Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:30 AM
Edy Almer
Edy Almer
Connect Directly
E-Mail vvv

Airports & Operational Technology: 4 Attack Scenarios

As OT systems increasingly fall into the crosshairs of cyberattackers, aviation-industry CISOs have become hyper-focused on securing them.

Finding and fixing vulnerabilities across airport operational technology networks may not be sexy, but the damage and confusion a successful attack can cause is nothing short of sensational. These critical airport systems include baggage control, runway lights, air conditioning, and power, and they're managed by means of network-connected digital controllers. They are much less organized than conventional IT networks, are rarely monitored as closely, and are often left untouched for years.

It's an emerging threat that has sparked the attention of dozens of airport CISOs we speak with regularly. Their concerns run the gamut from the mundane to straight out of the movies. Here are four risk vectors we hear about often:

Threat 1: Baggage Handling
Baggage-handling systems consist of an intricate latticework of automatic conveyor belts that ensure that both person and luggage arrive together at the same destination. Because they are the most customer-facing OT system found in airports, they're a common target. For a variety of reasons, checked bags are regularly tagged for extra security checks. A malicious actor can easily hack into the baggage-handling system to either redirect a bag to another flight or prevent it from being subject to a secondary security check in order to smuggle something illicit or dangerous onto the plane. 

These systems are extremly attractive targets for an attack because they can be executed remotely; the attacker wouldn't even need to board the plane. All that's required is  for a single person to fall for a simple phishing email and an attacker can introduce OT-specfic malware into the airport network. This malware will find its way to the baggage handling system to execute the attack.

Threat 2: Aircraft Tugs
Most planes can't reverse or maneuver safely or efficiently on the ground without using aircraft tugs (the airplane equivalent of tugboats). Tugs are usually vehicles that latch on the wheel bar or axle and are essential to do the kind of maneuvering needed to back a plane into the gate to connect the jet bridge and other deplaning equipment. Many modern tugs are wireless, and there's a huge push to make all next-gen tugs wireless, driverless, and OT and IT connected.

Attackers could potentially hijack a tug's weight sensors and back a large jet into a gate at the velocity used for a small plane, causing it to crash through the wall of the airport. Creative attackers could also hack these systems for other purposes beyond physical damage, which is likely why CISOs frequently mention this risk vector. 

Threat 3: De-icing Systems
De-icing is a routine maintenance function that is performed on the ground. Planes need to be de-iced because at typical cruising altitudes, around 35,000 feet, temperatures dip as low as minus 60 degrees Fahrenheit. To prevent ice from forming on the wings, body, and other critical mechanical structures, a special chemical treatment is applied to the outside of the plane.

The liquid chemicals used for de-icing are stored at on-site facilities. These facilities use OT devices to regulate and maintain the composition of de-icing chemicals. If those systems were attacked and the composition of the solution altered, this could easily cause ice to form on the body of a plane. Even a single millimeter of ice can dramatically affect the aerodynamics and ability of a plane to maneuver. Tampering with the aerodynamics of a plane by hacking into de-icing systems is one way to cause it to crash without loading explosives onto it, which is likely why as obscure a risk vector as it is, de-icing systems are often one of the first OT systems airports monitor.

Threat 4: Fuel Pumps
When planes are refueled at airports, this is done either by fuel trucks or hydrants that pump gas from storage tanks in the ground. These storage tanks, known as "fuel farms," are connected via a sprawling network of underground pipes that use OT systems to regulate the valves, controls, and equipment used to store, transfer, and dispense various types of jet fuel used by commercial aircraft.

An attacker could, for example, hack into a fuel farm, causing the wrong type or mixture of fuel to be pumped into a plane, resulting in anything from engine problems to an explosion.

These are not theoretical risks — chances are an airport you frequent is susceptible to one or more of the above attacks. However, especially in light of the recent Boeing 737 plane crashes, it's important that we don't lapse into fearmongering. These networks are not exposed because airport cybersecurity teams are asleep at the wheel. In fact, the only reason we even know about them is because they're making it a priority to address them in what we observe to be a thoughtful, responsible manner. And that's a good thing.

Related Content:



Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Edy Almer leads Cyberbit's product strategy. Prior to joining Cyberbit, Almer served as vice president of product for Algosec. During this period the company's sales grew by over four times in five years. Before Algosec, Almer served as vice president of marketing and ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
5/10/2019 | 12:55:41 AM
Take extra step
We can now safely say that there is always a silver lining behind every dark cloud. Companies are now taking the extra step to ensure that security is guaranteed at their firm after major data breaches keep occuring over the years at several establishments.
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-01
In Dataiku DSS before 8.0.6, insufficient access control in the Jupyter notebooks integration allows users (who have coding permissions) to read and overwrite notebooks in projects that they are not authorized to access.
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.