Air passengers’ growing desire for a seamless digital experience is putting airports at greater risk of cyber attack, a new study has found.
The report from PA Consulting, Overcome the Silent Threat, said that a “hyper-connected model” where passengers in airports wanted fast internet and digital engagement with airlines and retailers brought “a larger attack surface for cyber criminals to exploit”.
There were 1,000 cyber attacks each month on aviation systems in 2016, according to the European Aviation Safety Agency.
Last year, Latam Airlines and Ukraine’s Boryspil airport were indiscriminately hit by ransomware, and in 2016 Vietnam Airlines had to carry out its operations at airports by hand after hackers took down its website.
David Oliver, global travel security lead at PA, said: “There’s a steady trend of the customer being more demanding, expecting more and more connectivity and a more and more seamless experience and that puts the pressure on the airports to innovate . . . and integrate things in a way they wouldn’t have done previously.”
John Abel, senior business director at tech company Oracle, which provides cyber security services to the airline industry, said customers were creating “billions of data points” and this made securing systems harder: “Every connected device is increasing the amount of data we have to look at, so a human looking at the data can’t do it any more.”
In January, Munich airport opened an information security hub, bringing together the airport owner’s IT specialists with European aviation experts to develop strategies and approaches to defending against cyber attacks.
The PA report said developments such as smart boarding gates and biometric immigration controls increased speed and reliability but were “less mature” and “could also expose airports to new risks and unknown threats”.
It also identified other weak points, such as replacing humans giving pilots clearance to take off with digital instructions instead: a pilot could identify a suspicious voice command but perhaps not a message from a malicious source. “This will further increase the opportunities for cyber-terrorism activities through the issuance of false clearance messages,” the report said.
Aircraft now regularly broadcast their movements on the ADS-B system, and anyone with “an inexpensive receiver” could track their exact position. It is “a significant new security risk to airport operators”, said the report, which looked at four unnamed global airports.
The complex interaction of several data systems used by airports, including connections with other databases, increased risks, too. These “external vulnerabilities, third-party companies, may mean security is not in your control”, said Mr Abel.
Mr Oliver said he was surprised that cyber security was not taken as seriously as physical or personal security: “Cyber is mainstream in that it’s on the risk register at executive level but it wasn’t mainstream with the same priority as the physical was.”
Overcome the silent threat