Decoded: Why aviation industry is a tempting target for cyberattacks

Low-cost airline SpiceJet suffered a ransomware attack on Wednesday. This disrupted flight schedules, leaving passengers stranded in many airports. While SpiceJet has said none of its crew and employee credentials were compromised, the incident has raised questions about aviation security in the event of a cyberattack.

What is ransomware (R-ware)?

Ransomware is malicious software, which encrypts networks and locks out the owner/users. The bad actor then demands payment to decrypt the system and allow users to regain access to their own systems. This is typically accompanied by threats to delete the data, or “brick” the system altogether.

R-ware targets all sorts of commercial networks. Successful attacks have targeted oil companies and power utilities. Government networks with public-facing systems, which need to allow anybody to connect, are especially vulnerable. Favourite targets include municipal websites, and other government systems. Travel-related websites are vulnerable for similar reasons.

At least 280 R-ware attacks were reported in April (according to the Malwarebytes database), with five of these in India.  

How vulnerable is the aviation industry?

The civil aviation industry uses many different systems, with different levels of access and vulnerabilities. Potential vulnerabilities include IP networks of flights, Air Traffic Controls (ATCs) and traffic management systems, Fly-By-Wire control systems on planes, other in-flight interfaces, fleet and route planning systems, passenger reservation systems, frequent flyer programmes and travel portals.

Ticket portals allow anybody to check flight status, book flights, pay for tickets, etc., and also connect to other travel-related systems. There is sensitive data here, including credit card and bank details, contact numbers, addresses, and so on. Airlines also use internal systems to manage duty rosters, track planes, and such. If this system gets hacked, there would be operational chaos.

Planes themselves have onboard in-flight and cockpit systems to track and manage loading status, fuel, navigational systems, and to control the plane, monitor engine functions, operate wheels, cargo hatches, maintain communications, etc. Civil flights are also on the internet.

In addition, the ATC connects to planes in flight and gives orders about flight path, landing and take-off schedules, among other things. Airports also have systems to track parked planes.

If a plane’s in-flight system gets hacked, there would be serious physical risk. And if the ATC is hacked, there could be a nightmare, with multiple flights at risk of collision and other dangers. There has, however, been no reported incident anywhere in the world of a cyberattack this drastic.

How often do airlines get hacked?

Aviation is a juicy target. It’s a 24x7 industry, which cannot afford delays or loss of customer credibility. It has oodles of data, and there’s the terrifying prospect of deliberate malfunctions that put lives at risk.

Swissport, which handles cargo and ground services in 285 airports across 45 nations, suffered R-ware-related disruptions in February in the most recent known ransomware incident prior to SpiceJet. About 20 discount airlines suffered hack-related disruptions in 2021 (not all R-ware). The air travel IT specialist, Geneva-based SITA, which operates passenger processing and management systems for multiple airlines, was hit in 2021, leading to passenger data being stolen.

In 2021 a Hong Kong-based airline lost 9.4 million passenger records and a UK-based airline lost 9 million customer records to hackers. Credit card information and frequent flyer data of about 4.5 million customers of Air India were lifted in 2021.

How can airlines buttress cybersecurity?

Airlines and aviation systems need to secure customer data, and also data transmission to ground controls. They also need to secure onboard systems and sensors. Airports, ATCs, satellite and navigation service providers, all need to cooperate in this task.

Various organisations such as the International Civil Aviation Organisation, European Union Aviation Safety Agency, Airport Council International and International Air Transport Association have tried to set standards for cybersecurity. This means securing aviation data stored on cloud, and firewalling off systems with multi-factor authorisation required to access the highly sensitive networks