Cybercrime, both real, and the threat of it, may have taken a back seat to the financial impacts of COVID since 2020 and the rising costs of jet fuel, but it remains a clear and present danger that cannot be ignored. In this article we look at recent examples of serious cyber-attacks on the aviation industry and consider what these can tell us about current trends in cybercrime, as well as what steps those involved in the industry need to take now to combat the threat in the future.

A warning from Eurocontrol

For those who may have missed it, Eurocontrol published a report in July 2021 with the headline grabbing title "Airlines under attack: Faced with a rising tide of cybercrime, is our industry resilient enough to cope?". The report explained that the aviation industry can ill afford the additional costs caused by a rising tide of cyber-attacks and outlines the increasing exposure of the European aviation industry to rising levels of risk, as criminals, hackers, and state sponsored cyber-attackers all look to exploit vulnerabilities, cause chaos and fill their pockets at the expense of the aviation sector and innocent passengers.

The report was not simply scaremongering, designed to get airlines and other stakeholders in the aviation industry to increase their cyber threat detection and mitigation and prevention measures, but was based on hard Eurocontrol data from the agency's EATM-CERT (European Air Traffic Management Computer Emergency Response Team) service. This data showed that cyber-attacks are up in all threat categories, with a 530% year-on-year rise from 2019 to 2020 in reported incidents across the aviation industry, and with airlines targeted in 61% of all 2020 aviation cyber-attacks.

Scary stuff indeed, but the report goes on to highlight the following:

  1. Aviation faces a ransomware attack every week (i.e., where an attacker gains control over all or part of an organisation's computer system and refuses to give the system back until a ransom has been paid).These attacks present serious threats to business continuity and often have severe financial impacts even before factoring in any ransoms paid, the cost of buybacks of data, or the costs required to take back control of internal systems. The price of ransomware mitigation measures alone is expected to cost global companies over EUR 20 billion a year.
  2. There are a growing number of state-sponsored or highly organised crime syndicates capable of conducting large-scale targeted intrusions to disrupt operations and to steal valuable intellectual property, as well as extort money.
  3. Airlines are an irresistible target for cybercriminals with an estimated EUR 1 billion lost from fraudulent websites alone each year. The report identifies the "Big 3" attacks used to target airlines; namely, fake websites, data theft and phishing.

Drilling into a little of the detail from these three findings, the report highlighted the following datapoints:

  1. 61% of all cyber-attacks in 2020 targeted airlines, almost twice as much as the two next biggest affected market segments combined (16% for manufacturers and 15% for airports), and 95% of these attacks were financially motivated. This led to financial loss in 55% of cases and the leaking or theft of personal data in an additional 34% of cases.
  2. Of the 335 fraudulent and fake refund websites discovered by the EATM-CERT team in 2020, 280 were impersonating IATA and A4E airline members, selling fake tickets and seeking to extract customer credit card data. The report observed a marked increase in fraudsters trying to take advantage of the uncertainty created by the COVID-19 pandemic regarding ticket changes and refunds with a proliferation of fake websites appearing after the imposition of national and local lockdowns across the EU.
  3. Airline loyalty programme accounts became a major target for fraudsters as airlines began returning money via loyalty accounts to passengers whose flights were cancelled. The EATM-CERT team issued alerts to 30 airlines and detected 15,493 accounts offered for sale on the dark web, worth over EUR 400,000.
  4. Data theft continues to be a major problem, which is demonstrated by the highly publicised and massive data hacks of Cathay Pacific and British Airways in 2018, and the attack on easyJet in 2020 (which we cover in more detail below), which was followed by a hack in March 2021 of global aviation industry IT supplier SITA, which handles bookings for around 90% of the world's airlines, including Air India.
  5. There were 62 ransomware cyber-attacks on global aviation stakeholders in 2020 alone, equating to a once-a-week attack, and in 2021 new records were set with USD 50million in demands made. Most notably these attacks included assaults against US-based VT San Antonio Aerospace, Spirit Airlines (with tranches of financial and personal data released on the dark web and a ransom demand issued), and on Colonial Pipeline, which operates an oil pipeline across the South Eastern United States, in the largest successful ransomware attack ever mounted on public infrastructure. The attack on Colonial Pipeline in particular forced the company to pay USD 4.4 million to the attacker to recover control of its pipeline operations, which had a significant impact on the aviation industry as US East Coast airports ran low on fuel and airlines were forced to cancel flights and modify flight plans for refuelling as a result. A further ransomware attack was reported in June 2021 on Japan Airport Fuelling Service, although the extent of the damage suffered in that account is unknown at present.
  6. Phishing attacks increased in 2020/2021 defeating organisations' spam and malware filters, which has caused aviation stakeholders to bring in phishing awareness campaigns and training to better mitigate phishing risks. Perpetrators of phishing attackers have however shown themselves to be extremely adaptable; as an example, in some cases "phishers" have exploited the confusion caused by the Covid-19 pandemic by posing as airlines purporting to offer refunds to passengers affected by flight cancellations.

