Security Warning To Airlines of New Cyber Attacks


Airlines are increasingly at risk of cyber attacks that could pose significant safety issues and force carriers to ground their fleets to protect passenger welfare, causing major financial damage, security experts say.
"There are huge risks and challenges facing the airlines," Eric Lowenstein, a Sydney-based cyber-risks practice leader at insurance group Aon, said. "We are not just talking about [passenger data] privacy."

LOT Polish Airlines last month was forced to cancel 10 flights and delay 12 others in response to an attack against computers issuing flight plans at Warsaw's Okecie Airport that overloaded its network. That came a few weeks after United Airlines had grounded all its flights in the US, reportedly after bogus flight plans appeared in its system. 

In May, a US Federal Bureau of Investigation affidavit claimed American security researcher Chris Roberts had hacked into aircraft systems through the in-flight entertainment system, causing the plane to drift sideways in flight. This has yet to be verified, but it has raised significant concerns in security and insurance industry circles.

In April, Hobart Airport's website was hacked by supporters of radical group Islamic State, although no threat was made against flights in that case. "For those flying out of Hobart, it becomes a more elevated risk and security concern," Mr Lowenstein said. 

Jay Youlten, the regional director Australia, New Zealand and South Pacific at travel technology group SITA, said it was tough to prevent all security breaches.
"It is kind of like locks for cars – as soon as somebody creates the latest lock, someone has figured out how to break it," he said. "So there is a huge investment in technology to make sure these things are protected."
He said that now many airlines were providing high-speed in-flight Wi-Fi services to passengers, it was becoming particularly important to create a demarcation between critical systems on board aircraft and passengers surfing the internet.
"The connectivity from the satellite or wherever to the aircraft, it is a major area that obviously has to have that integrity of security on it, and it does," Mr Youlten said. "But like I said, there are always challenges from people coming up with new ways to do things."

So far, the public has expressed relatively little concern about the possibility of data breaches by airlines, although polls to date have focused on the loss of personal information.

A study by security firm Unisys released last week found a third of Australians expected a data breach in the airline industry in the next 12 months. That was the lowest of any sector and far below the 58 per cent expecting a breach from the telecom industry.

But John Kendall, Unisys security program director Asia Pacific, said he believed the airline sector was increasingly at risk, in part because it hadn't yet been subject to the kind of high-profile attacks that have hit the banking and retail sectors.
"It is absolutely inevitable," he said of an airline attack, noting they held a wealth of data, including names, birthdates, passport details, credit cards and destinations, that made them a juicy target for identity thieves. "This is not all about passenger information either. We are starting to see the start of hacks into avionic systems."
Mr Lowenstein said it was essential that airlines had adequate insurance in place to protect against cyber attacks, because as a rule of thumb a simpler data breach, such as one involving passenger information, would cost $145 a record in terms of credit monitoring and setting up call centres.

A security breach causing an airline to ground multiple aircraft could easily lead to millions of dollars of costs due in part to the need to rebook passengers and provide them with accommodation.

Sources said in the airline industry, technology suppliers usually bore the risk of having adequate insurance under their supply contracts.

It is understood neither Qantas Airways nor Virgin Australia Holdings has a separate cyber-security insurance policy but both have multi-layered security precautions in place. An Australian Securities and Investments Commission report on cyber resilience issued in March encouraged board-level oversight of cyber risks.

A Virgin spokeswoman said the airline's chief information security officer managed cyber risk, including regular briefings and consultations with the board and senior management team. It is understood the Qantas board is also regularly briefed on cyber-security issues.
SMH: http://bit.ly/1NR2qrE

 
