Secure Your City: Airports

by Sarah Harvey / June 13th, 2019

Why is cybersecurity for airports important? According to the FAA, more than 2.6 million passengers fly in and out of US airports on a daily basis. That’s 2.6 million people who rely on – and expect – airports, airlines, and aircrafts to deliver secure services. As the cybersecurity threat landscape continues to evolve, it’s more important than ever that the airline industry understands and effectively mitigates the risks they’re faced with. After all, whether it’s an airport, an airline, or an aircraft, there are cyber risks in every facet of the airline industry.

Cybersecurity Threats Before You Get to the Airport

You don’t have to physically be inside of an airport to experience a breach. In 2018, British Airways announced that 380,000 transactions were compromised during a breach of the airline’s website and app. Fortunately, no travel or passport details were compromised, but payment information was obtained and linked back to Magecart, a threat group that has compromised over 800 e-commerce sites worldwide.

Air Canada experienced a similar breach of its mobile app, which resulted in compromised personal information, including passport numbers, of approximately 20,000 users.

When you consider all the components that make the airline industry successful and innovative, you realize just how important cybersecurity for airports must be because of how many attack surfaces are available to hackers. How could thorough, continuous penetration testing have changed or prevented these breaches? How could a tried and true detection and monitoring system have alerted airlines earlier?

Cybersecurity Threats Inside of Airports

Physical security is of the upmost importance to airports, but cybersecurity for airports goes hand-in-hand with physical security. Why? Cybersecurity attack vectors can be inside of airports themselves.

The US Customs and Border Protection (CPB) program called Biometric Exit, has caught privacy professionals’ and consumers’ attention. Biometric Exit is a facial recognition system currently being rolled out at departure gates in 17 airports across the US. By 2021, the CPB hopes that 97% of airports will be able to utilize this technology. The idea is to increase efficiency by replacing manual identity verification – no more interaction initially needed between a passenger and an airline employee. But biometric technology brings up so many privacy and cybersecurity issues: what other ways could airports use facial recognition technology? Who is collecting this data, and where is the cross-reference data coming from? Are they using the data in any way other than identity verification? How long is biometric data being stored? Is the public allowed to have an opinion on when, where, and how this technology is implemented? How will this program impact cybersecurity for airports?

The flight information displays at Cleveland Hopkins International Airport recently went blank, with all other systems functioning. Email temporarily went down, but no other operations were impacted. This incident is still under investigation by the FBI, plus city and airport officials. The immediate assumption is that this was some type of cyber hack, but no conclusions has been found yet.

In-Flight Cybersecurity Concerns

There is an obvious and major concern for protecting aircrafts themselves from cybersecurity attacks, but how else could an aircraft be compromised? Along with new technology in airports comes new technology in aircrafts. Cameras have been fitted to airplane seats, specifically when there is in-flight entertainment technology, and two senators have raised privacy concerns. They’ve asked 16 international airlines the following questions:

Does your airline currently use, or has ever used, cameras, microphones, or sensors to monitor passengers?
What purpose do the cameras, microphones, or sensors serve and in what circumstances may they be activated?
If you have or currently do utilize cameras, microphones, or sensors to monitor passengers, provide details on how passengers are informed of this practice.
Provide comprehensive data on the number of cameras, microphones, and sensors used by your fleet, and the type of information that is collected or recorded, how it is stored, and who within your airline is responsible for the review and safekeeping of this information.
Confirm what security measures you have in place to prevent data breaches of this information, or hacking of the cameras, microphones, and sensors themselves.
Are the cameras used in any biometric identity capacity, and if so, under what authority?

The senators have proposed bipartisan legislation, the Passenger Privacy Protection Act of 2019, in hopes of prohibiting airlines from having cameras in in-flight entertainment systems. If not properly secured, could this technology be the next attack vector for malware?

The Need for Effective Cybersecurity Strategies

Effective cybersecurity strategies for airports, airlines, and aircrafts keep passengers, their data, and their privacy safe. We haven’t seen a major cyber attack on an airport yet and we hope that cities across the globe take the responsibility of cybersecurity for airports seriously. If you’re interested in learning more about effective cybersecurity strategies, contact us today.