Security has long been a serious concern for the airline industry, with a particular increase in the number and degree of restrictions since 9/11. More recently, however, the industry has been forced to reckon with risks that are harder to detect: cyber attacks. In addition to taking place in the invisible space of computer networks, cybersecurity guidelines are constantly changing, and attacks keep evolving. With this in mind, the commercial flight industry is poised to start making significant changes to ensure passenger security.
An Investment Priority
One of the clearest indicators of just how seriously airlines are taking cybersecurity concerns comes from the 2017 Air Transport IT Trends Insights study. Ongoing since 1999, the 2017 study showed 9 out of 10 airlines planned major cybersecurity improvements in the next three years. With a diverse group of airlines represented, including top international companies and small carriers, this response suggests the entire industry is poised to improve cybersecurity standards.
Protected Plane Data
Improving airline system security can take many forms, as a recent attack on British Airways – a credit card skimming hack – demonstrates; while some attacks are focused on flight interference, others are about passenger data or money. As such, protecting airline data will demand an equally diverse approach. Some commercial aviation security systems will prioritize better data distribution processes, along with detection and alerting capabilities, while others focus on the weaknesses in in-flight entertainment. And of course, airlines can’t afford to overlook security weaknesses on their websites and apps that could provide a way in for hackers.
Though the British Airways hack didn’t actually impact any flights, in revising their security standards, airlines should be aware that such website-focused threats might actually be the biggest risk facing airlines at present. In one analysis, researchers found that malicious bots make up 43.9% of all airline site traffic. This is almost twice the average of any other industry, and the majority of bots targeting airline sites are moderate to advanced, meaning that they aren’t easily detected. These bots may come from unauthorized online travel agencies, competitors, and, of course, criminals seeking to steal credit card information, loyalty points, and other information.
As for more substantial threats to flights, rather than simple threats against data, the jury is still out. In 2015, for example, a man named Chris Roberts claimed to have used the in-flight entertainment system to take control of some aircraft systems, though his breach was never confirmed, and officials deny he was successful. In contrast, in 2016, cybersecurity experts with the Department of Homeland Security did execute remote penetration of a Boeing 757. They used radio frequency communications, but because this was a test, the plane was safely parked on the tarmac at the time of takeover.
For now, commercial air travel is the safest way to travel in the United States; no one has died in an incident involving an American airline operating inside the states since 2009 – but that doesn’t mean airlines should continue operating at current standards. When it comes to cybersecurity, change is the only constant, and it’s the only way to keep a system, and the people who use it, safe.