Cyber risk is an ever-evolving threat to organisations and the nature of the aviation industry means it has particular features that make it especially vulnerable to would-be hackers.
According to Eoghan Daly, a director with BDO who leads the firm’s cybersecurity work, since the beginning of the Covid-19 pandemic the sector has seen a “dramatic” increase in the number of cyberattacks directed at staff, operations, and critical IT infrastructure.
“For some organisations in the sector, working from home, outside of the safety of organisational IT security perimeters, has become the norm,” says Daly. Given this and other security-related risks facing the sector linked to the war in Ukraine, cyber security continues to be high on the risk agenda with the threat profile only increasing, he adds.
Major breaches associated with airlines such as British Airways, EasyJet and Cathay Pacific have been reported in recent years – Daly points out that there are likely to be many more that never hit the headlines. “In each case listed above, the report result was a breach of personal records, highlighting the value cyber criminals place on personal information.”
Certainly, it is something of an understatement to say that the aviation industry collects sensitive information – this ranges from passenger information including passport details and data about their own employees, as well as sensitive legal and financial information related to purchasing and leasing contracts. Daly notes that intellectual property information related to prospective deals, purchase prices, pricing models and matrices is of immense value to would-be hackers.
“The most valuable information in the sector is the price Boeing and Airbus charge for airplanes,” he says.
Among the most significant threats to the aviation industry in terms of cyber security is organised crime. Daly points out that aircraft leasing firms make payments for millions of euro on a regular basis. “Business Email Compromise [BEC] fraud is reasonably easy to prevent, but is still one of the most common cyber-enabled frauds,” he explains. “Many businesses do not have the correct email settings in place, enabling cyber criminals to spoof email addresses and initiate successful BEC frauds.”
As geopolitical tensions continue to grow, this could also leave certain airlines vulnerable to a potential cyber attack.
“Many airline brands are closely associated with their home country, such as Aer Lingus in Ireland and British Airways in the UK, and could become a target due to the fallout of the war in Ukraine,” says Daly. “Disruption to summer holiday plans, and leaving passengers stranded overseas, would result in significant disruption and political pressure.”
There is also an ideological threat, as so-called hacktivists could potentially choose to target airlines and other actors in the aviation industry as a means of protest against its contribution to carbon emissions.
Carmel Somers is a board member of Cyber Ireland, a member of the European Cyber Security Organisation (ECSO) and also leads the Cyber Skills Initiative at Technology Ireland ICT Skillnet. According to Somers, as air travel begins to pick up, “cybersecurity becomes front and centre in aviation again”. And as aviation businesses increase their reliance on technology, to improve operational efficiency and reduce costs, they are also increasing their “attack surface”, meaning the various weaknesses cyber threat actors can leverage to achieve their objectives.
“Once you begin to introduce technology, unless you look at the risk involved and how you protect those transactions, you potentially leave yourself open at a lot of crossover points for cybersecurity breaches,” says Somers.
She references a recent report that highlighted how 97 out of 100 of the world’s largest airports have security risks related to vulnerable web and mobile applications, misconfigured public cloud, dark web exposure or code repositories leaks. Interestingly, however, the report found that Dublin Airport was one of only three large international airports to pass all their tests without a single major issue being detected. “They are clearly doing a lot of things right,” she says.
According to Somers, the common denominator in almost all cybersecurity attacks is that organisations have failed to constantly train and educate their people.
“It is often simple issues like they’re not protecting their websites, or they’ve got exploitable vulnerabilities or even something as basic as outdated software,” she says. “It’s people clicking links, it’s people receiving emails. Most of the attacks are not hugely sophisticated – you do get those but most of the ones that impact companies are due to just not doing the basic hygiene and risk assessment of the system that they have. And if you are not doing the basic stuff right, then you are definitely not doing the big things right.”
Technology Ireland ICT Skillnet has a portfolio of cybersecurity programmes, many of which are free of charge. It also subsidises programmes including master’s programmes so that business people can understand the risks involved, says Somers. Education and awareness are huge, she says.
“It should be part of induction when you hire new people, and every year you should be retraining and reskilling, showing them examples of things you do not click on or reply to. There may be an investment but at the end of the day, the cost of a potential breach dwarfs that investment.”