There are a lot of signs confirming the (near) future positive trends in Information Security investments by airlines and airports all around the world. According with the analysis made by SITA, a Geneva based company specialist in air transport communication and information technology (IT) solutions, the entire aviation industry considers Information Security as a priority for both the internal information (73%) and customer data (68%). The SITA’s analysis underlines how the 68% of the IT professionals working for 188 airlines is going to increase the budget for Information Security solutions, while the 34% has already increased it by 1 and 6% with the 2008 one. The report explains that service outsourcing is also showing a positive trend as a consequence of the need for a better costs management. 62% of the airlines (and airports) has already outsourced all or most of the security processes to specialised companies with the aim to increase the efficiency of the countermeasures at lower overall cost. In the future, even more should outsource their security to external companies, since 29% claimed to have planned an increase in service and solutions outsourcing in the next couple of years.
But which are an airline group’s main IT security needs?
SITA’s Executive Summary of the “Global Airline IT Security Survey 2009” provides an in-depth view of the current status of IT Security awareness within airlines. The survey shows encouraging signs of improvement in security awareness in the sector. Respondents in the survey estimated that airlines are exposed each year to 28 incidents of network slowdown as a result of malware presence on the network. However, since most of them are only worried by viruses and regularly update Antivirus products I wonder if the number of incident is actual or is simply based on their current detection capability. Just think that 51% of the airlines has a permanent patching/upgrade process (22% claims to have updated the AV less than 2 month ago) while 26% has a sort of real-time upgrade process focused on the Firewalls or IP Gateways, 36% on the IPS (Intrusion Prevention System) and only 11% has a real-time/on-going Security Event management process. This suggests that, among airlines security is still strictly tied to the Antivirus solutions and there’s still a lot to do about in reinforcing defences against all the other security threats. Another interesting thing worth notice is that, despite a growing use of e-ticketing and remote access to the travel information, booking and frequent flyers programs, authentication and data confidentiality risks are underevaluated. Most of airlines don’t use any kind of VPN or Strong Authentication systems making access to personal customer information quite easy for an attacker. Access to a frequent flyer account on a carrier’s website can give an attacker the possibility to redeem miles collected using a program with free tickets or give the unauthorized user access to personal information.
Compliance to international regulations and standards is also a major area of focus for SITA. According to the report, 42% of respondents overall explained that they received input into IT compliance as both industry compliance (73%) and customer information compliance (68%) are considered important to the airlines’ business.
Interestingly, among the key compliance initiatives there are the PCI DSS (Payment Card Industry Data Security Standard – a guideline to help organizations that process card payments prevent credit card fraud and hacking) and the ISO27001, an auditable international standard which defines the requirements for an Information Security Management System that, as a Lead Auditor ISO27001, I’ve often referred to in this site. Honestly, I’m a bit skeptical about the degree of compliance of the airlines to this latter. The ISO27001 is designed to ensure the selection of adequate and proportionate security controls to protect an organisation’s valuable information assets and not many companies, neither among those operating in the TLC market, have the security awareness and readiness to achieve such a demanding certification. Nevertheless, such a certification is for sure suitable for an airline, that manage internal and external information, and need to protect them since they are critical (for the business, for the company’s image, for the customers’ trust, for compliance with the laws, etc.).
In fact, the SITA report shed some light to the challenges faced in the field of compliance within the sector. First of all resources, then skills and budget play a fundamental role as top priority challenges for IT professionals supporting compliance issues. This is another area where outsourcing could address the specific needs of each airline.
