The aviation sector continues to face a "persistent cybersecurity threat." It follows a US agency directive that compels the aviation industry to improve its defences against malicious hackers and cybercriminals, after President Biden announced his National Cybersecurity Strategy, which seeks tighter regulations to protect US critical infrastructure.
Announcing its new cybersecurity requirements, the Transportation Security Administration (TSA) explained that airport and aircraft operators must develop a TSA-approved plan that explains what they are doing to "prevent disruption and degradation to their infrastructure."
Airlines continue to be an irresistible target for cybercriminals, with around $1bn a year lost from fraudulent websites alone. Add to that data theft, card fraud, air miles fraud, phishing, fake invoices and more, and you have a perfect storm for a part of the industry that continues to reel from the pandemic. Every week, an aviation company suffers a ransomware attack somewhere in the world, with big impacts on productivity and business continuity, let alone data loss and/or costly extortion demands paid to restart operations.
Thankfully, no impact on flight safety has yet been reported – but that is no grounds for complacency, with state-sponsored or highly organised crime syndicates capable of conducting large-scale targeted intrusions that aim at massive disruption as much as financial gain.
In Europe, a Eurocontrol report has found that many aviation businesses, including in the supply chain, are exposing themselves to extra risk by not systematically applying basic IT security controls.
61% of all identified cyber-attacks in 2020 targeted airlines, almost twice as much as the two next largest market segments combined (16% manufacturers, 15% airports). Most of these attacks – 95% – were financially motivated: 739 out of 775 incidents. This led to financial loss in 55% of cases, and the leaking or theft of personal data in an additional 34% of cases.
The fake airline ticket business is extremely lucrative: the average value of a fraudulent purchase is significantly higher than that of a legitimate purchase, and “fraudsters are drawn to the profit margins on airline ticket fraud – where the average cost of a fake ticket, at around $1,930, is almost triple that of a legitimate purchase (on average $606).”
Airline loyalty programme accounts are a hugely attractive target for fraudsters, and the pandemic has accelerated criminal interest as airlines began returning money via loyalty accounts to passengers whose flights had been cancelled owing to the pandemic, or extending the validity period of accumulated miles. In 2020, around 30 airlines had 15,493 passenger loyalty accounts on offer on the dark web, worth over $400,000. The total market value of unredeemed miles is enormous – estimated by IATA at $238bn. During the pandemic, the average value of a compromised account rose by 48% between the first quarter and fourth quarter of 2020.
With aviation becoming increasingly digitalised through new technologies and concepts that rely on non-aviation-specific means (e.g. cloud, 5G, internet, satellite communications and navigation), it’s somewhat inevitable that there has been an increase in the number of aviation actors potentially impacted by a cyberattack.
The challenge now lies in making aviation systems/services progressively more and more cyber-resilient while remaining safe and cost-effective.
“Protecting our nation’s transportation system is our highest priority and TSA will continue to work closely with industry stakeholders across all transportation modes to reduce cybersecurity risks and improve cyber resilience to support safe, secure and efficient travel,” said US TSA Administrator David Pekoske. “This amendment to the aviation security programmes extends similar performance-based requirements that currently apply to other transportation system critical infrastructure.”
Scandinavian Airlines (SAS) is one airline to have posted an alert warning passengers that a recent multi-hour outage of its website and mobile app was caused by a cyberattack that also exposed customer data. The cyberattack caused some form of malfunction in the airline's online system, which made passenger data visible to other passengers. This data includes contact details, previous and upcoming flights, as well as the last four digits of the credit card number.
At the time of the cyberattack, the airline stated: “Last night SAS, alongside several other companies, were subjected to a cyberattack that led to our website and app being down for a few hours. Furthermore, some passengers' data became visible to other passengers who were active during the ongoing attack.”
Portugal’s national airline TAP Air Portugal had previously confirmed that hackers obtained the personal data of some of its customers and published the information on the dark web. No payment data was taken in the cyberattack, the flag carrier said in a statement.
In the TAP Air Portugal case, the attack began weeks before and was later investigated by Portuguese authorities, with the help of specialists from Microsoft. Portuguese newspaper Expresso said a hacker group was offering the information of 1.5mn TAP Air Portugal customers on the dark web.
The author is an aviation analyst. Twitter handle: @AlexInAir