Protecting airports from cyberincidents

Protecting airport information systems from cyberincidents is no trivial task. Even a relatively minor glitch can lead to chaos, flight delays, and lawsuits from disgruntled passengers. As a good illustration of the phenomenon, the 2016 Delta Airlines computer system crash caused trouble for hundreds of thousands of people around the world. Facing massive expenses and operational dysfunction, airport administration scrambles to prevent chaos following an attack. It’s no wonder that airports represent such attractive targets for ransomware attacks.

Another reason airports draw criminal attention is passenger information: Airport systems usually hold not only travel document data, but also payment information. And that’s an issue not only for customers, but for the airport itself; modern data protection laws give no quarter to organizations that are lax on data protection. For example, Heathrow Airport was fined £120,000 for the loss of a flash drive containing operating information, including the details of several security service employees.

Famous airport cyberincidents

You don’t have to look far to find examples of destructive cyberincidents affecting air transportation.

• In the summer of 2017, during the ExPetr (aka NotPetya/PetrWrap) global pandemic, the website and online departure board at Kiev’s Boryspil International Airport were taken down, causing a number of flights to be postponed;
• Another ransomware attack targeted Hartsfield-Jackson Atlanta International Airport. In March 2018, it was forced to disable parts of its website and advise passengers to check information directly with their airlines. The airport also had to turn off its Wi-Fi network to confine the infection, further inconveniencing passengers;
• During Christmas 2019, Albany International Airport experienced a ransomware attack. This time, the attack did not affect operations at the airport itself, nor, it seems, did any passenger data suffer — the cybercriminals encrypted internal documentation only (including backups). All the same, the administration agreed to the attackers’ demands and paid the ransom;
• In April 2020, unknown persons compromised two San Francisco International Airport websites and injected them with malicious code for stealing user credentials. The attackers’ goals were unclear (as was their degree of success), but airport employees were required to reset their mail and network passwords.

How to protect airports from cyberattacks

A modern airport is a gigantic structure brimming with information systems. More often than not, critical systems are isolated from office and public networks, but attackers do not need to attack critical infrastructure to wreak havoc. The functioning of airlines, as well as numerous marketplaces and services, depends on the normal operation of simpler IT systems.

To protect all of that infrastructure, airport cybersecurity teams need real-time intelligence on the latest cyberthreats. To that end, Germany’s Munich Airport, which takes cybersecurity very seriously, contacted us recently.

The airport authorities subscribed to Kaspersky Advanced Persistent Threat Intelligence Reporting service, which gives access to our investigative data and provides information about the methods, tactics, and tools modern cybercriminals employ, as well as indicators of compromise. In addition, the Munich team acquired access to our Threat Lookup service to get detailed data on detected threats, as well as to Kaspersky Threat Data Feeds, which can be connected to automated protection systems.

Read more here about how we’re helping Munich Airport fight cyberthreats.