The aviation industry’s collective response to threats posed by cyber threat actors targeting entities in the aviation sector has been under examination in recent years, and noteworthy data breaches, including those of airlines British Airways, Cathay Pacific and EasyJet, have also brought issues of data security in the sector to the forefront. Cyber threats pose major safety and security concerns to an industry that is dependent on the correct functioning of information technology (IT) and operational technology (OT), and any threat to their functioning could result in a catastrophic event. Concerningly, there has been a reported increase in the number of cyber attacks targeting aviation entities amid the ongoing COVID-19 pandemic – a global issue that has rocked the aviation industry, putting strain on resources, funds and capacity. The following article will examine this reported increase in cyber attacks and discuss why they might have increased during this period.
The sudden imposition of border closures, travel restrictions and lockdown measures in early-to-mid 2020 – which have continued to the present day – in efforts to prevent the spread of the coronavirus meant that most international and domestic passenger flights were abruptly cancelled. According to figures provided by the International Air Transport Association (IATA), global passenger traffic declined 65.9% in 2020 compared to 2019; specifically, international passenger traffic fell by 75.6% and domestic traffic by 48.8%. However, as passenger traffic fell, cyber attacks impacting the aviation sector were reported to have increased.
A ‘Think Paper’ published by Eurocontrol in early July 2021, using European Air Traffic Management Computer Emergency Response Team (EATM-CERT) data, highlighted that amid the pandemic, there has been an increase in reports of cyber attacks targeting the aviation industry. Significantly, there was a 530% increase in cyber attacks that were reported to or identified by EATM-CERT in 2020 compared to 2019, and 61% of these attacks targeted airlines. Notably, these figures represent only those reported to or identified by EATM-CERT, meaning an unknown number will have gone undetected and/or unreported.
It should also be noted that these figures apply to European aviation entities only; the figures for the rest of the world may vary regionally. While there is no equivalent data set for the global aviation sector, a survey conducted by Airport Council International (ACI) World of more than 100 airports found that 61.5% of the respondents had been targeted by cyber attacks in 2020.
Why target aviation?
The risk posed by cyber attacks to aviation entities varies depending on the threat actor, their motivation and their capability. State actors are a significant concern to the aviation sector as they possess the capability to create major disruption to operations. State actors may also use cyber espionage to pursue technological or commercial advantage. In recent years, there have been several examples of state-sponsored actors being implicated in cyber attacks and espionage targeting the aviation sector, including those backed by Russia, China and Iran.
Aviation entities are a highly desirable target for cyber attacks as they possess significant quantities of valuable data, for instance, passengers’ personal identifying information (PII), airport security arrangements and manufacturers’ avionics designs, which could be used for follow-on fraudulent activity and as leverage in extortion. Notably, even more data is being captured by entities, particularly airlines, amid the pandemic – such as health records, vaccination status and travel history – which will also likely be targeted for theft. Also, as part of critical national infrastructure, disruption to aviation operations through a cyber attack, such as a debilitating ransomware attack, could have much wider impacts beyond the aviation environment.
The aviation sector also comprises an extensive supply chain, which itself presents a number of risks and vulnerabilities that may be exploited by threat actors. There have been numerous examples over the past year of cyber attacks targeting third-party suppliers to aviation entities resulting in data loss incidents. A cyber attack targeting SITA – a leading IT provider for the air transport industry – which was acknowledged by the company in March 2021, resulted in data belonging to dozens of airlines being leaked, and the full extent of the breach is yet to be ascertained.
There are several possible implications for stakeholders from cyber incidents, such as loss of data, disruption to operations and financial impacts, including loss of revenue, fraudulent transactions, ransom payments and financial penalties by authorities. In October 2020, British Airways was ordered to pay a GBP 20 million fine by the UK’s Information Commissioner’s Office (ICO) for a data breach resulting from a cyber attack that occurred in 2018 – the fine was reportedly settled in early July 2021; however, the final balance is undisclosed. Additionally, data breaches can impact the reputation of an organisation, particularly if consumers feel their data is not being properly safeguarded.
Cyber attack types
The Eurocontrol paper, noted above, outlines the overall percentage of types of cyber attacks reported in 2020, the top three of which were data theft (36%), fraudulent websites (35%) and phishing (16%). Also highlighted is the increase in ransomware attacks, which affect one aviation stakeholder globally every week and accounted for 5% of attacks in 2020. In one such example, in March this year, it was reported that data belonging to US low-cost carrier Spirit Airlines was leaked on the dark web following a ransomware attack that has been attributed to the Nefilim ransomware group. Also, the Brazilian aircraft manufacturer Embraer was reportedly the victim of a ransomware attack in late 2020, resulting in sensitive data belonging to the company being leaked.