The report concludes that while European aviation has become more cyber-secure, cybercrime and cyber warfare are the latest and newest battleground for the aviation industry, and airlines in particular, and that the stakeholders in the aviation industry cannot afford to lower their defences in the wake of the unprecedented damage caused to the industry by the Covid-19 pandemic.

A snapshot of the scale of the biggest and most recent cyber-attacks on the aviation industry over the last 5 years

To put in context the hard data referred to in the recent Eurocontrol report referred to above, it is worth looking at some of the biggest and most recent cyber-attacks, the significant impacts they had on their targets and the steps that certain industry stakeholders are taking to protect themselves in response:

Date

Airline/Organisation

Details of the event

25 May 2022

SpiceJet

Following a massive ransomware attack on SpiceJet, hundreds of passengers were stranded at airports across India, particularly those airports where restrictions on night operations were in place. SpiceJet has not revealed which systems were targeted or what it did to overcome the attacks, but it is clear that whatever SpiceJet did was effective as services were resumed within hours of the attack beginning, rather than in days as was the case with the ransomware attack on Colonial Pipeline in 2021.

April 2022

SunWing Airlines Inc.

Canadian low-cost airline Sunwing Airlines faced four days of extensive flight delays after the third-party software system it used for check-in and boarding was breached by hackers. The attack forced Sunwing to resort to manually checking in passengers in an effort to minimise disruption to its schedule and caused the Canadian authorities to suspend operations temporarily to ensure that the breach was remedied before flights could resume.

March 2022

Russian CAA

In what appears to have been a retaliatory strike in response to Russia's invasion of Ukraine, an unidentified group (presumed to be the Anonymous Hacking Group) carried out an extremely effective attack on the Russian Federal Air Transport Agency. As part of the attack, all aircraft registration data and emails, totalling approximately a massive 65 terabytes of data, were deleted from the Agency's servers. The attack was so successful that until back-up copies of the electronic data could be found the Agency was forced to resort to using pen and paper and to sending information in hard copy through the post.

March 2021

SITA

SITA, an airline technology and communication provider that operates passenger processing systems for airlines, was the victim of a cyber-attack involving passenger data. SITA serves 90% of the world's airlines and disclosed that among the airlines affected were various major airlines including Air India, Finnair, Japan Airlines, Jeju Air, Lufthansa, Malaysia Airlines, Singapore Airlines and Cathay Pacific.

Singapore Airlines reported that 580,000 of its frequent flyer members were compromised in the attack and Air India estimated that personal data relating to 4.5 million of its passengers was stolen.

2020

VT San Antonio Aerospace

Demonstrating the importance of maintaining security throughout the entirety of the supply chain, VT San Antonio Aerospace fell victim to a sophisticated attack by the Maze Ransomware Group when the criminal group gained access to and encrypted the San Antonio network. The system in question was reportedly recovered within three days but by that time a vast amount of data (1 terabyte) had already been stolen.

