The recent disruption that left American airspace momentarily without a single Delta Air Lines jet was not the result of a security breach, but it is an indicator that airlines are highly susceptible to interruptions due to legacy computing systems and 24-hour uptime requirements, according to experts.
In the case of Delta, some upfront spending would have prevented a problem that ended up costing them more in lost revenue. The nature of air travel is that these disruptions usually end up affecting mission-critical, customer-facing applications, so any downtime is quite obvious and has far-reaching effects.
“It was less of a security issue and more of a data centre incompetency,” noted security expert Michael Ball of the Delta situation in an interview with IT World Canada. The choice not to implement redundancy, probably as a means to save money, he said, meant the airline ultimately lost more money in revenue than the cost to establish a backup system.
In an era where threats to cybersecurity and ransomware are commonplace, Ball said transportation, including airlines, along with financial services and healthcare are key targets for disruptive actors, and the more complex the system, the more potential points of failure. Factor in legacy systems, and there are plenty of windows for hackers, or a higher likelihood that something is bound to fail.
“If you have one weak system in your environment that is reachable, you only need that one,” said Ball. An easily accessible legacy system can be a road into the rest of the network. An older server, for example, may not alert modern security tools. “A hacker can sit in that box for a while.”
And if you ever see a blue screen of death (BSOD) on an airport screen, be concerned, as it’s an indication that an old version of Windows is still being run. Ball said many airlines probably have a mix of older systems that include mainframes and AS400 systems. “The requirement of airlines to interact with each other as well as airports causes some degree of complexity.”
Not surprisingly, Canada’s major airlines were not willing to comment – IT World Canada reached out to Air Canada, Porter Airlines and WestJet. In an email, an Air Canada spokesperson said it continually evaluates risks and enhances its systems. “We have backup systems and contingency plans in place. We also confer frequently with other large IT users to share best practices. For security reasons, unfortunately, we cannot discuss these matters in detail as the effectiveness of our measures is in part contingent on keeping them confidential.”
WestJet did not provide comment in time for IT World Canada’s deadline, but like Air Canada, Porter responded with an email statement: “Porter uses technology to support our passengers and business in a variety of ways. These systems are upgraded when necessary and have redundancies to mitigate against downtime for any reason.”
An example of Porter’s investments in mission-critical technology includes working with Console Inc. to bypass the public Internet to privately connect with “mission-critical” partners, including Amazon Web Services and business-critical aviation software.
Ball’s perception of Porter and WestJet is that they are fairly tech savvy, and he said it’s important to keep in mind that it takes 18-to-24 months to pull the trigger on a significant project with a sizeable and complex airline, as well as the necessary testing for software deployments.