Airport Cyberattacks: Beyond Ransomware

May 21, 2019
Take a thoughtful and proactive stance in addressing cybersecurity issues and other industrial network security vulnerabilities.

A few weeks ago, Cleveland Hopkins Airport was hit with a ransomware attack. The attackers hijacked the airport’s flight display systems so that instead of seeing arrivals and departures, all travelers could see was CHA’s logo. While inconvenient, the attack appeared to be benign and CHA chose not to pay.

According to the FBI, the U.S. government does not encourage the paying of ransoms, but acknowledges that technical issues, timeliness and the cost of restarting systems from backup might sway a company towards payment. Even in cases where the ransom is paid and systems are restored, it's wise to assume the network is still compromised. Re-infections can occur, and if the attackers left a backdoor in the network your problems are far from over. So, it's imperative to run vulnerability scans and risk-assess your networks.

When it comes to cybersecurity, airport CIOs and security managers typically attend only to their Information Technology (IT) networks. As IT networks become more secure, cyberattackers have had to find new ways into target networks. As a result, they’ve become increasingly focused on finding and exploiting vulnerabilities in Operational Technology (OT) networks.

IT networks pertain to digital systems used to create, manage, move and store data. OT networks, on the other hand, control physical systems. At airports, critical systems including baggage control, runway lights and air conditioning are all powered by OT or Industrial Control System (ICS) networks. OT systems generally pre-date IT networks and, unlike IT systems, were designed to be left alone for long periods of time. Despite their criticality, OT systems at airports and elsewhere are rarely subject to the same level of monitoring and oversight as conventional IT systems.

That’s due in great part to the fact that OT systems were long considered to be beyond the reach of cyber attackers. That may have been true for a long time, but in 2015, the Ukrainian power station Prykarpattyaoblenergo fell victim to a cyberattack that shut down power for 225,000 people right before Christmas. That cyberattack was a game changer in that it showed the world that OT systems could be compromised, to great effect. There have been other successful hacks of OT systems since then, including ransomware attacks.

As a result, we’ve seen a huge spike in the number of airport Chief Information Security Officers (CISOs) reaching out to us to explore how they can protect their OT networks. It’s not technically difficult for an attacker to move from an IT system, say a laptop or a web server, to an OT network controller, which is usually a Windows machine. But attacks on OT systems can cause substantial physical damage or paralyze airport operations, which raises the stakes considerably.

So, when it comes to their industrial networks, airport CISOs we talk to are less concerned about whether an attacker will demand a ransom or steal data, and extremely concerned about how vulnerable their systems are to any attack. Their concerns run the gamut from the mundane to straight out of the movies. Here are five we hear often enough that we wanted to share them:

1) Baggage Handling Systems

Because they are the most customer-facing OT system found in airports, baggage handling systems are a common target. They are extremely attractive targets because, oftentimes, an attack can be executed remotely; the attacker wouldn’t even need to board the plane. All that’s required is for a single person to fall for a simple phishing email, and an attacker can introduce OT-specific malware into the airport network: malware designed to find its way to the baggage handling system and execute the attack.

2) Aircraft Tugs

Many modern tugs are wireless, and there’s a huge push to make all next-gen tugs wireless, driverless and OT- and IT-connected. Attackers could potentially hijack a tug’s weight sensors and back a large jet into a gate at the velocity used for a small plane, causing it to crash through the wall of the airport. Creative attackers could hack these systems for purposes other than physical damage, which is likely why airport CISOs across the globe mention this risk vector.

3) De-icing Systems

The liquid chemicals used for de-icing are stored at on-site facilities. If those systems were attacked and the composition of the solution was altered, it could easily cause ice to form on the body of a plane. Tampering with the aerodynamics of a plane by hacking into de-icing systems is one way to cause it to crash without loading explosives onto it, which is likely why, obscure as this risk vector is, de-icing systems are often among the first OT systems airports monitor.

4) Fuel Pumps

An attacker could, for example, hack into a fuel farm, causing the wrong type or mixture of fuel to be pumped into a plane, resulting in anything from engine problems to an explosion.

5) People Movers

People Movers or Automated Guideway Transit (AGT) systems are OT-powered autonomous shuttles that ferry airline passengers between terminals. If a cyberattacker were to compromise their signal or safety systems, they could effectively grind operations to a halt, or in a worst-case scenario, cause a shuttle, or shuttles, to crash.

These are just a sampling of the OT-related attack scenarios that cybersecurity leaders at airports around the world are concerned about, irrespective of whether the attackers want a ransom, are making a political statement or have some other agenda.

The unfortunate reality is that it is far easier to breach an organization's cyberdefenses than it is to defend them. Thankfully, we are seeing airports take a thoughtful and proactive stance in addressing these and other industrial network security vulnerabilities.

Edy Almer leads Cyberbit’s product strategy. Prior to joining Cyberbit, Almer served as VP of Product for Algosec; during this period the company’s sales grew by over four times in 5 years. Before Algosec, Almer served as VP of Marketing and Business Development at Wave Systems, an enterprise security software provider, following its acquisition of Safend, where he led business development, marketing and product management. Prior to Safend, Almer managed encryption and endpoint DLP products within the Endpoint Security Group at Symantec. Almer also was CTO for Partner Future Comm, Orange's corporate VC arm, and served in the IDF intelligence corps. Almer holds a B.Sc. in Electrical Engineering from the Technion and an MBA from Tel Aviv University.