Cybersecurity

Roundtable: are airports prepared for cyber threats?

The CAA recently launched the ASSURE scheme, which will help strengthen the aviation industry’s cybersecurity resilience. Adele Berti speaks to the first companies accredited as Cyber Suppliers by ASSURE about current and future challenges facing airports and airlines.

Developed on the back of the European Commission’s EU Network and Information Security (NIS) directive, the UK Civil Aviation Authority’s (CAA) new ASSURE scheme has been set up to “enable the aviation industry to manage their cybersecurity risks without compromising aviation safety, security or resilience and support the UK Government’s National Cyber Security Strategy”.

ASSURE will allow aviation organisations to obtain accredited cybersecurity capabilities and carry out a self-assessment on their protection measures. A number of specialist third-party suppliers have already been accredited as ASSURE Cyber Suppliers in collaboration with CREST, a not-for-profit accreditation and certification body for the technical security industry.

We asked some of the new Cyber Suppliers: what are the current cyber threats to airports and airlines? And are they prepared to meet these threats?


Adele Berti: What are the current cyber threats to airports and airlines?


Greg Pope, head of systems and engineering technology consultancy Frazer-Nash-Context

Some larger airports and airlines form part of a nation’s critical national infrastructure, providing essential transport services for people and businesses, and are likely to be key targets for cyber-attacks. The nature of such cyber-attacks depends on the intent of the threat actor and their capability to do harm. Some cyber-criminals will wish to seek financial gain while others, such as hacktivist groups, may aim to cause temporary disruption and embarrassment to the victim.

The most serious threat actors, including hostile nation states, may seek to impact on aviation safety, or cause significant disruption to our national and international transport networks.


Ben Densham, chief technology officer at cybersecurity services provider Nettitude

In the airline industry there's a primary focus on safety for passengers, but a cyber threat can cause safety and security impacts through a wide range of systems that airports and airlines will operate. There is often a large amount of legacy technology (particularly in operational technology) that's in play and this is often natively very vulnerable. So, some of the biggest threats can be from the unintended ones, like ransomware. For example, an engineer comes in to update a particular system and the USB stick they use to bring in the updates has got a virus on it, which has not been checked.

Another significant impact to the airline industry that has been seen in recent days is around customers and personal data. Clearly, the airlines hold a lot of personal information for people travelling with them. That can definitely be a target for criminals who will be able to monetise this data very easily.


Lawrence Baker, aerospace technical lead at cybersecurity and risk mitigation consultancy NCC Group

In-flight entertainment (IFE) systems can present one of the largest attack surfaces in the air. Passengers can become exposed to threats when existing vulnerabilities in their devices provide unauthorised access to the IFE system or to other connected networks. By compromising the individual’s device, hackers could manipulate the system or issue malicious information through IFE screens.

On the other hand, if Wi-Fi or cellular phone services are misconfigured or developed using vulnerable software components, these can be misused by attackers and provide a route into aircraft systems and other passengers' devices, potentially exposing personal or sensitive information.


Scott Nicholson, delivery director at specialist cybersecurity and data privacy consultancy Bridewell Consulting

Aviation organisations do suffer quite a lot of commodity-type threats, such as standard phishing attacks, ransomware - all the standard things that affect any company. Most of them will have two types of IT. They will have standard IT – emails, Excel, HR systems – and the operational technology (OT), which can allow aircraft to take off, control the utilities in and around the airports and the data centres. More so in the OT, the threat there really comes from the damage that can be caused. Often those systems are not connected to the internet, so being able to hack them is extremely difficult/impossible without having physical access to those systems, which is why attackers will often try to get a foothold in a network through the IT environment.

The other thing to build into that is security within the supply chain. An airport is a very complex ecosystem. Cybersecurity within the supply chain is a huge threat, as attackers could look to exploit weaknesses in the supply chain and use them as the starting point to build out and cause wider disruption.


Ken Munro, partner and founder of cybersecurity and penetration testing company Pen Test Partners

The security model for aeroplanes for many years has been physical, meaning good physical airside security controls make it very difficult for the average hacker to get access to the plane.

