Grounded planes, cancelled routes, and profits stalled. That’s the reality faced by many if not all airline operations globally today. But, in a time when budgets are tight, airlines are still compelled to protect their systems and data, including those that aren’t directly related to their avionics systems.
Airlines are seen as symbolic targets for nation-state actors due to the wide range of host countries they originate from and the national identity that they represent. But the threat landscape has recently widened to include both financially motivated cyber criminals that are after customer data and syndicates attempting cyber espionage to target airlines’ trade secrets. The fact remains that whilst planes may not be in the air at the moment, airlines continue to collect and retain sensitive data, including credit card information, passport details, frequent flyer program data, and even accommodation bookings information.
Airlines are aware of the personal information they possess, and so are hackers, hoping to cash in on sensitive data. In Europe alone, recent high-profile breaches (some of which have been reported on in ZDNet and Forbes) have impacted over 400,000 people and fines imposed have reached the hundreds of millions of dollars. In Australia and other countries, daily attacks on airports are being reported and assessments of the application security of the world’s top 100 airports have identified areas for improvement. In the first half of 2019, for example, there were 30 publicly reported attacks on airports, and we see that trend continue today.
Travelers, and those that continue to shop via airline loyalty program-linked credit cards, are entrusting airlines with their information. If sensitive information is leaked, it’s nearly impossible to gain customers’ trust back.
The challenge at hand is compounded by what the International Civil Aviation Organization (ICAO) called the ‘system of systems’, citing how highly interconnected systems significantly increase the risk of security threats. The aviation industry is dependent on distributed architectures for delivery of efficient services, including distributed networks and interdependent physical and cyberspace functions. This set of systems is not only highly interconnected, but also has multiple OEMs and airline partners accessing the network at any given time, further raising the risk profile.
So, at a time when industry stalwarts like Qantas have grounded 90% of planes and Virgin Australia moved into administration, how do those looking to ride out the difficult times invest in protecting critical systems and data to avoid punitive action by GDPR and PCI/PII regulators and minimize the risk of ransomware and other malware attacks?
In the immediate term, it would be logical to consider three core steps to maximise economy and impact.
1. Prioritise the issues and defend in depth by isolating critical assets: Ransomware and malware are on the rise and are largely successful due to their ability to replicate across environments faster than detect/respond tools and protocols can react. Containment and least-privilege micro-segmentation are particularly relevant to industries with ever-expanding interconnected systems, like aviation and its offshoot loyalty and shopping programs. For some, this will be the main priority, while others may look to improve patching methods, secure the devices of remote workers, or gain visibility into applications and where data is used and stored. Part of this prioritisation is not only the what, but the where. Just because a critical application needs attention doesn’t mean that the required security control has to be designed for, or have the capacity to cover, the entirety of the IT estate. Rather, the best approach is to start small and targeted, where you’ll have the biggest impact, be it select PCI workloads under regulation, critical ERP applications, or workloads running loyalty programs with PII.
2. Maximise the multiplier: Security professionals need to look at vendor ecosystems to close gaps, but also pair those with what’s already deployed in their own IT estates to gain the most value. These alliances can drastically extend range and capability and ensure future infrastructure changes are not limited by security’s capability to follow. This will effectively extend both capabilities today and the lifetime value of a solution overall. Looking for things like apps in partner solution marketplaces and a REST API in use at potential vendors is a good indicator of the ability to create and continue to expand alliances to help IT maximise the multiplier.
3. Consider operationalisation: Security teams are generally stretched in good times, so now it’s more important than ever to consider the operational overhead of any new technology being implemented. Disruption to operations may be less impactful if people and planes aren’t flying all the usual routes with the usual frequency. However, technology absorption can be an overlooked or underappreciated element in any new solution. With teams distributed and working remotely, and some enterprises running reduced staff, the rollout journey from contract to BAU is critical to the success and time to value of any investment made.
Ultimately, by being strategic in assigning security priorities to both the what and the where, and by considering any hidden costs involved (i.e., professional services expenses relating to deployment, which can add significant sums, and ongoing day-to-day operational costs), airlines can spend fewer dollars whilst still addressing the most critical aspects of their business security.
Will we see future breaches? Yes, but with this approach the damage can be contained, so airlines will live to fly another day.
For more information on how Illumio is helping one airline, Cathay Pacific, protect its crown jewels during this time, check out this case study.