Airlines Grappling with Cybersecurity Threats

Electronic data exchange is becoming a huge part of airline operations as many airlines shift transactions online to cut on costs. Many airlines are also launching online eCommerce website wheres travelers can purchase anything from frequent flyer miles to luxury items, hotel bookings, car bookings and exclusive tour offers in exotic resorts and many more.

But lurking behind these innovative business models and services is the shadow of cyberthreats and online credit card fraud.
Cybersecurity: Airlines lost $1.4 billion in 2010 to online credit card fraud
According to the 2010 Deloitte Airline Fraud Report, the scale of credit card fraud increased rapidly in the years between 2006 and 2009, driven largely by the tremendous growth in online bookings. Today's traveler is likely to book their ticket on online travel agencies like Expedia, Priceline, Orbitz, Travelstart or on airline websites' booking engines. Given that many users are purchasing tickets online for the first time or are not well attuned to the existing cyberthreats and online fraud, cybercriminals are shoving their way into the online booking business to take advantage of naive customers and lax airline online security systems.

On average, an airline loses a whopping $2.4 million per year to fraud.  Almost half of the airlines surveyed said that fraud associated with e-commerce and the Internet had increased between 2008 and 2009. Some 35% noted an increase in card fraud associated with point of sale or handheld devices, and 22% noted an increase in the number of attempts to breach IT security and firewalls.

Today's traveler and travel is never complete without sophisticated devices such smartphones, iPads, laptops, netbooks and bluetooth enabled devices which make our travel experience lot more bearable. Sadly these are also the softest targets for cybercriminals who may attack from airport lounges; attacks include identity theft, rogue Wi-Fi hotspots to new wirelessly-accessible e-passports. Some airports provide free Wi-Fi services but it's extremely difficult for a traveler to tell the difference of free Wi-Fi from a rogue free, set up to steal client information.

As more African travelers take to the skies, African banks must install extra layers of security authentication in the debit cards and credit cards beyond the information displayed on the card which is normally sufficient for a transaction.

How airlines lose money to cybercriminals
Airlines lose money to cybercriminals mainly through hacking incidents and attempts to breach its security walls.  Hacking groups and networks can compromise an airline's information security wall and in the process steal sensitive credit card information from the airline and its customers. Negative perceptions on the security of an airline's website and the subsequent loss of trust in the airline's security systems can also drive customers to book their flights with more trusted agents such as online travel agencies thus adding extra expenses to the airline and loss of business and also exposing the travelers to even greater online threats. Recently the website of the Israeli airline was disrupted by a Saudi hacking network although in this case, no sensitive financial or flight information was stolen from the airline but the airline was forced to take its website down as a result of the attack thus disrupting its online operations.

Although credit card fraud is regarded as a serious risk by most airlines, the Deloitte Report found that only about 50% of the airlines had a formal system in place to track this fraud.

The weakness is being addressed, however. The new 2011 Cybersource Airline Fraud Survey found that in 2010, airlines lost a total of $1.4 billion due to online credit card fraud perpetrated through their websites, representing 0.9% of total worldwide online ticket sales. But these figures were 31% better than the findings from the previous survey in 2008.

Airlines are doing everything they can to address the problem of credit card fraud, and to comply with the Payment Card Industry Data Security Standards (PCI-DSS), a security standard developed in 2006 by the major international payment schemes to provide protection to their cardholders. Any organization that processes, stores or transmits cardholder data is required to comply with these standards.

Low Cost Airlines at Greatest Risk of Credit Card Fraud
Further work on the issue will progress matters even more. In particular, there is a need to assist airlines that have less experience of online sales. These tend to suffer from the highest rates of fraud as a percentage of sales. Low-fare airlines have the lowest rates of fraud, probably because of their online savvy and increased awareness that every cent counts.

Credit card fraud: Countermeasures by IATA
IATA does not collect statistics on online fraud, but is active in this area. It has developed the Perseuss program, which offers a secure platform where airlines can legally share information about known fraudulent activity. The data can be matched with airline sales data, such as e-mail addresses or IP addresses, to identify suspect transactions. Perseuss is a subscription service, and more than 60 airlines are now involved to various degrees.

“Some airlines have recouped the annual cost of Perseuss in just a few months,” says Christophe Kato, IATA’s Project Manager for the Perseuss program. “We don’t offer this service to make a profit. The value is to the community of users, and what they can bring to the table through their meetings and new relationships.”
IATA has also developed its own PCI-DSS program, which secures and protects BSP sales via agencies. Whenever a credit card is used, airlines must ensure their systems are in line with PCI-DSS.

“IATA plays a significant role in trying to prevent cyber credit card crime,” says Kato. “Ensuring that PCI-DSS is correctly implemented means the risk can be passed from the airline to the merchant.”
Detecting fraud is another important area. Some airlines use automated systems to do this; others tend to do larger numbers of manual checks. “It is really a question of trying to spot anything that is suspicious,” says Kato. “It is not an exact science. Some airlines have in-house fraud analysts, while others outsource to specialist companies. Risk scores can be applied to each transaction, and those with the largest risk scores can then be given manual checks.”

The terrorist cyberthreats to airlines
Terrorists don't just blow up planes, they also perpetuate terror on the airlines through the internet. A case in point is the recent hacking of an Israeli airline website by a Saudi Group.

Greater cyberthreats with new generation of aircraft
Losing money is one thing; losing lives is something else again. Cyber terrorism poses especially serious challenges for airlines that will be taking delivery of the new generation of aircraft. In some cases, it may even require airlines to rethink the structure of their security and IT divisions.

