A senior official from Tampa International Airport (TPA) told US lawmakers the risk of a cyber attack “without question represents the preeminent and persistent threat” to global aviation.
The comments came during a Sept. 6 joint hearing of the House Homeland Security Committee’s Cyber security and Transportation Security subcommittees, held to examine cyber threats to aviation.
“In today’s modern and technologically advanced airports, there are virtually no areas or functions that do not rely at some level on a digital network,” TPA EVP-IT and general counsel Michael Stephens said. “The operational importance of these systems makes airports immensely appealing targets and potentially vulnerable to malicious cyber threats, such as criminal organizations and state sponsored actors.”
In his testimony, Stephens said US airports have reached a point “where voluntary compliance is no longer adequate,” and asked lawmakers to consider mandating the adoption of “uniform minimum cyber security standards and frameworks.”
He also said the “human factor remains the most highly exploited vector” for breaching cyber defenses, and that threat awareness and information security training programs for airport, airline and aviation industry employees are “perhaps one of the most effective and cost-efficient ways of increasing airports’ and airlines’ cyber security readiness.”
Lawmakers also heard from Christopher Porter, chief intelligence strategist at cyber security group FireEye, Inc., who testified that state-backed hackers are “routinely” targeting the US aviation industry through cyber espionage to steal industrial secrets from manufacturers, researchers and operators of military and civilian aircraft.
Porter called cyber espionage the “most common cyber threat facing the aviation industry,” and said that hackers sponsored by China, Russia and more recently Iran have all “targeted the US or its close allies for theft of aviation secrets.” All three countries also routinely target ticketing and traveler data, shipping schedules and even partner industries like railways or hotels as part of their counterintelligence efforts, Porter added.
However, Porter reminded lawmakers that, because cyber espionage is routine, “it should not be viewed as destabilizing.”
“When cyber espionage operators get a foothold on a system, they can often use that access for stealing information or to launch a disabling or destructive attack using the same technology,” Porter said. “But they rarely choose to do so, and in the US, there are significant redundancies in place to ensure safety. A crashed IT system does not mean a crashed plane, and it’s important for the public to keep that in mind.”