Air freight vulnerable to cyber attacks

posted on 4th April 2018

Whether cargo companies know it or not, they’re targets for security breaches, according to Faye Francy, executive director of the Aviation Information Sharing & Analysis Center (A-ISAC) and leader of Boeing’s Cyber Security team, as she attempted to shed light on the very real threats of cyber attacks affecting members of the air freight community.

“There are two types of companies,” she told CNS attendees. “Those that have been hacked and those that don’t think they’ve been hacked.” The amount of sinister activity that’s looming behind the scenes is staggering, she said. “I would recommend that all of you take this very seriously,” Francy added.

Francy was part of a panel moderated by Matthew Eggers, senior director of national security and emergency preparedness at the US Chamber of Commerce. Its other members were US Customs and Border Protection (CBP) Office of Information Technology acting executive director Tom Mills, and Hewlett-Packard (HP) client security officer of Information Risk Management, Dallas Bishoff.

Bishoff echoed Francy statements, commenting that freight businesses are targeted for a unique reason: They move valuable goods, which is of particular interest to hackers. “The disruption of the aviation industry has multibillion-dollar-a-day impacts,” Bishoff said. “And in the world we live in, there are people who can make money on the stock market by disrupting your services.” Hackers may also want to know the cost companies place on certain transactions.

SME potential vulnerability

Mills said that hackers especially prey upon entities with sloppy security systems – and small-and-medium-sized businesses may fit the bill. “There are a lot of opportunistic hackers out there,” he said. “Your information is extremely valuable – and they know that as well.” Drug cartels comprise some of the top offenders of cybercrimes, Mills revealed. Beating the “bad guys” at their game requires freight companies to bring cyber-security to the forefront, he said, and understand their vulnerability to an attack.

It’s a challenge, Bishoff acquiesced, but it’s highly necessary. “I’m glad to be here,” he told CNS attendees, “because out of all the industries I have to watch out for, aviation is my favorite.”

Cargo businesses and freight airlines need to be particularly cognizant of advanced persistent threats (APTs), Francy said. Such threats occur when hackers take their time before staging an attack. “They’re in your network for a while, and they’re persistent,” she said. “What happens is that when they’re ready, they take advantage of the data to either disrupt your operations or actually take down your [business].”

Unfortunately, most companies are unaware of the breach until the hackers have been inside of their system for six to nine months. “It’s pretty stunning that companies don’t even recognize that someone’s in their network until it’s too late,” Francy said during the CNS panel.

When they do identify the breach, it’s often because the hackers have inflicted great pain upon them, Bishoff added. “They’ve either embarrassed you, damaged your reputation, damaged your business relationships or damaged your financials.”

Hacking, Bishoff said, is a well-oiled machine. Despite the “lone-wolf” perception surrounding hackers, a number of these individuals have extensive support and financial backing. Some are funded by nation-states; others have ties to organized crime or terrorist groups. Regardless of their benefactors, these hackers pay their mortgages by stealing companies’ data, Bishoff remarked.

And they have very detailed instructions about what to do once they’re inside of a business’ network. “These people have playbooks when they see your data,” Bishoff said, “and it basically tells them to turn to page 26.” It’s a fully automated, expedited process, he explained. “Hackers can be inside of your network and all over you in 90 seconds,” he said. “That’s the current statistic.”

No company immune

No companies are immune to cyber-security issues, Francy added, not even Boeing. She revealed that she was tasked five years ago with analyzing the aircraft manufacturer’s security protocols. As part of the analysis, she spoke with the supplier management team about their processes. “When I asked what they were doing with cyber, they looked at me like I had three heads,” she said.

The team soon realized the error of their ways, however. Shortly after the conversation, one of Boeing’s 10,000 suppliers provided the team with virus-infected software. What’s terrifying, Francy said, is that the US military acquired the same materials from the supplier. “That should stop everybody because that means they [the hackers] are in,” Francy said. “We have to look at this from a holistic supply chain cycle and ask what it means for our industry and business.”

So how can the air freight sector combat security breeches? The US Chamber of Commerce’s Matthew Eggers said a good place to start is the National Institute of Standards and Technology’s (NIST) framework. The framework, which is a collection of industry-driven global standards, includes five elements: identifying, protecting, detecting, responding and recovering from threats.

“It’s all about resiliency for our industry,” Francy added. “We believe that the [perpetrators] are already inside of our networks. So, knowing that, how can we become resilient against that?” The five elements are then assessed at multiple layers and assigned a grade from one to four. Boeing, for instance, identified a number of security gaps, which served as a catalyst for the company’s new research and development activities.

Despite such advancements, Bishoff encouraged CNS attendees to avoid fear-based security protocols. Instead of approaching security as “some scary thing out there”, it’s important to tie it to a company’s business objectives, he said. For instance, all companies want to keep customers’ happy, and security breaches undoubtedly lead to unhappy clients.

He mentioned one of Hewlett-Packard’s clients who had to inform their customers that their data was severely compromised. “That was very uncomfortable and an objective most businesses want to avoid,” Bishoff said. The NIST framework, however, enables freight professions to evaluate the importance of their intellectual property without having to obtain a degree in cyber-security.

Thwarting attacks

Another way to thwart potential attacks is to join the A-ISAC, Francy said. The National Council of ISACs, which is backed by the US Department of Homeland Security, strives to boost the cyber-security of critical North American infrastructures, and Francy said the A-ISAC has done just that by educating carriers and aviation professionals about the importance of secure networks.

