Roundtable: are airports prepared for cyber threats?

Adele Berti 23 April 2020 (Last Updated April 24th, 2020 12:25)

The CAA recently launched the ASSURE scheme, which will help strengthen the aviation industry’s cybersecurity resilience. We spoke to the first companies accredited as Cyber Suppliers by ASSURE about current and future challenges facing airports and airlines.

ASSURE will allow aviation organisations to obtain accredited cybersecurity capabilities. Credit: Windmemories (via Wikimedia Commons).

Developed on the back of the European Commission’s EU Network and Information Security (NIS) directive, the UK Civil Aviation Authority’s (CAA) new ASSURE scheme has been set up to “enable the aviation industry to manage their cybersecurity risks without compromising aviation safety, security or resilience and support the UK Government’s National Cyber Security Strategy”.

ASSURE will allow aviation organisations to obtain accredited cybersecurity capabilities and carry out a self-assessment on their protection measures. A number of specialist third-party suppliers have already been accredited as ASSURE Cyber Suppliers in collaboration with CREST, a not-for-profit accreditation and certification body for the technical security industry.

We asked some of the new Cyber Suppliers: what are the current cyber threats to airports and airlines? And are they prepared to meet these threats?

What are the current cyber threats to airports and airlines?

Greg Pope, head of systems and engineering technology consultancy Frazer-Nash-Context:

Some larger airports and airlines form part of a nation’s critical national infrastructure, providing essential transport services for people and businesses, and are likely to be key targets for cyber-attacks. The nature of such cyber-attacks depends on the intent of the threat actor and their capability to do harm. Some cyber-criminals will wish to seek financial gain while others, such as hacktivist groups, may aim to cause temporary disruption and embarrassment to the victim.

The most serious threat actors, including hostile nation states, may seek to impact on aviation safety, or cause significant disruption to our national and international transport networks.

Ben Densham, chief technology officer at cybersecurity services provider Nettitude:

In the airline industry there’s a primary focus on safety for passengers but a cyber threat can cause safety and security impacts through a wide range of systems that airports and airlines will operate. There is often a large amount of legacy technology (particularly in operational technology) that’s in play and this is often natively very vulnerable.

So, some of the biggest threats can be from the unintended ones, like ransomware. For example, an engineer comes in to update a particular system and the USB stick they use to bring in the updates has got a virus on it, which has not been checked.

Another significant impact to the airline industry that has been seen in recent days is around customers and personal data. Clearly, the airlines hold a lot of personal information for people travelling with them. That can definitely be a target for criminals who will be able to monetise this data very easily.

Lawrence Baker, aerospace technical lead at cybersecurity and risk mitigation consultancy NCC Group:

In-flight entertainment (IFE) systems can present one of the largest attack surfaces in the air. Passengers can become exposed to threats when existing vulnerabilities in their devices provide unauthorised access to the IFE system or to other connected networks. By compromising the individual’s device, hackers could manipulate the system or issue malicious information through IFE screens.

On the other hand, if Wi-Fi or cellular phone services are misconfigured or developed using vulnerable software components, these can be misused by attackers and provide a route into aircraft systems and other passengers’ devices, potentially exposing personal or sensitive information.

Scott Nicholson, delivery director at specialist cybersecurity and data privacy consultancy Bridewell Consultancy:

Aviation organisations do suffer quite a lot of commodity-type threats, such as standard phishing attacks, ransomware – all the standard things that affect any company. Most of them will have two types of IT. They will have standard IT – emails, Excel, HR systems – and the operational technology (OT), which can allow aircraft to take off, control the utilities in and around the airports and the data centres. More so in the OT, the threat there really comes from the damage that can be caused. Often those systems are not connected to the internet, so being able to hack them is extremely difficult/impossible without having physical access to those systems, which is why attackers will often try to get a foothold in a network through the IT environment.

The other thing to build into that is security within the supply chain. An airport is a very complex ecosystem. Cybersecurity within the supply chain is a huge threat, as attackers could look to exploit weaknesses in the supply chain and use them as the starting point to build out and cause wider disruption.

Ken Munro, partner and founder of cybersecurity and penetration testing company Pen Test Partners:

The security model for aeroplanes for many years has been physical, meaning good physical airside security controls make it very difficult for the average hacker to get access to the plane.

