Getting Physical: When the Cyber Threat Materialises in the Real World

The cyber threat has, until recently, been solely an IT concern, but with the introduction of increasingly interconnected surveillance and access controls, the threat of a cyberattack should now be treated as an organisation-wide issue that is assessed and protected against in line with physical systems and policy. Shalom Dolev examines the impact of the cyber threat on operations and the measures that can be taken against it.

The cyber threat has evolved from a data security risk to an existential risk to the organisation that is increasingly difficult to defend against. Its consequences have escalated from annoying space invaders, through denial of service, to complete denial of computing and data lockup, ushering in an era in which your business may be one mouse-click away from permanently closing its doors.

External and internal threat vectors range from organised crime and ‘hacktivists’ to frustrated or greedy insiders. The intensive use of mobile communication and mobile computing devices for business and private applications stretches and blurs the boundaries of the organisation’s Information and Communication Technology (ICT) system more than ever. Sophisticated social engineering attacks necessitate more than protective technologies; they require a proactive organisational awareness culture.

Over the last few decades, airports and airlines have become tremendously dependent on ICT: reservation systems, informational and commercial airline and airport websites, online check-in, unmanned border controls, automated checked baggage systems, networked hyper-connectivity, Wi-Fi networks, air traffic control, e-Enabled aircraft and so much more. However, while technology brings great operational and commercial benefits, cyber threats are evolving just as rapidly as the technology itself.

For the commercial aviation industry, airports and airlines, the cyber threat has an additional critical dimension that affects not only the so-called ‘virtual cyberspace’ but also, to a large extent, the real world. The cyber-attack can be an effective and efficient tool for sabotage, espionage and psychological warfare.

Nonetheless, the perception that a clever teenager on a keyboard can launch and maintain effective and anonymous cyber warfare is a myth. Effective IT security and forensic tools are continuously being developed and distributed worldwide, making the cyber-attack more difficult to carry out and the attacker more exposed to detection and tracking. Hence, cyber attackers must be skilled in the use of high-end tools and techniques and capable both of avoiding detection by national and international law enforcement and of withstanding national-level retaliatory action (when the attack has been perpetrated by a state).

And yet, despite the tremendous possible impact of cyber security threats, we have to be careful not to become alarmist in our approach. If a distinguished expert quotes the USA attorney general as saying, “I want you to know there are two types of American companies: those that have been hacked and know it and those that have been hacked and don’t know it,” the impact is paralysing rather than stimulating – akin to some of the anti-smoking campaigns which, rather than prevent people from smoking, actually stimulate them to seek relaxation, in the form of another cigarette, in response to the scaremongering. Put bluntly, if my company has already been hacked by such sophisticated tools, what is the point of spending money and effort fighting a losing battle? Furthermore, if there are indeed millions of successful cyber-attacks a day, where is the associated proportional damage? Perhaps the devil is not as black as he is painted?

So we want to propose a balanced and practical approach.

When we go back to basics, we should remember the AIC (availability, integrity and confidentiality) triad, a model designed to guide policies for information security within an organisation. The external hacker is not the only cyber threat and probably not even the most dangerous one. According to 9 Steps to Cybersecurity by Dejan Kosutic, there are four major types of cyber threats: Natural Disaster; External Source Malicious Attack; Internal Malicious Attack; and Malfunction and Unintentional Human Error.

As the External Source Malicious Attack is widely discussed and often even exaggerated, I prefer to focus on two topics: the insider threat and the cascading vulnerability of the second-tier systems of airports and airlines.