Sep 15 2022

How America’s Airports Defend Against Cyberthreats

Airport operations work with partners but also turn to cybersecurity vendors to secure aviation networks.

The U.S. aviation industry has been largely spared from major cyberattacks thus far. No one expects it to stay that way.

Recent incursions have focused on airline reservation systems. In 2017, the widely used Sabre booking platform was hacked, leading to the crash of reservations for 20 airlines. The breach included the loss of customers’ credit card data and personal information. Another flaw in airline reservation systems, discovered in 2019, affected half of the world’s carriers but was patched before it could be exploited.

British Airways was hit by a breach in 2018 that affected 300,000 to 500,000 customers. Lost data included login details, credit card numbers and travel booking information. The incursion was not noticed for two months.

Cybercrooks aren’t just after credit card numbers, says Dick O’Brien, principal analyst for the Symantec Threat Hunter Team.

“It’s mainly of interest in state-sponsored espionage. Travel systems provide useful information to monitor who is traveling and staying where,” O’Brien says. “They may want to see where certain dissidents of their own countries are going.”


What Cybersecurity Vulnerabilities Do Airport Facilities Face?

In March 2020, Russian hackers attacked two San Francisco International Airport websites and stole usernames and passwords of staff and contractors. Airport officials said hackers breached the sites and planted code exploiting an Internet Explorer bug to steal login credentials.

To avoid any adverse events, the airport pulled down the affected websites and issued a forced password reset before bringing them back online.

However, the problem of a larger attack surface remains.

“Both airports and aircraft have networks designed to allow passengers to access the internet,” says Jim Richberg, Fortinet’s field CISO for the public sector. “Computer and navigation systems could be held for ransom or infiltrated with other malware to slow or disrupt travel and potentially put human lives at risk in a worst-case scenario. Planes and airports today are filled with smart devices, Wi-Fi, logistics terminals and sensitive personal information on passengers.”


Fortinet’s research lab has found advanced cybercrime that mirrors the stealth and sophistication previously associated with nation-state techniques. 

“We have seen ransomware across all sectors and organizations increasingly leveraging Ransomware as a Service over the past six months. This enables threat actors who may lack technical capabilities to rent malicious cybertools that are capable of attacking airports or the aviation industry,” Richberg says.

Also vulnerable: an airport’s multitude of operational technology systems, like moving gates, baggage conveyor belts, runway lights and air conditioning. OT control modules tend to be simple and decades old, making them a potentially easy target for hackers.

Aircraft also carry outmoded technology, says Mike Weigand, co-founder of transportation cybersecurity firm Shift5. VHF communications, which pilots use to communicate with air traffic control, use an open protocol. “These technologies were written to be reliable,” not secure, Weigand explains.

How Do Airports Respond to Cybersecurity Threats?

Tampa International Airport experiences threats similar to most large organizations, including ransomware attempts, phishing, malware, social engineering and external network probing, says Vice President of IT Marcus Session.

Recent guidance from regulatory agencies has helped the Florida airport protect itself. “The U.S. Cybersecurity and Infrastructure Security Agency has a variety of resources that it provides to help organizations secure their environments and prepare for the latest cyberthreat,” Session says.

Session also tracks OT systems. “If we encounter something unique with an OT device, we work with the business units responsible for that system to develop a custom set of security protocols,” he says. “Overall, the biggest key to protecting OT systems is knowing what you have and creating an inventory of those devices and systems around which you can build a system-specific strategy.”


Ohio’s John Glenn Columbus International Airport sees distributed denial of service attacks, phishing, rogue software, ransomware and some unique threats aimed at physical security systems, says Richard Jones, director of technology services for the Columbus Regional Airport Authority.

“The three most critical parts of our cybersecurity program are the maturity of the program itself, effective cyber awareness campaigns and ‘practicing as play’ when it comes to cybersecurity and incident response,” Jones says.

His team regularly conducts simulations, exercises and internal phishing campaigns. The airport also rotates its security vendors every three years to elevate resiliency and bring fresh perspectives to the challenge.

What Are Elements of a Strong Aviation Cybersecurity Initiative?

For airports seeking to improve their cybersecurity posture, Session recommends transparency about current threats, risks and the resources required to properly secure the facility. Next, assign a person to focus on compliance.

“A dedicated resource is becoming more of a need than a luxury,” Session says.

It’s also crucial to have a cyber response plan that is updated regularly as new systems come online, he adds. “That includes tabletop drills of the plan to identify any gaps and to educate everyone on their role in the event of a cyber incident.”


Charles Henderson, global head of IBM Security X-Force, advises establishing a baseline to look for the low-hanging fruit.

“What isn’t working? Look at it through the eyes of the attacker,” Henderson says. “It’s also critically important to talk with peers both inside and outside the aviation industry to get new ideas.”

CISA runs the Joint Cyber Defense Collaborative, a public-private venue for experts across industries to compare notes. “Criminals are willing to work together to make money,” Henderson says. “If we don’t work together on the other side, guess who wins?”

What Cybersecurity Resources Are Available to Airports Globally?

In addition to resources from federal agencies such as CISA, airports may seek international assistance through the International Air Transport Association, which represents airlines, and the International Civil Aviation Organization, a United Nations agency.

In 2020, the IATA revised a position paper on aviation security with plans to produce an aviation cybersecurity strategy to coordinate efforts "through advocacy, standards and services." The development of the strategy involves input from stakeholders including airlines, airport operations, air navigation service providers, original equipment manufacturers, regulators and others, IATA notes.


ICAO has produced a cybersecurity action plan that outlines means for aviation operators to "identify, prevent, detect, respond to and recover from cyberattacks" against aviation operations. The action plan offers a framework for cooperation among aviation stakeholders.

Among other things, the plan identifies how to share information regarding cyberthreats and how to report incidents. It also facilitates situational awareness and advises best practices, operational principles and defensive systems.

ICAO has vowed to update its cybersecurity action plan as necessary in response to evolving threats and advancements in technology.
