Air India announced in May 2021 that a few months earlier its technology provider SITA had fallen victim to a cyberattack that resulted in the theft of 4.5 million of Air India’s passengers’ data.
The attack – which was notified to the company around the end of March – targeted passengers’ personal data, flight, and credit card information dating from August 2011 to February 2021.
To mitigate the damage, the company took several steps including securing the servers involved, notifying credit card issuers. and resetting Air India’s passwords.
“The protection of our customers’ personal data is of the highest importance to us, and we deeply regret the inconvenience caused and appreciate continued support and trust of our passengers,” Air India said in a statement at the time.
Defined as highly sophisticated, the SITA attack involved not only Air India but several other carriers including Lufthansa, Japan Airlines, and Finnair.
“SITA acted swiftly and initiated targeted containment measures,” the technology provider explained in a press statement following the news. “The matter remains under continued investigation by SITA’s Security Incident Response Team with the support of leading external experts in cyber-security.”
Cybersecurity attacks in aviation
Even though cybersecurity is not a threat specific to aviation, in the last few years the sector has been at the centre of several cybersecurity attacks, with the European Union’s Aviation Safety Agency reporting around 1,000 accidents per month.
Within the industry, cybersecurity risks are extremely wide ranging as they depend on the type of operator and how they are hit. “If you think about airports, you can have quite a wide and sprawling set of IT environments that are quite difficult to secure,” explains PA Consulting cybersecurity expert Justin Lowe.
Carried out by different actors, the causes behind cyberattacks can be divided into ransomware and intelligence or spying purposes. According to Bryan Hornung, CEO at Xact IT solutions, cybercriminals resort to ransomware for financial reasons, disrupting operations or stealing data and using it as leverage to get paid quickly.
“What typically happens with ransomware is that cybercriminals get into the system and exfiltrate the data off of the network, finding personal information of passengers and employees” he explains. “Once they have it, they use it to extort from people whose data they have or use it to do some identity theft for fraud or things like that.”
Especially when it comes to ransomware, 85% of attacks are carried through phishing while in the remaining 15% of cases, cybercriminals can exploit a piece of the network.
State-sponsored hackers do not resort to ransomware but enter IT systems and spy. “That’s another threat that especially the aviation industry should be aware of,” he adds. “A lot of times you’ll have itineraries and flight plans for high-profile individuals ahead of time and that’s not something you want hackers to have their hands on.”
A different kind of threat
Cybersecurity threats have become a major concern for aviation in the last five to ten years, explains Lowe, mainly as a result of digitalisation processes becoming the norm in the sector.
“With the increased digitalisation you end up with a lot of additional connectivity and interconnectivity going on,” continues Lowe. “That increases the risk to a lot of these systems, whereas if they were isolated as they had been previously, attacks wouldn’t spread to other systems because of inbuilt resilience.”
In a report published a couple of years ago, PA Consulting highlighted how, on top of additional connectivity, other factors – including customer-centricity and airports now becoming mega hubs – have contributed to the industry’s susceptibility to cybersecurity risks. The Covid-19 pandemic also did not help, as companies cut back on security spending due to the economic repercussions of travel bans.
“I would have to say that the pandemic opened more avenues for exploitation in the past 16-months, but we were on this trajectory anyways,” comments Hornung. “Cybercriminals are absolutely ruthless, and they wouldn’t hesitate to ask a ransom to the industry, even though the sector has been down [because of Covid-19].”
Compared to other threats to the sector, especially physical and safety ones, cybersecurity is more insidious. “Cybersecurity risks differ from terrorism and Covid-19 because the threat actors can be anywhere in the world and can strike at any time,” comments Hornung.
“The current cybersecurity threat landscape is worse than it was before 9/11 [and] TSA Screening checkpoints or masks won’t solve this problem. The industry should prepare for cyberattacks, do the best they can to prevent them, and have a resilient plan to put into action if they are a victim of a cyberattack.”
Physical risks also tend to be targeted, whereas in cybersecurity there is a higher risk of accidental attacks.
“On the safety side, there is actually quite a commonality between safety and cybersecurity because it’s not just information systems that are at risk but also the operational technology,” explains Lowe. “An incident on the runway lighting could cause outages and severe disruption as well as implications for the airfield.”
What aviation can do to protect itself
According to Daniel Lewis, CEO of Welsh software company Awen Collective, aviation operators should adopt three approaches to protect themselves from a cyberattack.
The compliance-driven approach, explains Lewis, revolves around regulation and standardisation ensuring best practices when it comes to policy and procedure. “The aviation sector in the UK and EU has a baseline thanks to a cybersecurity regulation called the NIS Directive,” he adds.
The risk-driven approach, on the other hand, assumes that an organisation understands the level of risk and reduces it while the competitive-driven approach is used when a strong cybersecurity system can help win business.
To build a stronger cybersecurity network for the whole industry, experts believe that there should be oversight from international organisations that can give best practice rules to the industry such as the industry-wide aviation cybersecurity strategy promoted by the International Air Transport Association alongside the International Civil Aviation Organisation.
Individual businesses also need to work on preventative measures, such as taking risk assessments. “Operators need to look at what their cyber maturity is across their whole estate,” concludes Lowe. “And they need to look across all that operational technology as well as IT, looking at gaps [in cybersecurity] and the risk they pose.”