Yet we see a lot of commonality between the satellite systems that are used on ships and those used on aeroplanes. There is an increasing desire to connect an aeroplane for reasons of efficiency and economy so you can drive savings. However, you’re connecting an aeroplane that traditionally hasn’t been that well connected and has relied upon physical security and so much of the connectivity is starting to break down many of the traditional security models that we have around the fact that the hacker can just jump into an avionics bay and start messing with an aeroplane.

Meanwhile, airports are an incredibly complex environment which brings together conventional IT, the internet of things, the industrial control systems – it’s a crazy, incredibly complicated series of systems.

Are airports prepared enough to meet these threats and if not, what more should be done?

Greg Pope, head of systems and engineering technology consultancy Frazer-Nash-Context:

The aviation industry is increasingly using digital technologies to enhance operations and to improve the services they provide to consumers. A key challenge is to realise the benefits of these technologies, whilst mitigating the increased cyber threat that arises from their use and from greater connectivity between systems.

The vision for ASSURE is to have a proportionate and effective approach to cybersecurity oversight, that will enable aviation organisations to manage their cybersecurity risks without compromising aviation safety, security or resilience. While no systems can be 100% secure, 100% of the time, the CAA’s approach should ensure aviation organisations keep pace with the ever-changing cybersecurity trends.

Ben Densham, chief technology officer at cybersecurity services provider Nettitude:

Any sector is probably not prepared enough – there is always more we can do. Looking at what needs to be done, we always encourage people to first think tactically on some quick wins. So, understand how you might be breached and how these big impacts could be realised on your company, your assets, your data – and then look at those things that can be done very quickly to reduce that risk.

Then secondly, definitely consider things strategically. People don’t go from nothing to something overnight in cybersecurity, it is always built up over time. So set out a clear vision of what ‘good’ looks like for your company and then build your plans of what you want your capability to be and then incrementally improve that in a way that is measured and achievable.

Also, don’t start off aiming for the most advanced cybersecurity capabilities but rather start with the basics and build that up over time, while having a clear idea of where you’re going.

Lawrence Baker, aerospace technical lead at cybersecurity and risk mitigation consultancy NCC Group:

Ongoing collaboration between the International Civil Aviation Organisation, industry and national regulatory bodies will be crucial in bringing about a global standard and regulation to ensure greater resilience across the board. The challenge is to achieve a global approach that is effective yet proportionate and available within a reasonable timescale.

Regulatory measures will help ensure safety and sector level resilience, but may not accommodate differing levels of risk and individual goals held by the wide range of operators across the sector.

Scott Nicholson, delivery director at specialist cybersecurity and data privacy consultancy Bridewell Consultancy:

I would say they’re not prepared enough at the moment but they’re working towards it. But prepared enough for what? Organisations will say that they have a lot of cybersecurity controls in place. But if there is an organisation or a group who is targeted enough, I do believe they could be successful. However, I personally am seeing quite a large uplift and a desire to improve.

Having appropriate segregation between IT networks and OT systems is really important. A lot of airports have this, but with the way that technology is changing, and people wanting to have more capability to manage some of the OT, some of these devices are becoming more connected to the internet and therefore bring about a higher threat level. That ability to understand where the threat is coming from is often overlooked.

The other aspect [to improve] is around having the skills required to deliver effective cybersecurity. So one of the key challenges in cybersecurity as an industry is a lack of cybersecurity skills in the marketplace. Because aviation organisations use a lot of OT, finding the right people who have that experience and the cybersecurity experience is even rarer.

Ken Munro, partner and founder of cybersecurity and penetration testing company Pen Test Partners:

I think the industry is ahead of the curve, certainly ahead of my industries although there are still things that you can do. One of the real challenges is that because aeroplanes are very expensive and the cargo is very precious, as are the people, you can’t really go experiment. Whilst we have great confidence in manufacturers to take cybersecurity seriously on aeroplanes, it’s very important that airlines should embrace the security research community to help drive security and change.

Many airports are making great leaps in the right direction already but it’s also important to have some demonstrable regulations to show that great things have been done and an airport is now compliant, demonstrating what we’re working on with the CAA and providing strong assurance levels for the travelling public.