Industry-wide approach required in changing cyber-security environment
The head of technology at the nation’s biggest airport has called for an industry-wide conversation on the threats posed by cyber-attacks.
Sydney Airport general manager technology Stuart Rattray made the call during a presentation at this year’s Australian Airports Association annual conference that outlined the increasing sophistication and rapidly changing nature of cyber security threats.
“We all stand together in cybersecurity so ourselves, governments, airports, airlines, Airservices Australia, our supply chain – we’re all so connected now through processes, people, customers but also through IT,’’ he said.
“If one of us is under attack, we can think of ourselves as all being under attack.
“So this is a call out to airports of Australia to think about ourselves as a community, as a bunch of connected businesses.”
Mr Rattray warned about the snowballing risk to airports of data loss or operational disruption from increasingly sophisticated hackers.
He counselled against relying solely on IT teams to take care of cyber security, noting there was a generally accepted rule that 80 per cent of cyber risk was about people while only 20 per cent was about the technology
“So as leaders of airport businesses, we all have that responsibility and accountability,’’ he said, “You can’t hand this off to the IT team to fix.”
Although the theft of personal or sensitive government or corporate information often dominates the headlines, there have been a number of cyber attacks against infrastructure.
These include a 2015 case where malware brought down an electricity grid in the Ukraine, and a 2013 case where Istanbul Airport lost its passport control capabilities.
More recently, the WannaCry ransomware attack took out German rail operator Deutsche Bahn and Britain’s National Health Service.
Mr Rattray said cyber attackers either wanted to steal data from an IT system because it was valuable or wanted to get into a system to interrupt a business.
“Information about people, personal data, is highly valuable,’’ he said. “If you have a customer database in your airport — and as we move closer to that customer and to that guest relationship we all will hold customer data — that’s hugely valuable. Names, addresses, dates of birth.
“The other type of information they’ll try to steal from you is information about your business. So the IP that makes your business special and better than all the rest, that‘s valuable and people will try to come in and take that from you.”
The technology expert said the loss of confidential information could have financial implications, result in a loss of customer confidence and lead to extortion from ransomware.
But arguably more important was the loss of system integrity and business data in a complex airport environment that relied on accurate information being passed between stakeholders.
He urged airports to look beyond traditional IT and consider vulnerabilities in operational technology in terminals.
“This is about your baggage system and your gates and your security system,’’ he said.
“These systems are all now plugged into each other and plugged into the internet, that’s how we control them.”
The good news, according to Mr Rattray, is that there are established risk remediation and risk assessment strategies.
He said airports also did not have to reinvent risk frameworks because there were several cyber security frameworks available from organisations such as the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST).
“It also gives you the opportunity to measure and benchmark yourself,’’ he said. “So as you’re gaining maturity in cybersecurity you can measure yourself against benchmarks and understand where you are relative to your risk appetite.”
But regardless of how much IT was built around a person with security, firewalls and virus scans, Mr Rattray said it could be bypassed if a human made a mistake.
He said employees with access to technology and information need to know what to do and what not to do.
“Part of any good cyber security approach is the right policies, policies around how to share information internally and externally, policies around asset management,’’ he said, emphasising the importance of ongoing training.
He noted a good way to embed good practices was to make it personal for employees, drawing on the similarities between cyber security in businesses and at home.
“The number one way cyber criminals will get onto your system is through email,’’ he said. “So as an email user you need to understand not to click on the link from someone you don’t know, not to open up that attachment from someone you don’t know.
“That’s equally applicable if you’re at your desk at work or if you’re at your PC at home.”
Another way to improve cybersecurity from a people perspective was to assess it by sending phishing emails to staff to see how many clicked on the link.
He said this was not designed to embarrass or bring attention to people who clicked on the link – but to measure where an organisation’s cyber security maturity stood.
At the very least, he recommended airports start with four protections the Australian Signals Directorate recommends all government departments have in place.
These cover application “whitelisting”, which specifies which applications are allowed to run in an IT environment and prevents unapproved programs from running, as well as restrictions on administrative privileges and patching applications and operating systems.
Patches are released when software manufacturers discover a potential vulnerability in their product that could be exploited by hackers.
“You, as businesses, need to take that patch and plug it in so you’re protected,’’ Mr Rattray said. “You’ve typically got between 24 and 48 hours to do that before a bad guy builds something to attack through that hole.
“So keeping patching up to date is critical. If you do nothing else with cybersecurity, that’s a really important one.”
Mr Rattray said there were a number of tools and systems that detected attacks but it was important to know how to respond and recover.
“Don’t assume you will ever be fully protected with cybersecurity,’’ he said “Work through what to do when you are attacked. That’s about continuity and it’s about incident response plans and communication analysis.”
He also warned that cybersecurity was never done: it was a continual process of assessment, building and testing defenses — and then doing it again.
“This world around us is moving very, very quickly in this space,’’ Mr Rattray said. “We have to continually assess and test and improve.’’
By Steve Creedy
About Steve Creedy
An award-winning journalist, Steve began covering aviation in the United States in the early nineties before returning to Australia later that decade and editing The Australian’s aviation section for 17 years. He is editor of Airline Ratings and has co-authored books on industry initiatives aimed at reducing greenhouse emissions.
Steve has joined the AAA to write interesting and informative editorial on the aviation industry.