At the Gate: The threat of cyberattacks
By Brian Dunn
The risk of cyberattacks poses the biggest threat to airports and aviation in general, according to a U.S. airport official. In today’s technologically driven airports, there are basically no areas or functions that do not rely on some type of digital network, Tampa International Airport general counsel Michael Stephens told a joint hearing of the House Homeland Security Committee’s Cyber Security and Transportation Security subcommittees in September.
By Brian Dunn
The importance of these systems makes airports appealing targets and vulnerable to cyber threats from criminal organizations and state sponsored actors.
In his testimony, Stephens said U.S. airports have reached a point where voluntary compliance is no longer sufficient and asked lawmakers to consider mandating “uniform minimum cyber security standards and frameworks.” He added that “human factor remains the most highly exploited vector” for breaching cyber defences and threat awareness and information security training programs for airport, airlines and aviation industry employees are “perhaps one of the most effective and cost-efficient ways of increasing airports’ and airlines’ cyber security readiness.”
The committee also heard from Christopher Porter, chief intelligence strategist at FireEye Inc., who testified that state-backed hackers are regularly targeting the U.S. aviation industry through cyber espionage to steal industrial secrets from manufacturers, researchers and operators of military and civilian aircraft.
Porter called cyber espionage the “most common cyber threat facing the aviation industry,” and said that hackers sponsored by China, Russia and more recently Iran have all “targeted the U.S. or its close allies for stealing aviation secrets.” All three countries routinely target ticketing and traveller data, shipping schedules and even partner industries like railways or hotels in counterintelligence efforts, Porter added. However, he reminded lawmakers that, because cyber espionage is routine, it should not be viewed as destabilizing. “When cyber espionage operators get a foothold on a system, they can often use that access for stealing information or to launch a disabling or destructive attack using the same technology,” Porter said. “But they rarely choose to do so, and in the U.S., there are significant redundancies in place to ensure safety. A crashed IT system does not mean a crashed plane, and it’s important for the public to keep that in mind.”
The International Civil Aviation Organization (ICAO) held a summit on cyber security in Dubai to address the issue and stated it is the responsibility of states to act in such a way as to mitigate the risk posed by cyber threats, to build their capability and capacity to address such threats in civil aviation, and to ensure their legislative framework is appropriately established to take action against actors of cyberattacks.
In addition, collaboration and exchange between states and other stakeholders is essential for the development of an effective and coordinated global framework to address the challenges of cyber security in civil aviation and that cyber security matters must be fully considered and coordinated across all relevant disciplines within state aviation authorities, ICAO explained.
The ratification and entry into force of the Beijing Convention would ensure that a cyberattack on international civil aviation is an offence and serve as an important deterrent against activities that compromise aviation safety by exploiting cyber vulnerabilities. The Convention is a treaty by which states agree to criminalize terrorist actions like cyberattacks against civil aviation. The protocol went into effect on July 1, 2018.
In Canada, the Canadian Centre for Cyber Security was established earlier this year to tackle the challenges of cyberattacks. It will be a unified source of expert advice, guidance, services and support on cyber security for government, critical infrastructure owners and operations, the private sector and the Canadian public, according to the centre. The centre will unite approximately 750 employees from existing cyber security operations units at Public Safety Canada, Shared Services Canada and the Communications Security Establishment (CSE) into one unique, innovative and forward-looking organization, as part of CSE. More than one in five Canadian companies were hit by a cyberattack last year, with businesses spending $14 billion on cyber security as they confront greater risks in the digital world, according to a Statistics Canada survey.
In August, some 20,000 Air Canada customers or about one per cent of the 1, 7 million people who use the airline’s mobile app learned their personal data may have been compromised following a breach. The app stores basic information like a user’s name, email and telephone number, all of which could have been improperly accessed. Additional data like a customer’s Aeroplan number, passport number, Nexus number, known traveller number, gender, birth date, nationality, passport expiration date and country of residence could have been accessed, if users had them saved in their profile on the app.
Brian Dunn is a Wings writer and columnist.