[Avionics Today 07-09-2015] The global aviation industry is one of the biggest and growing targets for cyber attacks, Tony Tyler, CEO of the International Air Transportation Association (IATA), said during a civil aviation cyber security conference hosted by the Singapore Ministry of Transport Wednesday. Tyler joined more than 200 civil aviation stakeholders and cyber security experts at the conference to highlight recent cyber attacks and push for more government and industry collaboration to address the growing risks faced by airlines. With arguably more interconnected data-sharing systems and networks than seemingly any other industry, and as aircraft become more e-enabled, the aviation industry is at risk.
IATA CEO Tony Tyler at the Civil Aviation Cyber Security Conference in Singapore. Photo: IATA.
Ironically on the same day as the Singapore conference, United Airlines was forced to ground thousands of flights
due to a router issue associated with their ground IT network, causing speculation that a cyber attack caused the issue. While the United issue was not associated with a cyber attack, the occurrence highlighted the type of widespread disruption that a cyber attack on an airline's IT infrastructure can cause. During his speech in Singapore, Tyler outlined two opportunities available for the aviation industry to address these risk: adopting a holistic approach to cyber security and focusing on more government partnership to adopt outcome-focused frameworks balanced against industry capabilities and sustainability.
"Airlines are the highest value target for fraudsters and close to 50 percent of all phishing attempts are made against airlines and airline passengers, according to one cyber security firm with which we work," said Tyler. He noted that IATA itself is a prime target for cyber attackers as the organization operates global financial systems through which $388 billion of air travel-related revenues flows annually. In March, IATA "identified and blocked an average of 80,00 suspicious connections per day, detected and cleared 891 viruses, and resisted five 'brute forcing' attempts to connect to IATA accounts," he said.
Tyler's speech also advocated for the industry to go beyond just focusing on how to prevent the type of onboard aircraft attacks described by security researcher Chris Roberts, who claims to have hacked into the flight-critical avionics systems of a Boeing
777 via an In-flight Entertainment (IFE) interface.
"We are only as strong as our weakest link. An airline is dependent on its [Air Navigation Service Provider] ANSP and airport partners to be highly engaged in cyber security. Many airlines and airports have robust systems in place to address common hacking threats," said Tyler. "The challenge is the evolution of the threat. Cyber experts have to improve their expertise constantly in order to remain vigilant and keep ahead of hackers. What we are facing is close to an asymmetric warfare in which it is easier to attack than to defend. In order to assess the broader threat to the aviation system, there is a need to adopt a holistic approach which would include all our IT infrastructure as well as that of our partners."
During the conference, Pang Kin Keong, Singapore Ministry of Transport permanent secretary, also discussed the role of national civil aviation authorities in addressing cyber security. He noted that, according to an annual survey carried out by PriceWaterhouse Coopers, the total number of detected security incidents climbed from 29 million in 2013 to 43 million last year, amounting to more than 100,000 attacks every day. Keong proposed that civil aviation authorities should be legally empowered to have a high level of oversight over cyber security across the entire aviation sector.
"The civil aviation authority needs to draw up a comprehensive picture of the interdependencies and interfaces across the IT systems of the various stakeholders. This allows us to know where the threats could come from, and the vulnerabilities that need to be addressed," said Keong. "Since last year, our civil aviation regulator has embarked on an ongoing effort to review the entire civil aviation sector's cyber systems. Mission critical systems will be identified. We then intend to map out the interdependencies across the various systems. This would allow us to address the cyber threat more comprehensively, and better prioritize our resources."
Singapore's Ministry of Transport envisions that the outcome of the discussions of the conference could produce a list of recommendations for the International Civil Aviation Organization (ICAO) to consider formulating new industry standards around advancing cyber security practices for aviation.