Cyber attacks can crash a plane; are airlines doing enough to prevent this?

Planes fall from the sky for several reasons, including storms, engine failure, terrorism and pilot errors, but could cyber-hacking be one of those reasons? You bet! Airlines are aware of that and, although they are not sharing the fact, are giving the issue top priority. But is what they’re doing enough?

Huge investments in cyber-security

Airlines and airports worldwide will spend an estimated $33 billion in 2017 as additional investments in cyber-security and cloud services, according to SITA, a global specialist in air transport communications.

Airports around the world will spend approximately five per cent of their revenues to upgrade their IT systems and cloud applications. Moreover, airlines around the globe will spend a total of $24.3bn, or 3.3 per cent of their revenues, on cyber-security and cloud services.

“70 per cent of airlines and 88 per cent of airports will either increase their investments in cyber-security and cloud services next year or keep their investments at the same level as it is now,” said the report.

“Cyber-attacks are a very real threat in the highly interwoven air transport industry so building solid defences is essential,” said Ilya Gutlin, President, Air Travel Solutions at SITA.

SITA said more than 90 percent of world airlines and airports identified cyber-security as their top priority.

Air systems outdated

According to industry regulator IATA, if passengers are to retain trust in the aviation system, it’s vital that the industry protects itself from cyber-attacks.

“The countless entry points and interfaces make it vulnerable to cybersecurity threats. Moreover, many of those systems are outdated and were never designed to counter modern cybercrime,” said IATA in 2017.

“Making the reporting of cyber-attacks mandatory is perhaps the most critical of all. If an attack isn’t reported, then other airlines and partners in the aviation value chain cannot use it to improve their defenses.”

IATA says that when airlines do not report attacks, the risks grow: other airlines that are similarly hit are not able to do a proper risk assessment.

“A hack is a one-time event. One opening, exploited once. System defenses, on the contrary, must work every second of every day. If you only consider prevention, attacking is simple, defending is hard,” said IATA.

In an interconnected world, cyber-security is the cost of doing business, it said.

Notable attacks

According to EurActiv, an online site concerned with EU policies, there’s a fear that, one day, terrorists will be able to crash planes or make them disappear from radar screens simply by using a laptop.

“We have to be prepared always for the worst,” Luc Tytgat, Director of Strategy and Safety Management at the European Aviation Safety Agency (EASA), an EU agency, told EurActiv.

Tytgat said aviation systems were subject to an average of 1,000 attacks each month.

JLT Group, a global insurance provider, said in a 2017 report that the number of reported aviation data breaches doubled during 2012-2015, compared to 2008-2011.

“On average, 78,000 records were compromised per airline between 2012 and 2015. Some 58 per cent of breaches in that period were the result of hacking,” JLT said.

“Airlines are also exposed to potentially costly disruption to their daily operations as a result of attacks or system outages. This can result in lost revenues, additional expenses, disgruntled customers and reputational damage.”

In August 2016, a power cut crashed Delta Air Lines’s check-in system, causing long delays and the cancellation of 2,300 flights. The outage was estimated to cost the company $150 million.

More recently in May 2017, British Airways owner IAG SA said a power outage led to the cancellation of hundreds of flights and cost approximately $102 million in lost revenue as well as the expense of accommodating, re-booking and compensating thousands of passengers.

At least 75,000 travellers found themselves grounded over three days from May 27, as the U.K. carrier’s information-technology systems crashed.

Japan’s All Nippon Airways, Southwest Airlines in the US and British Airways all suffered technical incidents that caused severe delays and cancellations during 2016, according to JLT.

Cyber-attacks have also been known to cause disruption to airline operations. In 2015, for example, 1,400 passengers with Poland’s national carrier, LOT, suffered delays due to a DDoS (Distributed Denial-of-Service) attack against it.

JLT said hackers could access aircraft flight controls and air traffic systems, and security experts and penetration testers identified vulnerabilities in aircraft systems.

“One claimed that he repeatedly hacked a US passenger plane via the entertainment system, and was able to manipulate the plane’s engines inflight. Another boasted that he could take over an aircraft’s steering system using a mobile phone,” said JLT.

With this sense of foreboding, will airlines be able to prevent upcoming attacks?