Cybersecurity training for the commercial and private aviation industry



Overview

For decades, the terms “airline security” and “aviation security” usually referred to the unlawful seizure of aircraft, the destruction of aircraft, hostage-taking, forcible intrusion, weapons or hazardous devices intended for criminal purposes, or the use of an aircraft for criminal purposes or terrorism.

Cybersecurity is the new challenge for the aviation industry.

Customers and employees of commercial and private aviation expect the same level of protection to extend to the digital assets that reside on aviation systems. Airlines are obliged to meet this expectation, especially after the new privacy regulations, including the General Data Protection Regulation (GDPR).

The commercial and private aviation industry must comply with cyber security and privacy laws and regulations, and must follow the international standards and best practices that protect its customers and employees.

A new cybersecurity culture is necessary. It refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms, values and expectations of managers and employees regarding cybersecurity. Managers and employees must be involved in the prevention and detection of, and the response to, deliberate malicious acts that target systems, persons and data.

During the past decades, airlines have invested substantially in information technology solutions that improve operational efficiency, safety and customer satisfaction. The more complex and interconnected these systems become, the more awareness and training is required for all managers and employees who use them.

Cybersecurity awareness for all managers and employees in commercial and private aviation is necessary, in order to make information security considerations an integral part of every job.

We tailor the program to meet specific requirements. You may contact us to discuss your needs.


Target Audience

The program is beneficial to managers and employees working in the commercial and private aviation industry. This includes pilots (captains, copilots or first officers, flight engineers or second officers), flight attendants, administrative personnel, ground and station managers and employees, reservation sales agents and ticket agents. It has been designed for all employees who provide services and have authorized access to systems and data.


Modules of the tailor-made training

Introduction.

- Important developments in the commercial and private aviation industry after the new privacy regulations, including the General Data Protection Regulation (GDPR).

- Understanding the challenges.

- An overview of some of the attacks listed below, selected to suit the objectives of the training. At the end of the presentation we cover one or more of these attacks in depth.

- 2018, a cyber attack against Cathay Pacific, 9.4 million breached records.

- May 2020, a cyber attack against EasyJet, 9 million breached records. The hackers gained access to the email addresses and travel information of about 9 million customers. Following the attack, around 10,000 customers joined a class-action lawsuit against EasyJet; the claim was filed in May 2020 at the High Court in London.

- 2018, a cyber attack against British Airways, in which the personal data of 429,612 customers and staff was stolen. This included the names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

- June 2015, a cyber attack against the Polish airline LOT disrupted the airline's ground computer systems, leaving it unable to issue flight plans and forcing it to cancel or delay flights.

- May 2020, cyber espionage targeted air transportation and government actors in Kuwait and Saudi Arabia.

- September 2019, Airbus revealed that hackers engaged in a series of supply chain attacks targeting four of the company’s subcontractors.

- 2017, an employee of Heathrow Airport lost a USB stick containing confidential files relating to the identities of passengers, the routes taken by members of the British government, and information about the airport's surveillance cameras and runways. The USB stick was neither password-protected nor encrypted.


Who is the “attacker”?

- Countries, competitors, criminal organizations, small groups, individuals, employees, insiders, service providers.

- Hacktivists and the aviation industry.

- Professional criminals and information warriors.

- Cyber attacks against passengers, baggage, cargo, catering, systems, staff, and all persons having authorized access to systems and data.


How do the adversaries plan and execute the attack?

- Step 1 – Collecting information about persons and systems.

- Step 2 – Identifying possible targets and victims.

- Step 3 – Evaluation, recruitment and testing.

- Step 4 – Privilege escalation.

- Step 5 – Identifying important clients and VIPs.

- Step 6 – Critical infrastructure.


Employees and their weaknesses and vulnerabilities.

- Employee collusion with external parties.

- Blackmailing employees: The art and the science.

- Romance fraudsters and webcam blackmail: What is the risk for the aviation industry?


What do we need? How can it be exploited?

- a. Speed and convenience.

It is difficult to balance speed, convenience and security.

- b. Effective and efficient access to the web site, computers and systems.

Examples of challenges and risks.

- c. Great customer service.

Example - how it can be exploited.

- d. A nice facility and great housekeeping.

Example - “The cleaning staff’s hack”.

- e. Food, drinks and entertainment.

Point-of-sale (POS) fraud and challenges.

Credit card cloning.

- f. Internet access.

Honeypots, rogue access points, man-in-the-middle attacks.

- g. Security.

Unauthorized access is a major problem, and social engineering is a great tool for attackers.

- h. Privacy.

The aviation industry is considered one of the most vulnerable to data threats.

- i. Money (if they can sue the service provider for negligence).

What must be protected?

- Best practices for all employees that provide services and have authorized access to systems and data.

- What to do, what to avoid.

- From client satisfaction vs. cyber security, to client satisfaction as a result of cyber security.


Malware.

- Trojan Horses and free programs, games and utilities.

- Ransomware.


Social Engineering.

- Reverse Social Engineering.

- Common social engineering techniques

- 1. Pretexting.

- 2. Baiting.

- 3. Something for something (quid pro quo).

- 4. Tailgating.


Phishing attacks.

- Spear-phishing.

- Clone phishing.

- Whaling – phishing for executives.

- Smishing and Vishing Attacks.


Cyber Hygiene.

The online analogue of personal hygiene.

- Preparing and maintaining records.

- Entering data into, and retrieving data from, computer systems and devices.

- Researching and compiling reports from outside sources.

- Maintaining and updating files.

- Responding to emails and questions by telephone and in person.

- Ensuring that sensitive files, reports, and other data are properly tracked.

- Dealing with personnel throughout the company as well as external parties, customers, suppliers, service providers.


Case studies.

We will discuss the mistakes and the consequences in one or more of the following case studies:

2018, the cyber attack against Cathay Pacific.

May 2020, the cyber attack against EasyJet.

2018, the cyber attack against British Airways.

June 2015, the cyber attack against Polish airline LOT.

May 2020, cyber espionage targeted air transportation and government actors in Kuwait and Saudi Arabia.

September 2019, the supply chain attacks against Airbus subcontractors.

2017, the leak at Heathrow Airport.

- What has happened?

- Why has it happened?

- What were the consequences?

- How could it be avoided?

Closing remarks and questions.


For more information, you may contact us.


Terms and conditions

You may visit: https://www.cyber-risk-gmbh.com/Terms.html

Cyber Risk GmbH, Cyber Risk Awareness and Training