Aviation Cybersecurity Under Scrutiny Following Seattle Airport Cyberattack
He added airlines need "cybersecurity regulations and oversight" to be "consistent and harmonized across the federal government.”
The U.S. federal government needs to harmonize and streamline cybersecurity requirements that place an “unnecessary burden on industry” and undermine the effort to deter bad actors, Airlines for America Cybersecurity Managing Director Marty Reynolds told Congress.
During a recent U.S. Senate hearing on aviation cybersecurity called in the aftermath of the August hacker attack on Seattle-Tacoma International Airport (SEA), Reynolds noted airlines are required to file “multiple reports to different federal agencies” detailing cybersecurity incidents, reducing “the effectiveness of voluntary and mandatory reporting frameworks and [increasing] the likelihood of noncompliance.”
The Aug. 24 ransomware attack on SEA, which has refused to pay any ransom, caused disruptions for days as email, baggage systems and terminal message boards went down and data was stolen. The attack is being investigated by the U.S. Federal Bureau of Investigation (FBI).
The “federal government probably did not intend to create an environment where 45 cybersecurity incident reporting frameworks with divergent requirements are in effect," Reynolds said. "[But for] sectors like transportation, with numerous regulators and relationships across sectors, this complex patchwork of disharmonized cybersecurity incident reporting requirements is especially burdensome."
He added airlines need "cybersecurity regulations and oversight" to be "consistent and harmonized across the federal government.”
Sen. Maria Cantwell (D-Wash.), chair of the Senate Commerce, Science and Transportation Committee, said during the hearing the attack on SEA is not an isolated incident and that airlines and airports are vulnerable. “In 2020, a hacker accessed internal systems at San Francisco International Airport,” she said. “In 2020, San Antonio Airport had its website spoofed.”
Cantwell added: “When airport and airline systems are compromised, it also puts passengers’ personal data at risk. For instance, in 2020 hackers stole the credit card information of over 2,000 passengers.”
She noted the FAA reauthorization legislation passed by Congress earlier this year establishes “a process to track and evaluate aviation cyber threats.” It also created the position of a designated cybersecurity lead at the FAA.
Wrong Click
SEA Aviation Managing Director Lance Lyttle told lawmakers that the airport had built a strong, frequently tested and audited cybersecurity program. "But there is no impenetrable cyber defense, not only because cybercriminals are always evolving their tactics, but also because an organization’s protections are only as strong as the individuals who work within the system,” he said. “Anyone who clicks on the wrong link, opens the wrong email or connects to the wrong Wi-Fi is a risk—no matter how many annual trainings they are required to attend or multi-factor authentications they are required to enter.”
Reynolds said it is critical for the U.S. government to share cyber threat information with airlines and airports, as is the aviation sector generally sharing information and best practices.
“However, the existing information sharing processes lack the speed necessary for relevance and do not consistently validate if existing policies and regulatory requirements achieve their desired policy outcomes,” he testified, adding: “Although federal agencies have made strides to improve information sharing such as multi-agency threat bulletins, information sharing among federal agencies and with the aviation sector needs to improve. The information airlines receive from federal agencies is often not timely or consistent.”
Lyttle said SEA scrambled to find alternate means of communication as sending emails became impossible and terminal message boards remained dark for more than a week. “We held daily teleconference calls, relied heavily on text message, used temporary signage and did a lot of in-person communication,” he explained. “None of this is revolutionary, but when we have all become so reliant on technology, it can be hard to readjust.”
More than 7,000 checked bags had to be manually transported to aircraft as baggage handling systems went down, he said. Flight delays and cancellations were limited because airline systems were not affected and SEA improvised, including stationing workers throughout the airport to help guide passengers. Some airlines used paper boarding passes when airport systems at common-use desks became inoperative.
“Our focus in the wake of this incident includes steps such as strengthening our identity management and authentication protocols, as well as enhancing our monitoring of our systems and network,” Lyttle said.
Reynolds, a retired U.S. Air Force brigadier general, said "the best cybersecurity programs are those that are threat- and risk-based, data-informed, outcome-focused and flexible enough to address evolving threats."