Increasing dependence on technology in order to meet business targets and to improve the passenger experience means increased exposure to cybercrime. Roee Laufer discusses this emerging threat, its implications and the measures that we need to start investing in to ensure the security of our systems.
The number of people flying each year never ceases to grow. According to a recent forecast published by ACI (Airports Council International), global traffic surpassed the 8.2 billion passenger mark in 2017. Over the long term, it is projected to reach 20.9 billion by 2040.
In order for global civil aviation operations to keep up with such tremendous growth in passenger numbers and the economic changes, the use of more computer-based and IT systems is a key driver of innovation and efficiency, including systems that enhance safety and security. At the same time, passengers’ demand for new services is being met by means of broader connectivity – delivered through greater digitalisation in the aviation world. As a result, the travel experience is becoming increasingly seamless, with airports and airlines providing a fully automated passenger journey with mobile devices being used for electronic ticketing, check-in and immigration clearance.
Evolving from Physical to Cyber security
However, this advancement is not reflected in airports’ current approach to cyber security. With the risk of cyber-attacks growing considerably in recent years, the increased connectivity widens the cyber-attack surface. The growing number of direct and indirect cyber-attacks on airports and airlines globally, indicates that the aviation sector is becoming a strategic target for threat actors. The estimate is that the number of these attacks will increase in the near future.
“…typical hacktivist behaviour includes webpage defacements, and conducting distributed denial-of-service attacks…”
While there is a growing recognition of the importance of managing and mitigating cyber risks, operators have a long way to go to develop better protection. It is de rigeur to allocate substantial resources to physical security and very little, if any, to cyber security. Essentially, organisations lack the understanding that security is achieved through adopting a holistic approach. Failing to develop a robust cyber security programme affects the overall level of the organisation’s security.
Cyber Threat Actors
The cyber space is the arena where modern warfare takes place; state-sponsored cyber-attacks, crimes and hackers, as well as extremist entities driven by ideology who operate almost without disturbance. Simple access, anonymity and the global nature of the cyber space creates a comfortable ground for these types of activities, and presents difficulties for governments in their attempts to prevent attacks. These are the types of actors responsible for the majority of attacks on aviation-related cyber space:
- Hacktivists: Hacktivists are politically or ideologically motivated hackers who conduct hostile and sometimes destructive activities in support of a cause or belief. Groups like Anonymous engage in operations against targets to punish a perceived transgression or draw attention to a situation. Typical hacktivist behaviour includes webpage defacements, and conducting distributed denial-of-service attacks (DDoS), which flood a website’s server with so much traffic it renders the site inoperable. Hacktivists have repeatedly demonstrated their willingness to conduct offensive cyber operations against enterprises they feel deserve to be made an example of.
- Hackers: Hackers are differentiated from hacktivists in that their motivations are not politically or ideologically based. Motivations may include financial gain or simply the thrill of the challenge. Attack tools have become increasingly sophisticated yet easier to use, negating the need of an individual to be technologically advanced to launch attacks. Hacking sites feature free tools, tutorials, and a plethora of experienced hackers to serve as mentors for those less experienced.
- Nation State Actors: Nation state actors typically use cyber espionage to collect sensitive information and intellectual property information from their targets. However, depending on the intent of nation state actors, gaining unauthorised access into target networks can be leveraged to reconnoitre and map out the network in order to gain intelligence in support of a later attack. This is considered the cyber equivalent of ‘intelligence preparation of the battlefield’.
- Terrorist Groups: While terrorists and terrorist organisations prefer kinetic strikes against targets, there is a growing body of evidence to suggest the cyber domain is being exploited for terroristic purposes. Primarily, terrorists use cyberspace to recruit and disseminate propaganda, and for radicalisation, financing, training, planning, and research.
- Insiders: A deliberate or unwitting insider can provide hostile actors with direct access to networks and systems that may be targeted for disruption, destruction, or manipulation. Insiders constitute any individual who has direct or indirect access to a targeted computer or network.
Trends Increasing Cyber Attack Surface
Airports and airlines have significantly increased their reliance on technology to be able to meet their business objectives.
