Why Airports Should Act on Cyber Security in 2017

2016 marked a turning point in the field of cyber security, with several disturbing events.

Key trends included ransomware attacks against organizations and individuals, ‘exploits’ against banks based on flaws in Swift and Visa payment networks, and Mirai (meaning “the future” in Japanese) DDOS attacks against critical infrastructure.

These disturbing and unprecedented developments have led respected cyber security researcher, John Naughton, to ask if the internet now fulfils the criteria of a failed state. Further contributing to the pathos of danger and threat, prestigious cryptologist Bruce Schneier has begun to question whether there is some end-game through these myriad threats for a large international actor, with seemingly internet-destroying capacities.

Given the current threat and the potential damage to the aviation industry, policy-makers and operators must make haste in developing effective countermeasures.

Risk in the airport environment is accentuated by the increasing level of networking and the enhanced use of digital tools by airport and airline operators. This blog entry describes current cyberattack paths, and outlines key countermeasures.

Ransomware Attacks

A ransomware attack is where an adversary obtains access to a system and encrypts all the data so the user can no longer read/access it. The adversary then demands a ransom, normally in a 24h timeframe, to be paid in Bitcoin (an anonymous cryptocurrency) in exchange for decrypting the data which they have accessed. Non-compliance with the ransom demand means a loss of the data. (For a proper breakdown, I’d highly recommend this article in WIRED magazine).

The statistics behind ransomware attacks show rich and easy pickings for the potential attacker. According to Barkly, a company specialized in guarding against ransomware, nearly 47% of organizations have been hit by ransomware attacks this last year, with the average ransom of $679 US, and reaching up-to $17000 (in terms of publicized payoffs).

What could this mean for an airport?

The worst-case scenario would comprise a skilled attacker accessing core operational data AND networked back-up facilities. The encryption and subsequent loss of the data would seriously disrupt operations, placing the airport at a standstill while the event is being resolved.  This kind of attack could also lead to significant costs related to ad-hoc restructuring of airport systems to overcome the crisis.

Available mitigation options?

Ransomware mitigation approaches include protecting against backdoor access and regularly backing up data in a secure fashion.

There are two key ways to prevent backdoors in the airport system:

First, system security can be promoted by offering an attractive ‘bug-bounty scheme’ to white-hat hackers, rewarding these individuals for information about system vulnerabilities. Second, engaging in external system audits with cyber security professionals can ensure that airport system vulnerabilities are promptly exposed and potential flaws are resolved. If the airport systems are effectively “hardened”, then they are unlikely to be subject to a ransomware attack.

In order to reduce the damage caused by a Ransomware Attack, airport IT professionals should regularly back-up all data onto an air-gapped system (wherein there is no Internet/Bluetooth access to the servers and no direct networking with the airport system) allowing for faster recovery from a ransomware attack. Furthermore, access to the air-gapped servers should be limited to security cleared staff with very clear access protocols. This precaution is to avoid a ‘Stuxnet’-type attack against non-internet systems through infected external devices (Stuxnet was a US/Israeli malware device targeted against an Iranian nuclear power-plant in 2010, proving the potential fallibility of air-gapped systems).

Payment (or other) Network Attacks

2016 has been bookended by two major ‘bank heists’. The largest, against the Bangladeshi Central Bank, involved the robbers walking away with approximately $81 Million. The second, a ‘distributed’ attack against Tesco Bank, used the Visa online payment system to access 40,000 regular bank accounts and drain them.

There are two elements of concern for airports with regards to payment network attacks; first, and least worrying, airport implementations of card payment networks (and distributed payment systems) could result in attacks against the cards used. Research from Newcastle University in the wake of the Tesco Bank attack indicates that the Visa payment network is particularly susceptible to this type of attack. Second, and truly worrying, is that the ICAN Public-Key Directory strongly resembles the Swift system.  If a hostile actor should ‘game’ this directory in the same fashion, it could put serious operational pressure on border authorities.

What could this mean for an airport?

The worst-case scenario would include attacks against the PKD and commercial payment networks. For an airport, this would pose significant stress on the border control process, likely resulting in unacceptable risk or serious delays as well as a loss in revenue through the almost-certain need to halt payments and ATM withdrawals throughout the airport. Furthermore, should an airport be the source of the PKD breach or payment network infiltration, they expose themselves to additional risk.

Available mitigation options?

The problems with these types of attacks is that the airports themselves can do very little to mitigate against the risks that they pose, as they are structural flaws rather than local vulnerabilities. Airports should follow best practice for both PKD and commercial payment systems. Equally anti-fraud measures for acquisition, such as Two-Factor Authentication, are recommended. Ultimately the best mitigating factor for airports is to actively lobby for the protection and improvement of ICAO PKD directives and to work with Visa and Mastercard to ensure the correct implementation of commercial payment networks.

DDOS (Distributed Denial of Service) Attacks

Distributed Denial of Service Attacks (DDOS) are network attacks aimed at bringing down a target or vulnerable critical point for a period. Traditionally, these are used as a diversion tactic while employing another attack, such as a ransomware attack (see Part 1). However, DDOS attacks can also be used to achieve strategic objectives through the simple disruption of a network, as seen in Russia-affiliated DDOS attacks against Estonia in 2007.

In 2016, DDOS changed when Mirai (meaning “the future” in Japanese) reared its ugly head. Mirai is a DDOS platform built on Malware which affects Linux devices which have not been changed from their factory settings.  The platform logs in and seizes control of the device automatically in order to direct the capacity of the device against the Mirai platform target. Many of you are probably using servers or IoT devices contributing to the Mirai ‘botnet’.

While the power that this structure yields is formidable, what makes it especially dangerous is the fact that the source code is open (you can see it here), meaning that anyone with rudimentary computing knowledge can commandeer this powerful DDOS framework to their own end. Brian Krebs, a leading cyber security researcher and first target of this attack, has labelled the advent of Mirai as the ‘democratization of censorship’. While attacks on journalism are lamentable, what is truly threatening about Mirai is it’s use for strategic aims, such as against Liberia, shutting down the Internet in the entire country, and in cutting off internet access to nearly 1 million German residents.

What could this mean for an airport?

The worst-case scenario of a DDOS attack is that key systems are knocked offline, meaning that the airport becomes essentially ‘blind’. Imagine if screening was being sent for remote analysis and subsequently lost, or if cloud flight management systems are being used and they too become inaccessible.

Available mitigation options?

Thankfully, the worst is highly avoidable, due to effective mitigation factors. Content Delivery Networks (CDNs), such as Cloudfare, provide DDOS absorption capacities, attempting to isolate and absorb the attack by rerouting the traffic to “void” or into their distributed excess server capacity elsewhere, leaving the attacked infrastructure up and running.

However, airports should take into account the fact that a truly high-scale DDOS attack (as we have seen with Mirai) could potentially overrun the network itself and bring the entire thing crashing down. Furthermore, as WIRED points out, we should be wary of ‘not knowing the adversary’.  Given the current mutation of the Mirai botnet, we do not know which version might present itself to airport network security teams should they one day be attacked. The best precautionary measure is to have a highly trained and mission ready ‘crisis cell’ within the airport IT department ready to work in liaison with a coalition of cross-industry professionals to contain and eradicate such a threat if/when it might occur.