Security Warning To Airlines of New Cyber Attacks

A security breach causing an airline to ground multiple aircraft could easily lead to millions of dollars of costs

Airlines are increasingly at risk of cyber attacks that could pose significant safety issues and force carriers to ground their fleets to protect passenger welfare, causing major financial damage, security experts say.
"There are huge risks and challenges facing the airlines," Eric Lowenstein, a Sydney-based cyber-risks practice leader at insurance group Aon, said. "We are not just talking about [passenger data] privacy."

LOT Polish Airlines last month was forced to cancel 10 flights and delay 12 others in response to an attack against computers issuing flight plans at Warsaw's Okecie Airport that overloaded its network. That came a few weeks after United Airlines had grounded all its flights in the US, reportedly after bogus flight plans appeared in its system. 

In May, a US Federal Bureau of Investigation affidavit claimed American security researcher Chris Roberts had hacked into aircraft systems through the in-flight entertainment system, causing the plane to drift sideways in flight. This has yet to be verified, but it has raised significant concerns in security and insurance industry circles.

In April, Hobart Airport's website was hacked by supporters of radical group Islamic State, although no threat was made against flights in that case. "For those flying out of Hobart, it becomes a more elevated risk and security concern," Mr Lowenstein said. 

Jay Youlten, the regional director Australia, New Zealand and South Pacific at travel technology group SITA, said it was tough to prevent all security breaches.
"It is kind of like locks for cars – as soon as somebody creates the latest lock, someone has figured out how to break it," he said. "So there is a huge investment in technology to make sure these things are protected."
He said now that many airlines were providing high-speed in-flight Wi-Fi services to passengers, it was becoming particularly important to create a demarcation between critical systems on board aircraft and passengers surfing the internet.
"The connectivity from the satellite or wherever to the aircraft, it is a major area that obviously has to have that integrity of security on it, and it does," Mr Youlten said. "But like I said, there are always challenges from people coming up with new ways to do things."

So far, the public has expressed relatively little concern about the possibility of data breaches by airlines, although polls to date have focused on the loss of personal information.

A study by security firm Unisys released last week found a third of Australians expected a data breach in the airline industry in the next 12 months. That was the lowest of any sector and far below the 58 per cent expecting a breach from the telecom industry.

But John Kendall, Unisys security program director Asia Pacific, said he believed the airline sector was increasingly at risk, in part because it hadn't yet been subject to the kind of high-profile attacks that have hit the banking and retail sectors.
"It is absolutely inevitable," he said of an airline attack, noting they held a wealth of data, including name, birthdates, passport details, credit cards and destinations, that made them a juicy target for identity thieves. "This is not all about passenger information either. We are starting to see the start of hacks into avionic systems."
Mr Lowenstein said it was essential that airlines had adequate insurance in place to protect against cyber attacks, because as a rule of thumb a simpler data breach, such as one involving passenger information, would cost $145 a record in terms of credit monitoring and setting up call centres.

A security breach causing an airline to ground multiple aircraft could easily lead to millions of dollars of costs due in part to the need to rebook passengers and provide them with accommodation.

Sources said in the airline industry, technology suppliers usually bore the risk of having adequate insurance under their supply contracts.

It is understood neither Qantas Airways nor Virgin Australia Holdings has a separate cyber-security insurance policy but both have multi-layered security precautions in place. An Australian Securities and Investments Commission report on cyber resilience issued in March encouraged board-level oversight of cyber risks.

A Virgin spokeswoman said the airline's chief information security officer managed cyber risk, including regular briefings and consultations with the board and senior management team. It is understood the Qantas board is also regularly briefed on cyber-security issues.
SMH: http://bit.ly/1NR2qrE

 
