Cybercrime, both the reality and the threat of it, may have taken a back seat to the financial impacts of COVID since 2020 and the rising costs of jet fuel, but it remains a clear and present danger that cannot be ignored. In this article we look at recent examples of serious cyber-attacks on the aviation industry and consider what these can tell us about current trends in cybercrime, as well as what steps those involved in the industry need to take now to combat the threat in the future.
For those who may have missed it, Eurocontrol published a report in July 2021 with the headline-grabbing title “Airlines under attack: Faced with a rising tide of cybercrime, is our industry resilient enough to cope?”. The report explains that the aviation industry can ill afford the additional costs caused by a rising tide of cyber-attacks and outlines the increasing exposure of the European aviation industry to rising levels of risk, as criminals, hackers, and state-sponsored cyber-attackers all look to exploit vulnerabilities, cause chaos and fill their pockets at the expense of the aviation sector and innocent passengers.
The report was not simply scaremongering, designed to get airlines and other stakeholders in the aviation industry to increase their cyber threat detection, mitigation and prevention measures, but was based on hard Eurocontrol data from the agency’s EATM-CERT (European Air Traffic Management Computer Emergency Response Team) service. This data showed that cyber-attacks are up in all threat categories, with a 530% year-on-year rise from 2019 to 2020 in reported incidents across the aviation industry, and with airlines targeted in 61% of all 2020 aviation cyber-attacks.
Scary stuff indeed, but the report goes on to highlight the following:
Drilling into a little of the detail from these three findings, the report highlighted the following datapoints:
The report concludes that while European aviation has become more cyber-secure, cybercrime and cyber warfare are the latest and newest battleground for the aviation industry, and airlines in particular, and that the stakeholders in the aviation industry cannot afford to lower their defences in the wake of the unprecedented damage caused to the industry by the Covid-19 pandemic.
To put the hard data in the recent Eurocontrol report into context, it is worth looking at some of the biggest and most recent cyber-attacks, the significant impacts they had on their targets and the steps that certain industry stakeholders are taking to protect themselves in response:
| Date | Airline/Organisation | Details of the event |
|---|---|---|
| 25 May 2022 | SpiceJet | Following a massive ransomware attack on SpiceJet, hundreds of passengers were stranded at airports across India, particularly those airports where restrictions on night operations were in place. SpiceJet has not revealed which systems were targeted or what it did to overcome the attacks, but it is clear that whatever SpiceJet did was effective as services were resumed within hours of the attack beginning, rather than in days as was the case with the ransomware attack on Colonial Pipeline in 2021. |
| April 2022 | SunWing Airlines Inc. | Canadian low-cost airline Sunwing Airlines faced four days of extensive flight delays after the third-party software system it used for check-in and boarding was breached by hackers. The attack forced Sunwing to resort to manually checking in passengers in an effort to minimise disruption to its schedule and caused the Canadian authorities to suspend operations temporarily to ensure that the breach was remedied before flights could resume. |
| March 2022 | Russian CAA | In what appears to have been a retaliatory strike in response to Russia’s invasion of Ukraine, an unidentified group (presumed to be the Anonymous Hacking Group) carried out an extremely effective attack on the Russian Federal Air Transport Agency. As part of the attack, all aircraft registration data and emails, totalling approximately a massive 65 terabytes of data, were deleted from the Agency’s servers. The attack was so successful that until back-up copies of the electronic data could be found the Agency was forced to resort to using pen and paper and to sending information in hard copy through the post. |
| March 2021 | SITA | SITA, an airline technology and communication provider that operates passenger processing systems for airlines, was the victim of a cyber-attack involving passenger data. SITA serves 90% of the world’s airlines and disclosed that among the airlines affected were various major airlines including Air India, Finnair, Japan Airlines, Jeju Air, Lufthansa, Malaysia Airlines, Singapore Airlines and Cathay Pacific. Singapore Airlines reported that 580,000 of its frequent flyer members were compromised in the attack and Air India estimated that personal data relating to 4.5 million of its passengers was stolen. |
| 2020 | VT San Antonio Aerospace | Demonstrating the importance of maintaining security throughout the entirety of the supply chain, VT San Antonio Aerospace fell victim to a sophisticated attack by the Maze Ransomware Group when the criminal group gained access to and encrypted the San Antonio network. The system in question was reportedly recovered within three days but by that time a vast amount of data (1 terabyte) had already been stolen. |
