AIRLINE VULNERABILITIES TO A CYBER-ATTACK AND THE POTENTIAL CONSEQUENCES

by Alex Millet

A Thesis Submitted to the Faculty of Utica College, August 2015, in Partial Fulfillment of the Requirements for the Degree of Master of Science in Cybersecurity

© Copyright 2015 by Alex Millet

All Rights Reserved


Abstract

A cyber-attack on an airline not only cripples the airline, but also has an impact on individual travelers. The purpose of this research is to understand how a cyber-attack would affect an airline's reservations and operations system. The research is important, as there has been an increase in cyber-attacks against airlines. The research provides information on airlines that have been targets of cyber-attacks, the impacts the airlines have incurred, and the vulnerabilities exposed due to the attacks. In addition, the research provides information on the Federal Aviation Administration's (FAA) Next Generation Air Transportation (NextGen) implementation and its vulnerabilities. This research provides awareness of the current implications of a cyber-attack and actions by attackers.

Keywords: Cybersecurity, Professor Cynthia Gonnella, Aviation, ADS-B


Acknowledgements

I would like to acknowledge the dedication of my professors in the cybersecurity department at Utica College. These individuals have not only helped me in each course of the program, but have also shared their wealth of knowledge from their respective fields. I would also like to thank my capstone professor, Professor Cynthia Gonnella, and her teaching assistant, Professor Carmen Mercado, for their mentoring throughout this process. To my editor, Mark Low, thank you for your assistance. A special thanks to my second reader, Tracy Cummings, a professional within the aviation industry whom I have had the pleasure of working with and who has encouraged me throughout my career and during this capstone. Finally, I want to thank my family, friends, and especially my partner, who have supported me on a personal level. I am fortunate to share with them one of my biggest accomplishments in life.

Table of Contents

List of Illustrative Materials
Airline Vulnerabilities to a Cyber-Attack and the Potential Consequences
  Definition of the Problem
  Deficiencies in What is Known
Literature Review
  Challenges With Passenger Data Breach
    Amtrak
    Cunard Cruise Lines
    US Airways
    United Airlines and American Airlines
    United Airlines
  Potential Infrastructure Breach Points
    USB Storage Device
    Email
    Phishing
    Eavesdropping
      Man in the middle
      Denial of Service
      DDoS
    Protocols
      TCP/IP
      HTTP
      TLS and SSL
    Viruses
      Love Letter/I Love You
  Operational Impact
    Sony
    FAA
    Air Canada
    ADS-B
    Polish Airlines
    Ctrip.com International
    American Airlines
    Britain Civil Aviation
  Potential Revenue Loss
Discussion of Findings
  Data Breach
    Inside sources seen as a threat
    Potential Breach Points
  Operational Impacts of a Cyber-Attack
    Cyber-attack Revenue Impact
  Limitations
  Recommendations
    Passenger data
    Network infrastructure
    Software vulnerabilities
    Disaster recovery
Future Research Recommendations
Conclusion
References

List of Illustrative Materials

Figure 1 – Equipment Roberts allegedly used seized by the FBI
Figure 2 – Security begins with the implementation
Figure 3 – Malaysia Airlines website
Figure 4 – Installed ADS-B

Airline Vulnerabilities to a Cyber-Attack and the Potential Consequences

In 2013, airlines transported approximately 738 million passengers (Federal Aviation Administration [FAA], 2015). Passengers are not aware of the cyber-threats airlines face to keep operations running smoothly. Cyber-threats can cause an airline to cease its operations at a moment's notice. The repercussions of a cyber-attack can affect not only the airline but also the passenger traveling or set to travel. An airline can prevent these threats by implementing a robust system. However, many have not taken a holistic view of all types of threats to their Information Technology (IT) infrastructure. Airlines need to understand threats, define the types of threats, and assess the risks of a cyber-attack. The purpose of this research was to recognize how a cyber-attack would affect an airline's reservations and operations system. The following questions address the evaluation of this kind of threat: What challenges may airlines face with a breach of passenger data? What are the potential infrastructure breach points? What operational impact may occur during system outages? What potential revenue loss can occur due to system outages and passenger data breach?

The aviation industry’s initial response to cybersecurity and safety was:

Cyber security has been identified as a high-level impediment to the implementation of the Global Air Navigation Plan. The term “cyber security” encompasses the protection of electronic systems from malicious electronic attack and the means of dealing with the consequences of such attacks. It comprises managerial, operational, and technical activities, and relates to the electronic systems themselves and to the information held and processed by such systems. Currently cyber security is a relatively minor issue in civil aviation, but this is changing. New technologies are being adopted which are intrinsically more vulnerable to cyber-attack and which collectively increase the impact from such attacks. (International Civil Aviation Organization, 2012, p. 1, para. 1)

Definition of the Problem

A breach of passenger information can lead hackers to identify individuals and compromise their identity. Jeff Goldman, a contributing writer for Security Planet, has authored articles related to cyber-attack breaches. In a 2012 article, Goldman wrote about passenger Ben Sedat from Tinfoil Security, who encountered a breach in data. Sedat discovered that a passenger manifest became available during the booking process. After the breach, United Airlines confirmed the issue, identified it, and corrected it (Goldman, 2012). This kind of breach can cost airlines more in financial losses and potential lawsuits than the time it would take them to test their systems and find bugs. Airlines collect passenger information in their systems to create the Passenger Name Record (PNR). The PNR information can include name, address, date of birth, passport number, and flight itinerary (International Civil Aviation Organization, 2012).

Airlines' IT infrastructures have potential breach points, including corporate headquarters and airport locations. These breach points can consist of corporate routers, servers, and even local workstations. For example, an employee can unknowingly have a USB storage device infected with a virus. Once the device is introduced to the network, it can potentially give hackers entry into the network. The virus allows hackers to infiltrate other areas of the network, searching for data or potentially causing a system outage as a result of the intrusion. Internal servers may contain information about revenue gains or losses, flight scheduling information, and plans for the airlines' growth.

Insider threat is another means for a breach. The threat can originate from disgruntled employees or separated employees who have not had their access revoked. Carnegie Mellon's Computer Emergency Response Team (CERT) defines insider threat as:

current or former employee, contractor, or business partner who has or had authorized access to an organization's network, system, or data, and has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems. (Silowash et al., 2012, p. 2, para. 5)

Airlines rely not only on passengers purchasing tickets, but also on passenger processing systems and flight dispatch systems. Airlines have a variety of systems deployed to assist with passenger travel. Some of the most common systems are Sabre, Apollo, and Amadeus. In general, airlines depend on their reservations and flight dispatching systems to be operational 99.9 percent of the time. According to Sarah Kennedy, Director of Sabre Labs, “Sabre Labs struggles with this as a team already, mainly because we are used to the expectation of excellence our core businesses rightfully demand in all they do for our customers. 99.9% uptime is no joke” (Kennedy, 2013, “Overcoming Egos Publishing Not,” para. 1). An airline system running at optimal performance allows passenger processing and dispatching of flights to meet their performance metrics. An outage of either or both will cause ripple effects throughout the airline's entire network.

Outages such as power failures, corrupted software, bad hardware, or human error will leave passengers stranded and flights grounded, causing revenue loss and, if not resolved in a timely manner, the possibility of bankruptcy. Scott Mayerowitz and Barbara Rodriguez, reporters for the Associated Press, have authored general articles on airlines and travel. In 2011, Mayerowitz and Rodriguez reported that United Airlines had experienced a system failure causing the airline to cancel 36 flights and delay 100 other flights (Mayerowitz & Rodriguez, 2011). Similarly, Susan Carey, a Wall Street Journal reporter on the airline, aviation, and aerospace industries, reported that Alaska Airlines had experienced a significant system outage in March 2011. The system outage affected 12,000 passengers and caused the cancellation of 150 flights (Carey, 2011). These disruptions are examples of revenue loss to the airline industry resulting from disruption of service and operations.

Revenue loss caused by a system outage can affect an airline’s profitability. The airline is not responsible for passenger accommodations when the disruption is due to a system outage. For example, Virgin Blue Airlines experienced an 11-day system meltdown at its system provider, Navitaire, that cost the airline more than $14 billion (Asia in Focus, 2010). Alexander Anolik, a travel and tourism lawyer and general counsel to the Association of Retail Travel Agents, explained that airlines provide services information on their websites under the “Contract of Carriage.” The contract of carriage is where airlines define policies and practices (Anolik, 2013). The emergence of social media is beginning to influence how travelers perceive airlines through their experiences. Social media, if not monitored, produces reputational risks. In the end, social media and the airline’s reputation play a role in how airlines handle delays and cancellations that affect passengers.

Deficiencies in What is Known

Cyber-attacks are an ongoing issue. However, attacks on an airline’s passenger processing and operations system can open a new wave of attacks. In 2015, Cale Guthrie Weissman, cybersecurity and tech-politics reporter for Business Insider, reported on a 19-minute YouTube video named “By Land, By Sea, By Air.” The video, created by security researcher Chris Roberts, described the methods Roberts used to hack into an airplane (Weissman, 2015). The video report shows how easy it was for Roberts to connect to the plane’s internal systems.

The vulnerability exploited by Roberts is cause for alarm, as the video shows how little knowledge there is on how to prevent this kind of breach. The breach also illustrated how the aircraft's internal systems are easily accessible and not isolated from public access. Hackers using this knowledge can use airplanes for malicious acts, and the breach demonstrated deficiencies in the research. One example exploited by Roberts was the ease of access to the airplane’s computer system. How to prevent this kind of breach needs further research. At some point, hackers will likely move to other areas of the airline, such as flight dispatching systems or reservation systems, in turn affecting the airline's operation and passenger information. Figure 1 shows the equipment seized by the Federal Bureau of Investigation (FBI).

Figure 1. Equipment Roberts allegedly used seized by the FBI (Paul, 2015, “Update: Hacker on a,” para. 1).

Another area of concern relates to an infrastructure where firewalls and security measures lack proper implementation or maintenance. Michael H. Elliot, contributing editor for Scientific Computer, wrote in 2015 that security begins when networks have proper segmentation with firewalls, virtual local area networks (VLAN), and demilitarized zones (DMZ). First, installation of firewalls secures network communication between internal networks and other networks such as the Internet. Second, once firewalls are in place and traffic rules are set, configuring VLANs adds an extra layer of protection. VLANs allow devices to communicate with one or more local area networks (LANs) as if connected to the same wire, after which implementation of a DMZ can occur. Lastly, a DMZ allows server placement on isolated networks. This kind of segmentation will add an extra layer of security between the public access servers and the internal network (Elliot, 2015). Figure 2 illustrates an example of a system security implementation.

Figure 2. Security begins with the implementation of a DMZ. Three main areas of focus are illustrated: network and Internet security, backup and disaster recovery, and physical and operational security (Elliott, 2005, “Secure it or Lose,” para. 3).
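The segmentation described above (firewall rules first, then zones, then a DMZ in front of the internal network) can be checked mechanically. The following is an added example, not part of the thesis: a small audit that flags firewall rules letting traffic bypass the DMZ. The subnets, ports, policy and both rule sets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from itertools import product
from typing import Optional

# Constructed zone plan (assumption): one VLAN/subnet per protected zone.
# Any address outside these subnets is treated as the Internet.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),       # public-facing servers
    "internal": ipaddress.ip_network("10.10.0.0/16"),  # internal network
}

# Constructed policy (assumption): the only cross-zone flows that may be allowed.
# Traffic that originates in the internal zone is not restricted by this audit.
POLICY = {
    ("internet", "dmz"): {443},    # public HTTPS to the DMZ web tier
    ("dmz", "internal"): {5432},   # DMZ application to one internal database port
}


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    port: Optional[int]   # destination port, None means any port


def zones_touched(cidr):
    """Return the names of every zone that a CIDR block can contain hosts from."""
    net = ipaddress.ip_network(cidr)
    touched = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        touched.add("internet")  # block extends beyond the protected subnets
    return touched


def shadowed(rule, earlier):
    """True if an earlier deny rule matches everything this rule matches."""
    src, dst = ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)
    for prev in earlier:
        if (prev.action == "deny"
                and src.subnet_of(ipaddress.ip_network(prev.src))
                and dst.subnet_of(ipaddress.ip_network(prev.dst))
                and (prev.port is None or prev.port == rule.port)):
            return True
    return False


def audit(rules):
    """Return (rule number, src zone, dst zone, port) for each policy violation."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "allow" or shadowed(rule, rules[:i]):
            continue
        pairs = product(sorted(zones_touched(rule.src)), sorted(zones_touched(rule.dst)))
        for src_zone, dst_zone in pairs:
            if src_zone == dst_zone or src_zone == "internal":
                continue
            allowed_ports = POLICY.get((src_zone, dst_zone), set())
            if rule.port is None or rule.port not in allowed_ports:
                findings.append((i + 1, src_zone, dst_zone, rule.port))
    return findings


# Constructed rule sets, evaluated first-match-wins like a typical firewall.
WEAK_RULES = [
    Rule("allow", "0.0.0.0/0", "192.0.2.0/24", 443),
    Rule("allow", "192.0.2.0/24", "10.10.0.0/16", None),   # DMZ reaches everything inside
    Rule("allow", "0.0.0.0/0", "10.10.5.20/32", 3389),     # direct path past the DMZ
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]
HARDENED_RULES = [
    Rule("allow", "0.0.0.0/0", "192.0.2.0/24", 443),
    Rule("allow", "192.0.2.10/32", "10.10.5.30/32", 5432),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(rules))
```

The shadowing check only recognizes a deny rule that fully covers a later allow rule; partial overlaps are still reported, which errs on the side of a finding.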

By examining the effects of cyber-attacks that have occurred against airlines and comparing them to conventional attacks such as kinetic attacks and espionage, researchers can identify points of interest attackers will most likely look to target. As technology advances and airlines look to increase passenger count and increase revenue, security awareness must also increase. A cyber-attack can occur if airlines are not careful with their infrastructure and do not have policies in place. The safety of air passengers and the security of their personal information are critical to the airlines.

Literature Review

A thorough knowledge and keen awareness of cyber-threats against an airline, together with an understanding of the key aspects of cybersecurity and Internet protocols, can help mitigate and prevent the damage done by an attack. According to James A. Lewis, Ph.D., Director and Senior Fellow, Strategic Technology Programs, “There is extensive data on power outages, flight delays and communications disruptions that occur normally and the consequences of these routine failures can be used to gage the effect cyber-warfare and cyber-terrorism” (Lewis, 2002, p. 1, para. 4).

Challenges With Passenger Data Breach

An airline's reservation system holds all of the passengers’ information, including date of birth, address, and form of payment (International Civil Aviation Organization, 2012). Travelers who become potential passengers on airlines make their bookings via a multitude of websites or by calling the airlines’ reservation center. Developing and implementing security policies and guidelines can prevent data breaches caused by cyber-attacks or accidents caused by employee misuse of systems. Data breaches experienced by Amtrak, Cunard Cruise Lines, US Airways, United Airlines, and American Airlines are a few examples of recent cyber-attacks where attackers had access to breached personal consumer data.

Amtrak. A passenger data breach caused by employee misuse of access brings to light the question of whether internal controls exist to prevent this type of data breach. In 2014, Amtrak’s investigation concluded that a secretary sold passenger information to the United States Drug Enforcement Agency (DEA) starting in 1995. The DEA paid the secretary a total of $854,460 during that period. The data given to the DEA included each traveler’s name, credit card number, passport number, and date of birth (Office of Inspector General, 2014).

Cunard Cruise Lines. In 2012, Dori Saltzman, a news editor and journalist in the travel industry, reported that an employee at Cunard Cruise Lines sent an email with an attachment that included 1,225 passengers’ booking reference numbers, names, and email addresses (2012). Cunard confirmed this was unintentional and issued new booking reference numbers to all travelers exposed to the breach. The email contained the heading “Emergency Notification Urgent,” which indicated that due to problems, Cunard would send new booking reference numbers via email in the next 48 hours (Saltzman, 2012).

US Airways. Kelly Jackson Higgins, executive director and a technology and business journalist, published “Thousands of US Airways Pilots Victims of Possible Insider Data Breach,” where she reported that in October 2009, a group named Leonidas leaked 3,000 US Airways pilots’ personal information. The leaked data included names, addresses, Social Security numbers, and passport information (Higgins, 2011). The US Airline Pilots Association (USAPA), which represents 5,200 US Airways pilots, has worked with the FBI on the breach. USAPA believed that a labor dispute between what was once American West pilots and current US Airways pilots appeared to be the reason for the data leak (Higgins, 2011). The USAPA provided all pilots 12 months of LifeLock’s identity theft program.

United Airlines and American Airlines. Melanie Watson, an Internet marketing executive, contributor for IT Governance, and cybersecurity author, reported that United Airlines and American Airlines both experienced a data breach when they each discovered the theft of frequent flyer miles from passenger accounts by a third-party vendor. Approximately 10,000 frequent flyer accounts were hacked and trips were booked with the stolen miles (Watson, 2015). The two incidents, which occurred on separate occasions, should cause concern, as hackers compromised passenger information.

United Airlines. United Airlines found a data breach after launching an internal probe. The internal probe began after a hacker group breached government data that included information on government employees and insurance holders. United Airlines detected the attack on their system in May or June of 2015. The attackers breached data containing passenger movement throughout United Airlines routes. United Airlines reported no relationship between this breach and the June and July 2015 hack related to the network outages that grounded their entire fleet (RT, 2015).

Airlines need to ensure not only that their own networks are safe, but also that third-party vendor systems are safe. A passenger data breach allows hackers to enter the airline’s website reservation system and book travel reservations with the compromised passenger data. Exposure to an attack due to a third-party vendor’s poor security practices creates brand damage, additional work in creating accounts and restoring miles, and the possibility of financial losses (Watson, 2015).

Potential Infrastructure Breach Points

Airlines have public-facing websites that allow customers to book their reservations. The web servers, if not correctly updated and patched, can leave holes for a cyber-attack. Karen A. Forcht, professor in the Department of Information and Decision Sciences, and Richard E. Fore have authored general articles on security and the Internet. In 1995, Forcht and Fore wrote that Distributed Denial of Service (DDoS) attacks could render a network or computer resources unavailable for the intended audience to use. As no single entity has authority over the Internet, no policies exist to secure the traffic over the Internet (Forcht & Fore, 1995). Infrastructure breach points include, but are not limited to, devices, infected emails, network attacks, and electronic communication from disguised entities.

USB Storage Device. Neil J. Rubenking, a technical editor for PC Magazine, authored “An Evil USB Drive Could Take Over Your PC Undetectably.” In his article, Rubenking stated that users store and share files with a USB storage device but do not scan the USB device to remove the malware, if any. When the user inserts a USB storage device into a computer, the computer reads and then auto-runs executable files. Dangerous malware on the USB storage device will execute, infect the computer, and spread (Rubenking, 2014). Antony Savvas, a technology journalist and contributor for ComputerworldUK.com and author on enterprise and consumer IT, explained that once the malware has started, it would begin to replicate and re-infect the computer at every reboot (Savvas, 2010).

Email. Email is a low-cost medium that hackers can use to send spam. Spam emails are emails sent to a large number of recipients that resemble those sent from legitimate companies. Email can contain unknown threats if the user opens an attachment or clicks on links inside the email. A few ways to prevent email malware infection at work are not opening any unsolicited email, saving the attachment instead of opening it, running a virus scan prior to opening the attachment, marking items as junk mail, and not using work email addresses (Targeted News Service, 2011).

Phishing. Phishing not only comes in email form, but it also comes in the form of faxes and letters via postal mail. Consumers received a letter in the mail stating they had won airline tickets. The criminals embedded the printed letters with real airline logos and included what appeared to be the office address of the airline’s headquarters. The criminals also included the URL link to the airline’s legitimate website. Further, the letter congratulated the consumers and included a phone number to call and redeem the tickets (US Fed News Service, Including US State News, 2012).

Eavesdropping. Eavesdropping occurs by using a radio that can operate at 1090 MHz in combination with an open source ADS-B receiver. A terrorist can use eavesdropping to their advantage, as they can tap into an aircraft's communication. The terrorist is easily able to determine the exact location of the aircraft and cause a flight to deviate by injecting false information to flight crews. Terrorists perform this by using simple radio frequencies, allowing them to bring down an aircraft and potentially cause loss of life. Eavesdropping alone is harmless; however, it is the groundwork for a more refined attack. The lack of full encryption makes discovering eavesdropping not just difficult but impossible (Barreto, Kacem, Costa, & Wijesekera, 2014).

Man in the middle. Causing confusion for air traffic control is another goal of a hacker. Man in the middle gives the hacker using the eavesdropping method mentioned above the ability to alter captured data packets transmitted by the aircraft. Once the hacker has altered the data packets, the hacker sends the altered data to air traffic control, providing false information and creating mass confusion (Barreto et al., 2014).

Denial of Service. Similar to the man in the middle or eavesdropping techniques, denial of service can cause havoc. Hackers use denial of service to feed massive numbers of fake flights into the air traffic control system. The fake flights would leave controllers unable to determine which flights are real and which are not, effectively rendering objective communication to live flights useless. Essentially, hackers use denial of service to cause a diversion, such as loss of communications with aircraft, in order to mask their real objective (Barreto et al., 2014).

DDoS. Cyber-attackers use DDoS attacks for reasons such as extortion, political

sabotage, and even cyber terrorism. Margaret Rouse, writer for TechTarget, stated that hackers

use servers to launch DDoS attacks by installing code into servers and compromising them. The

servers then allow attackers to launch the DDoS to the victim’s site. A type of DDoS attack

called network-centric is another method used by hackers. This type of attack overloads services

and applications by inundating them with packets and causing degradation of service (Rouse,

2013). Robert McGarvey, a technology reporter for various publications, authored articles on

payments and banking. In 2013, McGarvey reported that a politically driven DDoS attack took

place against the Patelco Credit Union in Pleasanton, California and University Federal Credit

Union in Austin, Texas (McGarvey, 2014).

Russian airline Aeroflot is an example of a politically driven cyber-attack. In 2010,

Aeroflot experienced a DDoS attack that caused their online ticketing system to be unavailable

from July 15th to the 24th. Pavel Vrublevsky, a prominent Russian computer programmer,

entrepreneur, and the former CEO of ChronoPay, a credit card payment processing company,

instigated this attack. A court convicted Vrublevsky after he hired two hackers, Igor and Dmitry

Artimovich, to carry out a cyber-attack against the Russian Flagship Air Carrier, Aeroflot.

Officials believed the attack prompted the airline to end its business contract with Assist, a

competing e-payment and credit card processing business (Russian Legal Information Agency

[RAPSI], 2013).

A similar attack occurred in 2015 that caused the Malaysia Airlines Company website to

experience an outage. Customers attempting to access Malaysia Airlines’ website and planning

to make travel bookings instead saw another page. The website displayed an image imitating the

common Internet browser error 404 “page not found” message, but instead the website displayed

“404 – Plane Not Found.” A group, Lizard Squad, performed the hack, although the French news

agency Agence France-Presse provided no motivation. Additionally, according to media reports,

in other geographical regions containing versions of the airline’s website, the hacked website

displayed the wording “ISIS will prevail” (Agence France-Presse, 2015).

Following the attack, Paul Armstrong, an editor for CNN, reported that Malaysia Airlines

issued a post on their Facebook account, notifying customers that the data breach involved no

passenger data. The post also stated that the hackers redirected only the

Domain Name System (DNS). Malaysia Airlines was working to restore their website with their

service provider and expected to be operational within 22 hours. In the meantime, Malaysia

Airlines redirected users to an alternative link for their booking service (Armstrong, 2015).

Figure 3 shows the hacked website seen by customers.

Figure 3. Malaysia Airlines website hacked by Islamic State jihadists known as Lizard Squad (AFP, 2015 “Hackers Target

Malaysia Airlines,” para. 1).

Protocols. Protocols are rules that control communication between computers on a

network. Each protocol is required to ensure that communication is available between all types

of computer hardware and applications (Florida Center for Instructional Technology, 2013).

Examples of protocols are: Transmission Control Protocol/Internet Protocol (TCP/IP), Hypertext

Transfer Protocol (HTTP), Transport Layer Security (TLS), and Secure Sockets Layer (SSL)

(Florida Center for Instructional Technology, 2013).

TCP/IP. TCP/IP handles managing communications between the application layer and

transport layer on a network (Forcht & Fore, 1995). TCP/IP spoofing is a method attackers use to

imitate a computer that is known by the network. Computers on a corporate network have their

own Internet Protocol (IP) address that identifies the computer. An attacker can use spoofing to

gain access to not only that computer but also other devices on the network such as network

servers and other computers (Forcht & Fore, 1995).

HTTP. The HTTP protocol is an Internet-based protocol that networks use in conjunction

with TCP for sending and receiving web pages. Cyber-attackers intercept the HTTP request and

redirect users to a phony website. Cyber-attackers use phishing scams via email that have a link

to a fake website (Forcht & Fore, 1995). In 2012, Paul McNamara, a news editor for Network

World, received an email from US Airways containing a confirmation code for a trip. The email

contained information not only referencing the confirmation code but also displayed a check-in

link for a flight (2012). The link provided by the phishing email directed unsuspecting customers

to a fake website maintained by the hackers that required the user to enter personal information

(McNamara, 2012).

TLS and SSL. TLS and SSL work in conjunction with each other by providing an extra

layer of security over the Internet when accessing websites, email, and other applications. The

Heartbleed bug found in 2014 exposed a vulnerability in a version of OpenSSL, an open source

implementation of SSL and TLS protocols. Heartbleed allowed sessions to remain open between

servers and clients. This open session allowed for the capture of user identification (ID)

accounts, passwords and other sensitive information (CODENOMICON, 2014). In 2015, Robert

Hackett, a writer for Fortune and author of various articles on data breaches, explained that not all

corporations have fully corrected the vulnerability with the Heartbleed bug (Hackett, 2015).

Viruses. One of the most common and widely used methods for attack is malware that,

once executed, replicates itself, exposes vulnerable corporate networks, and renders back doors

for cyber-attackers to use. Spam email, or files downloaded unknowingly from a website, might

contain a variety of viruses (Microsoft, 2014). Tom Nevin, a contributing author for African

Business, has written articles related to IT security. In 2001, Nevin explained that a computer

virus could stay dormant for years until some mechanism activates it or it is activated by the

creator (Nevin, 2001).

Laura Gordon-Murnane, a freelance writer and information professional, has authored

articles on security. In 1999, Gordon-Murnane explained that viruses’ purpose and malignity are as

diverse as the number of viruses out on the Internet. Some are created to be a nuisance. Others

are created to force a customer to pay for a so-called service or program required to disable the

virus. During this time, a service is created by the author of the original virus. Other more potent

viruses are created to cause havoc on the system and expose vital and valuable personal data

(Gordon-Murnane, 1999).

Viruses range from simple, and almost harmless, to very complex virus programs created

to wreak havoc on systems. The viruses are dangerous and built with a specifically designed

purpose. In 2012, Sharon Weinberger, a national security reporter, wrote an article referencing

the top ten viruses. Weinberger’s list included the Love Letter/I Love You as one of the most

destructive viruses (Weinberger, 2012).

Love Letter/I Love You. In 2000, a cybercriminal distributed emails with an attachment

labeled “I Love You.” Those that opened the email and launched the attachment received a

surprise. The file contained a virus that overwrote image files along with using the Windows

address book to forward the email to the first 50 email addresses (Weinberger, 2012). Viruses

that use email as a means to spread cause mail servers to overrun with requests and render them

useless. In 2000, Bill May, a reporter for The Journal Record, reported that the Federal Aviation

Administration's (FAA) Mike Monroney had shut down its email servers after a virus infected

the server and worked to restore files lost from a back-up source (May, 2000).

Operational Impact

An operational impact of a cyber-attack is measured the same as maintenance, power

outage, or any other cause when the system becomes unusable or unavailable. Cyber-attacks are

complex and dynamic in nature. Attacks, once successful, allow hackers to go to work. Hackers

conducted attacks similar in nature on Sony, the FAA, Air Canada, Ctrip.com, American

Airlines, Polish Airlines, and Britain Civil Aviation. If not corrected, the vulnerabilities seen in

Automated Dependent Surveillance-Broadcast (ADS-B), a system used by airlines to

communicate their location to air traffic control towers, will join the growing list of systems

attacked.

Sony. In 2014, Sony reported that hackers had taken down the Sony PlayStation

Network; however, Sony reported no compromise of user data. Sony’s PlayStation Network was

down approximately a week and caused an outcry among game players (Express Computer, 2014). Sophie

Knight and Malathi Nayak, journalists for Reuters, reported that authorities diverted American

Airlines flight 362, which was traveling from Dallas to San Diego and on which a top Sony

executive was traveling, due to a bomb scare (2014). The FBI investigated the bomb threat that coincided

with the Sony hack and further coincided with the bomb scare (2014). Diversions of this kind

cause high anxiety for all passengers, not to mention the cost to the airline for rebooking

passengers who may have missed connecting flights (Knight & Nayak, 2014).

FAA. Aliya Sternstein, senior correspondent for NextGov, authored articles on

cybersecurity and homeland security systems. In 2015, Sternstein reported the FAA experienced

an attack when hackers deployed malicious software on the FAA’s computer system. The virus,

spread by email, affected only administrative computers. The FAA raised concerns that

virus vulnerabilities leave the system at risk for cyber-attacks and their effects on the air traffic

control systems could be substantial (Sternstein, 2015).

Air Canada. In 2003, the Welchia worm attacked Air Canada’s systems, crippling the

airline’s ability to process passengers at reservations centers and call centers. The Welchia

worm, designed to remove the ‘Blaster’ worm by downloading updates directly from Microsoft,

did the opposite. The Welchia worm locked out administrators preventing them from removing

the ‘Blaster’ worm and updating computers. Air Canada’s experience caused delays and

numerous cancelations of flights (Airline Industry Information, 2003).

ADS-B. Andy Greenberg covers data security, privacy, and hacker culture for Forbes. In

2012, Greenberg reported that a new system known as ADS-B was set to be in place by 2020.

ADS-B shifts how aircraft communicate their location to air traffic control towers. Today,

airplane communications depend on towers for radars to track and coordinate their locations. The

new system, ADS-B, moves the communication to regular radio frequency and is an easier,

cheaper, and safer means of communication (Greenberg, 2012).

The FAA completed the deployment of ADS-B to 634 ground stations in 2014.

According to the FAA, 6,000 general aviation aircraft and 225 commercial aircraft have been

equipped with ADS-B Instrumentation (FAA, 2015). Figure 4 shows Surveillance and Broadcast

service as of February 2015.

Figure 4. Installed ADS-B at 634 ground stations (FAA, 2015, ADS-B Today, para. 6).

Deployment of new technology, such as the FAA’s Next Generation Transportation

Systems (NextGen) aircraft tracking, will need to be able to withstand a cyber-attack. NextGen

will also need to perform with minimal to no vulnerabilities to its systems. NextGen’s use of

ADS-B technology has prompted criticism that its design architecture is not secure enough and

will be vulnerable to cyber-attacks. Network security consultant and hacker, Brad Haines (also

known as RenderMan), is concerned that ADS-B does have vulnerabilities. Since transmission

occurs over radio waves at 1090 MHz for commercial aviation and 978 MHz for general

aviation, injecting flights into the system is possible. Injection attacks are just one example;

others include eavesdropping, man in the middle, and denial of service (Haines, 2012).
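
The fake-flight injection and denial-of-service scenarios described above can be screened for on the receiving side. The following Python example is added here and is not part of the thesis or of any FAA system: it flags position reports that imply an impossible ground speed and bursts of never-before-seen aircraft addresses. The report format, thresholds, and sample data are assumptions constructed for illustration.

```python
import math
from collections import deque

# Assumptions for illustration; tune to the airspace and receiver in use.
MAX_GROUND_SPEED_KT = 700.0   # above any airliner's normal ground speed
NEW_TRACK_WINDOW_S = 10.0     # sliding window for first-seen addresses
NEW_TRACK_LIMIT = 5           # new addresses tolerated per window
EARTH_RADIUS_NM = 3440.065


def distance_nm(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat = p2 - p1
    dlon = math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def screen_reports(reports):
    """Screen decoded position reports given as (receiver_time_s, icao24, lat, lon)
    tuples in time order. Returns a list of (time, icao24, reason) alerts."""
    accepted = {}          # icao24 -> last accepted (time, lat, lon)
    first_seen = deque()   # receiver times at which new addresses appeared
    alerts = []
    for t, icao, lat, lon in reports:
        # Drop first-seen events that have aged out of the sliding window.
        while first_seen and t - first_seen[0] > NEW_TRACK_WINDOW_S:
            first_seen.popleft()
        if icao not in accepted:
            first_seen.append(t)
            if len(first_seen) > NEW_TRACK_LIMIT:
                alerts.append((t, icao, "new_track_flood"))
            accepted[icao] = (t, lat, lon)
            continue
        t0, lat0, lon0 = accepted[icao]
        dt = t - t0
        if dt <= 0:
            continue  # duplicate or out-of-order report; nothing to compare
        speed_kt = distance_nm(lat0, lon0, lat, lon) / (dt / 3600.0)
        if speed_kt > MAX_GROUND_SPEED_KT:
            # Keep the last accepted fix so one bad report does not poison the track.
            alerts.append((t, icao, "implausible_speed"))
            continue
        accepted[icao] = (t, lat, lon)
    return alerts


# Constructed sample: one genuine track at about 450 kt, one spoofed jump for the
# same address, then eight previously unseen addresses inside one second.
GENUINE = [
    (0.0, "a1b2c3", 40.0000, -75.0),
    (10.0, "a1b2c3", 40.0208, -75.0),
    (20.0, "a1b2c3", 40.0416, -75.0),
    (30.0, "a1b2c3", 41.0416, -75.0),   # 60 nm in 10 s: injected or corrupted
    (40.0, "a1b2c3", 40.0832, -75.0),
]
FLOOD = [(100.0 + i * 0.1, "f%05x" % (i + 1), 39.0 + i * 0.01, -76.0) for i in range(8)]
SAMPLE = GENUINE + FLOOD

if __name__ == "__main__":
    for alert in screen_reports(SAMPLE):
        print(alert)
```

Checks like these are plausibility heuristics over received data; they do not authenticate the sender of a report.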

Polish Airlines. Eric Auchard and Wiktor Szary, journalists for Reuters, reported in 2015

that Polish Airlines experienced a cyber-attack causing their systems to become inoperable. A

DDoS attack disabled the Polish Airlines system used for issuing flight plans, which

subsequently left 1,400 passengers stranded at Warsaw’s Chopin airport. The flight plan

system was down for about five hours, not only stranding passengers, but also grounding planes

(Auchard & Szary, 2015).

Ctrip.com International. A cyber-attack forced China’s biggest travel agency offline for

12 hours. The customers who attempted to reach Ctrip.com via the website or mobile application

reached a page displaying service unavailable. Technicians for Ctrip.com worked to restore

servers damaged by the attackers (AsiaOne, 2015).

American Airlines. Brigham A. McCown is a contributor for Forbes. In his article titled,

“American Airlines Grounded. Accident or Potential Cyberattack?” McCown (2013) reported

that in April 2013, American Airlines experienced an outage with their computer system. The

outage caused delays and cancelations of about 2,000 of their daily flights. The cause of the

outage was unknown. However, reports attributed the outage to a communication issue between

American Airlines and their central reservation system run by Sabre Holdings.

Airlines dealing with attacks that impact a large number of their flights throughout

their systems may face not only the challenge of restoring those systems, but also the snowball

effect caused by cancellations and delays. The disruption continues by creating a cascading

effect that may take days, if not weeks, to resolve. Further, the disruption affects the airline’s

long-term bottom line as they deal with the aftermath of a cyber-attack.

Britain Civil Aviation. David Morgan, a reporter for ABC News, reported on a hijacking

of radio communications to airplanes that are usually transmitted by air traffic control.

Britain’s civil aviation issued a safety alert after air traffic controllers overheard the pilot’s

communication to and from unknown sources providing the pilots with false instructions. The

hackers used a portable transmitter to communicate with the pilot. Investigations point to the

hackers using a transmitter, which cost $450 and which requires a license to operate legally

(Morgan, 2011). According to Morgan, Richard Dawson, president of U.K.’s Guild of Air

Traffic Controller, stated, “This is a criminal act which could ultimately result in a serious

accident. The problem is that the people making these spurious calls are mobile and can be very

difficult to trace” (Morgan, 2013, Hackers Attack Air Traffic, para. 6).

Potential Revenue Loss

Susan Berfield, a writer for Bloomberg Business Week, reported in 2014 that the breach

experienced by Target greatly affected company revenue during the crucial holiday shopping

season. Target was a perfect example of the significant impact a cyber-attack had on its business

and the revenue loss resulting from the attack. Revenue is the most important area for any

company providing services or goods. A cyber-attack can affect not only revenue, but also the future

standing of the company. The cyber-attack on Target led to net profits dropping 46%, costing

$61 million, and over 80 civil lawsuits. Companies are under more pressure to raise profits

than to apply security measures to the organization (Berfield, 2014).

Similarly, Sony Pictures saw a revenue impact from a second cyber-attack in 2014. Tim

Hornyak, an IT reporter on telecommunications, science, and technology, reported that $35

million was the cost estimate from Sony’s 2014 cyber-attack. Included in the figure is $15

million to repair damaged equipment, investigation, and remediation (Hornyak, 2015).

Aeroflot Airlines is another example that shows the impact on revenue due to a cyber-

attack. The cyber-attack, driven by the DDoS attack and lasting several days denying access to

ticket sales, came with a hefty price. Assist, Aeroflot’s processing company, lost $488,090 in

revenue. Aeroflot felt a great impact as a result of the cyber-attack and reported a loss of more than

$4.75 million in revenue (Russian Legal Information Agency, 2013).

Chris Harris, a freelance journalist, has authored numerous publications in Information

Management and Enterprise for InformationWeek. In 2011, Harris reported that in one year,

small enterprises lost an average of $55,000, midsize enterprises lost an average of $91,000 or

more, and large enterprises had losses exceeding $1,000,000. The figures explained are only for

IT outages and are not part of a cyber-attack. However, adding a cyber-attack event to the

figures, the figures can triple, costing millions of dollars in loss to the enterprise (Harris, 2011).

Airlines Reporting Corporation (ARC), which settles all transactions between airlines and

United States travel sellers, noted an increase in fraud in 2011. ARC reported an increase in

unauthorized, fraudulent charges of airline tickets with a face value of all tickets issued at one

million dollars, with one single instance at over $77,000. The fraudulent charges according to

ARC were from phishing emails aimed at travel agents and independent contractors. Travel

agencies received an email that appeared to the travel agents as if the message came from Global

Distribution Systems (GDS). The email directed the agents to a website to make bookings on

which hackers track personal information (Dark Reading, 2011).

Similarly, China's largest travel agency Ctrip.com encountered a cyber-attack that cost

Ctrip.com a loss of $1.44 million per hour. The outage experienced by Ctrip.com cost a total of

$16.8 million excluding the cost of hardware replacement. The attack coincidentally occurred after

Ctrip.com received $250 million subsidies from Priceline.com LLC (AsiaOne, 2015).

The deployment of the FAA’s NextGen ADS-B also comes at a cost due to increased

implementation costs. The initial systems came with benefits; however, it currently is of little use

to commercial airlines. The cost of NextGen has outweighed the benefits. NextGen

has increased cost for both FAA and airspace users by $588 million (Targeted News Service,

2014). Brianna Ehley, a journalist at The Fiscal Times, reported in 2014 that the estimate of

NextGen’s $4.5 billion cost through 2035 is about $400 million more than the original cost. The

Inspector General warns the cost could even go higher (Ehley, 2014). The FAA’s number of

underlying programmatic reforms associated with NextGen hinders the implementation of new

capabilities needed to realize the full benefits. The cost of NextGen will eventually affect commercial

airlines when systems in the aircraft need replacement (Targeted News Service, 2014).

Bruce Schneier, a chief technology officer at Resilient Systems, published in 2015 that

newer generation planes such as Airbus A350, A380, and the Boeing 787 Dreamliner have one

network. The network contains both the plane’s internal network and passenger wireless Internet

(Wi-Fi) connections. Mixing the aircraft computer systems network with the passenger cabin

Internet connection could allow a terrorist the means to cause multiple planes to collide. The

terrorist could be sitting at the back of the plane or on the ground working on taking control of

the plane (Schneier, 2015).

Additional revenue impacts may include the protection airlines pay for victims of a data

breach. US Airways provided their pilots who were part of the data leak exposure with 12

months of LifeLock (Higgins, 2011). LifeLock provides consumers with identity protection

costing in the range of $9.99 to $29.99 a month depending on the services (LifeLock, 2015).

Discussion of Findings

We live in a world today where communications and trade are global. The convenience

of communication and the technological advances of the Internet as well as other networks have

allowed companies worldwide to have unprecedented reach and access on a global scale.

Technological advances have allowed businesses, including airlines, to thrive. It is unsurprising,

however, that having a global reach and access to systems halfway around the world, has also

allowed hackers to infiltrate networks and databases of businesses, credit card companies, retail

businesses, as well as airlines. Recent cybersecurity threats and actual breaches of networks are

highlighting the very pressing need for countermeasures to prevent and thwart these types of

cyber-attacks. Recognizing cyber-threats such as passenger data breaches, vulnerable breach

points, and the short and long-term impact on operations and revenue are main areas. Airlines

need to increase their focus and preemptive measures to avoid or minimize the potential for a

cyber-attack. The number of cyber-threats and actual attacks in the last several years leading up

to 2015 is on the rise.

Airlines constitute a significant target for cyber criminals for various reasons. Chief

among them are the amounts of personal data that run through airline systems, ranging from

customer names and addresses to passport information and credit card information. Passenger

data processed by airlines makes for an easy target for criminals looking to access databases and

sell information for identity theft. Terrorism is a main concern as well. Evolving technology

both on the aircraft in the air and systems on the ground become more and more automated and

dependent on networks and virtual environments. There is growing concern for terrorist

organizations hacking these systems and potentially accessing sensitive information or even

control of aircraft handling or air traffic with the goal of causing major disruptions.

Meanwhile, airlines continue to cut costs and corners to please investors. This is alarming

as resources needed to prevent attacks or loss of information may be reduced by the airlines in the

interest of increasing revenue. A well-orchestrated attack on the reservations system of a major

airline can carry with it a disruption in air traffic on an international scale. This kind of

disruption can potentially strand passengers for days, while allowing hackers to control and

access personal passenger information and financial data. Hackers can sell the personal

information to another party or use the information for a myriad of purposes.

Cyber-attacks have the potential to financially impact the short and long term revenue

prospects of an airline business, with effects that can ripple through the whole industry.

Corporate executives that keep attack information private for fear of disclosure of a cyber-attack

hinder sharing of information to other executives to formulate a stronger defense. Facing cyber-

risks should encourage airlines to question how much money the company spends in information

security and whether profits are more important than system and network safety. This especially

is a concern when a cyber-attack can lead to a data breach. Protecting passenger data then

becomes a priority for airlines to ensure the data is secure and not readily accessible to

unauthorized persons.

Data Breach

Passengers who are making reservations or traveling trust that their personal information

is kept secure by airlines. A data breach at an airline that exposes vital passenger

information may lead to passenger identity theft if the information lands in the wrong hands. Victims of

identity theft then have to fight damages and recover money spent on correcting the damages

from the identity theft.

Inside sources seen as a threat. Insider threat is a significant vulnerability that needs

addressing. Employees can plan or perform malicious acts during their work hours. Amtrak is a

researched example of insider threat. An employee breaking policy and selling passenger

information shows how the employee mishandled passenger data. Companies and

agencies that control private information should not allow employees to extract information

without proper authorization. In turn, government officials should not bribe employees with

access to information. Instead, the government should officially request information through

proper channels. Allowing the government not to follow the proper procedures exposes the

government practices and can place the company in a liable situation.

Cunard Cruise lines is another example where a data breach occurred. In this case, the

employee sent an email with future traveler’s information that included booking references.

Companies should not send passenger information via email if possible. The emails left

traveler’s bookings exposed to other travelers. This kind of mistake can be not only costly but also

an inconvenience to travelers. Anyone who got ahold of this information could

have called in and requested changes and even cancelations, costing Cunard revenue.

Similarly, an ex-employee leaked personal information of pilots for US Airways. The

information leaked was pilot related personal information from what once was America West

Airlines. US Airways mishandled this personal data and should not have given the data to

individuals who could easily expose this information. It is understandable that union personnel

need this information for other purposes. However, the union should have gathered that

information on its own. Employees that are in the process of leaving the company should have

their access to sensitive information reduced and monitored. Immediate termination of employee

access should occur upon their release. User accounts, especially those with

access to employee personal information, should be monitored. The information leaked, although not

passenger related, still leaves each pilot’s and their families’ personal information at risk of misuse.

Employee use of USB storage devices needs monitoring. USB storage devices are popular

and employees use the devices to share files or take files home to continue their work. USB

storage devices should not be used to hold sensitive information. An employee can cause a

problem if an anti-virus program does not protect their home computer. The USB storage device

can become infected and, once taken into the office and inserted, can infect the computer and

spread. Airlines must protect their company by ensuring that security programs scan USB

storage devices when inserted into a computer. Airlines can also choose not to allow the use of

these devices unless the airline’s IT department is providing an encrypted USB storage device.

The mishandling of the USB storage device can expose the data if the USB storage device itself

was lost or even stolen. Protecting passenger data presents a unique challenge since airlines

depend on the sound integrity of their network infrastructure as well as third party vendors. It is

within these infrastructures that airlines need to implement security protocols to prevent data

access through weak points.

Airlines, like other companies, have vulnerable breach points exploited by a cyber-attack.

Attacks occur if an airline’s technology security measures and policies are lacking. Networks and

protocols used for communication are underlying architecture with inherent vulnerabilities. Cyber-

attackers can exploit protocols to hide their identity when attacking. These attacks include email

with infected attachments. However, the email itself is not harmful until the attachment is opened.

An employee transferring files via a universal serial bus (USB) storage device can carry a worm

hidden on it, unbeknownst to them.

Potential Breach Points. Airline passengers have a variety of ways to access their

reservation either from a website, mobile application, or calling the airline’s reservation call

center. Hackers may use the same access that passengers have to find a way into the airline’s

system. They can use email, phishing, or even a USB storage device as means of attack.

While many email service providers and other servers have become increasingly capable

of identifying and addressing vulnerabilities by separating emails with potentially infected

attachments, learning to identify these threats will mitigate the risks and lower frustration. After

completing a reservation, the airline’s website sends a confirmation email. The confirmation

email usually contains passenger name, itinerary, email address, and frequent traveler

information, if entered. The email also contains the booking reference number, referred to as

PNR or Record Locator.

Hackers can potentially use email to send spam used to deceive travelers by providing

false information including links to fraudulent websites. If the user is unaware of or not attentive to

website links in emails, the user clicks on the link and is directed to what appears to be that

airline’s website. The website may prompt for personal information such as login information to

their airline account and even verification of their personal information. The hacker can use this

information to their benefit in two ways. First, the hacker can use the personal information for

identity theft, and second, the hacker can use the user’s airline account information as an entry

point into the airline’s servers. There are several potential breaches waiting to happen in a variety

of websites, from different types of companies worldwide, which may be holding personal data

from customers. This is just one area where airlines must be aware of the state of their servers.
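
The fake check-in link described in the HTTP discussion earlier and in the paragraph above can be caught by inspecting where a message's links really point. The following Python example is added here and is not from the thesis or from any airline: it audits the links in an HTML email against a list of the carrier's own domains. The domain airline.example, the reason labels, and the sample message are constructed assumptions.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the carrier really sends customers to (placeholder value).
TRUSTED_DOMAINS = {"airline.example"}

# Finds a host name written in the visible link text, e.g. "www.airline.example".
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in a message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_email(html):
    """Return [(host, [reasons])] for each web link that looks deceptive."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        try:
            parts = urlsplit(href.strip())
        except ValueError:
            findings.append((href, ["unparseable_url"]))
            continue
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, tel: and similar are out of scope here
        host = parts.hostname or ""
        reasons = []
        if not is_trusted(host):
            reasons.append("untrusted_host")
        if is_ip_literal(host):
            reasons.append("ip_literal")
        if parts.username is not None:
            reasons.append("userinfo_in_url")  # "trusted.name@real-host" trick
        if parts.scheme == "http":
            reasons.append("cleartext_http")
        shown = HOST_IN_TEXT.search(text)
        if shown:
            shown_host = shown.group(1).lower()
            # Text names one host while the link goes to another.
            if shown_host != host and not (is_trusted(shown_host) and is_trusted(host)):
                reasons.append("text_host_mismatch")
        if reasons:
            findings.append((host, reasons))
    return findings


# Constructed sample message (not a real email).
SAMPLE_EMAIL = """
<p>Your confirmation code is ABC123.</p>
<a href="https://www.airline.example/manage?pnr=ABC123">Manage trip</a>
<a href="http://airline.example.check-in.test/login">https://www.airline.example/check-in</a>
<a href="https://airline.example@203.0.113.7/verify">Verify your details</a>
<a href="mailto:help@airline.example">Contact us</a>
"""

if __name__ == "__main__":
    for host, reasons in audit_email(SAMPLE_EMAIL):
        print(host, ", ".join(reasons))
```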

Vulnerabilities found in web servers that IT departments have not kept up-to-date are

enticing for hackers. One main example of this was the Heartbleed vulnerability. This allowed a

hacker to capture user names and passwords transmitted over TLS and SSL. If servers are not

patched, the vulnerability will leave airlines unprotected, allowing hackers a way into the

servers. Heartbleed provides attackers with the easiest form of access to a secured server, a

database of active usernames, and passwords. A hacker’s most successful attack is one that is a

targeted attack.

Malaysia Airlines experienced such an attack that took their website down. The website

displayed an error message; however, instead of “page not found” it displayed “plane not found.” This

was an insult to the airline’s most recent loss of aircraft. The attack caused an operational impact

to the company. Hackers reminded potential customers that the airline recently lost a plane,

which had vanished with very little information that could lead to any recovery of the airliner.

Operational Impacts of a Cyber-Attack

Airlines could experience significant operational impact if a cyber-attack were to occur.

A cyber-attack can cause airline delays, misplaced passengers, and cause significant data loss as

well as potentially affecting a company’s performance and financial security. The impact on

employees’ workload also increases. Pulling employees off their regular duties to perform other

duties such as assisting with identifying and resolving the issue also adds to the impact. The most

recent attack on Polish Airlines is an example of the magnitude of impact. The airline’s

passengers remained sitting in planes that were unable to take off, check-in counters had long

lines, and reservation call centers were overloaded with calls. If criminal or terrorist attackers targeted

one of the major airlines such as United Airlines or American Airlines, the impact could last

more than just a few hours. Due to the complexity of their networks, it may take days or weeks

to recover.

Similarly, a virus such as the one Air Canada experienced also impacted operations. Air Canada could have avoided the “Blaster” virus if the airline had removed the virus when it was first discovered, preventing its distribution. Having anti-virus protection is not enough, as the program needs updates with the latest virus definitions to be effective. A virus may not only cause a system to become inoperable but also cause stressful situations for staff. Airlines not only need to worry about their systems but also must be mindful of the FAA’s systems in use.

Airlines rely on the FAA’s ability to approve take-offs and landings of planes. The FAA has had its own series of attacks and vulnerabilities. The FAA experienced its own cyber assault when a virus infected their system. FAA employees received an email with the subject “I Love You.” Once the employees opened the email, the virus spread. Luckily, it did not spread past the administration’s computers. Had this virus spread to computers at the air traffic control tower, the virus could have inhibited the controller’s ability to give clearance for aircraft to land. This would force the aircraft to divert to alternative airports, assuming the virus had not affected the computers in those control towers. The vulnerability found with the FAA shows that airlines are not the only ones at risk. As the FAA works with airlines to test and implement the tracking system NextGen, airlines need to ensure security is a priority.

The FAA’s deployment of the ADS-B system is one the airlines have been waiting for, and in some locations, the implementation of the NextGen system is in place. Cost savings for airlines, especially in fuel and flight time, are heralded, but at what risk? The system has vulnerabilities that the FAA needs to address. Just as with all new software, ADS-B comes with vulnerabilities, which hackers look to expose and exploit. The release of new software and hardware for NextGen calls the security of the system into question. NextGen connects to the Internet and uses locally installed software, which makes the NextGen system more vulnerable to attack. Since the system is Internet-based and connected via IP, the network is susceptible to compromise and puts other systems at risk. ADS-B has no data-level authentication and uses unencrypted communication.

A method previously discussed that is available to a hacker or even a terrorist against ADS-B is eavesdropping. There are websites and mobile applications such as flightaware.com and Flightradar24, which allow a user to track a flight, whereas eavesdropping uses physical hardware to monitor radio waves. Using physical hardware to perform eavesdropping allows the hacker to track communication packets between the ground and aircraft. A hacker or terrorist using a man-in-the-middle method to alter the system’s information is just one cause for concern. For example, the aircraft is flying in one location, and after the hacker alters the data packet and retransmits the data, it could show the aircraft 800 miles off course, heading on a collision course. The data received would cause the aircraft to alert and ask for a course correction, unaware that the correction is false.
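A receiver-side check for the altered-position scenario described above, as an added example that is not part of the thesis: because ADS-B reports carry no authentication, a ground system can at least reject position jumps that no aircraft could fly. The report fields, the speed ceiling, the track-gap threshold and the sample ICAO addresses and coordinates are assumptions constructed for illustration.

```python
"""Plausibility filter for unauthenticated ADS-B position reports (constructed example)."""
import math
from dataclasses import dataclass

EARTH_RADIUS_NM = 3440.065    # mean Earth radius in nautical miles
NM_TO_STATUTE_MI = 1.15078
MAX_GROUND_SPEED_KT = 700.0   # assumption: ceiling for an airliner's ground speed
MAX_TRACK_GAP_S = 60.0        # assumption: after a longer silence, start a new track


@dataclass(frozen=True)
class Report:
    t: float      # receiver timestamp, seconds
    icao: str     # 24-bit aircraft address, hex string
    lat: float    # degrees
    lon: float    # degrees


def great_circle_nm(lat1, lon1, lat2, lon2):
    """Haversine distance between two positions, in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def implausible_reports(reports):
    """Return (report, reason) pairs for reports that fail basic physical checks.

    Each report is compared with the last *accepted* report from the same
    aircraft address, so one rejected report does not poison the track.
    """
    last_good = {}
    alerts = []
    for r in sorted(reports, key=lambda rep: rep.t):
        if not (-90.0 <= r.lat <= 90.0 and -180.0 <= r.lon <= 180.0):
            alerts.append((r, "coordinates out of range"))
            continue
        prev = last_good.get(r.icao)
        if prev is not None:
            dt = r.t - prev.t
            if dt <= 0:
                alerts.append((r, "non-increasing timestamp"))
                continue
            if dt <= MAX_TRACK_GAP_S:
                dist_nm = great_circle_nm(prev.lat, prev.lon, r.lat, r.lon)
                speed_kt = dist_nm / dt * 3600.0
                if speed_kt > MAX_GROUND_SPEED_KT:
                    miles = dist_nm * NM_TO_STATUTE_MI
                    alerts.append(
                        (r, f"jump of {miles:.0f} mi in {dt:.0f} s implies {speed_kt:.0f} kt"))
                    continue  # keep the previous accepted fix as the reference
        last_good[r.icao] = r
    return alerts


# Constructed sample: two aircraft cruising at about 450 kt, reporting every 5 s.
SAMPLE_REPORTS = [
    Report(0, "A1B2C3", 40.0, -75.0000),
    Report(5, "A1B2C3", 40.0, -74.9864),
    Report(10, "A1B2C3", 40.0, -74.9728),
    Report(15, "A1B2C3", 51.58, -74.9592),  # altered report, roughly 800 miles north
    Report(20, "A1B2C3", 40.0, -74.9456),   # genuine track continues
    Report(0, "4D5E6F", 48.0000, 2.0),
    Report(5, "4D5E6F", 48.0104, 2.0),
    Report(10, "4D5E6F", 95.0000, 2.0),     # malformed latitude
]

if __name__ == "__main__":
    for report, reason in implausible_reports(SAMPLE_REPORTS):
        print(f"t={report.t:>4} {report.icao}: {reason}")
```

A filter like this only catches physically impossible jumps; a false track that moves at believable speed has to be cross-checked against an independent source such as radar.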

Similarly, DDoS is a third method that hackers can use. If hackers penetrate the NextGen software and use DDoS, the attack can affect not only air-traffic controllers but also aircraft themselves. Hackers can use the same method of supplementing flights to the aircraft systems, causing aircraft computers to warn of a collision. In turn, the response from the aircraft system would alert the pilots to climb or dive to avoid what is a non-existent aircraft. If cyber attackers intercept NextGen ADS-B based communication, the attackers may use the information to breach the aircraft’s internal network.

Airlines that provide in-cabin entertainment and wireless Internet need to consider the risks as well. As noted, Chris Roberts claimed to hack into several aircraft while he was traveling. Roberts asserted that he was able to adjust the plane’s altitude, which is another method a hacker could mimic. Airlines need to ensure that the systems providing Internet connectivity within the aircraft do not have links between themselves. A traveler using personal wireless devices such as a computer, tablet, or smartphone can possibly introduce additional vulnerability.

In Roberts’ case, he accessed the main system from a small panel located near his seat. He was able to attach his laptop to a network port that was available to access the plane’s network. Taken a step further, hackers could use the in-flight wireless system to gain the same access without bringing attention to themselves. Any combination of all these methods not only can cause a loss of life but also can have a huge impact on the airline’s revenue.

With such a wide variety of methods for cyber-attacks, an airline experiencing a breach, perhaps from a simple spam email running through its servers, can deal with it while maintaining control of its operations. However, a more complex and widespread attack can cripple its systems and, if not soon corrected, can rapidly escalate into an operational nightmare affecting the airline on a global scale.

Cyber-attack Revenue Impact. Airlines today are more interested in making profits and cost reduction than they are in customer service and security. In 2015, airlines have yet to measure the cost of a cyber-attack on an airline’s system. Airlines already suffer operational and revenue impact due to weather. A cyber-attack added into the mix can be even more costly. If an airline were to experience a systems outage, disruptions would not only be felt in its operations, but would also displace travelers and cabin crewmembers. In addition, airlines also need to add the cost of marketing to rebuild their brand. The revenue impact can extend to the airline’s ability to process credit card data.

A major airline is a large enterprise company with high revenue. Harris explained that outages exceed $1 million for just IT costs. This revenue impact is an estimate. Airlines will still need to add the cost of hotels, rebooking of travelers on their airline or other airlines, and coverage for crewmembers who are out of time and can no longer work the flight. Additional costs such as outside security consultation, overtime, and the possibility of staff augmentation need consideration, along with new hardware and software to assist in resolving and mitigating future risks.

Ctrip.com is an example of how costly a cyber-attack can be. Ctrip.com lost $1.4 million an hour just because the website was down. Calculating the initial loss of revenue, and then adding operations, the reservations center, and the cost of keeping employees on the clock, the costs could exceed $16-20 million. As the airline begins its recovery process and other internal teams within the airline investigate the attack, the cost can continue to accumulate. This may lead investors to question how an attack could have happened and to demand answers from the enterprise. Airlines would not only need to respond but also reduce the risk of a recurring event. There is an additional potential for the company’s stock price to drop due to news reporting on the breach and lack of consumer confidence. An example given in the research is the Target breach, where after the breach Target experienced a 46% drop in profits.

Additionally, vendors used by airlines, especially those used for frequent flyer programs, which are considered revenue impacting, present cyber-attack vulnerabilities. The frequent flyer miles stolen from passengers’ accounts and used by hackers to travel have a value attached. Research found a few examples with the United Airlines and American Airlines breaches. The airlines not only are out the value of the bookings made from the hacked accounts, but also need to replace the missing miles from those accounts. The attack also leaves travelers having to monitor and change their login information and potentially leaves the airline having to issue new frequent flyer numbers. Airlines should not place a cost on protecting customer and employee data.

Limitations

The research on the legitimacy of Chris Roberts’ claim of taking control of the flights he hacked needs further investigation. Information found during the research is not clear on whether or not Roberts’ claims are false. There is no empirical proof of the actual attack. Furthermore, any data collected by the FBI during their investigation remains sealed. This fact may be due in part to the vulnerabilities exposed to airlines and aircraft systems. Aircraft manufacturers as well as airlines may be in the process of patching systems to avoid future breaches. Only then, when the investigation is complete and preventative measures are in place, will we see a clear picture of whether or not a system hack emerges. Limitations on research were in part due to the very nature of cyber-attack threats. Between 2013 and 2015, hackers used the advances in technology to enhance disruption of local or global systems.

Recommendations

Airlines need to focus on several areas, from securing passenger data to identifying weak points in their infrastructure, software vulnerabilities, and disaster recovery. The loss of control of any area is a serious threat and impacts an airline’s standing. The impact of a cyber-attack not only affects the airlines, but also has an effect on travelers.

Passenger data. Protection of data, especially passenger data, is important to avoid data exfiltration. Adding an encryption layer of protection ensures data remains secure. Several options for encrypting and decrypting data are available to ensure data is protected when in transit or dormant. For example, symmetric encryption methods use a key to protect data. Any information sent or received remains secure from attacks and the user is able to decrypt the information after private key input. Another widely available encryption method for businesses is asymmetric encryption. This encryption type allows companies, including airlines, to provide users with a public encryption key. All data remains secured on transfer despite the encryption key being public. Decrypting data with a private decryption key by the receiving user ensures data stays within the allowed parties. Additional scrutinizing and limiting of employee access to passenger data needs to occur. To avoid the compromise of passenger data, IT departments need to monitor employee access on a regular basis.
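The symmetric and asymmetric methods described above are usually combined: a fresh symmetric key encrypts the record, and the recipient's public key encrypts only that symmetric key. The sketch below is an added example, not part of the thesis; it uses the third-party Python `cryptography` package, and the record fields, record locators and function names are constructed for illustration.

```python
"""Envelope (hybrid) encryption of one passenger record. Constructed example."""
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP parameters used to wrap the per-record symmetric key.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def seal_record(record, locator, recipient_public_key):
    """Encrypt a record for one recipient; only the recipient's private key opens it."""
    data_key = AESGCM.generate_key(bit_length=256)   # fresh symmetric key per record
    nonce = os.urandom(12)                           # never reused with the same key
    plaintext = json.dumps(record, sort_keys=True).encode()
    # The locator is authenticated (not encrypted) so the ciphertext cannot be
    # silently attached to a different booking.
    ciphertext = AESGCM(data_key).encrypt(nonce, plaintext, locator.encode())
    return {
        "locator": locator,
        "wrapped_key": recipient_public_key.encrypt(data_key, OAEP),
        "nonce": nonce,
        "ciphertext": ciphertext,
    }


def open_record(envelope, recipient_private_key):
    """Unwrap the symmetric key with the private key, then decrypt and verify."""
    data_key = recipient_private_key.decrypt(envelope["wrapped_key"], OAEP)
    plaintext = AESGCM(data_key).decrypt(
        envelope["nonce"], envelope["ciphertext"], envelope["locator"].encode())
    return json.loads(plaintext)


def demo():
    """Round-trip one constructed record and show two failure cases."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    record = {"name": "DOE/JANE", "ff_number": "FF0000000", "card_last4": "0000"}
    envelope = seal_record(record, "ABC123", private_key.public_key())

    # Case 1: the ciphertext is moved under another booking reference.
    relabelled = dict(envelope, locator="XYZ789")
    try:
        open_record(relabelled, private_key)
        relabel_detected = False
    except InvalidTag:
        relabel_detected = True

    # Case 2: someone holding a different private key tries to open it.
    other_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    try:
        open_record(envelope, other_key)
        wrong_key_rejected = False
    except (ValueError, InvalidTag):
        wrong_key_rejected = True

    return {
        "round_trip_ok": open_record(envelope, private_key) == record,
        "name_visible_in_ciphertext": b"DOE/JANE" in envelope["ciphertext"],
        "relabel_detected": relabel_detected,
        "wrong_key_rejected": wrong_key_rejected,
    }


if __name__ == "__main__":
    print(demo())
```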

Network infrastructure. Infrastructure protection needs to be included in all network designs. Tools used to accomplish this include remote management, secure communications, and distribution monitoring. IT departments need to perform daily and weekly network scans for vulnerabilities to limit risk. These scans will help find any risk and allow time for mitigation of these risks. Network scans can identify points on the network that are available for hackers to perform their attack. Network equipment received from a manufacturer or reseller needs to be configured using a baseline configuration with standard security settings and not deployed with the default configuration running. Network device configurations should be documented and readily accessible for reference, but restricted to only those employees who require the access. The IT department should perform regular router maintenance along with audits. This will ensure holes in the firewall and routers are current and not altered. The use of intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), will assist with prevention of a cyber-attack. Using IPS will assist in monitoring network traffic and system activities for malicious activity.

Software vulnerabilities. Patch management for base computer operating systems needs to occur at regular intervals, with updates and patches installed in a timely manner. This includes common industry software such as the Microsoft Office Suite, which IT personnel should also monitor and update when releases are available. The IT department must check for any vulnerabilities and updates to any new software introduced to the environment. Having the IT team check and run any new software inside a test environment prior to full activation will minimize threats to the system. Implementation of encryption and decryption of stored and shared data provides additional security measures. This will ensure passenger personal information as well as payment methods remain secured. The software should follow vigorous testing cycles and vulnerability assessment. The use of virtual machines to test new software will mitigate the risks of any system vulnerabilities.

Disaster recovery. Testing disaster recovery can help reduce downtime from a cyber-attack. Following a disaster recovery process that allows fallback to servers and networks of which hackers have no knowledge can ensure that the secondary network has not been compromised. The use of virtual servers and secured networks with a DMZ in place will assist in mitigating an outage due to a cyber-attack.

Future Research Recommendations

There is a need for further research to identify areas accessible to travelers when on an aircraft, the vulnerability of NextGen, and passenger data in the GDS. Additional research into how the aircraft manufacturers install the internal aircraft wiring, focusing on the aircraft’s network, will provide a better assessment of these areas of vulnerability. The research should also focus on the possibility of a terrorist taking control of the plane while in the air, as seen in Chris Roberts’ YouTube video in which he illustrated taking control of the aircraft. Does a traveling passenger have access to the aircraft network?

The NextGen system requires in-depth understanding to identify and assess potential system vulnerabilities. Due to time constraints, it was not possible to research additional sources found. Concerns about the system’s vulnerability held by both the airlines and the FAA need addressing. One concern is an entire overhaul of the Nation’s Air Traffic Control Systems, and consequently, air traffic control systems around the world, that will impact all network and system securities. A new implementation will test the compatibility factors in addition to the security measures of such systems. There is a need for the minimization of possible cyber-attack breaches and weak points. Such corrections and updates will have to occur in a test environment to ensure that all NextGen system vulnerabilities are addressed.

In-depth research is required on passenger data. Most airlines use GDS, in which the storage of the data is outside the company’s control. GDS hold all passenger travel records that occurred in the past, all current travel, and all future travel. The GDS, a third-party vendor, handles not only passenger data and the security of the data but also access to the data by authorized persons. The research should include what security measures are currently in place and what steps are in place to handle a data breach.

Conclusion

The purpose of this research was to recognize how a cyber-attack would affect an airline's reservations and operations system. A major airline has a scope of operations that reaches global scale. As such, airlines face a challenge preventing a breach of passenger data within their infrastructure. The data breach can occur from a multitude of areas that include inside threats. Once the threat has occurred, the breach or outage can cripple several major systems and networks and will have a significant impact on the airline’s operation, leaving passengers stranded across the globe. Airlines’ consideration in identifying a threat, or realizing the length of time it takes to identify a threat, needs addressing.

Cybersecurity in aviation is changing; the adoption of new technology increases the risk of a cyber-attack. Airlines have become more reliant on implementing new technology to streamline their business and increase profits. The vulnerabilities that may occur need addressing and mitigation by the airlines. Failure to address the risks decreases the possibility of the airline surviving such an impact.

By 2020, the FAA’s NextGen system is to be operational not only in the United States but also throughout other countries. This NextGen system transitions from radar to satellite technology and increases efficiency by allowing planes to operate closer to other aircraft. Given that satellite positioning is more reliable than radar, it provides the ability to increase air travel. NextGen comes with both benefits and drawbacks, which are due to the vulnerabilities of the system.

Organizations in aviation have taken a lead in addressing cybersecurity and creating techniques for mitigation. IATA is leading the fight against cyber-attacks. The IATA is the association of airlines around the world that supports many areas of aviation. Its activities help formulate industry policy on critical aviation issues such as cybersecurity. IATA holds conferences to encourage aviation personnel in senior roles to engage in research and create policies in an effort to fight cyber-attacks. Aircraft manufacturers such as Boeing and Airbus have ongoing research to help combat cybersecurity attacks.

There is a need for airlines to expand beyond physical security to address cybersecurity in more detail. Deficiencies in airlines’ cybersecurity policies and procedures exist to some extent and some systems are inadequate, leaving airlines with vulnerabilities for a cyber-attack to occur. These cyber-attacks affect not only the revenue of the airline; they also influence the traveler’s plans with the airline.

Airlines and manufacturers collaborating towards standards and identifying issues in cybersecurity allows for transparency of key issues that need attention. Access to intelligence will enhance the airlines’ ability to take action and prepare for threats by implementing cybersecurity procedures. Ensuring standards with the highest of criteria will keep air transportation safe and secure from cyber-attacks.

Not all the consequences of adding more systems and enhanced global networks are negative. Airlines and aircraft manufacturers are today working closer together than ever before. Major improvements to systems protect aircraft against online threats. The FAA’s adoption of a new generation of Air Traffic Control system will further reduce aircraft movement threats and attacks.

Throughout the history of aviation, past attacks as well as accidents have made the industry stronger. It is no different in terms of cybersecurity. The threat of cyber-attacks has pushed the Information Technology community and the airline industry to implement the adoption of new systems and the inclusion of measures to make aircraft and airline travel safer than ever before. It is by bridging the gap between system weaknesses and the prevention of cyber-attacks that travel is being made as secure and seamless as possible for the growing traveling public worldwide.
