Cyber Attacks in Aviation
By Brian Dunn
With today’s technologically advanced airports, there are basically no areas or functions that do not rely on some type of digital network, Tampa International Airport general counsel Michael Stephens told a joint hearing of the House Homeland Security Committee’s Cyber security and Transportation Security subcommittees in September.
By Brian Dunn
The importance of these systems makes airports appealing targets and vulnerable to cyber threats from criminal organizations and state sponsored actors.
In his testimony, Stephens said U.S. airports have reached a point where voluntary compliance is no longer sufficient and asked lawmakers to consider mandating the adoption of “uniform minimum cyber security standards and frameworks.”
He added that “human factor remains the most highly exploited vector” for breaching cyber defences and threat awareness and information security training programs for airport, airlines and aviation industry employees are “perhaps one of the most effective and cost-efficient ways of increasing airports’ and airlines’ cyber security readiness.”
The committee also heard from Christopher Porter, chief intelligence strategist at cyber security group FireEye, Inc., who testified that state-backed hackers are regularly targeting the U.S. aviation industry through cyber espionage to steal industrial secrets from manufacturers, researchers and operators of military and civilian aircraft.
Porter called cyber espionage the “most common cyber threat facing the aviation industry,” and said that hackers sponsored by China, Russia and more recently Iran have all “targeted the U.S. or its close allies for stealing aviation secrets. All three countries also routinely target ticketing and traveller data, shipping schedules and even partner industries like railways or hotels as part of their counterintelligence efforts, Porter added.
However, he reminded lawmakers that, because cyber-espionage is routine, “it should not be viewed as destabilizing.”
“When cyber espionage operators get a foothold on a system, they can often use that access for stealing information or to launch a disabling or destructive attack using the same technology,” Porter said. “But they rarely choose to do so, and in the U.S., there are significant redundancies in place to ensure safety. A crashed IT system does not mean a crashed plane, and it’s important for the public to keep that in mind.”
The International Civil Aviation Organization (ICAO) held a summit on cyber security in Dubai to address the issue and stated it is the responsibility of States to act in such a way as to mitigate the risk posed by cyber threats, to build their capability and capacity to address such threats in civil aviation, and to ensure their legislative framework is appropriately established to take action against actors of cyber-attacks.
In addition, collaboration and exchange between States and other stakeholders is essential for the development of an effective and coordinated global framework to address the challenges of cyber security in civil aviation and that cyber security matters must be fully considered and coordinated across all relevant disciplines within State aviation authorities, ICAO stated.
The ratification and entry into force of the Beijing Convention would ensure that a cyber attack on international civil aviation is considered an offence and would serve as an important deterrent against activities that compromise aviation safety by exploiting cyber vulnerabilities. The Convention is a treaty by which State parties agree to criminalize terrorist actions such as cyber attacks against civil aviation. The protocol went into effect on
July 1, 2018.
In Canada, the Canadian Centre for Cyber Security was established earlier this year to tackle the challenges of cyber attacks. It will be a single unified source of expert advice, guidance, services and support on cyber security for government, critical infrastructure owners and operations, the private sector and the Canadian public, according to the centre. The centre will unite approximately 750 employees from existing cyber security operations units at Public Safety Canada, Shared Services Canada and the Communications Security Establishment (CSE) into one unique, innovative, and forward-looking organization, as part of CSE.
More than one in five Canadian companies say they were hit by a cyber attack last year, with businesses spending a staggering $14 billion on cyber security as they confront greater risks in the digital world, according to a Statistics Canada survey.
In August 2018, some 20,000 Air Canada customers or about one per cent of the 1, 7 million people who use the airline’s mobile app learned their personal data may have been compromised following a breach of the app. The app stores basic information such as a user’s name, email address and telephone number, all of which could have been improperly accessed.
Additional data such as a customer’s Aeroplan number, passport number, Nexus number, known traveller number, gender, birth date, nationality, passport expiration date, passport country of issuance and country of residence could have been accessed, if users had them saved in their profile on the app.