Aviation Cybersecurity Under Scrutiny Following Seattle Airport Cyberattack
The U.S. federal government needs to harmonize and streamline cybersecurity requirements that place an “unnecessary burden on industry” and undermine the effort to deter bad actors, Airlines for America Cybersecurity Managing Director Marty Reynolds told Congress.
During a recent U.S. Senate hearing on aviation cybersecurity called in the aftermath of the August hacker attack on Seattle-Tacoma International Airport (SEA), Reynolds noted airlines are required to file “multiple reports to different federal agencies” detailing cybersecurity incidents, reducing “the effectiveness of voluntary and mandatory reporting frameworks and [increasing] the likelihood of noncompliance.”
The Aug. 24 ransomware attack on SEA, which has refused to pay any ransom, caused disruptions for days as email, baggage systems and terminal message boards went down and data was stolen. The attack is being investigated by the U.S. Federal Bureau of Investigation (FBI).
The “federal government probably did not intend to create an environment where 45 cybersecurity incident reporting frameworks with divergent requirements are in effect," Reynolds said. "[But for] sectors like transportation, with numerous regulators and relationships across sectors, this complex patchwork of disharmonized cybersecurity incident reporting requirements is especially burdensome."
He added airlines need "cybersecurity regulations and oversight" to be "consistent and harmonized across the federal government.”
Wrong Click
SEA Aviation Managing Director Lance Lyttle told lawmakers that the airport had built a strong, frequently tested and audited cybersecurity program. "But there is no impenetrable cyber defense, not only because cybercriminals are always evolving their tactics, but also because an organization’s protections are only as strong as the individuals who work within the system,” he said. “Anyone who clicks on the wrong link, opens the wrong email or connects to the wrong Wi-Fi is a risk—no matter how many annual trainings they are required to attend or multi-factor authentications they are required to enter.”
Lyttle said SEA scrambled to find alternate means of communication as sending emails became impossible and terminal message boards remained dark for more than a week. “We held daily teleconference calls, relied heavily on text message, used temporary signage and did a lot of in-person communication,” he explained. “None of this is revolutionary, but when we have all become so reliant on technology, it can be hard to readjust.”
More than 7,000 checked bags had to be manually transported to aircraft as baggage handling systems went down, he said. Flight delays and cancellations were limited because airline systems were not affected and SEA improvised, including stationing workers throughout the airport to help guide passengers. Some airlines used paper boarding passes when airport systems at common-use desks became inoperative.
“Our focus in the wake of this incident includes steps such as strengthening our identity management and authentication protocols, as well as enhancing our monitoring of our systems and network,” Lyttle said.