Seamless Passenger Journey: The aviation industry continues to make strides toward creating an e-enabled environment that successfully interconnects the multi-faceted components of the aviation landscape. This will make travel more convenient and dependable, facilitating information-sharing to better inform operators and increase efficiency, while maintaining a high level of safety. However, the technology involved in implementing a seamless communication process provides a myriad of opportunities for hostile actors to exploit. One example of such technology is the introduction of big-data solutions to provide more accurate enterprise decision-making, and releasing new apps and services. On-site infrastructures are increasingly transitioning to the cloud for improved flexibility and scalability. However, big-data models require the integration of huge amounts of data from different sources, and developing new open services and apps can also increase exposure to new and present sources of attack.
“…56% of organisations have had a breach that was caused by one of their vendors…”
Biometrics and Face Recognition: The soaring number of security breaches reveal one simple truth: email addresses, passwords, and personal information are no longer sufficient to protect identities online. While credential theft is the oldest (and most effective) trick in the book, it does not mean that attackers are not coming up with new tricks. Two-factor authentication (2FA) adds an extra layer of security, but even this method has vulnerabilities: it is usually accomplished through cellular phones.
“…Ben Gurion Airport is one of the few airports globally to activate a cyber defence centre on the premises…”
Contractors and Third Parties: According to a survey conducted in the fall of 2018 by the Ponemon Institute, 56% of organisations have had a breach that was caused by one of their vendors. Third-parties include a broad range of companies such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, sub-contractors – basically any company whose employees or systems have access to the organisation’s systems or data. However, third-party cyber risk is not limited to these companies. Recent hacks that exposed ‘back doors’ to well-known software have confirmed that the definition of third-party should not be limited to only the companies you directly work with. Third parties are often considered a weak link and must therefore be engaged as part of the security programme at the earliest stage, with steps taken to reduce the associated risk.
Operational Technology: The distinction between information technology (IT) and operational technology (OT) is diminishing with the increased use of underlying IT technologies in OT. For example, Ethernet and TCP/IP enable the provision of new types of systems and services. These two domains are still being treated separately, with the responsibility typically sitting with different functions in the business. Systems and services should be viewed on an IT/OT range and managed accordingly to mitigate the cyber-security risks that could affect their normal operation. OT is typically seen as the responsibility of operations. IT is viewed in the traditional sense of information management. As the responsibility sits with different roles, only by working together can there be effective oversight of cyber-security risks across the airport. The responsibility of both IT and OT security should be with the same individual, who provides a holistic view of cyber risks.
Diverse Security Operations: Most, if not all, organisations have a physical security and/or a network operations centre. However, very few possess the capabilities of a Cyber-SOC (Security Operations Centre). Whether on the premises or externally sourced, they provide added security benefits by providing operators with the ability to fuse information from multiple sources. This helps operators gain a better understanding of an incident, and allows them to manage the response as it unfolds.
Cyber Defence Centre (CDC)
Today, there is an understanding that detection and/or prevention sensors are not enough to develop a resilient defence strategy. There is a growing need to extend the threat visibility by employing central and proactive cyber defence methodologies.
Many airports are opting to outsource their security operations rather than deploying it themselves. The major downside to that, and the most critical, is the lack of business context. The interconnected nature of systems within airports makes understanding the business operational aspect ever more crucial, both to identifying abnormal behaviour and to being able to respond in an effective manner.
Israel’s Ben Gurion Airport is one of the few airports globally to activate a cyber defence centre on the premises. This enables a unified and co-ordinated defence against the evolving threat landscape. Security response experts help to protect, detect and respond 24/7 to security threats against Ben Gurion Airport infrastructure and services in real-time. Operational for over two years, we have established practices and procedures that accelerate the identification and resolution of security threats. We also utilise big data platforms and tools to generate trends and carry out pattern analysis, which helps identify slow-moving attacks and build statistical machine-learning models for predictive behaviour analysis.
Conclusion
The civil aviation landscape is complex with many stakeholders involved, and aviation security is fast-changing and becoming more challenging in coping with cyber threats. The use of more advanced and sophisticated IT and computer-based systems in civil aviation operations will continue to expand even more in the future. While many stakeholders are becoming increasingly aware of the seriousness of cyber threats, many are not necessarily ready to deal with such threats. Therefore, it is crucial that governments and civil aviation stakeholders work to raise the level of awareness and undertake actions. Israel Airports Authority has been working to leverage its accumulated knowledge and help raise the level of readiness and ability.
Roee Laufer is head of the Cyber Division, Israel Airports Authority.