Sabre Airline SolutionsSabre Airline SolutionsSabre Airline SolutionsSabre Airline SolutionsSecuring Airline Information Securing Airline Information on the Ground and in the Air

7 November 2012

Kuala Lumpur Malaysia

on the Ground and in the Air7 November 2012

Kuala Lumpur MalaysiaKuala Lumpur, MalaysiaKuala Lumpur, Malaysia

Confidential

Brief

Paul FeheleyPaul FeheleyyyPrincipalPrincipalSabre Airline SolutionsSabre Airline SolutionsSouthlake, Texas USASouthlake, Texas USA

Confidential 2

Common Threats Across All Industries

Some threats on airline computer systems not unique to the travel and transport industry

• Hacking, hijacking of data• Threats including service disruption

Th ft f l i f ti• Theft of personal information

Confidential 3

Common Responses

Preventative – avoid the threat before it becomes a threatActive – continuous and realtime detection of threat or fraudPost-mortem – investigate, communicate and refine

Confidential 4

What Does Make Airlines Unique / Cybersecurity?

• The nature of legacy airline systems• Sabre reservations system introduced: 1962y

• 50 years is a long time in IT

Confidential 5

What Does Make Airlines Unique / Cybersecurity?

• The complexity of the global network required to serve airlines (and inter-airline), travel agencies, and passengers themselves

• The threat to human safety inherent in travel and transport and the spectacular nature of mishapsspectacular nature of mishaps

• The unique relationship required between government agencies and travel and transport providers• Airlines carry passengers across country and state borders and therefore

have special responsibilities not tied to other industries

• The amount of personal passenger data required to be collected by travel providers – and the “chain of care” for that data

Confidential 6

travel providers and the chain of care for that data

What Does Make Airlines Unique / Cybersecurity?

• Sheer volume of passengers• …and transactions

• Larger, faster aircraft

2011: 2 3 billion passenger air trips (est )*2011: 2.3 billion passenger air trips (est.)

2020:“forecasts indicate that passenger traffic will grow at the rate of 4.1% per annum equating to 7 4 billion passenger air trips byequating to 7.4 billion passenger air trips by 2020”**

Source: *Collaborative Forum of Air Transport Stakeholders ** Airports Council International

Confidential 7

© planefinder.net

Confidential 8

Passenger Data – a Wealth of Private Information

Confidential 9

Passenger Data – a Wealth of Private Information

Typical international travel records contain• Names of all travelers and “Biodata”: age, nationality

• Including travel partners – with whom are you traveling?

• Personal data: home and overseas addresses, credit card data, emergency contact detailsg y

• Passenger journey details (air, rail, cruise, hotel, car)• ATC - authorization to carry (government permission such as visa)• Seating data (where will you sit when you travel and with whom are

you seated)• Baggage data (how many pieces, weigh of each, owner of each)Baggage data (how many pieces, weigh of each, owner of each)• Special requests of the airlines (meals, wheelchairs, special needs)

Literally hundreds of data items collected, transmitted, reviewed, stored

Confidential 10

Passenger Data – a Wealth of Private Information

Future - travel records may also contain - ?• IP address(es) of your interactions with agencies,

i liairlines• Biometric passenger data points for airport or aircraft door

verification (face, iris, fingerprint)• Images

(face, bags)

Confidential 11

Chain of Care – Passenger Data

Can be quite complex• Passenger to travel agency (online or in person)g g y ( p )• Agency to airline or airline booking system

• Booking system to payment system or gateway

• Airline booking system to airport check-in system• Check-in system to onboard staff and other local service providers• Airline to government• Airline to government

Confidential 12

Baseline Definitions

GDS – Global Distribution Systems (bookings – travel agencies)CRS – Central Reservations Systems (bookings – airlines)y ( g )FFP – Frequent Flyer Systems (passenger data – airlines)DCS – Departure Control Systems (airport check-in – airlines)

IndustryIATA International Air Transport Association• IATA – International Air Transport Association