Conversely, the top three attacks reported by the ACI survey’s respondents were phishing (77%), malware (51%), and denial of service (21%). In February 2020, the US Federal Aviation Administration (FAA) issued a situation report highlighting that aviation personnel “working on COVID-19-related matters” are more vulnerable to COVID subject-based phishing emails. Phishing emails can be difficult to detect given the efforts made by cyber criminals to ensure they look legitimate. Additionally, the imitation of known organisations in the sector and the use of sector-specific terminology makes recipients more likely to be deceived by a phishing email.
Phishing attacks have not only been directed at aviation entities amid the pandemic but also their passengers. Last year, Dubai-based Emirates warned of threat actors using the airline’s name in phishing email attacks targeting passengers claiming to offer refunds for cancelled flights. The incident came at a particularly pertinent time as air operators were increasingly using email communications to keep travellers informed of flight updates in relation to the evolving pandemic.
Why have cyber attacks increased?
Whilst an improvement in the detection of potential cyber attacks and incident reporting, as a result of increasing cyber awareness, likely contributed to the increase in reported cyber attacks in 2020, these factors will not have accounted for the significant increase and as such, this is likely largely due to a rise in cyber attacks being conducted.
There is no single reason for the reported increase in cyber attacks amid the COVID-19 pandemic; rather, it is the result of several factors. Notably, the pandemic has forced entities, not limited to aviation, to alter their business practices. This means technology is being used in ways businesses may not be familiar with, and therefore their cybersecurity systems may not be adequate to defend against attacks. In the past year, several virtual private network (VPN) services, which have become vital for many organisations to allow employees to work remotely during the pandemic, have been targeted by cyber attacks and breaches. In April, US-based cybersecurity company Mandiant, a subsidiary of FireEye, released a report in which they claimed that Chinese hackers are believed to be responsible for hacking into VPN software as part of efforts to access the networks of US defence industry companies.
An insight report, which was published in April 2021 by the World Economic Forum (WEF) and Deloitte with input from multiple aviation experts, indicates that the impact of the pandemic, including the significant reduction in passenger flights, has forced entities to reallocate funding and resources to operations that ensured business continuity. This, in turn, means that funds apportioned for cyber security are likely to have been reduced at a time cyber criminals have attempted to exploit vulnerabilities created by the pandemic.
Additionally, the aviation sector is continuously innovating and developing new technologies to increase the safety of flight operations and to improve the overall flying experience. However, the WEF and Deloitte report highlights that that “rapid innovation” and the continuous development of technology puts the sector at increasing risk of future cyber attacks. Notably, the pandemic has driven the development of biosafety technology, including digital systems to verify passengers’ COVID-19 vaccine status. There have already been examples of cyber attacks targeting the health sector, which has had impacts on aviation, particularly related to digital COVID-19 vaccination certificates. Such technology was developed under certain time pressures, and this itself raises concerns for cyber security as potential vulnerabilities may have gone undetected as a result of rushed quality-checking processes.
The noted rise in cyber attacks amid the COVID-19 pandemic highlights developing concerns within the aviation industry regarding the threat posed by cyber attacks targeting entities in the aviation sector. While the Eurocontrol paper notes that there has been no reported impact on flight safety as a result of a cyber attack, the potential for such a risk remains, particularly from sophisticated threat actors – including those that are state sponsored – that possess the capability to conduct an attack that could result in significant disruption.
Over the coming year, the aviation sector, particularly cargo operations, will continue to play a significant part in the successful delivery of COVID-19 vaccinations to countries around the world. Cargo flights, unlike passenger flights, have largely been exempt from travel restrictions imposed in response to the pandemic, given the importance of air freight in the carriage of medical supplies. However, the production and distribution of vaccines has become both a target for criminals and a means for geopolitical rivals to exercise soft power, and the aviation sector – along with other sectors involved in the vaccine supply chain – are therefore increasingly likely to be targets of illicit cyber activity. Indeed, in December, the US technology firm IBM reported that it had uncovered a global cyber-espionage phishing campaign targeting the COVID-19 vaccine ‘cold chain’, including organisations involved in the transport and storage of vaccines.
Furthermore, it is likely that the upward trend of attacks targeting the sector will persist as the pandemic continues to evolve. As further technology is developed to assist in safe travel, such as solutions to verify COVID-19 vaccinations, this will also create new targets for cyber criminals. It is therefore more important than ever that stakeholders prioritise cyber security and take immediate action to protect their information and operational technology.