WestJet Exec Highlights Changing Cyber Landscape

The cyber threat to airlines is growing as hackers use more and more sophisticated techniques to gain access to valuable customer data. Devon Smibert, director of cybersecurity at Canadian airline WestJet, spoke at the Aviation Festival in London about the cyber challenges facing an airline such as WestJet. It is very relevant to customers in the satellite sector.

Smibert spoke about a baptism of fire he had after joining WestJet in January this year. Smibert joined WestJet Jan. 15 of this year, and on Jan. 21, he already received a call from WestJet’s web operations manager about a denial of service attack targeting WestJet’s rewards platform.

“We were getting hundreds of thousands of attacks against our system,” he explained. “We have about 80,000 passengers a day. The attacks were coming from countries we don’t operate in. We had attacks from India and other countries (Russia, Pakistan). We can just block all of the traffic from those countries. But, what happened after that is that the traffic shifted to Mexico, Canada and the U.S. So, we can’t block those. It created a new set of problems for us to solve.”

These attacks known as “credential stuffing” attacks show the sophisticated threats that airlines such as WestJet are up against as they look to connect their fleets. Hackers are able to harvest details from previous hacks, get real username and password combinations, and then deploy a really sophisticated credential stuffing attack. For airlines working more with the satellite industry, this is an example of the cyber threat they are likely to encounter.

Smibert spoke of the growing sophistication of the hacking threat facing companies in the aerospace sector. He said recent research from a company called Cybersecurity Ventures estimated that revenues from cyber crime have reached $1.5 trillion. Smibert also gave a recent example of a cryptocurrency investor who had $24 million in a single theft drained out of their account.

With annual global revenues for the airline industry at $754 billion, Smibert said, the cyber crime industry is double of the airline industry.

“Hackers are extremely well-funded, and largely act with impunity,” Smibert said. “A lot of these hackers operate in countries where there is tacit compliance. In North Korea, you have a state that has severe economic sanctions against them and using cyber to generate revenues. It is $1.5 trillion business with very low risk. They are investing heavily in research and development. They act more like tech start-ups rather than an organized crime group. They are able to do very sophisticated things on their own. When we dissected the attack in January, they were using advanced automated orchestration against us. They were leveraging pretty intelligent software to leverage their attacks.”

And this is a market that is growing in sophistication and capabilities at a rapid rate. Smibert said there are forecasts that damages from cyber crime could reach $6 trillion by 2021. Smibert cautioned companies in the aerospace sector believe they are unlikely to be targeted by hackers.

“A lot of organizations make the mistake that they don’t have anything of value for hackers,” he said. “People say no one would ever target us. …. They will comb the internet for anything of value.”

Smibert said having real-time access to data and having collaboration with partners will be absolutely vital. He said this will realize cost savings, leveraging connectivity into IoT devices. But, he said, companies need to understand where the data is going and who has access to it. “You need to make sure you are not opening up access to confidential data,” he added.

Buying technology is also getting more complicated and Smibert cautioned airlines when making buying decisions on technology.

“The first thing you need to do is engage with your cybersecurity team early on,” he said. “Even with WestJet, someone buys technology and then goes to IT and asks to hook this up and make this work. That is not the right approach. For example, we have actually hit a point terminate a project after six months of effort because the product that this vendor built, if we were to go to market with it, we would be violating GDPR regulations.”

Houman Goudarzi, innovation manager at IATA, also spoke at the festival and cautioned airlines regarding how they view AI technology. He said airlines need to have a digital resilience strategy. “Running behind technology is a non-stop battle,” he said. “Being able to adapt to change, rather than running behind the next big thing is the way to go. Airlines need to adopt AI capabilities faster than others. We are seeing from hackathons how easy it is to get access to customer information from airlines.”