For decades, when we used the words “airline security” or “aviation security”, we were usually referring to the unlawful seizure of aircraft, the destruction of aircraft, hostage-taking, forcible intrusion, weapons or hazardous devices intended for criminal purposes, or the use of an aircraft for criminal purposes or terrorism.
Cybersecurity is the new challenge for the aviation industry.
Customers and employees of commercial or private aviation expect that the same level of protection extends to the digital assets that reside on aviation systems. Airlines are obliged to respect this expectation, especially after the new privacy regulations, including the General Data Protection Regulation (GDPR).
Commercial and private aviation must comply with cybersecurity and privacy laws and regulations, and must follow the international standards and best practices that protect their customers and employees.
A new cybersecurity culture is necessary. It refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms, values and expectations of customers regarding cybersecurity. Managers and employees must be involved in the prevention, detection, and response to deliberate malicious acts that target systems, persons, and data.
During the past decades, airlines have made substantial investments in information technology solutions that contribute to improved operational efficiency, safety, and customer satisfaction. The more complex and interconnected the systems, the more awareness and training are required for all managers and employees who use them.
Cybersecurity awareness for all managers and employees in commercial and private aviation is necessary in order to make information security considerations an integral part of every job.
We tailor the program to meet specific requirements. You may contact us to discuss your needs.
Modules of the tailor-made training
- Important developments in the commercial and private aviation industry after the new privacy regulations, including the General Data Protection Regulation (GDPR).
- Understanding the challenges.
- An overview of some of the attacks described below that are suitable for the objectives of the training. At the end of the presentation we will cover one or more of these attacks in depth.
- 2018, a cyber attack against Cathay Pacific, 9.4 million breached records.
- May 2020, a cyber attack against Easyjet, 9 million breached records. The hackers gained access to the email addresses and travel information of about 9 million customers.
- 2018, a cyber attack against British Airways: the personal data of 429,612 customers and staff was stolen. This included the names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
- June 2015, a cyber attack against Polish airline LOT disrupted the airline's ground-control computers, leaving it unable to issue flight plans and forcing it to cancel or delay flights.
- May 2020, cyber espionage targeted air transportation and government actors in Kuwait and Saudi Arabia.
- September 2019, Airbus revealed that hackers engaged in a series of supply chain attacks targeting four of the company’s subcontractors.
- 2017, one of the employees of Heathrow Airport lost a USB key containing confidential files relating to the identity of passengers, the routes taken by official members of the British government, and information related to the airport's surveillance cameras and runways. There was neither a password nor an encryption system.
Who is the “attacker”?
- Countries, competitors, criminal organizations, small groups, individuals, employees, insiders, service providers.
- Hacktivists and the aviation industry.
- Professional criminals and information warriors.
- Cyber attacks against passengers, baggage, cargo, catering, systems, staff, and all persons having authorized access to systems and data.
How do the adversaries plan and execute the attack?
- Step 1 – Collecting information about persons and systems.
- Step 2 – Identifying possible targets and victims.
- Step 3 – Evaluation, recruitment and testing.
- Step 4 – Privilege escalation.
- Step 5 – Identifying important clients and VIPs.
- Step 6 – Critical infrastructure.
Employees and their weaknesses and vulnerabilities.
- Employee collusion with external parties.
- Blackmailing employees: The art and the science.
- Romance fraudsters and webcam blackmail: What is the risk for the aviation industry?
- Reverse Social Engineering.
- Common social engineering techniques.
- 1. Pretexting.
- 2. Baiting.
- 3. Something for something.
- 4. Tailgating.
- Clone phishing.
- Whaling – phishing for executives.
- Smishing and Vishing Attacks.
The online analogue of personal hygiene.
- Preparing and maintaining records.
- Entering data into, and retrieving data from, computer systems and devices.
- Researching and compiling reports from outside sources.
- Maintaining and updating files.
- Responding to emails and questions by telephone and in person.
- Ensuring that sensitive files, reports, and other data are properly tracked.
- Dealing with personnel throughout the company as well as external parties, customers, suppliers, service providers.
We will discuss the mistakes and the consequences in one or more of the following case studies:
- 2018, the cyber attack against Cathay Pacific.
- May 2020, the cyber attack against Easyjet.
- 2018, the cyber attack against British Airways.
- June 2015, the cyber attack against Polish airline LOT.
- May 2020, cyber espionage targeting air transportation and government actors in Kuwait and Saudi Arabia.
- September 2019, the cyber attack against Airbus.
- 2017, the leak at Heathrow Airport.
- What has happened?
- Why has it happened?
- What were the consequences?
- How could it be avoided?
Closing remarks and questions.
The program is beneficial to managers and employees working in the commercial and private aviation industry. This includes pilots (captains, copilots or first officers, flight engineers or second officers), flight attendants, administrative personnel, ground and station managers and employees, reservation sales agents, and ticket agents. It has been designed for all employees who provide services and have authorized access to systems and data.
From 1 hour to half a day, depending on the needs, the content of the program and the case studies. We always tailor the program to the needs of each client.
Delivery format of the training program
a. In-House Instructor-Led Training program - designed and tailored for persons working for a specific company or organization (Board members, executive management, risk managers, employees, etc.). In all In-House Instructor-Led Training programs, an instructor from Cyber Risk GmbH who is approved by the Client travels to the location chosen by the Client and leads the class according to the needs of the Client and the Contract.
b. Online Live Training program - a synchronous (real time, not pre-recorded) training program that takes place in a live virtual meeting room using platforms like Zoom, Webex, Microsoft Teams, etc. In all Online Live Training programs, instructors from Cyber Risk GmbH who are approved by the Client tailor the method of delivery (interactive, non-interactive, etc.) to the needs of the Client, lead the virtual class, and answer questions according to the needs of the Client and the Contract.
c. Video-Recorded Training program - a professional, pre-recorded training program. Instructors from Cyber Risk GmbH who are approved by the Client tailor the training content according to the needs of the Client and the Contract, and record it in a professional studio. The training material (including any subsequent updates) is licensed by Cyber Risk GmbH to the Client for training purposes. Clients can incorporate the recorded videos into their internal learning system. Video-Recorded Training programs include Orientation Video Training and Compliance Video Training programs.
Our instructors are working professionals who have the necessary knowledge and experience in the fields in which they teach. They can lead full-time, part-time, and short-form programs that are tailored to your needs. You will always know up front who the instructor of the training program will be.
George Lekatis, General Manager of Cyber Risk GmbH, can also lead these training sessions. His background and some testimonials: https://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf
Terms and conditions.
You may visit: https://www.cyber-risk-gmbh.com/Terms.html
Cyber Risk GmbH
Tel: +41 79 505 89 60
We process and store data in compliance with both the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). The service provider is Hostpoint. The servers are located in the Interxion data center in Zürich, the data is saved exclusively in Switzerland, and the support, development and administration activities are also based entirely in Switzerland.