The International Civil Aviation Organization (ICAO) has identified cyber terrorism as a distinct threat to the aviation industry that needs attention. On 17 November 2010, a new ICAO Recommended Practice related to cyber threats was adopted and became applicable on 1 July 2011. It suggests that each ICAO Contracting State should develop measures to protect information and communication technology systems used for civil aviation purposes from interference that could jeopardize the safety of civil aviation. Vulnerability assessments relating to cyber security are recommended, with the objective of evaluating the efficiency of mitigation measures and identifying vulnerabilities from a threat-based perspective.

Chamindra Lenawa of Air Astana says the airline has a resilient system with several layers of defense. “Our main servers are at our operational hub in Almaty, but we have the core operational structure replicated on an offline copy in Astana,” Lenawa notes. “As for the data itself, we also have hot‑standby systems, which replicate the data of critical systems in the form of regular snapshots so that if for any reason the data becomes corrupted, we have standby systems that can be activated quickly.”

Cyber terrorism’s increasing threat to airlines has been enhanced by globalization and the ubiquity of the Internet. An attack on an airline’s IT systems can be regarded as cyber terrorism if it brings down or paralyzes any critical system. But this can extend to the more frightening possibility that it could actually cause damage to an aircraft.

“Many future efficiency gains will be based on network connectivity and electronic data exchange,” says Ken Dunlap, IATA’s Director of Security. “The new generation of aircraft will be much more interactive in terms of automated electronic data exchange than the present generation of aircraft. These new aircraft are being discussed as ‘all-electric’ models. It is not only the primary fly-by-wire flight controls; they will have a whole range of systems operating electronically, and data will be updated automatically in real time, rather than the static updating that takes place today.”

Ensuring that this data is transferred between the ground and aircraft securely is the challenge airlines must address. It is essential that all stakeholders in the civil aviation industry work together to ensure there are no glitches.

The movies come to life
“This is a relatively new concern for airlines,” says Pascal Andrei, Director of Aircraft Security at Airbus. “Conventional security threats, such as bombs, disruptive passengers, smuggled baggage, and cargo are already being managed effectively, although these are constantly evolving. Now airlines must learn to manage cyber threats.”
Cybersecurity: With new generation aircraft and the threats of cyber terrorism, future terrorists may not need to blow themselves up to inflict terror in the aviation industry

In the film Die Hard 2, an aircraft’s systems were fooled by cyber hackers into thinking it was flying 200 feet higher than it actually was, through resetting the instrument landing system.

Andrei says this is no longer merely a fictional scenario. “It is not just a matter of ensuring that the channels of data transmission are secure, but also of ensuring that the information transmitted through those channels is correct. Aircraft have to rely on external data coming into the aircraft. If that information is not correct, it could jeopardize the safety of the flight.”

Manufacturers deliver aircraft with security features embedded, but once the aircraft has been delivered, it is the responsibility of the airline to maintain that level of security throughout the life of the aircraft.
“Airlines need to understand the threat evolution associated with new IT technologies,” says Andrei. “These new technologies can be taken hostage. Airlines need to know what they need to do to protect and maintain the level of security on the aircraft itself, which is the last line of defense.

“With more and more open systems and electronic connections between the various stakeholders in the air transport industry, the risks are increasing,” he adds. “All applications have potential bugs, and this, coupled with the interconnectivity between the aircraft and the ground, creates the challenge.”
Opening the doors

The aircraft manufacturers have already started a dialogue with airlines about these matters, but much more needs to be done to bring other stakeholders into the discussions. Airbus’s annual Aircraft Security Users Panel (ASUP) meetings have been running—strictly behind closed doors—for several years now, bringing together the heads of security at airlines with Airbus. This year, for the first time, Boeing was invited to attend the ASUP meeting, and Andrei says that next year Bombardier and Embraer will also be invited.

Boeing understands the importance of collaborative efforts and is itself part of industry groups, such as the US Department of Transportation’s Rapid Response Team. “We are working with everyone in the aviation industry to develop recommendations for common industry-wide security standards,” says Toby Bright, Boeing Commercial Airplanes Executive Vice President of Sales. “We have no competitors when it comes to safety and security, only colleagues.”

In October 2011, at the IATA AVSEC conference, a panel discussion highlighted the importance of bringing more stakeholders into these sorts of talk. “Airlines, OEMs, airport operators, and air navigation service providers all need to be fully aware of the challenge of providing accurate information within secure communication channels,” says IATA’s Dunlap.

“Five years ago, I was spending most of my time on the physical aspects of airline security,” he continues. “Now I am spending the majority of my time on technology and data exchange issues. Whether it involves airport or aircraft security, the focus now encompasses the integrity of the data stream in addition to the physical aspects of the systems.”

This new outlook is why airlines may need to rethink their security and IT divisions. The way forward will blend a diverse mix of skills.

Dunlap says that airlines must optimize their organizations to provide secure electronic communications, not only for ground‑based systems, but also for electronic data exchange between their ground systems, airport systems, air navigation systems, and their aircraft.

“Does this come under the responsibility of the IT division or the Security division?” he asks. “Airlines are already dealing with these questions today.”

The answers are vital to the future of the industry. 

Work can be republished with attribution. Email Us africadomainnames@gmail.com


Email Us at FlightAfricablog@gmail.com
0 Responses
blog comments powered by Disqus

Post a Comment