January 2020

easyJet

easyJet was the victim of a cyber-attack in which hackers obtained the credit-card information of 2,208 customers. The carrier did not notify passengers of the attack until 4 months after the incident, in May 2020 and as a result they are now facing a class-action suit from 10,000 passengers, seeking around £18 billion in damages.

February 2019

Ben Gurion Airport

In an example of the immense pressures that aviation industry stakeholders can come under when defending themselves from cyber-attacks, a spokesperson for Ben Gurion Airport revealed that they were blocking three million attempts per day by bots to breach their systems.

To deal with these attacks Ben Gurion Airport has established a Security Operation Centre to coordinate defences; it is believed that the Airport is one of the first in the world to do so.

December 2019

Albany International Airport

A criminal gang succeeded in gaining access to Albany International Airport's database, which was then encrypted and ransomed back to the airport by the gang for a five-figure sum that was paid in Bitcoin. Fortunately, the attack did not affect operations at the airport and it is understood that the ransom was reimbursed by the Airport's insurer, thus demonstrating the necessity of having robust procedures and comprehensive insurance in place to deal with attacks like these.

August 2019

Air New Zealand

Personal data of over 120,000 customers was compromised following a successful phishing attack on two members of staff. The attackers used the information gained through phishing to access Air New Zealand's frequent flyer programme, from where they were then able to obtain extensive personal data relating to passengers on the programme. Fortunately, no passport or credit-card information were stolen on this occasion.

August 2018

British Airways

British Airways' system was infected with a malicious code, resulting in the theft of personal data relating to 429,612 customers and members of staff from its servers. The information extracted included names, addresses and credit-card information relating to 244,000 customers.

A subsequent investigation by the Information Commissioner's Office (the "ICO") found that the airline lacked adequate security measures to protect the personal data under its control. As a result, British Airways received a record-breaking fine of £20 million for its failure to protect its customers.

August 2018

Air Canada

Air Canada's mobile application software was hacked, resulting in the potential leak of highly sensitive personal data relating to its customers' passport information.

2018

Cathay Pacific

A cyber-attack led to 9.4 million accounts being breached and the theft from within the compromised accounts of extensive personal data regarding the airline's customers. An investigation by the ICO revealed that Cathay Pacific's system lacked any password protection for backup files and that the OS was out of date. After the attack, Cathay Pacific introduced multi-factor authentication to prevent future attacks. As a result of this failure the ICO issued Cathay Pacific with a fine for £500,000.

September 2017

Delta Airlines

Delta and Sears Department Store were both involved in an extensive data breach in April 2018 when an online support service used by both organisations suffered from an extensive malware attack.

The attack lasted from September to October 2017, but Delta and Sears only became aware of the attack in the following year. As a result of the attack the credit-card information belonging to approximately 100,000 customers was lost.

September 2018

Bristol Airport

In a dramatic ransomware attack, the electronic flight information at the airport was disabled and the screens showing all flight information were taken offline in order to contain the threat. Bristol Airport did not pay the ransom to the perpetrators of the attack and instead used whiteboards that were updated manually to keep passengers informed of flight details until the attack was thwarted.

November 2015

Sweden air traffic control

Sections of Sweden's air traffic control capabilities were blocked for five days following a successful attack by "Fancy Bear", otherwise known as APT28, a Russian cyber espionage organisation that is believed by some industry analysts to be associated with GRU, the Russian military intelligence agency. Sweden initially blamed a solar flare for the outage, but has since confirmed that the event, which caused huge disruption to air traffic travelling to, from and across Sweden, was a result of a malicious attack.