| January 2020 | easyJet | easyJet was the victim of a cyber-attack in which hackers obtained the credit-card information of 2,208 customers. The carrier did not notify passengers of the attack until 4 months after the incident, in May 2020, and as a result they are now facing a class-action suit from 10,000 passengers, seeking around £18 billion in damages. |
| February 2019 | Ben Gurion Airport | In an example of the immense pressures that aviation industry stakeholders can come under when defending themselves from cyber-attacks, a spokesperson for Ben Gurion Airport revealed that they were blocking three million attempts per day by bots to breach their systems. To deal with these attacks Ben Gurion Airport has established a Security Operation Centre to coordinate defences; it is believed that the Airport is one of the first in the world to do so. |
| December 2019 | Albany International Airport | A criminal gang succeeded in gaining access to Albany International Airport’s database, which was then encrypted and ransomed back to the airport by the gang for a five-figure sum that was paid in Bitcoin. Fortunately, the attack did not affect operations at the airport and it is understood that the ransom was reimbursed by the Airport’s insurer, thus demonstrating the necessity of having robust procedures and comprehensive insurance in place to deal with attacks like these. |
| August 2019 | Air New Zealand | Personal data of over 120,000 customers was compromised following a successful phishing attack on two members of staff. The attackers used the information gained through phishing to access Air New Zealand’s frequent flyer programme, from where they were then able to obtain extensive personal data relating to passengers on the programme. Fortunately, no passport or credit-card information was stolen on this occasion. |
| August 2018 | British Airways | British Airways’ system was infected with malicious code, resulting in the theft of personal data relating to 429,612 customers and members of staff from its servers. The information extracted included names, addresses and credit-card information relating to 244,000 customers. A subsequent investigation by the Information Commissioner’s Office (the “ICO”) found that the airline lacked adequate security measures to protect the personal data under its control. As a result, British Airways received a record-breaking fine of £20 million for its failure to protect its customers. |
| August 2018 | Air Canada | Air Canada’s mobile application software was hacked, resulting in the potential leak of highly sensitive personal data relating to its customers’ passport information. |
| 2018 | Cathay Pacific | A cyber-attack led to 9.4 million accounts being breached and the theft from within the compromised accounts of extensive personal data regarding the airline’s customers. An investigation by the ICO revealed that Cathay Pacific’s system lacked any password protection for backup files and that the OS was out of date. After the attack, Cathay Pacific introduced multi-factor authentication to prevent future attacks. As a result of this failure the ICO issued Cathay Pacific with a fine of £500,000. |
| September 2017 | Delta Airlines | Delta and Sears Department Store were both involved in an extensive data breach in April 2018 when an online support service used by both organisations suffered from an extensive malware attack. The attack lasted from September to October 2017, but Delta and Sears only became aware of the attack in the following year. As a result of the attack the credit-card information belonging to approximately 100,000 customers was lost. |
| September 2018 | Bristol Airport | In a dramatic ransomware attack, the electronic flight information at the airport was disabled and the screens showing all flight information were taken offline in order to contain the threat. Bristol Airport did not pay the ransom to the perpetrators of the attack and instead used whiteboards that were updated manually to keep passengers informed of flight details until the attack was thwarted. |
| November 2015 | Sweden air traffic control | Sections of Sweden’s air traffic control capabilities were blocked for five days following a successful attack by “Fancy Bear”, otherwise known as APT28, a Russian cyber espionage organisation that is believed by some industry analysts to be associated with GRU, the Russian military intelligence agency. Sweden initially blamed a solar flare for the outage, but has since confirmed that the event, which caused huge disruption to air traffic travelling to, from and across Sweden, was a result of a malicious attack. |
As can be seen from these examples, many of the largest cyber incidents in the past 7 years have related to the theft of highly sensitive personal data relating to passengers, including credit card details, passport information and passenger name record (“PNR”) data. At present this type of attack, along with the theft of valuable intellectual property from manufacturers, is perhaps the more pressing threat facing the industry. However, as we explore in more detail below, the increasing dependence of the aviation industry on complex and inter-related information technology systems means that there are now more opportunities for cyber-attacks to target aircraft and airports directly than ever before.
