Cybersecurity Snapshots #3 - Airports and Airlines Severely Lack Good Cybersecurity Practices

Cybersecurity Snapshots #3 -

Airports and Airlines Severely Lack Good Cybersecurity Practices

Airport and airplane cybersecurity need to be taken seriously among cyber professionals. In a new study conducted by ImmuniWeb on the top 100 world’s biggest airports, they found that almost all of the airports they studied had an alarming lack of systems in place to protect their websites, mobile applications, and public clouds. Two-thirds of the top 100 airports had highly confidential data like IDs, financial records, or plaintext passwords for production systems located on the dark web. Fully 87% percent of the airports had some sensitive or internal data exposed at various public code repositories, such as GitHub or BitBucket. Amongst them, 59 airports were identified with 227 code leakages of critical risk. The researchers also discovered that more than 70 of the 325 exposures found were of a “critical or high risk,” indicating a severe breach. Nearly 90% of the airports have data leaks on public code repositories, and 503 of the 3,184 leaks are of a critical or high risk that could potentially lead to a breach. Three percent of airports studied have unprotected public clouds with sensitive data available. Doug Carr, who is vice president of regulatory and international affairs at the National Business Aviation Association, believes that all employees at an airport need to be taught about proper cybersecurity hygiene and about the hacking risks that come with the job they have.

In 2019, airports saw a significant increase in ransomware attacks. Aviation Information Sharing and Analysis Center (A-ISAC) and Airports Council International (ACI) World want to help combat the cybersecurity issues that airports have. The two organizations have signed an agreement to help Airports Council International members join the A-ISAC for access to airport-specific cyber threat intelligence and actionable data. Airports that join the Aviation ISAC will gain access to a dedicated working group, a quarterly report that talks about the latest threats and trends affecting airports, and other content that is solely focused on airport cybersecurity concerns. This agreement also will allow organizations to work together at industry events and activities with the primary goal of ensuring a more secure and safer aviation infrastructure.

The Transportation Security Administration (TSA) and airports want to do more to embed cybersecurity within screening equipment. The agency created 17 new cyber-related vendor requirements which, once shared with industry, will provide vendors an opportunity to demonstrate their cybersecurity credentials, increase security levels, provide an aligned approach across the industry, and raise the bar of cybersecurity across screening solutions. Vendors need to implement access control and account management practices that can “adequately” enable multi-level access to equipment and restrict users to required levels. TSA is currently holding meetings to try to address cybersecurity risks. In the past, TSA has held meetings addressing information security risk management and cyber requirements for Explosives Detection Systems for Cabin Baggage (EDS CB), automatic tray return systems, and screening lanes. TSA intends to hold meetings in the near future on the information security and cyber risk of security scanners, advanced imaging technology, and EDS CB.

Airplanes are also at risk of cybersecurity attacks. The U.S. Department of Homeland Security warned that hackers who gain physical access to a plane could attach a device that could possibly cause pilots to lose control of the plane. Adversaries also might be able to gain access to onboard electronics by hacking an airplane in-flight entertainment system. Because of this risk, Embry-Riddle Aeronautical University created a program to teach and train students on how to prevent the hacking of airplane systems and devices that are carried by air travelers. There has been a growing interest in avionics cybersecurity, mainly because global business travel associations expect business travel to reach $1.7 trillion in spending by 2022. The aviation industry is beginning to provide active training programs, led by companies like Garmin and Honeywell, to address the threat of being hacked during a flight. The Aviation Accreditation Board International would like to provide a program specifically targeting avionics cybersecurity in the near future. Even though there has been an increase in investment in trying to make airplane systems nearly impossible to breach, new graduates entering the market with new skills and abilities are still needed, as cybersecurity attacks become more prevalent and more destructive. With the increase in cybersecurity measures taken by airports and airlines, this will hopefully help decrease the number of successful cyberattacks against them.