• Governments – local, national and regional travel governance authorities

• Customs, immigration, police, cybersecurity, quarantine/biosecurity

Confidential 13

Risk Assessment Across The Travel Journey

The Customer Travel Process

Customer

Initiation Reservation Embarkation Conclusion

Airport Check-in Physical Border Arrival

Reservations System CRS/GDS

Frequent flyer System

Touch Points

Web Site, Call Center, In-person

Departure Control System DCS

Airline CRM Database

Border Crossing Database

Departure Control System DCS

Data Sources

Other Domestic and International Authority Data Sources

Journey

Confidential 14

Threat Assessment And The Passenger Travel Process

Ch k i /P b d P t b d/ P t i l

Threat Assessment From Reservation to Post arrival

Check -in/Pre -board Analysis

PNR, Check -in Record Border Crossing Record

Border Control

Post -board/Pre -arrival AnalysisReservation Analysis Post -arrival

Analysis

PNR, Profile, FFP, CRM Data

Reservations System CRS (“Res”)

Border Control

Reservations System CRS ( Res )

Frequent Flyer System

Working Air Crew Database

Departure Control System (DCS)

Border Crossing Database

Departure Control System (DCS)

Other Domestic and International Authority Data Sources

QikQik AnalysisQikThreat Analysis

Reservation Booked Check -in Boarding ArrivalIn Air Post Arrival

+3 days-1 yr.

Qik Analysis Qik Threat Analysis Threat Analysis Threat Analysis

Confidential 15

Qik yQik eat a ys s y y y

Physical Document Threats

Physical documents are still very much a part of airline culture• Airline-issued such as boarding passes and baggage tagsg p gg g g• Government issued – including passports, visas• Right-to-travel for example unaccompanied child, doctor permission

Authenticity of these documents –critical because fraudulent documentscritical because fraudulent documents can pose national security threats, flag immigration fraud, aid in human trafficking and more

Airlines often responsible for validating such documents

Confidential 16

such documents

Physical Document Threats – A Progression

Confidential 17

Physical Document Threats – A Progression

Confidential 18

The Way Forward - Electronic Documents?

• Becoming more popular with passengers• …but carry their own level of threaty

• Mobile boarding passes

• NFC / touch / tap check-in

• RFID permanent bagtag

• Bluetooth-aware systems

Confidential 19

The Way Forward - Electronic Passenger Processing

Airlines and passengers embracingelectronic passenger processing

SITA – Airline IT Trends Survey 2012

www sita aero

Confidential 20

www.sita.aero

Fraud

Confidential 21

Cards: Airlines Accept Billions in Payments

PCI compliance: critical• Challenges via telephone: airline call centersg p• Via websites: booking, electronic ticketing• In person: travel agencies, airport and city ticket offices• Using physical devices: airport kiosks• Onboard aircraft: duty free, purchases services (food/upgrade)

Each point of purchase carries its own threatEach point of purchase carries its own threat• Fraud against the airline• Credit card abuse against the passengerg p g

Confidential 22

In-flight – Unique Cybersecurity Considerations

As on-ground technology advances, so does in-air technology

Avionics, better and smarter

“Fly-by-wire” and “glass cockpit”

Passenger centric onboard systemsPassenger-centric onboard systems• IFE, wired and wireless• In-flight wifi, ground-based and satelliteg , g• In-flight mobile: SMS, voice and data

Confidential 23

In-flight Wi-Fi and Mobile

Confidential 24

In-flight and digital / electronic flight bag

Passenger in-flightg gtechnology must notinterfere with in-flightsystems

Confidential 25

In Conclusion – Thank You !Thank You !

Airlines, travel and transport companies face several unique challenges in regard to data security

Mix of legacy and new technologies must all adhere to IT security policies and practicespolicies and practices

Inter-operability among competing companies and government agencies is critical and complex

Travel volume and passenger demand for faster better processing leadTravel volume and passenger demand for faster, better processing lead us into a digital future

Confidential 26

Brief

paul.feheley@sabre.compaul.feheley@sabre.com

Confidential 27

Sabre Holdings

Sabre Airline Solutions, the Sabre Airline Solutions logo, Sabre Holdings, Qik, Qik Analysis, and Sabre, are trademarks and / or service marks of an affiliate of Sabre Holdings Corp. All other trademarks, service marks and trade names are the property of their respective owners.

© 2012 Sabre Inc. All rights reserved.

Confidential 28