Complex information technology solutions are found all across the industry supply chain, from integration into new aircraft, including WiFi connections and on-board infotainment systems for passengers, to software used in airports and by airlines to manage, among other things, security checks and booking information respectively. These solutions are particularly vulnerable to attack in circumstances where organisations have attempted to integrate them with dated legacy IT systems that were not designed to deal with the sophistication of cyber-attacks seen today. More and more aviation stakeholders are also now beginning to include greater levels of automation within their systems, and this creates an entirely new area of potential vulnerability. Overall, the growth in the use of complex IT solutions by the aviation industry, fuelled by a rapid return to global travel following the Covid-19 pandemic travel restrictions and lockdowns, serves to increase the size of “attack surfaces” (meaning the sum of the different points where unauthorised users can seek to obtain or enter data) available to would-be cyber criminals.
The pandemic itself gave rise to a plethora of new opportunities for attacks, with criminals seeking to exploit the confusing international situation to the fullest extent possible and to make the most of the vulnerabilities in new systems that airlines around the world were rushing to implement to deal with the situation. In particular the pandemic saw an explosion in false websites purporting to sell Covid-19 testing kits and certificates, and widespread use of sophisticated phishing attacks by attackers posing as airlines offering refunds for cancelled flights. Some airlines also experienced waves of thousands of fraudulent chargeback requests by attackers and found that their websites came under sustained attack from entities seeking to steal unredeemed vouchers and points from loyalty programmes.
This growth in opportunities for attack has led some in the industry to speculate that would-be cyber criminals may turn their attention towards the systems used to operate, navigate and communicate with aircraft while they are in flight. In particular, the increasing adoption of WiFi technology onboard aircraft during flight and the growing practice of airports allowing passengers and employees alike to use “Bring Your Own Device” systems while in the airport, both serve to dramatically increase the size of the “attack surface” available to cyber criminals looking to directly target aircraft and airport systems. At their most dramatic, such attacks could include Distributed Denial of Service (“DDoS”) attacks (where attackers overwhelm servers with internet traffic in order to prevent other users from using connected services) on security screening or air traffic control systems, preventing airports from using them, or attempts to use passenger interfaces to access avionics and navigation systems onboard aircraft in mid-flight. Although there is no known example of such an attack succeeding to date, if such an attack were to succeed it could have potentially catastrophic consequences.
A major potential “attack surface” open to would-be cyber criminals is the Automatic Dependent Surveillance-Broadcast (also known as ADS-B) system, which is used by aircraft to automatically transmit and receive positional and identification data (and which is also used to supplement the information used by popular online flight tracking services like Flightradar24). The ADS-B system plays a vital role in facilitating ATC operations and the safe operation of aircraft, and its security is therefore of paramount importance. However, much of the data sent using ADS-B is transmitted in an unencrypted format and is therefore particularly vulnerable to eavesdropping, interception and, potentially, to jamming and alteration by third parties. To combat this threat, industry experts have proposed measures including encryption of ADS-B data and random blurring of aircraft data in such a way that only those that need it (i.e., ATC and aircraft operators) can obtain sufficient information from the data while third parties cannot.
As the Department for Transport (“DfT”) has recognised in its Aviation Cyber Security Strategy, responsibility for combatting cybercrime in the aviation industry effectively lies with three groups: governments, regulators and participants in the aviation industry themselves, at all stages in the supply chain. Given the uniquely international and symbiotic nature of the aviation industry it is obvious that any attempt to combat cybercrime cannot succeed unless all three of these groups work together to formulate a cohesive plan. In this section we explore in more detail some of the more important steps that governments, regulators and industry stakeholders are taking together to deal with the issue.
The International Civil Aviation Organisation (“ICAO”), the specialised agency of the UN responsible for aviation, published its Aviation Cybersecurity Strategy in October 2019 (the “Strategy Report”). In its Strategy Report, ICAO acknowledged the continuous and evolving threat of cyber-attacks with “malicious intents, disruptions of business continuity and the theft of information” while recognising the reliance of the aviation sector on the “availability of information and communications technology systems as well as on the integrity and confidentiality of data.”
Some of the key proposals in the Strategy Report included:
Prior to the Strategy Report, in August 2017 ICAO formed the Secretariat Study Group on Cybersecurity (the “SSGC”) in order to implement a resolution of ICAO to take certain steps to counter cyber threats to industry stakeholders. The SSGC comprises four sub- and working-groups, namely: a legal research group, a working group for airlines and aerodromes, a working group for air navigation systems, and a working group for cybersecurity for flight safety. These groupings demonstrate the different levels that need to be considered in order to formulate a unified and cohesive approach to cybersecurity in the industry. Among other things the SSGC is responsible for reviewing the Annexes to the Chicago Convention 1944, consolidating existing Standards and Recommended Practices (“SARPs”) and reviewing proposals for amendments to ICAO provisions. At present the SSGC is revising the ICAO Cybersecurity Action Plan, which was put in place in 2014.