“The A-ISAC has brought all competitors into the same room to share information about what they’re seeing,” she told attendees of the CNS panel. Not competitive knowledge, she clarified, but what’s going on in their networks and how they’re being attacked.

“We’re doing that because these guys basically use the same tactics, techniques and procedures against the different victims they’re pursuing,” Francy said. In fact, they target carriers, freight forwarders and shippers the same way they target banks, she revealed. “So while we’re operating in the aviation-critical infrastructure, financial services is very relevant to us because we all have financial transactions,” Francy said. By acquiring data from other companies and industries, members of the A-ISAC can reduce their risk of a security breach, she explained. “We’re doing what the bad guys are doing – we’re talking to each other,” Francy said.

In addition to joining the A-ISAC, cargo professionals should create security profiles, Bishoff said. Such profiles, which adhere to industry standards, highlight security concerns that can impair a system’s operating environment. They also go a long way in preventing cyber attacks that result from plugging into an unsecure network, such as that of a customer.

“There’s an old saying that you inherit the evils on the other side of the network,” Bishoff said. “So you have to watch out.”

——–

Attracting new blood: #Aircargoissexy

In the CNS panel he moderated, Robert Kennedy, vice president of consulting services at Aviation Strategies International, joked that he’s on a joint mission with CNS President Warren Jones to hashtag #Aircargoissexy. He was being facetious, of course, but Kennedy believes that the air freight sector could benefit from a major image overhaul. “I had the good fortune of having people welcome me to the air cargo field, and I did find it sexy a few years back,” Kennedy said. “But it was not by design. So how do we make it a desirable career path?”

CNS executives want to know the same thing, and they feel the sector is not currently doing enough. The panel, which included Russell McCaffery, dean of transportation programmes at Florida’s Broward College; Jupiter Airline Services Manager Rula Fakhouri; Tim Strauss, Hawaiian Airline’s vice president of cargo; and Ian Morgan, Qatar Airways’ vice president of cargo for the Americas, posed the following question at the beginning of the session: “Do you think the big bureaucratic organizations are doing more than just raising flags that education is key to attracting an enhanced grade of executives into transportation?” An overwhelming majority of the audience polled said no.

“We’d like to turn that around,” McCaffrey said, “and we think there are a lot of ways to turn it around.” Education is key, he said. Even so, McCaffrey acknowledged that education is often a tough sell in a healthy economy. When times are tough, people flock to school; when the economy improves, people rush to find jobs. “Our industries are inversely related – regrettably – so while there’s always talk about the need for workforce succession planning, we’re seeing fewer and fewer students because people are jumping back into the workforce,” McCaffrey said. This trend leads to an influx of air freight professionals without bachelor’s or even associate’s degrees. “And that’s probably okay for the time being, because you just need folks to help out with the industry,” McCaffrey conceded. Still, he encouraged employers to eliminate barriers to education for employees and create an environment conducive to learning.

Like McCaffrey, Morgan advocates education as a means to professional success, but he advised CNS attendees to look beyond a potential employee’s credentials. “There is so much talent out there that we’re not allowed to develop because of the requirements to enter the field, such as a bachelor’s degree,” he said. Instead of viewing education as something that only takes place in a classroom, Morgan recommends taking a broader approach. What the industry needs, he said, is a programme that amalgamates work experience with life experience.

“A lot of people join this field [right out of high school] as entry-level workers,” Morgan said. “But the cream rises quickly to the top.” Those with bright futures in air cargo could obtain certifications via CNS and their local college that would be recognized industry-wide, he hypothesized. Such a scenario would allow industry executives to develop rising talent – which, Morgan said, “we definitely need.”

Quick Response Training (QRT) grant

CNS is currently spearheading a similar initiative via its Quick Response Training (QRT) grant, which is offered in conjunction with the International Air Transportation Association (IATA) and McCaffrey’s employer, Broward College. The $500,000 QRT grant enables cargo professionals in Florida to attend more than 25 courses at the IATA Training Center in Miami for free. Subjects range from cargo security to warehousing operations to specialty cargo handling and the courses are open to any full-time cargo employee at a for-profit Florida business.

McCaffery believes that the QRT has the potential to be a game-changer in the airfreight sector. “What we’re doing is working with the industry to provide you with the type of employees you need,” he told CNS attendees. Employers consistently bemoan the challenges of retaining entry-level workers, such as warehousing professionals and transport planners. “It’s very costly for employers to hire at that level because the turnover is so high,” McCaffrey said.

He’s hopeful that Broward College’s grants to develop certifications for entry-level positions will combat this trend, however. “Maybe you don’t necessarily need a [person with a] bachelor’s or associate’s degree, but having a little bit of education within our industry and having a piece of paper that an employee can hold and you, as employers, can see, may make you a little more likely to hire that person,” McCaffrey said.

Jupiter Airline Services’ Rula Fakhouri said that freight professionals would be “foolish” to not take advantage of the opportunities CNS is providing. IATA certification is like the “Good Housekeeping Seal of Approval,” Fakhouri said, and having joint CNS/IATA endorsement is something airfreight employees should embrace wholeheartedly. She told CNS attendees that the QRT grant also has the power to level the playing field in the air cargo industry. So far, only California and Florida have benefitted from the program, but Fakhouri revealed that CNS is likely eyeing other states to partner with, as well.

Morgan similarly praised CNS’ strides to elevate the level of professionalism in the air freight sector via the QRT, stating that “we can turn things around if we collaborate as an industry”. So, #Aircargoissexy may never trend on Twitter, but perhaps it could become the industry’s new catchphrase.