 

As can be seen from these examples, many of the largest cyber incidents in the past 7 years have related to the theft of highly sensitive personal data relating to passengers, including credit card details, passport information and passenger name record ("PNR") data. At present this type of attack, along with the theft of valuable intellectual property from manufacturers, are perhaps the more pressing threats facing the industry. However, as we explore in more detail below, the increasing dependence of the aviation industry on complex and inter-related information technology systems means that there are now more opportunities for cyber-attacks to target aircraft and airports directly than there have been ever before.

Emerging cyber battlegrounds

Complex information technology solutions are found all across the industry supply chain, from integration into new aircraft, including WiFi connections and on-board infotainment systems for passengers, to software used in airports and by airlines to manage, among other things, security checks and booking information respectively. These solutions are particularly vulnerable to attack in circumstances where organisations have attempted to integrate them with dated legacy IT systems that were not designed to deal with the sophistication of cyber-attacks seen today. More and more aviation stakeholders are also now beginning to include greater levels of automation within their systems, and this creates an entirely new area of potential vulnerability. Overall, the growth in the use of complex IT solutions by the aviation industry, fuelled by a rapid return to global travel following the Covid-19 pandemic travel restrictions and lockdowns, serves to increase the size of "attack surfaces" (meaning the sum of the different points where unauthorised users can seek to obtain or enter data) available to would-be cyber criminals.

The pandemic itself gave rise to a plethora of new opportunities for attacks, with criminals seeking to exploit the confusing international situation to the fullest extent possible and to make the most of the vulnerabilities in new systems that airlines around the world were rushing to implement to deal with the situation. In particular the pandemic saw an explosion in false websites purporting to sell Covid-19 testing kits and certificates, and widespread use of sophisticated phishing attacks by attackers posing as airlines offering refunds for cancelled flights. Some airlines also experienced waves of thousands of fraudulent chargeback requests by attackers and found that their websites came under sustained attack from entities seeking to steal unredeemed vouchers and points from loyalty programmes.

This growth in opportunities for attack has led some in the industry to speculate that would-be cyber criminals may turn their attention towards the systems used to operate, navigate and communicate with aircraft while they are in flight. In particular, the increasing adoption of WiFi technology onboard aircraft during flight and the growing practice of airports allowing passengers and employees alike to use "Bring Your Own Device" systems while in the airport, both serve to dramatically increase the size of the "attack surface" available to cyber criminals looking to directly target aircraft and airport systems. At their most dramatic, such attacks could include Distributed Denial of Service ("DDoS") attacks (where attackers overwhelm servers with internet traffic in order to prevent other users from using connected services) on security screening or air traffic control systems, preventing airports from using them, or attempts to use passenger interfaces to access avionics and navigation systems onboard aircraft in mid-flight. Although there is no known example of such an attack succeeding to date, if such an attack were to succeed it could have potentially catastrophic consequences.

A major potential "attack surface" open to would-be cyber criminals is the Automatic Dependent Surveillance-Broadcast (also known as ADS-B) system, which is used by aircraft to automatically transmit and receive positional and identification data (and which is also used to supplement the information used by popular online flight tracking services like Flightradar24). The ADS-B system plays a vital role in facilitating ATC operations and the safe operation of aircraft and its security is therefore of paramount importance. However, much of the data transmitted using ADS-B is done so in an unencrypted format and is therefore particularly vulnerable to eavesdropping, interception and, potentially, to jamming and alteration by third parties. To combat this threat industry experts have proposed measures including encryption of ADS-B data and random blurring of aircraft data in such a way that only those that need it (i.e., ATC and aircraft operators) can obtain sufficient information from the data while third parties cannot.

What steps is the industry taking collaboratively through ICAO, IATA and national legislation to tackle this rising wave of cyber-crime?

As the Department for Transport ("DfT") has recognised in its Aviation Cyber Security Strategy, responsibility for combatting cybercrime in the aviation industry effectively lies with three groups: governments, regulators and participants in the aviation industry themselves, at all stages in the supply chain. Given the uniquely international and symbiotic nature of the aviation industry it is obvious that any attempt to combat cybercrime cannot succeed unless each of these three groups work together to formulate a cohesive plan. In this section we explore in more detail some of the more important steps that governments, regulators and industry stakeholders are taking together to deal with the issue.

