Cyber crime second biggest risk to airlines

Information sharing could help draw attention to attacks, says local expert

Cyber crime attacks now run at number two on the list of threats for local airlines, according to findings from one Sydney-based ethical hacking outfit.

Presenting the report to Asia Pacific aviation security conference AVSEC 2011 in Canberra this week, Pure Hacking chief technology officer, Ty Miller, said cyber crime attacks came second only to natural disasters as risks to airlines.

A panel discussion with the aviation industry revealed increasing fears employees could work with cyber criminals to exploit airline information and critical infrastructure.

"We need much greater information sharing, not just within a particular industry but across industries and government so that things like multi-staged attacks where different things are being attacked can be pieced together may actually be prevented," Miller told Computerworld Australia.

Australian disclosure laws currently prevented effective information sharing, Miller said, as they allowed companies to keep hacking attempts or successes secret from the wider industry.

Worms similar to Stuxnet may be created to pose a threat to airlines, according to Miller, though such a worm would have to be targeted at specific equipment used by the industry in order to be successful.

"It needs to be designed to run on custom hardware that is controlling the equipment and the designers of the worm would have had to break into a number of different companies including hardware manufacturers and Iran's nuclear facility," he said. "It's basically industrial espionage to get detailed designs of the facility and access to the firmware running on the equipment."

The concept behind the Stuxnet worm, which affected uranium enrichment facilities and thousands of PCs in Iran last year, was still a cause for concern, as it could be adapted to affect the avionic equipment of an aircraft. Miller said the potential outcome could be catastrophic.

"If someone had the funding, means to penetrate an airline and access to equipment, it could happen," he said. "In the movie Die Hard 2 the terrorists change the instruments to read that it was flying 200 metres higher than it actually was so the plane crashed into the ground while it was trying to land. This is now a reality."

Miller had already found a compromise on an airline network during a scheduled penetration test, allowing him to hack one computer and access critical infrastructure owned by the unnamed company.

"This included capturing credit cards, documents, plans, communications and databases," he said.