Yet we see a lot of commonality between the satellite systems that are used on ships and those used on aeroplanes. There is an increasing desire to connect an aeroplane for reasons of efficiency and economy so you can drive savings. However, you're connecting an aeroplane that traditionally hasn't been that well connected and has relied upon physical security and so much of the connectivity is starting to break down many of the traditional security models that we have around the fact that the hacker can just jump into an avionics bay and start messing with an aeroplane.

Meanwhile, airports are an incredibly complex environment which brings together conventional IT, the internet of things, the industrial control systems – it’s a crazy, incredibly complicated series of systems.

Adele Berti: Are airports prepared enough to meet these threats and if not, what more should be done?


Greg Pope, head of systems and engineering technology consultancy Frazer-Nash-Context

The aviation industry is increasingly using digital technologies to enhance operations and to improve the services they provide to consumers. A key challenge is to realise the benefits of these technologies, whilst mitigating the increased cyber threat that arises from their use and from greater connectivity between systems.

The vision for ASSURE is to have a proportionate and effective approach to cybersecurity oversight, that will enable aviation organisations to manage their cybersecurity risks without compromising aviation safety, security or resilience. While no systems can be 100% secure, 100% of the time, the CAA’s approach should ensure aviation organisations keep pace with the ever-changing cybersecurity trends.


Ben Densham, chief technology officer at cybersecurity services provider Nettitude

Any sector is probably not prepared enough – there is always more we can do. Looking at what needs to be done, we always encourage people to first think tactically on some quick wins. So, understand how you might be breached and how these big impacts could be realised on your company, your assets, your data - and then look at those things that can be done very quickly to reduce that risk.

Then secondly, definitely consider things strategically. People don't go from nothing to something overnight in cybersecurity, it is always built up over time. So set out a clear vision of what ‘good’ looks like for your company and then build your plans of what you want your capability to be and then incrementally improve that in a way that is measured and achievable.

Also, don't start off aiming for the most advanced cybersecurity capabilities but rather start with the basics and build that up over time, while having a clear idea of where you're going.


Lawrence Baker, aerospace technical lead at cybersecurity and risk mitigation consultancy NCC Group

Ongoing collaboration between the International Civil Aviation Organisation, industry and national regulatory bodies will be crucial in bringing about a global standard and regulation to ensure greater resilience across the board. The challenge is to achieve a global approach that is effective yet proportionate and available within a reasonable timescale.

Regulatory measures will help ensure safety and sector level resilience, but may not accommodate differing levels of risk and individual goals held by the wide range of operators across the sector.


Scott Nicholson, delivery director at specialist cybersecurity and data privacy consultancy Bridewell Consulting

I would say they're not prepared enough at the moment but they're working towards it. But prepared enough for what? Organisations will say that they have a lot of cybersecurity controls in place. But if there is an organisation or a group who is targeted enough, I do believe they could be successful. However, I personally am seeing quite a large uplift and a desire to improve.

Having appropriate segregation between IT networks and OT systems is really important. A lot of airports have this, but with the way that technology is changing, and people wanting to have more capability to manage some of the OT, some of these devices are becoming more connected to the internet and therefore bring about a higher threat level. That ability to understand where the threat is coming from is often overlooked.

The other aspect [to improve] is around having the skills required to deliver effective cybersecurity. So one of the key challenges in cybersecurity as an industry is a lack of cybersecurity skills in the marketplace. Because aviation organisations use a lot of OT, finding the right people who have that experience and the cybersecurity experience is even rarer.


Ken Munro, partner and founder of cybersecurity and penetration testing company Pen Test Partners

I think the industry is ahead of the curve, certainly ahead of many industries, although there are still things that you can do. One of the real challenges is that because aeroplanes are very expensive and the cargo is very precious, as are the people, you can't really go experiment. Whilst we have great confidence in manufacturers to take cybersecurity seriously on aeroplanes, it's very important that airlines should embrace the security research community to help drive security and change.

Many airports are making great leaps in the right direction already but it’s also important to have some demonstrable regulations to show that great things have been done and an airport is now compliant, demonstrating what we're working on with the CAA and providing strong assurance levels for the travelling public.
