temperature and humidity gauges and traffic control lights.
There is a general realisation amongst cyber security experts that with enough time, money and effort hackers can get into anything – it is only a question of their intended target and level of resource. Yet the vast majority of attack methods, malware and viruses have been around for years and remain entirely preventable if basic information security tools and processes are applied.
Hackers almost always aim for scale. In all but the most targeted assaults, malware and viruses are built to strike the operating systems and applications in most common use by the largest number of people, because this will cause the most amount of widespread damage. Most airports, airlines and ground handling companies have traditionally installed proprietary networks, terminals and software systems, but there is an increasing acceptance of ‘off-the-shelf’ hardware and software which is already widely used in other vertical industries – packages which are consistently updated to mitigate against new cyber attacks via regular patches and upgrades.
Market research company Visiongain identifies a broad range of leading providers of aviation cyber security products and services, including Amadeus, Airbus Group, Boeing, Cisco, CSC, Harris, IBM, Intel, Kapersky Lab, Rockwell Collins, Sabre, SITA, Symantec, Thales, Trend Micro and Unisys. The company suggests that sales of aviation-focused cyber security products could expand at a compound annual growth rate (CAGR) of 3.9% from US$123 million in 2014 to be worth $1,534 million by 2020 as airports, airlines and ground handling companies ramp up their spending.
Practical steps to better security
User awareness is critical and ground handlers can go some way to protecting themselves from cyber attacks simply by educating system users and staff on the dangers; they can issue standardised guidance on authentication and password protection, and on keeping devices and peripheral storage devices safe.
Routine data security practices such as always changing the default username and password on any piece of hardware or software being installed can also help to stop malware, with two-factor user authentication tightening up employee system access.
Ground handlers can also use advanced threat intelligent solutions that look out not just for known viruses and malware but also unknown threats by monitoring suspicious activity (out-of-hours user logins, sudden spikes in network traffic or unauthenticated access attempts, for example) and ‘sandbox’ downloaded files into safe execution environments to quarantine any threat before it can spread.
Encrypting network communications or ‘data in transit’ can help to stop information being intercepted by hackers during transmission between IP-enabled systems and devices on the ramp. Implementing virtual private networks (VPNs) to segment different types of data traffic ensures that sensitive information can travel securely across public WiFi networks or the Internet.