However, three airports passed all the operational tests for cybersecurity without a single major issue. They were Amsterdam Airport Schiphol in the Netherlands, Helsinki Vantaa Airport in Finland, and Dublin Airport in Ireland. In the course of their investigation, ImmuniWeb’s security researchers targeted the airports on the list with OSINT-based discovery and monitored some Dark Web marketplaces and forums. The researchers also undertook what they call “non-intrusive security testing of public cloud storage (AWS S3)”, along with examining public code repositories (like GitHub).
Exposure on the Dark Web is a critical indicator of weaknesses in an airport’s security posture, since criminals, terrorists, and nation state-sponsored threat actors buy and sell login credentials and other security-relevant information on Dark Web marketplaces. That so many major airports were (and still are) exposed on the Dark Web doesn’t come as a surprise to cyber threat intelligence professionals.
They point out the main challenge that many security operations centres, threat hunting teams, and public safety professionals face when gathering open source intelligence: most lack the tools and capabilities to securely access and investigate the Dark Web while maintaining adequate operational security.
Exposure on the Dark Web is far from the only problem plaguing the surveyed airports. The majority of airport websites showed a variety of security vulnerabilities that open them up to attacks from the outside. ImmuniWeb found that 97% of the airport websites contained outdated web software, and 24% of the sites contained known and exploitable vulnerabilities in Content Management Systems (CMS) and web components, such as jQuery. Outdated software usually does not contain patches for vulnerabilities that have previously been identified and can be used by attackers. Web isolation provides a solution that doesn’t require rebuilding such systems from the ground up. It precludes web code from being processed locally on a developer’s or traveller’s browser. Instead, web isolation solutions such as Authentic8’s Silo stream a visual display of the web session from a secure container in the cloud to users, which prevents exposing their computers or smartphones to web-borne risks.
As far as mobile application security goes, the report states that 100% of the mobile apps that are used or offered by the airports contained at least five external software frameworks. All of these mobile apps also contained at least two vulnerabilities each, and the list of perils doesn’t end there: on average, 15 security or privacy issues were detected per app. The bottom line is that unprotected apps become easy targets for attackers. Functional isolation of all web activities outside the organisation’s IT perimeter may be necessary to prevent airport data and operational security breaches.
These IT security problems, which threaten airline passengers and airport operations alike, are exacerbated by negligent and careless data storage setup and maintenance, the survey found. ImmuniWeb’s scan for public clouds revealed the usage of AWS S3 public cloud storage by 12 airports. Three of these airports had data buckets that were publicly accessible and contained a considerable volume of visibly sensitive data. In addition, 33 airports rely on third parties to process or store potentially sensitive data, deploying in total 88 different services.
Another recent study, commissioned by the World Economic Forum (WEF), puts the ImmuniWeb results in perspective. The WEF realised that a failure at any single point in the system, whatever its cause, could feed disinformation to all the other interconnected parts of aviation, which could imperil the transportation mode as a whole. In its report ‘Advancing Cyber Resilience in Aviation: An Industry Analysis’, the WEF says that the aviation industry needs to understand shared risk – your risk is my risk – and develop market incentives to nudge industry players to improve cyber capabilities across the supply chain. According to the WEF study, employee negligence or malfeasance drove 66% of the insurance claims submitted by companies impacted by cyber incidents. External threat actors caused 18% of the incidents, “other” reasons were behind 9% of them, while direct social engineering attacks caused 3%. Network business interruption came in at 2%, along with “cyber extortion” (ransomware), which also accounted for 2%.