Due to the borderless nature of cybercrime, it is important that individual states work together to legislate and regulate for cybersecurity in a connected way. Cybersecurity and data protection in the EU are legislated for at Union level, with each Member State responsible for implementing relevant legislation and appointing national enforcement bodies to apply it. Following Brexit, responsibility for overseeing cybersecurity and data protection in the aviation industry in the UK is vested in four bodies: the National Cyber Security Centre, which is the UK’s technical authority for cybersecurity; the UK Civil Aviation Authority (the “UKCAA”) and the DfT, which both enforce relevant legislation and provide support to the industry; and the ICO, which focuses on data protection and enforcement of the General Data Protection Regulation (“GDPR”).
The UKCAA and the DfT are both competent authorities responsible for the enforcement of the Network and Information Systems Regulations 2018 (the “NIS Regulations”). The NIS Regulations implement the EU’s NIS Directive 2016/1148, as retained after the end of the Brexit implementation period in December 2020, and allow the UK to maintain a minimum level of harmonisation with the EU.
The EU’s NIS Directive 2016/1148, as implemented by the NIS Regulations, has three main purposes:
In addition to the NIS Regulations, two other important pieces of legislation that apply to aviation organisations, and which the UKCAA is able to enforce, are the EASA Basic Regulation (which applies by virtue of the fact that it was in place in the UK prior to Brexit) and the EASA Standards and Recommended Practices (“SARPS”) taken from the annexes to the Chicago Convention 1944, and the various UK Air Navigation Orders.
In an effort to meet UK, European and International aviation standards for cybersecurity, the UKCAA has also developed the UKCAA Cyber Security Oversight Team (the “UKCAA Oversight Team“) to manage cybersecurity risk and support the industry’s efforts to improve safety and security. It has also published CAP 1753, the cybersecurity oversight process for aviation, which sets out the UKCAA’s expectations along with examples of good practice for complying with the EASA Basic Regulation, the NIS Regulations and the ICAO SARPs.
The International Air Transport Association (“IATA”) is the largest trade body representing airlines in the world. It is therefore a powerful voice for advocating for the aviation industry’s interests. Similar to ICAO, IATA also emphasises the importance of a common approach to cybersecurity because it would improve the flow of information and cooperation within the network.
To assist the industry, IATA has said that it is developing an industry-wide Aviation Cyber Security Strategy to coordinate and ensure the necessary level of holistic protection in the industry. As part of this it has established the Cyber Management Working Group (the “CMWG”), which is intended to provide guidance to industry members and analyse industry needs as they develop. IATA has also founded a more informal group known as the Aircraft Systems Cyber Security Steering Group, whose role is to provide a space for the industry to share information in relation to flight safety systems. Highlighting the importance of co-operation within the industry, IATA has also worked with the International Coordinating Council of Aerospace Industries Associations (of which most national aviation associations are members), which have worked together to create an international group to allow airlines to share concerns with original equipment manufacturers (“OEMs”) and design approval holders (i.e., organisations responsible for aircraft design types).
At a more immediate level, when it comes to airlines improving their cybersecurity, Manon Gaudet, the Assistant Director of Aviation Cybersecurity at IATA, recommends bringing in an expert because “there are lots of different attacks and lots of different ways an attack could impact an airline. You have to work through all the different scenarios especially those that could have an impact on safety.” This reflects a wider concern across the industry that at present most aviation organisations do not have access to sufficient numbers of properly trained and experienced cybersecurity professionals.
The aviation industry has been quick to adopt developments in cyber technology to allow them to deliver improved efficiencies and better passenger experiences for their customers. For the most part this has been achieved safely, but that safety cannot be taken for granted.
With each new opportunity for improving the customer experience or increasing the efficiency of aircraft operations comes the opportunity for cyber criminals to exploit that new or upgraded technology for personal, or sometimes political, gain. The frequency of cyber-attacks is clearly rising, as is the level of sophistication of the attackers, and without a cohesive and unified approach to the problem it seems chillingly inevitable that at some point a cyber-attack that cannot be contained relatively quickly will succeed, with devastating and possibly fatal consequences for the industry.
Paul Phillips
Partner
Johnny Champion
Managing associate
Patrick Bettle
Associate