Author: Jake Hernandez, Senior Consultant, Cyber, Gallagher
Aviation Cyber Risk

COVID-19 left almost no industry unscathed as it rapidly swept across the world in early 2020. Some, however, felt the impact more immediately and more severely than most, and the aviation industry sits at the top of this list of sectors which will have to make use of new tools, technologies, and approaches to ‘build back better’ once the world begins to reopen.

Now, a year on from the beginning of the pandemic, airlines are preparing for the bounce-back. Vaccines are being rapidly administered among significant passenger populations, and industry digitisation is leading the way for ‘touchless’ travel – a key enabler for airlines to operate in the ‘new normal’. But while airlines have been reorganising and planning for their return to mainstream travel, the cybersecurity landscape has been changing, and not for the better.

Phishing fleets

The ability for large portions of the workforce to work remotely, and to do so full-time, has clearly had considerable benefits for world economies during the pandemic. But now that employees are tucked away in back bedrooms, far removed from the all-seeing eyes of corporate information security teams, this has led to a dramatic increase in successful phishing attacks in all industries. Clearly pilots can’t work from home, so the aviation industry has been little affected by this scourge so far, with the exception of specific functional teams.

Regrettably this is likely to change as we move through 2021, as according to SITA’s 2020 IT insights report, 86% of airlines are planning major programs to increase in-house remote access for their non-flying teams [1]. These initiatives will dramatically increase the targets presented to opportunistic cyber-criminals as thousands of new devices, attached to less cyber-aware employees, go live. Teams that are newly adapting to remote working may be much less security-conscious than their counterparts in other industries who’ve grown accustomed to such attacks and how to respond to them appropriately.

This may sound like small-fry in the grand scheme of the aviation industry’s current economic concerns, but consider that 30% of data breaches in 2020 [2] involved internal actors (such as rogue administrators or naïve users), 22% of data breaches were caused by internal errors (misconfigurations, handing over credentials in phishing attacks) and that 58% of all breaches led to the loss of personal data, and the potential exposures speak for themselves. For example: BA’s settlement with its customers over two data breaches in 2018 may reach £2.4 billion [3], on top of the £20 million it was fined by the UK Information Commissioner’s Office (ICO) – a sum that was only reduced from the original £183 million due to the impact of COVID-19 on the industry.

Big game season

As the world moved in an increasingly digital direction in 2020 due to the pandemic, cyber threats in general also increased throughout the year, with an average 139% increase in ransomware attacks in Q3 of 2020 compared to Q3 of 2019 [4]. Preparing proactively now may save airlines and aviation operators the pain of hardening their systems down the line, when passenger numbers and the pace of operations may have returned to normal.

Most concerning has been the rise in ransomware ‘big game hunting’ attacks where cybercriminals go deep into systems for longer periods, in an attempt to achieve huge payoffs. Rather than harvest individual credentials or computers, ‘big game hunters’ go after entire networks, seeking to exfiltrate data, destroy backups, and deploy more ransomware wherever they can go. Once all this is done, the hackers make their demands public and often threaten to release exfiltrated data or delete anything that remains.

Big game hunting is not necessarily a new concept, and it’s one that has already impacted the aviation industry. In 2018, Cathay Pacific disclosed a data breach that dated back to 2014, in which a threat actor accessed a company server and deployed malware that enabled the perpetrator to linger in the airline’s databases for years. The malware eventually began harvesting personal data in early 2015, such as passport information, email addresses, names and historic travel information – ultimately compromising the data of 9.4 million customers. The company narrowly avoided an eye-watering fine from the ICO simply because the period during which the malware was deployed pre-dated GDPR, but it still faces class action lawsuits which could affect the final financial cost.

With airlines investing heavily in ‘touchless’ travel, the digitisation of on-board systems, and greater integration between landside systems to make passenger boarding more efficient, the attack surface on offer to cyber threat actors in the industry is about to increase almost exponentially. How much would an airline be willing to pay a ransomware attacker to relinquish control of navigation or flight plan systems? The sky may well be the limit when ‘big game hunting’ eventually meets newly digitised aviation technology.

The Internet of (dangerous) Things (IoT)

IoT-based technologies are already being deployed by aviation’s top companies to exceed customer expectations in offering a seamless experience. According to a study by Deloitte, published in 2020, 86% of industry leaders expect tangible benefits from IoT within the next three years. Moreover, the study goes on to suggest that over 37% have already started implementing IoT improvements to their processes, in order to keep rising costs in check. Everything from aircraft manufacture to baggage reclaim is seeing significant investment in IoT technology.

