Hacktion stations

The aviation industry relies extensively on computer systems for both ground and flight operations but, increasingly, they are becoming vulnerable to attack. Steve Knight looks at what precautions African airlines can take to create and maintain cyber security.

There is no doubt that computer systems are changing the way we all live and work – and never more so than in the aviation industry.
Some systems are directly relevant to the safety of aircraft in flight, others are operationally important, and many directly affect the service, reputation and financial health of the industry.
Despite the fact that Africa still has the lowest overall internet population penetration rate – just 28.7% in June 2016 – its airlines are competing in a global marketplace and have to be judged against international standards.
And, with the continent’s proven ability to leapfrog technologies, for example moving from little or no IT straight into mobile devices, aviation cyber security concerns are growing at a rapid pace.
So where does this leave some of the smaller African airlines, often under-resourced and struggling to keep their heads above water, and what can they do to protect themselves and stay secure in the modern technology minefield?
Cyber expert Oliver Pinson-Roxburgh, EMEA director for solutions architecture at Alert Logic, has a very clear view, particularly about the ground-based areas of security: “First things first, you need to decide what is the right level of security for your business and you need to know what is at risk,” he said.
“You should consider all processes involved that require you to collect, store, use and dispose of data.
“The next step is to consider how valuable, sensitive or confidential the information is and what damage could be caused if there was a security breach.”
Pinson-Roxburgh, who has worked in the security industry for 15 years, believes that understanding data is hyper critical – particularly as it allows organisations to become audit ready and on track to address the next steps for the General Data Protection Regulation (GDPR).
“The airline industry challenge is the breadth of sensitive data that is both accessed and maintained, as well as very large disparate networks being managed,” he said. “In addition, many airlines are innovating their approaches with mobile apps and online tools. As an organisation grows and uses different systems, so does its attack surface area.”
Pinson-Roxburgh was keen to warn against cutting corners on security. “If people were tempted – and I wouldn’t advise it for this type of industry – to adopt open source solutions, for example, the costs can seem minimal on the face of it but, overall, to manage and maintain they will get into the tens of thousands of dollars without factoring in staff to monitor the solutions on an on-going basis.
“Expertise to secure a network is normally based on the amount of in-sourcing businesses will do. To stand up to the attacks of today, lacking good analysts will affect your effectiveness to spot attacks and be able to respond to an incident.
“Again, if you look to in-source the detection, you will need intelligence teams to research the latest threats and ensure you have a fighting chance of keeping ahead of even the most basic low-level attacks.”
Some African airlines’ problems could be even more basic, according to Noel Hannan, cyber and digital innovation lead at GoSecure UK. His company is a subsidiary of C3IA Solutions, which is one of only 13 businesses to be certified by the UK Government’s new National Cyber Security Centre (NCSC).
“If we take the principles of confidentiality, integrity and availability as the three tenets of cyber security, then availability may well be the overriding requirement – or have the highest business impact – for an African airline,” he said.
“For anyone attempting to develop international and/or internal airline operations in-country, the desire to leverage information technology as a force multiplier is obvious. If a small organisation can manage its own scheduling, fleet maintenance, supply chain and online booking, in addition to interfacing safely with other organisations continent-wide and internationally, then it stands a good chance of survival in a hostile commercial environment.
“However, in practical terms, if system outages, for example, were to ground aircraft, revenue would quickly dry up. Typical sources of system outages could centre around power distribution, which is a continent-wide issue.
“Any airline would need to focus on the reliable distribution of power to its information systems, its locations and its facilities, as the highest priority.”
Additionally, heating, ventilation and air conditioning provisioning all need to be addressed, as failures in these services in the varied but uniformly demanding African environments would have a damaging effect on the availability of critical systems.
According to Hannan, technical issues, too, could affect smaller airlines.
“There is a predominance of old technology in use in Africa, which presents a significant challenge in terms of cyber security,” he said. “The technical vulnerabilities of unsupported operating systems such as Windows XP are well documented and would present a large attack surface to any aggressor. Additionally, external organisations, perhaps themselves beholden to European or US legislation, may be unwilling or unable to accept interfacing to such risky systems. Use of legacy technology could, therefore, isolate an organisation inside its own borders.”
Of course, in some other areas of the world, airlines would naturally look straight to cloud solutions. But would such solutions be available (and affordable) to an African company?
“Hosted outside the continent, this would certainly make elements of the availability problems go away,” said Hannan. “However, this would be limited to the offshore elements of the system. The client devices and local internet connectivity would still be subject to home-grown issues, and the provision of service would also be entirely dependent on availability of suitable bandwidth in and out of the country.”
He also pointed out that African companies were unlikely to have much internal government support in terms of cyber security, such as a national strategy, a national computer emergency response team (CERT), or a national technical authority to turn to for advice and assistance at times of crisis (Tunisia is a rare exception, with a CERT established for some time).
However, there is some help at hand. In 2015, the International Air Transport Association (IATA) published the second edition of its aviation cyber security toolkit to assist airlines in raising awareness and understanding the cyber risks to their organisations. The toolkit includes:
• A situational assessment of cyber security in the industry;
• An introduction to cyber threats;
• A framework for assessing risk; and
• Guidance material for setting up a cyber security management system.
The content will be included in this year’s edition of the organisation’s security manual.
IATA also runs three-day aviation cyber security workshops in various locations around the world – the next is in London on May 3, followed by another in Istanbul later the same month.
The organisation says that after completing this course people will be able to locate and prioritise cyber risks in their aviation businesses, deploy assessment tools for specific cyber-related risk, analyse their company’s cyber risk profile, recommend risk mitigation processes, and implement cyber security management system (CSMS) guiding principles within their businesses.