Cyber Security - Access Denied
Airlines must respond to cyber threats and ensure the security of all forms of electronic data exchange
Electronic data transfer offers huge potential for airline operations. Equally it increases the opportunity for cyber attacks. Airlines remain on their guard.
The 2010 Deloitte Airline Fraud Report revealed that credit card fraud increased between 2006 and 2009, largely driven by the popularity of online bookings. On average, an airline loses $2.4 million a year to fraud. Almost half of the airlines surveyed said that fraud associated with e-commerce and the Internet had increased between 2008 and 2009. Some 35% noted an increase in card fraud associated with point of sale or handheld devices, and 22% noted an increase in the number of attempts to breach IT security and firewalls from the Internet.
Although credit card fraud is regarded as a serious risk by most airlines, the Deloitte Report found that only about 50% had a formal system in place to track this fraud.
The weakness is being addressed, however. The new 2011 Cybersource Airline Fraud Survey found that in 2010, airlines lost a total of $1.4 billion due to online credit card fraud perpetrated through their websites, representing 0.9% of total worldwide online ticket sales. But these figures were 31% better than the findings from the previous survey in 2008.
Airlines are doing everything they can to address the problem of credit card fraud, and to comply with the Payment Card Industry Data Security Standards (PCI-DSS), a security standard developed in 2006 by the major international payment schemes to provide protection to their cardholders. Any organization that processes, stores or transmits cardholder data is required to comply with these standards.
Further work on the issue will progress matters even more. In particular, there is a need to assist airlines that have less experience of online sales. These tend to suffer from the highest rates of fraud as a percentage of sales. Low-fare airlines have the lowest rates of fraud, probably because of their online savvy and increased awareness that every cent counts.
Credit card fraud
IATA does not collect statistics on online fraud, but is active in this area. It has developed the Perseuss program, which offers a secure platform where airlines can legally share information about known fraudulent activity. The data can be matched with airline sales data, such as e-mail addresses or IP addresses, to identify suspect transactions. Perseuss is a subscription service, and more than 60 airlines are now involved to various degrees.
“Some airlines have recouped the annual cost of Perseuss in just a few months,” says Christophe Kato, IATA’s Project Manager for the Perseuss program. “We don’t offer this service to make a profit. The value is to the community of users, and what they can bring to the table through their meetings and new relationships.”
IATA has also developed its own PCI-DSS program, which secures and protects BSP sales via agencies. Whenever a credit card is used, airlines must ensure their systems are in line with PCI-DSS.
“IATA plays a significant role in trying to prevent cyber credit card crime,” says Kato. “Ensuring that PCI-DSS is correctly implemented means the risk can be passed from the airline to the merchant.”
Detecting fraud is another important area. Some airlines use automated systems to do this; others tend to do larger numbers of manual checks. “It is really a question of trying to spot anything that is suspicious,” says Kato. “It is not an exact science. Some airlines have in-house fraud analysts, while others outsource to specialist companies. Risk scores can be applied to each transaction, and those with the largest risk scores can then be given manual checks.”
The terrorist threat
Losing money is one thing; losing lives is something else again. Cyber terrorism poses especially serious challenges for airlines that will be taking delivery of the new generation of aircraft. In some cases, it may even require airlines to rethink the structure of their security and IT divisions.
The International Civil Aviation Organization (ICAO) has identified cyber terrorism as a distinct threat to the aviation industry that needs attention. On 17 November 2010, a new ICAO Recommended Practice related to cyber threats was adopted and became applicable on 1 July 2011. It suggests that each ICAO Contracting State should develop measures to protect information and communication technology systems used for civil aviation purposes from interference that could jeopardize the safety of civil aviation. Vulnerability assessments relating to cyber security are recommended, with the objective of evaluating the efficiency of mitigation measures and identifying vulnerabilities from a threat-based perspective.