Despite its benefits, however, IoT brings unique dangers to airline operators. To enable ‘touchless travel’, improve customer experience, and generally increase efficiencies, airline systems need to be integrated with the myriad third parties that support air travel. For cyber-attackers, the possibilities are nearly endless. The integrated ecosystem of the IoT means that an attack on one can very easily become an attack on all. Most recently, European airline IT specialist SITA was itself the victim of an attack that it called ‘highly sophisticated’ just last month. Luckily for the company, which provides outsourced passenger service systems to 90% of the world’s airlines, high-risk data such as credit card information appears not to have been compromised; however, the breach has impacted dozens of carriers that are now having to manage the impacts on their customers and review their cyber risk exposure. These kinds of attacks, targeting infrastructure and systems which are common to many airlines, create aggregation risk – another reason why specialist advice from aviation brokers and consultants is critical.

Airlines are no longer single data entities but nodes in a network of networks, and IoT technology will serve to increase a company’s cyber risk exposure far beyond the limit of their firewalls and into the environments of all partners with whom they share data.

Deploying a risk-led approach to prepare for the future

With post-pandemic budgets squeezed, and investment focused on making air travel as seamless as possible, there is little change left on the table for cyber-security. Cyber is now an integral part of an airline’s risk register and, more than ever, it is imperative that airlines understand their cyber risk and assess whether some of this risk can be transferred to the insurance market, making sure that their re-emergence from one crisis does not set the conditions for another.

At Gallagher we recognise that risk is the intersection of threats and an organisation’s assets – without an understanding of both, how can risk be transferred appropriately? Many brokers offer off-the-shelf cyber products, or even add-ons to existing policies, that focus solely on the threat and leave out what it is that makes your company unique. At Gallagher we question whether these policies have been designed to protect the airline, or are simply a measure to tick a box on an airline’s risk register. This could lead to limits far below the expected impacts of incidents such as data breaches, or even mean that you completely lack cover for events that occur within the complex webs of interrelationships with third parties (as demonstrated by the recent SITA case).

We often find that many aviation clients (and many of Gallagher’s larger accounts more broadly) have not closely linked their risk transfer through insurance to the specific nature of the threats they face, the risks likely to materialise to their business, and the investments they’ve already made in protecting themselves. This tends to lead to off-the-shelf cyber policies which don’t necessarily transfer the financial risk as intended, and which are fundamentally at risk of reflecting neither the client’s risk profile nor how they would want such a policy to respond in the event of a major incident. They also tend not to be well integrated with the airline’s broader response to a crisis, which can only be understood when the process is couched in a risk-led consulting approach that leads to a number of potential improvements and outcomes which reduce cyber risk – only one of which is insurance.

Companies need an understanding of where risk transfer is provided, enhanced or self-retained and when bespoke insurance coverage may be best suited. At Gallagher our Cybair insurance products are tailored specifically to each client, and our specialist consultants work with your teams to develop a deep understanding of your business model, current controls, and future business plans. This provides us with a real-time assessment of your current exposure to the threats you may face and enables us to deliver a clear assessment of your risk, maximum potential losses and, most crucially – what you can do about it.

What kind of threat actor poses the greatest risk to your new revenue management system? How are attackers likely to target a newly released passenger mobile app? Have you mapped all of your data flows with third parties? Our consulting teams provide a comprehensive and easy-to-understand report, detailing all areas of exposure – and how these are addressed – to share with senior management. This allows strategic decisions to be made on how to protect your business and maximise shareholder value in the long term, particularly over longer time horizons where the potential size and extent of losses from cyber incidents become increasingly uncertain.

COVID-19 has changed everything, and cyber-security is no different. Those airlines most responsive to change will be those that emerge the strongest, so get in touch to see how Gallagher can support your plans for the future. We also look forward to welcoming you on our Cybair cyber risk webinar for aviation, scheduled for April 22nd 2021, details of which will go out shortly.

1. https://www.sita.aero/globalassets/docs/surveys--reports/2020-air-transport-it-insights.pdf
2. https://enterprise.verizon.com/resources/reports/dbir/
3. https://digit.fyi/british-airways-data-breach-settlement-could-cost-2-4bn/#:~:text=British%20Airways%20(BA)%20aims%20to,%C2%A32.4%20billion%20to%20victims
4. https://www.business-standard.com/article/technology/ransomware-attacks-surge-40-to-199-7-million-globally-in-q3-report-120110200919_1.html