Cyber attacks are on the rise, with potential repercussions for aviation safety.
Both the frequency and severity of cyber attacks are increasing in New Zealand.
Recent high profile attacks include, in 2019, a $30 million hack on Cryptopia, a cryptocurrency exchange based in Christchurch, a 2020 attack on NZX, the country’s stock exchange, a ‘ransomware’ attack on the Waikato District Health Board, and a data breach at the Reserve Bank, both in 2021.
Across the Tasman last year, 10 million Australians had their private medical records published on the ‘dark web’ – a part of the internet requiring a special browser to access – after the government refused to pay $US10 million to the attackers, believed to be based in Russia.
Meanwhile, the GCSB – New Zealand’s lead agency for cyber security and resilience – says it’s prevented 200,000 cyber attacks on New Zealand since November 2021.
In its summary of activities and incidents for 20221, Cert NZ – the government agency monitoring and reporting on cyber attacks – noted a 25 percent increase in financial loss since 2021, to $20 million, from 8000 reported incidents.
Its research indicates attacks will become more common, harmful, and advanced. It also found the government doesn’t have the ability to keep New Zealanders safe from these attacks.
But does it affect me?
It's already happened in New Zealand aviation. A serious attack was recently launched against a New Zealand aviation organisation, which disrupted its business for several weeks.
It’s not just customer and financial data that’s at risk. Jonathan Mayne, who leads the CAA’s airworthiness certification team, says if maintenance records of aircraft get hacked, engineers will have no way of knowing the airworthiness status of those aircraft.
“More and more maintenance providers and maintenance control systems are online, so this is a valid time to take cyber protection seriously.
“Aircraft maintenance records might be on a basic spreadsheet held in cloud storage. A cyber attack may block your access to those records, so you have no idea when a component needs replacing, or when an engine is due for overhaul. It’s clear the impact this would have on aviation safety.”
Penny Stevenson, CAA Chief Advisor of Safety Management, agrees.
“A cyber security incident could absolutely present a threat to the safety of aircraft, aviation safety-related equipment, products, and services.”
Penny says this is especially the case for larger organisations or those relying heavily on technology in their operation.
“Such an organisation may develop and use a security programme. In some cases they’ll be required to, by the rules under which they’re certificated.
“This programme is to minimise the risk of interference with their systems, where it may endanger the safety of operations.
“Any such programme would be expected to integrate with their safety management system.”
You’re never too small to hack
Senior Threat Analyst with Cert NZ, Sam Leggett, agrees that organisations should make the risk from cyber attacks part of their standard risk process.
“That’s because cyber attackers are opportunistic in nature.
“In many cases, they do go after low-hanging fruit. While you might think your business isn’t a target, the reality is quite different.”
You don’t, for instance, have to be a big or rich organisation to be attacked.
The US-based Avionics News2 made cyber security the cover story of its November 2022 issue saying, “Cyber criminals are actively going to start targeting aircraft digital networks.
“Aircraft industries are particularly vulnerable to financially motivated attacks as they contain sensitive personal and corporate data.”
It went on to report that potential attacks can come from novice attackers – who can nevertheless cause a complete stop to operations – all the way through to large-scale criminal hackers, and state-sponsored hackers.
Former CAA Security Specialist Reem Daoud says there are many different ways New Zealand organisations can be attacked.
“At one end, you have ‘phishing’ attacks, which are the most common form of attack. They’re fake emails pretending to be from a reputable source, but which are actually harvesting your credentials. And at the other end, you have ransomware attacks – as the name suggests, demanding money not to damage an organisation.
“But it can be as simple as a staff member innocently visiting a corrupted website, which then begins unauthorised downloads into the organisation’s technology.
“Or it could be a staff member downloading an infected file.”
What can you do?
Sam Leggett recommends organisations patch and update their software regularly.
“That means installing the latest version of operating systems, software, and applications used on any corporate devices. Make sure these updates come directly from the vendor of that product.
“Making sure those applications are up-to-date is really key – those updates strengthen your security where it may be vulnerable.
“Also, implement some form of backup. If an incident does occur, you can start restoring from those backups and get back to normal business as quickly as possible.”
Sam says it’s worth regularly testing the backups to make sure they’re working as they should.
“Storing backups in a separate location – ideally somewhere that’s physically secure, and that only authorised people have access to – is crucial. That way, they’re separate from business operations if something untoward happens.”
Sam says organisations can also implement an incident response plan, which can be as simple as outlining what to do if something goes wrong.
“Having this in place means if something happens, instead of wasting time trying to work out who to call and what to do, it's already laid out for you, and it's nice and clear.”
Penny Stevenson agrees. “Such a response plan could be included in the existing emergency response plan participants currently have in place within their safety management systems.”
Sam also advises operators to use complex passwords on personal and business accounts, and two-factor authentication.
“This is an extra layer of protection – the first is your username and password, and the second may be a code sent to your mobile number.”
Reem Daoud says it’s important to apply strong email security policies for any incoming or outgoing emails, such as using a trusted email service or creating effective spam filters.
She also recommends toughening systems up by adhering to the GCSB’s New Zealand Information Security Manual, and always observing best practice by keeping systems up-to-date and patching them consistently.
“Run regular security testing and security awareness training for staff.”
Reem says that ‘endpoint security’ is key to protecting yourself.
“This is just a way of protecting your devices, such as desktop computers, from any malicious attack.
“Installing antivirus software and firewalls is a great way to achieve endpoint security.”
Reem also says organisations should limit the degree to which employees have access to the organisation’s data. “Their access need only be enough for them to carry out their work,” she says.
“Also, educate your employees about the risks of an attack, and apply a ‘zero trust’ approach – that means nothing is assumed to be trustworthy – across the organisation.”
Reem says if your organisation is attacked, never pay a ransom to cyber criminals.
“Investigate to identify the source of the attack, and isolate the infected systems – for instance, disconnect from the entire network.”
Where to go for help
Anyone can report a cyber incident to CERT NZ(external link) whether they’re an individual, a small business, or a large organisation. Also notify the CAA Security Regulation Unit at security.regulation@caa.govt.nz.
CERT NZ provides free and confidential advice to help deal with the incident, and help you move forward in a more cyber-secure manner. It also has a range of free resources on its website to help organisations improve their cyber security.
If you think the attack is of national significance, you can report it to the National Cyber Security Centre.
For more information
For the last three years the International Civil Aviation Organization (ICAO) has been developing cyber security guidance for member states like New Zealand, to build on.
The CAA is considering what cyber security rules and guidelines are appropriate to New Zealand aviation and, in June 2023, is joining the second annual meeting of the ICAO Aviation Cybersecurity Panel, in Montreal, as an observer.
In 2021 EASA – the European Union Aviation Safety Agency – released a paper, Opinion 03/2021 Management of information security risks, outlining the need to protect the aviation system from, and make it more resilient to, what it’s calling ‘information security’ events and incidents.
And, in 2022, it launched an online community network(external link) designed for aviation cyber security professionals to share information and collaborate on initiatives to combat attacks.
Footnotes
1 To read more, see cert.govt.nz: 2022 summary(external link)