Chamindra Lenawa of Air Astana says the airline has a resilient system with several layers of defense. “Our main servers are at our operational hub in Almaty, but we have the core operational structure replicated on an offline copy in Astana,” Lenawa notes. “As for the data itself, we also have hot‑standby systems, which replicate the data of critical systems in the form of regular snapshots so that if for any reason the data becomes corrupted, we have standby systems that can be activated quickly.”
Cyber terrorism’s increasing threat to airlines has been enhanced by globalization and the ubiquity of the Internet. An attack on an airline’s IT systems can be regarded as cyber terrorism if it brings down or paralyzes any critical system. But this can extend to the more frightening possibility that it could actually cause damage to an aircraft.
“Many future efficiency gains will be based on network connectivity and electronic data exchange,” says Ken Dunlap, IATA’s Director of Security. “The new generation of aircraft will be much more interactive in terms of automated electronic data exchange than the present generation of aircraft. These new aircraft are being discussed as ‘all-electric’ models. It is not only the primary fly-by-wire flight controls; they will have a whole range of systems operating electronically, and data will be updated automatically in real time, rather than the static updating that takes place today.”
Ensuring that this data is transferred between the ground and aircraft securely is the challenge airlines must address. It is essential that all stakeholders in the civil aviation industry work together to ensure there are no glitches.
The movies come to life
“This is a relatively new concern for airlines,” says Pascal Andrei, Director of Aircraft Security at Airbus. “Conventional security threats, such as bombs, disruptive passengers, smuggled baggage, and cargo are already being managed effectively, although these are constantly evolving. Now airlines must learn to manage cyber threats.”
In the film Die Hard 2, an aircraft’s systems were fooled by cyber hackers into thinking it was flying 200 feet higher than it actually was, through resetting the instrument landing system.
Andrei says this is no longer merely a fictional scenario. “It is not just a matter of ensuring that the channels of data transmission are secure, but also of ensuring that the information transmitted through those channels is correct. Aircraft have to rely on external data coming into the aircraft. If that information is not correct, it could jeopardize the safety of the flight.”
Manufacturers deliver aircraft with security features embedded, but once the aircraft has been delivered, it is the responsibility of the airline to maintain that level of security throughout the life of the aircraft.
“Airlines need to understand the threat evolution associated with new IT technologies,” says Andrei. “These new technologies can be taken hostage. Airlines need to know what they need to do to protect and maintain the level of security on the aircraft itself, which is the last line of defense.
“With more and more open systems and electronic connections between the various stakeholders in the air transport industry, the risks are increasing,” he adds. “All applications have potential bugs, and this, coupled with the interconnectivity between the aircraft and the ground, creates the challenge.”
Opening the doors
The aircraft manufacturers have already started a dialogue with airlines about these matters, but much more needs to be done to bring other stakeholders into the discussions. Airbus’s annual Aircraft Security Users Panel (ASUP) meetings have been running—strictly behind closed doors—for several years now, bringing together the heads of security at airlines with Airbus. This year, for the first time, Boeing was invited to attend the ASUP meeting, and Andrei says that next year Bombardier and Embraer will also be invited.
In October 2011, at the IATA AVSEC conference, a panel discussion highlighted the importance of bringing more stakeholders into these sorts of talk. “Airlines, OEMs, airport operators, and air navigation service providers all need to be fully aware of the challenge of providing accurate information within secure communication channels,” says IATA’s Dunlap.
“Five years ago, I was spending most of my time on the physical aspects of airline security,” he continues. “Now I am spending the majority of my time on technology and data exchange issues. Whether it involves airport or aircraft security, the focus now encompasses the integrity of the data stream in addition to the physical aspects of the systems.”
This new outlook is why airlines may need to rethink their security and IT divisions. The way forward will blend a diverse mix of skills.
Dunlap says that airlines must optimize their organizations to provide secure electronic communications, not only for ground‑based systems, but also for electronic data exchange between their ground systems, airport systems, air navigation systems, and their aircraft.
“Does this come under the responsibility of the IT division or the Security division?” he asks. “Airlines are already dealing with these questions today.”
The answers are vital to the future of the industry.
More information on www.iata.org/perseuss