The Cyber Threat to Aviation

In the last year and a half aviation has been heavily impacted by the pandemic and subsequent grounding of the global fleet. Something else happened during this time, there was a sharp increase in the number of cyber incidents.
Threat actors (those responsible for initiating cyber-attacks) took advantage of the pandemic panic to increase their efforts. There were even emails from what seemed to be the Federal Government or Public Health Agency trying to obtain personal information and credentials from citizens through targeted emails about COVID updates and CERB payments.

As of May 31, 2021 the government has reported on its website that $7,400,000 has been lost through over 21,000 scams related to COVID alone.

These attacks and others have been directed at people and businesses across Canada, including aviation. But with recovery only now just starting, aviation is in a particularly vulnerable position. Many aviation operators are not in a place to be able to recover from a bad cyber hit.

Cyber Risk and Attacks in Aviation

As more and more computer equipment is installed on aircraft, the number of digital communications with them also increases as does the concern of onboard cyber security.

For instance, if a virus makes its way into an AMO’s computer systems the safety of their ground operations can also be compromised. If, during a maintenance check, a company device is connected to an aircraft’s onboard systems that aircraft is now also compromised.

John Pawlicki, the CEO of OPM Research and aerospace technology veteran, recently wrote in an article for DOM Magazine, “…now that aircraft are essentially flying networks in the sky, they are targets attackers will not ignore.” If you are looking for more information of the cyber risk specifically to aircraft, I highly recommend looking him up.

In a recent cyber risk training seminar provided by Intact Public Entities, the expert presenter told the story of a personal security and airline computer systems security expert Chris Roberts. In 2015 Roberts was banned from flying on United Airlines after publicly stating that while midflight he had hacked into the airliner’s computers via the on-board Wi-Fi and was attempting to deploy the plane’s oxygen masks.

Related stories about Roberts also state that he had once even taken command of an aircraft and caused it to briefly change course.

Due to the nature of cyber-attacks, which can compromise the reputation of a company, not many businesses are going to reveal they have been the victim of an attack. There are, however, larger enterprises whose incidents are known.
In August 2018 Air Canada’s mobile app users had their personal data (including passport information) compromised. Over 20,000 travelers were affected.
In July 2020 there was an attack on Garmin which encrypted several of their servers and created a service outage to their customers, including those who had Garmin GPS devices installed in their aircraft.

Several US airlines were impacted by a threat actor sponsored by the Chinese government who had been collecting passenger details.
Cyber-attacks are not just a concern for Big Business

It may seem like only large companies such as airlines or international providers are going to be targeted. That is simply, and unfortunately, untrue. Big Businesses have an enormous amount of security in place to prevent most attacks directed at them – they are harder targets while small businesses can be easy pickings.

April Canada, an insurance company providing cyber coverage, found that 85% of data breach incidents were to small business. These businesses do not have the same resources to protect themselves – be it in order to gain access to the funds (or crypto currency like Bitcoin) to pay a ransom, react swiftly in working to notify and reassure their customers, or implement the necessary changes to prevent another attack.
Not to mention the additional risk caused by more and more employees working from home, on unsecured networks or devices, which may cause easier access to malicious entities.

April Canada also estimated that the average cost of a ransomware attack to a small business was $713,000, including loss of income due to business interruption and reputational damage. The largest loss I have seen personally to date is for a $30,000 ransom to unencrypt an AMO’s data and allow them to operate again.

Types of Cyber Attacks and Motivations

There are so many types of attacks that can be made digitally. In the same cyber training session mentioned above the expert presenter also pointed out that if something is online someone out there is going to try to hack it and there is no end to the potential damages. There were even people looking into how to hack thermostats to ransom heat in the winter!

While most data breaches end the same way – a breach of your company or personal information resulting in monetary, reputational, and/or physical damage, some of the most common biggest methods of attack are as follows.

1. Phishing, This can be broken down in many different subcategories, but the result is the same, tricking someone into believe a fraudulent communication and revealing confidential information.

(Example. A fake delivery email from a supplier getting you to log into a spoofed site and giving away your password and access to your account.)

2. Malware, Short for Malicious Software, this is a file or code that gain access to your system and allows a threat actor to access your data and systems. This can lead to “code exploits” which uses a flaw in security to allow an intruder remote access to your network.

(Example. A malware file gets into a network, allowing someone to steal and sell your data.)

3. Social engineering, This can actually be a non-technical strategy used by interacting with an attacker who often succeeds into tricking people into violating a company’s security practices.

(Example. An email directed at you from your “boss” directing you to send a payment to a “new client” who is really the threat actor.)

4. Human error. Unintentional action by a person than allows any of the above breaches to occur.

(Example. Clicking a suspicious email attachment which downloads malware into your network.)

Apart from the financial aspect there are other reasons why someone might want to commit a cyber-attack. Sometimes it is considered ‘Hacktivism’ where the person feels a sense of justice in exposing something they deem corrupt. There has also been a rise in state sponsored hacking by foreign powers where they are targeting large companies to finance their government or gain access to a rival nation’s information.

Of course, there are criminal organizations expanding into cybercrime.
There is an additional risk from dissatisfied employees looking to get back at their bosses, who may provide company passwords or straight access to their company’s data. I once worked with someone who revealed that they had left a program in their former employer’s system to delete their data 5 years after she left their employ.

Cyber Insurance Coverages

Cyber Insurance is still relatively new, which allows for a broad range of wordings and arrangements of coverage. Most policies' coverage can, however, be broken down into 2 main categories.

1. First Party Coverages. These are costs directly related to your business and getting it operational again. They include Business Interruption (gross earnings from when you were unable to operate), reputational damage, extortion expenses and payments, and regulatory and payment card industry fines and penalties.

2. Third Party Coverages. These coverages are for costs you are legally required to pay for damages to anyone else affected by an attack made against you, including multimedia (infringement of offline/online media agreements) and security and privacy breach liability (data breaches).

There are also additional coverages included in most policies for costs related to forensic and mitigation expenses, reporting, notification to customers, credit monitoring, additional defense, digital asset losses and reconstruction and more.
A few of the more specialized insurers include even more additional coverages for Cyber Crimes (which may otherwise be excluded under a standard property policy) for funds transfer fraud, theft of funds, and corporate identity theft.

Cyber policies come in a large variety of limits, ranging from as low as $25,000 to $5,000,000 and higher so they are designed to fit every type of operation.

Additional Benefits of Cyber Insurance

Cyber Insurance is not just about the coverage for when things go wrong. Cyber Insurance is also about risk management to reduce your chances of being the victim of an attack.

Nearly all cyber insurance policies come with access to insurer provided risk management resources or access to services like CyberScout. These services include access to online tools, videos, and training to help your employees know how to recognize suspicious emails and respond to a cyber incident.

Some insurers even provide monitoring of the Dark Web to ensure your data is not compromised and provide alerts of the same.

Cyber insurance is also different from most other types of coverage because of the urgency and specialized nature of claims. In order to react quickly claims are reported directly to the insurance company who staff experts in the cyber field – not insurance, are multilingual, and are available 24/7. They know how to lock down your systems, gain access to crypto currency to pay ransoms, negotiate terms, and even start remediation with your clients if their information was compromised.

As cyber threats become increasingly frequent and severe it is important to remember nothing is 100% safe, and no matter how much we prepare we can still be vulnerable. That is why we have insurance, it will be there before, during and after an attack.

Sandy Odebunmi has been an aviation insurance broker for over 30 years during which time she has specialized in General Aviation and creating affordable solutions for her clients and aviation associations across Canada. She is now the Vice President of Aviation at Sound Insurance Services in Toronto. 416-642-6360