The International Civil Aviation Organisation

The International Civil Aviation Organisation ("ICAO"), the specialised agency of the UN responsible for aviation, published its Aviation Cybersecurity Strategy in October 2019 (the "Strategy Report"). In its Strategy Report, ICAO acknowledged the continuous and evolving threat of cyber-attacks with "malicious intents, disruptions of business continuity and the theft of information" while recognising the reliance of the aviation sector on the "availability of information and communications technology systems as well as on the integrity and confidentiality of data."

Some of the key proposals in the Strategy Report included:

  1. International Cooperation - ICAO recognised the borderless nature of both aviation and cybersecurity and emphasised the need to ensure international cooperation between states in developing and improving cybersecurity solutions.
  2. Governance - ICAO acknowledged the importance of Member States including cybersecurity in their national aviation safety and security programmes and to work collaboratively with their respective civil aviation authorities to set clear governance and accountability standards for cybersecurity in the civil aviation industry.
  3. Effective legislation and regulation - ICAO called on Member States to ensure proper legislation and regulations are put in place to combat cybercrime and to conduct ongoing analysis to identify and rectify any key legal provisions for the prevention and prosecution of cyber-attacks.
  4. Cybersecurity policy - ICAO also called on Member States to include cybersecurity within their aviation security and oversight systems, and to develop risk management frameworks and cybersecurity policies that account for the complete supply chain of the aviation industry.
  5. Information sharing - Recognising the need for all players in the industry to have access to the most up to date information, ICAO recommended that all industry stakeholders should share information related to vulnerabilities, threats, events and best practices when possible.
  6. Incident management and emergency planning - ICAO recommended that governments put in place appropriate contingency plans for ensuring the continuity of air transport and minimising disruption to passengers as much as possible even during cyber-attacks.
  7. Capacity building, training and cybersecurity culture - To strengthen the industry's resilience to future attacks, ICAO wants to see an increase the number of personnel in the civil aviation sector that are well-versed in both aviation and cybersecurity, and to cultivate a culture of cybersecurity for the next generation of aviation professionals.

Prior to the Strategy Report, in August 2017 ICAO formed the Secretariat Study Group on Cybersecurity (the "SSGC") in order to implement a resolution of ICAO to take certain steps to counter cyber threats to industry stakeholders. The SSGC comprises four sub- and working-groups, namely: a legal research group, a working group for airlines and aerodromes, a working group for air navigation systems, and a working group for cybersecurity for flight safety. These groupings demonstrate the different levels that need to be considered in order to formulate a unified and cohesive approach to cybersecurity in the industry. Among other things the SSGC is responsible for reviewing the Annexes to the Chicago Convention 1944, consolidating existing Standards and Recommended Practices ("SARPs") and reviewing proposals for amendments to ICAO provisions. At present the SSGC is revising the ICAO Cybersecurity Action Plan, which was put into place some time ago in 2014.

National legislation and regulation

Due to its borderless nature, it is important that individual states work together to legislate and regulate for cybersecurity in a connected way. Cybersecurity and data protection in the EU are legislated for at Union level, with each Member State responsible for implementing relevant legislation and appointing national enforcement bodies to apply it. Following Brexit, responsibility for overseeing cybersecurity and data protection in the aviation industry in the UK is vested in four bodies: the National Cyber Security Centre, which is the UK's technical authority for cybersecurity, the UK Civil Aviation Authority (the "UKCAA") and the DfT who both enforce relevant legislation and provide support to the industry, and the ICO, which focuses on data protection and enforcement of the General Data Protection Regulation ("GDPR").

The UKCAA and the DfT are both competent authorities responsible for the enforcement of the Network and Information Systems Regulations 2018 (the "NIS Regulations"). The NIS Regulations implement the EU's NIS Directive 2016/1148 as retained after the end of the Brexit implementation period in December 2020 and which allow the UK to maintain a minimum level of harmonisation with the EU.

