In the wake of a cyber attack which forced Tasmania’s Hobart International Airport to shut down after an ISIS supporter group hacked into its servers and posted defacing images, Eva Grey spoke to Matt White, senior manager in KPMG’s cyber security practice, about some of the virtual dangers faced by international airports.
Eva Grey: Are airport websites at higher risk of cyber security attacks than any other website?
Matt White: I wouldn't say so. From my experience, the motive for an attacker is the defining characteristic of the selection. If they're looking for a large audience, they pick a site with a large audience. If it's a message to be made, they pick a specific type of target. If it's an attack of convenience they pick a soft target.
EG: How common are these types of hacks on airports' and airlines' servers around the world?
MW: They have happened in the past, but they're not that common. To my knowledge the last one publicised was in November 2013 when the website of Seletar Airport in Singapore was hacked and defaced as part of a series of hacks against the Singapore government.
EG: How can airports be prepared, and what steps can they take to efficiently protect themselves from attacks, such as the April 14th attack in Tasmania?
MW: There are many steps that can be taken, but they all hinge on the website, how it's been coded, secured, architected etc. A strong foundation for security includes not just technology-centric checks, prevention of regular code reviews, prevention of SQL injections, cross-site scripting attacks, etc., but also people and process steps such as making sure users only have the levels of access they require, that passwords are changed regularly and that users (especially privileged users such as administrators) are trained sufficiently to be aware of potential attack vectors such as social engineering (and the steps they can take to avoid becoming victim to them).
EG: In this case, the attack came in the form of "website defacing". What bigger risks and dangers are posed by cyber attacks on airport servers?
MW: The greatest risks come from a breach of the main airport systems. If a suitably skilled attacker was able to breach internal airport systems it is conceivable (albeit highly unlikely) that they could cause unimaginable damage including substantial loss of life. I should stress that, to my knowledge, an event like that has never occurred as these systems are typically much more heavily fortified and secure.
EG: What level of expertise is necessary to hack into an airport's website?
MW: It really depends on the specifics of the website you're looking at. For some sites, the level of skill required is high, for others it's low. It's all dependent on security, architecture, code structure of the website in question.
EG: Why is it important for airlines and airports to have a higher degree of protection from such attacks?
MW: For systems such as air traffic control, the result of a breach could be catastrophic, but for customer-facing websites, the effects are not as drastic. That said, when consumers are reliant upon such portals for updates and information, there is significant scope for public inconvenience on a grand scale. If the website is used for ticketing/account management, there is a considerable risk of fraud (illicit purchase of tickets) just as with other forms of consumer site.
EG: To your knowledge, how disruptive can such attacks be both for the airport's business and long-term reputation?
MW: At present there isn't a hard and fast calculation to accurately quantify the effects. When breaches were a rarity, there was public outcry when they occurred, but more recent high-profile incidents (such as the Sony hack) have shown that the modern consumer seems less bothered by security breaches (almost as though they have become so common that they're now just an accepted occurrence, like a cellular phone call dropping... an annoyance at the time, but something quickly forgotten next time the website is to be used).