Always on guard

Now is the time to step up the industry’s efforts against cyber-crime, writes Dominic Nessi, vice president of strategic engagement for the Aviation Information Sharing & Analysis Center (Aviation-ISAC).

A series of successful cyber-attacks on airports in late 2018 helped focus the industry’s attention on the need to up its game in the battle against cyber-crime.

Back then, in what seemed like a tsunami of attacks, the security breaches were many and varied and included the use of ransomware, which has grown increasingly sophisticated ever since and continues to pose a threat to airports today.

Airport databases were being encrypted and only through the payment of a ransom were the keys provided to decrypt the data. Sadly, we saw that many airports were not prepared to defend against the attack or to recover their data resources through their own backups without paying a ransom.

At the same time, BEC or business email compromise attacks were also becoming widespread. In this type of cyber-attack, businesses are targeted by attackers using compromised email accounts as the springboard for diverting company funds meant for legitimate vendors.

Email correspondence is second nature in today’s digital world because of all the inherent advantages it affords. Among those advantages, it provides a dated written record which can easily be located and reviewed at any time, it can be sent in the middle of the night and will be waiting for the recipient whenever they next check their mail.

Airports, like all other businesses, employed email as an absolute necessity, yet it was often considered to be simply a routine administrative process and cybersecurity safeguards were not at the top of most IT department’s list.

As we look back on the past two years of almost constant attacks on airports compared with the decade before, it appears that airports, generally speaking, were lulled into a false sense of security.

For while data theft was plaguing other industries, airports seemed immune since there is relatively little sensitive data actually stored in most airports. Billing applications, credentialing, and human resource systems represented the primary data stores. Passenger data has always been the domain of airlines.

The network infrastructure itself received more attention as it was viewed as the most likely threat vector into an airport’s technology environment. Yet, even in network infrastructures, developing a strong cyber-defence was a low technology spending priority as compared to the acquisition of new passenger processing applications and tools.

Another factor which played into the airport world’s relatively weak common cyber-defence is the wide range of airport sizes and available resources. Small and medium sized airports utilise most of the same systems as the largest airports, though their systems are smaller in size and process last activity.

Nevertheless, they require the same cyber-defences as a large airport would need. In many cases, small and medium sized airports had too many competing demands and not enough financial resources to adequately develop a strong cyber-defence. Indeed, on far too many occasions, I heard a member of the airport’s management team saying something like, “Why would any attacker be interested in us? We’re too small.”

Unfortunately, as we now know, the bad guys don’t necessarily target a specific institution or even an industry. They attack large numbers of targets hoping to catch just one or two, and airports could be included in the same attack as other industries.

So, it is now 2020, and airports are battling two viruses. Computer viruses and COVID-19, both of which are sapping airport resources even more. Lest anyone think that the bad guys have slowed down because of the pandemic, as the reality is quite the opposite.

The attackers work from the relative security of their own isolated (disease-free) world, knowing that defences are down at airports due to significantly reduced air traffic, which, in turn, has caused lay-offs, furloughs, and reduced financial resources.

In fact, due to many airports having a large number of their personnel working from home, relying on email and other virtual forms of communication, our vulnerability has never been greater.

The Aviation-ISAC has seen a tremendous increase in ransomware attacks on airports and continue to find a growing inventory of airport credentials being sold on the dark web. So, what do we do now? Here are some steps that every airport needs to consider immediately.

1. Eliminate the thought that “it can’t happen to us”. It is happening everywhere, and if you haven’t been attacked, it is only by pure luck. Furthermore, because you don’t know you have been attacked, doesn’t mean it hasn’t happened. Cyber-attacks are stealthy by nature and it can take months before an organisation realises they have been compromised.

2. The management team itself must take stock of what has been done within its own organisation to protect itself. It can’t just assume the IT department has it ‘covered’. We have seen successful attacks at large international airports which indicate that many airports still lack basic cyber necessities.

You should do this through a formal risk assessment, but it takes time and money to bring in an independent resource to evaluate what you may already know or suspect. I am not suggesting that you don’t do a risk assessment, I am simply saying that time is not on your side and you need to move more quickly than the time it takes to do a formal risk assessment.

Airport management can start by having a frank, no-holds barred discussion with their IT and cybersecurity team. If you don’t have any of the latter, you know for certain you have problems.

3. Understand that you can’t do everything at once. You have to protect your most important assets against the most likely threats. And today, those threats are ransomware and BEC.

4. The best defence against those two types of attacks starts with training of all staff on phishing, social engineering. Think of it as wearing a mask and social distancing in the age of the coronavirus.

There are hundreds of cybersecurity courses on-line you can acquire to ensure that all airport staff are fully aware of the threat, know how to spot it, and what to do if they suspect something is amiss. Just as importantly, airport management needs to show that they are serious about enforcing internal precautions.

5. Management needs to inquire on the status of proper back-up procedures for all systems and data. While they may not understand what the best model would be, most airport managers will get a sense of how well they are prepared by asking one simple question of its IT staff, “If we lost every system and database today, can we and how long would it take to bring up the exact same technology operating environment?” If the answer is longer than 24 hours, you have a problem.

6. There are sources of cybersecurity intel available that every airport must utilise. You can’t properly defend yourself if you don’t know what threats are coming your way. Consider working with the Aviation-ISAC or other intelligence sharing to ensure that your staff and management team are aware of the latest attack vectors. By the way, this intel is not just for IT technicians. It comes in in a format that airport managers can easily digest and act upon as necessary.

7. Finally, start to think about cyber-insurance. If you don’t already have insurance, your risk management team has likely already considered it. If you can’t immediately develop a sound cyber-defence, at least be prepared if you are successfully attacked.

These seven steps are just the proverbial tip of the iceberg. A good cyber-defence entails far more planning and implementation, but every airport, irrespective of location or size, can start with these simple steps.