It may have only lasted for an afternoon, but a recent meeting of key figures in Australia’s cyber and aviation industries highlighted the potential cascade of events that could quickly unfold if a cyber attack on an Australian airport – or, worse still, airplane – were successful.
In a complex, finely-tuned industry where a single unchecked bag can cause massive disruptions, the prospect of a successful cybercriminal attack on an airport – in which check-in systems might be disrupted, planes delayed, air traffic control disrupted, perishable or essential supplies delayed, or even physical signalling manipulated – is keeping authorities up at night.
Just a few weeks ago, more than two dozen government, airline and airport representatives and Australian Federal Police officers gathered to talk through the likely response in a wargaming exercise – one of a series of ongoing exercises driven by Minister for Cyber Security Clare O’Neil – that explored potential vulnerabilities in airports’ cyber defences.
Practicing a potential “nightmare scenario” is crucial to a quick response in the event of a successful breach, Department of Home Affairs deputy secretary of cyber and infrastructure security Hamish Hansford told the Sydney Morning Herald.
“When an incident like this happens in real life, we need a plan in place that’s exercised rather than thinking it through for the first time.”
Each segment of the industry has its own appetite for risk management and cyber security protections, but by identifying key players and surfacing the issues beforehand, Australia’s cyber authorities are hopeful they can make critical infrastructure organisations better prepared to act quickly and decisively in the event of a national cyber emergency.
And while Australia may never have suffered a major cyber breach of key aviation interests, it’s not for lack of trying: as recently as March, members of pro-Russian hacker forum Killnet were threatening to target 10 Australian airports as part of a distributed denial-of-service (DDoS) campaign that had already hit a range of university websites.
The EATM-CERT Aviation Cyber Events Map, which tracks reported incidents affecting the worldwide industry, has already documented 41 cyber attacks facing the aviation industry in the first half of this year, compared to 78 incidents during all of last year and 48 in 2021.
As cyber criminals ramp up their campaigns against a sector that is fighting to recover from the three extremely disruptive years of the Covid-19 pandemic, such instances are continuing to play on the minds of aviation industry figures challenged by the industry’s sheer size, interconnectedness, and complexity – which leaves everything from operational systems to frequent flyer programs exposed in different ways.
Airlines recognise the importance of securing customer data, Delta Air Lines senior vice president and chief communications officer Tim Mapes told a CES 2023 forum earlier this year, with cybersecurity crucial to ensuring airlines earn and maintain customer trust.
“It’s the lifeblood of our ability to provide customer service,” Mapes explained. “The more we might know about you, the more likely we are to get you the best offer or best service.”
But to deserve that trust, he continued, “it takes everything from investing in cybersecurity and all of the infrastructure that makes it safe, to seeing that you as a customer get a return on your investment when you trust Delta with that bit of information.”
Building a cyber resilient global industry
The disruption of the pandemic has been fingered as a key reason cyber issues have become so fraught: with airlines and airports investing heavily in technology-driven innovation to reinvent the customer experience, the UN’s International Civil Aviation Organisation (ICAO) has warned that “digital advances exposed the sector to cybersecurity threats across all stakeholders.”
“The civil aviation sector is global by nature, and so is the interaction of systems and data flows that transcend national borders and individual organisations,” the agency noted, with a formal UN resolution last year urging member states to “design and implement a robust cybersecurity culture”.
This includes broader sharing of cyber security threat intelligence, and collaboration on the development of a “horizontal, cross-cutting and functional approach” that spans aviation safety, aviation security, facilitation, air navigation, communication, surveillance, air traffic management, aircraft operations, airworthiness, and other disciplines.
ICAO has also encouraged adoption of its formal Aviation Cybersecurity Strategy and Cybersecurity Action Plan (CyAP), which lays out 32 priority actions and 51 tasks that it believes will improve members’ cybersecurity postures.
The 2010 Beijing Convention (Convention on the Suppression of Unlawful Acts Relating to International Civil Aviation) and 2010 Beijing Protocol (Protocol Supplementary to the Convention for the Suppression of Unlawful Seizure of Aircraft) offer “means for dealing with cyber attacks against civil aviation,” ICAO has noted in encouraging member states to work together on the issue.
With new postgraduate degrees now specifically focused on aviation cybersecurity, the industry is regrouping to build out the cyber skills pipeline to support its response, even as industry bodies increasingly play a role as well.
Industry body the International Air Travel Association (IATA) has offered its own guidance on cyber security strategies, with formal policies addressing cyber security risk assessment and supply chain oversight – a key issue whose importance has been highlighted in every sector, most recently by financial services regulator APRA.