The airline supply chain is a complex network of organizations, activities, and resources involved in the production, distribution, and maintenance of goods and services required by the aviation industry. It encompasses various stages, from the manufacturing of aircraft and components to the provisioning of in-flight services.
For the lucky ones who have achieved Air Canada’s top tier membership level, numerous benefits and privileges come with such a status. Lounge access, upgrade credits, and fast track lanes are some of the luxuries that this elite few experience. But what happens when a top tier passenger uses another airline, say South African Airways? Heaven forbid they need to wait in queues like the regular folk…
This is where Star Alliance comes in. As members of the same alliance, South African Airways can recognize Air Canada top tier passengers and, in turn, provide the appropriate services and benefits. SITA’s Passenger Service System (SITA PSS) operates the system for processing airline passenger data. This allows passengers’ frequent flyer status to be recognized across airlines. The communication and IT vendor serves to enhance airlines’ services but, in doing so, must access airlines’ passenger data. As a result, the recent cyberattack on SITA PSS has meant that SITA’s clients, and their clients’ clients, have been impacted.
Cybersecurity Attack on Personal Data
In late February of this year, SITA PSS’ US servers were breached, causing a compromise to passenger data. Many airlines have confirmed that none of their passengers’ financial details or passwords were exposed, although some other personal data was affected. In most cases, the hackers accessed frequent flyer membership numbers, tier status and even members’ names. Singapore Airlines is one of the affected airlines and has reported that over 580,000 of its customers were affected. Many other Star Alliance members have communicated with at-risk passengers. Members of OneWorld, another airline alliance, also rely on SITA PSS and have done the same.
Major airlines such as British Airways, Lufthansa, Cathay Pacific, and more have acknowledged an impact on their frequent flyer programs. Even airlines that do not use SITA PSS directly were affected since their frequent flyer data passes through it, demonstrating the risk of supply chain attacks.
Airline Supply Chain Vulnerabilities
SITA’s services require access to a vast amount of client and passenger data. This makes it an attractive target for attackers. With SITA serving around 90% of global airlines, the risks associated with the airline supply chain increase significantly, as attackers can exploit a single vendor to access numerous airlines’ data.
Cybersecurity risks in the airline supply chain are not limited to aviation. In general, organizations across all industries are increasingly reliant on their supply chains. While this brings many advantages to operational capabilities, the supply chain is also an attack vector for cybercriminals. In fact, around 40% of cyberattacks originate from the supply chain, which stresses just how common this type of attack is.
With third parties often having access to their clients’ confidential information, the supply chain can be exploited by attackers to gain access to sensitive data—as demonstrated in the SITA PSS attack. Additionally, suppliers can be used as an infiltration method, where a malicious actor manipulates a component of the supply chain with the intent for that manipulation to reach the target organization. For example, consider the recent SolarWinds attack.
Moving to Hardware-Based Supply Chain Attacks
Cybercriminals are turning towards hardware attack tools to carry out their malicious activity. The appeal of Rogue Devices comes from their covert characteristics and harmful nature. Specifically, Spoofed Peripherals impersonate legitimate HIDs and are therefore not recognized as malicious. Network Implants, on the other hand, operate on the Physical Layer, which is not covered by existing security software solutions. Additionally, Rogue Devices have various capabilities that facilitate harmful cyberattacks. This makes them valuable assets for bad actors targeting the aviation supply chain.
Hardware-based attacks, however, require the attacker to gain some form of physical access to implant the device within the target organization. Some entities are heavily secured, making it extremely difficult to gain physical access. Suppliers within the airline supply chain are typically easier to infiltrate. And with suppliers often having some level of access to an organization’s data, third parties are an alternative, and valuable, target. Hence, a supplier can find themselves victim to a Rogue Device attack.
Third Party – Entry Point
In some cases, the supply chain serves merely as an entry point for attacks. In a method known as interdiction, a perpetrator intercepts a hardware asset during transit, modifies it in a secure location, and then quickly places it back in transit to the final destination—the target organization. Alternatively, a malicious actor can insert an already-manipulated device into the supply chain, ensuring it eventually reaches the victim. Thus, the complexities of the aviation supply chain enhance the appeal of using third parties as entry points for cyberattacks.
Today, organizations rely on hundreds, if not thousands, of suppliers, and locating the origin of manipulation, should the attack be detected, is almost impossible. Moreover, attackers will not manipulate every hardware asset. Only a select few would have been tampered with. Hence, locating the attack source means dismantling every hardware device, a time-consuming process requiring manual effort. Additionally, these factors significantly reduce the organization’s ability to catch the attacker. Even if the attack is detected and stopped, the perpetrator is unlikely to face any consequences.
Strengthening the Airline Supply Chain
As the airline supply chain remains a vital asset for operational efficiency, it also presents significant cybersecurity risks. Organizations must implement robust strategies to mitigate these risks and protect their data from cybercriminals, ensuring the integrity and safety of the airline supply chain.