Hand on your heart: when was the last time your company ran a cyber-attack simulation? Would you know what to do if your company got hacked? Who to contact? How to react? What to tell the media and how to respond? Cyber-crime is on the rise – and aviation and air logistics are prime targets for a multitude of reasons, from boredom to malicious intent, data-theft, sabotage, intelligence, and, and, and... The list goes on. So, does your company have a strategy in place when it comes to Cyber-security, or is it high time now to get things moving?
Cyber-crime has a lot in common with Covid-19. Not simply from a basic virus perspective, since cyber-crime covers much more than simply ransomware, but from the aspect that it is an invisible
threat that may or may not happen, and if it does, its effect has very varying degrees of severity. Cyber-crime knows no boundaries and has a global reach. From that point of view, it has much in
common with the air logistics industry, too.
Aviation is a prime target for cyber-criminals, given the mass of data (and physical goods/people) that flows through the supply chain – be it passenger services or cargo. According to an analysis carried out in 2019 by Thales and Verint (who publish The Cyberthreat Handbook), the aerospace sector is now the fifth most targeted sector for cyber-attacks. In MAY20, easyJet reported that it had been the victim of a “highly sophisticated” cyber-attack wherein email addresses and itineraries were hacked providing access to the credit card details of 2,200 travelers, and opening the door to fraudulent email correspondence, identity theft, and illegal online purchases.
In the previous two years, British Airways, Cathay Pacific, Delta Airlines, LOT, Bristol Airport, ST Engineering Aerospace, to name but a few, all suffered similar fates. The latest breach affected India’s largest airline, IndiGo, in DEC20. “There is a possibility that some internal documents may get uploaded by the hackers on public websites and platforms,” IndiGo said in a statement. “We realize the seriousness of the issue and are continuing to engage with all relevant experts and law enforcement to ensure that the incident is investigated in detail.”
Needless to say, this sort of exposure is highly detrimental to a company’s image, shares, and future (not to mention the resulting damage to all individuals whose data have been laid bare) – given that aviation by its nature is built on the trust that safety and security are ensured at all times.
Threats, bets, and jets…
The current Covid-19 crisis is a threat in more ways than one. On the one hand, furlough and working from home increase a company’s vulnerability, as information access is taken out of the normal office environment to a less secure network, plus the “human firewall” loses some of its already fragile effectivity*. A Malwarebytes analysis reported in mid-2020 that “since the start of the pandemic, remote workers have caused a security breach in 20% of organizations.”
On the other hand, with so many people in lock-down and bored – or even frustrated internal staff - the attraction of hacking into a system also increases. Hacking on a bet is just another aspect in a very varied scope of cyber-attack possibilities which range from phishing all the way through to cyber-terrorism – infiltrating avionics and bringing down planes. (*ENISA published a paper on 09DEC20 illustrating the top 15 cyber-threats, which shows an increased threat from “insiders”). Add to this, the hugely important and potentially highly lucrative Covid-19 vaccine logistics supply chains coming into operation, and another very clear security risk opens up: one that IBM already alerted authorities to at the end of NOV21, saying it had uncovered “a global phishing campaign” focused on organizations associated with the cool-chain supply process, urging governments and involved parties to be vigilant.
The human firewall – the weakest link
Pina Melchionna, president of the Canadian Institute of Traffic and Transportation, participating in a Canadian Security Intelligence Service (CSIS) industry briefing on the vaccine security threat in DEC20, stated "A chain is only as strong as its weakest link and I think that absolutely holds true for the supply chain. The project vaccine deployment is so large and involves so many organizations working against aggressive timelines that I think bad actors are hoping to capitalize on sloppiness in the supply chain. And [the] supply chain is very data-rich."
While the IBM phishing discovery involved fraudulent emails being sent in the name of a high-ranking Haier-Biomedical executive, the ransomware attack by Hades on road-feeder Forward Air’s operational and information technology systems in mid-DEC20, illustrated the knock-on effects such an attack can have. Forward Air was forced to halt IT processes and move to manual handling, causing huge delays in data and shipment handling across its supply chain from shippers to airports.
Close the gate after the horse has “boarded”…
Unfortunately, there is no such thing as a “zero risk” level to be reached when it comes to cyber-security, and the many actors along the air cargo supply chain, mostly with their own IT set-ups and interfaces, pose a multitude of risks in the same way as the growing tendency to shared information platforms and greater transparency. Whilst, first and foremost, companies should be highly selective in their IT and partnership decisions, ensuring “security by design” as well as “security by life-cycle” (You can learn more about this in a Flightglobal webinar held on 02DEC20: https://www.flightglobal.com/on-demand-webinars/cyber-proofing-your-organisation-the-new-challenges-for-the-cso/140842.article ), which basically means that all processes should have security as a core design focus, and that this security is ensured for the lifespan (often one to two decades) of the product or process, the ultimate objective is to work on the weakest link, which is generally “the human firewall”.
In a 2020 mimecast report, 51% of organizations had suffered a ransomware attack leading to an average of 3 days’ downtime, yet only 1 in 5 organizations offer monthly awareness training to staff. Training and awareness is paramount to an improved cyber-security strategy. Most importantly, companies should ensure that they have a clear crisis strategy in place and that all staff know what steps are to be followed in the event of a cyber-attack. All possible (and impossible) scenarios should be considered in advance, along with mitigation plans and decisions to ensure minimum damage and ongoing smooth operations. And that mitigation plan should include media management to avoid a negative aftermath, too.
So, how hot is your cyber-security?
We always welcome your comments to our articles. However, we can only publish them when the sender name is authentic.