The EU's NIS Directive 2016/1148, as implemented by the NIS Regulations, has three main purposes:

  1. Improving national security capabilities, through implementing cybersecurity strategies, setting up competent authorities and having a national strategy on the security of network and information systems.
  2. Security and incident notification requirements, with measures taken to prevent and minimise the impact of any cyber-attacks and clear instructions on when the need to notify the competent entities of a Member State or the wider public of any incidents (an incidents being "any events having an actual adverse effect on the security of network and information systems").
  3. Improving EU level cooperation, by establishing a Cooperation Group among Member States to facilitate communication and enhance support, as well as creating a network of National Cyber Security Strategy, a Computer Security Incident Response Team ("CSIRT Network") to improve efficiency in communicating and dealing with security incidents and known risks.

In addition to the NIS Regulations, two other important pieces of legislation that apply to aviation organisations, and which the UKCAA is able to enforce, are the EASA Basic Regulation (which applies by virtue of the fact that it was in place in the UK prior to Brexit) and the EASA Standards and Recommended Practices ("SARPS") taken from the annexes to the Chicago Convention 1944, and the various UK Air Navigation Orders.

In an effort to meet UK, European and International aviation standards for cybersecurity, the UKCAA has also developed the UKCAA Cyber Security Oversight Team (the "UKCAA Oversight Team") to manage cybersecurity risk and support the industry's efforts to improve safety and security. It has also published CAP 1753, the cybersecurity oversight process for aviation, which sets out the UKCAA's expectations along with examples of good practice for complying with the EASA Basic Regulation, the NIS Regulations and the ICAO SARPs.

The International Air Transport Association

The International Air Transport Association ("IATA") is the largest trade body representing airlines in the world. It is therefore a powerful voice for advocating for the aviation industry's interests. Similar to ICAO, IATA also emphasises the importance of a common approach to cybersecurity because it would improve the flow of information and cooperation within the network.

To assist the industry, IATA has said that it is developing an industry-wide Aviation Cyber Security Strategy to coordinate and ensure the necessary level of holistic protection in the industry. As part of this it has established the Cyber Management Working Group (the "CMWG"), which is intended to provide guidance to industry members and analyse industry needs as they develop. IATA has also founded a more informal group known as the Aircraft Systems Cyber Security Steering Group, whose role is to provide a space for the industry to share information in relation to flight safety systems. Highlighting the importance of co-operation within the industry, IATA has also worked with the International Coordinating Council of Aerospace Industries Associations (of which most national aviation associations are members), which have worked together to create an international group to allow airlines to share concerns with original equipment manufacturers ("OEMs") and design approval holders (i.e., organisations responsible for aircraft design types).

At a more immediate level, when it comes to airlines improving their cybersecurity, Manon Gaudet, the Assistant Director of Aviation Cybersecurity at IATA, recommends bringing in an expert because "there are lots of different attacks and lots of different ways an attack could impact an airline. You have to work through all the different scenarios especially those that could have an impact on safety." This reflects a wider concern across the industry that at present most aviation organisations do not have access to sufficient numbers of properly trained and experienced cybersecurity professionals.

Conclusion

The aviation industry has been quick to adopt developments in cyber technology to allow them to deliver improved efficiencies and better passenger experiences for their customers. For the most part this has been achieved safely, but that safety cannot be taken for granted.

With each new opportunity for improving the customer experience or increasing the efficiency of aircraft operations comes the opportunity for cyber criminals to exploit that new or upgraded technology for personal, or sometimes political, gain. The frequency of cyber-attacks is clearly rising, as is the level of sophistication of the attackers, and without a cohesive and unified approach to the problem it seems chillingly inevitable that at some point a cyber-attack, that cannot be contained relatively quickly, with devastating and possibly fatal consequences on the industry, will succeed.