WestJet Exec on the Evolving Cybersecurity Threats

A Boeing 787-9 Dreamliner in WestJet livery flies over a cityscape. Photo: WestJet

The cyber threat to airlines is growing as hackers use more and more sophisticated techniques to gain access to valuable customer data. Devon Smibert, director of cybersecurity at Canadian airline WestJet spoke on Sept. 5 at the Aviation Festival in London about the cyber challenges facing an airline such as WestJet, as the challenges are relevant to customers in the satellite sector.

Smibert spoke about a baptism of fire he had after joining WestJet in January this year. Smibert joined WestJet Jan. 15 and on Sunday, Jan 21., he was getting a call from WestJet’s web operations manager about a denial of service attack targeting WestJet’s rewards platform. “We were getting hundreds of thousands of attacks against our system. We have about 80,000 passengers a day. The attacks were coming from countries we don’t operate in. We had attacks from India and other countries (Russia, Pakistan). We can just block all of the traffic from those countries. But, what happened after that is that the traffic shifted to Mexico, Canada, and the U.S. So, we can’t block those. It created a new set of problems for us to solve,” he said.

These attacks — known as credential stuffing attacks — are an example of the sophisticated threats that airlines are up against as they look to connect their fleets. Hackers are able to harvest details from previous hacks, get real username and password combinations, and then deploy a sophisticated credential stuffing attack. For airlines that are working more closely with the satellite industry, this is an example of a cyber threat they are likely to encounter.

Smibert spoke of the growing sophistication of the hacking threat facing companies in the aerospace sector. He mentioned that recent research from Cybersecurity Ventures estimated that revenues from cyber crime have now reached $1.5 trillion. Smibert also gave a recent example of a cryptocurrency investor who had $24 million in a single theft drained out of their account. “Our friends at IATA say that the annual global revenues for the airline industry is $754 billion,” Smibert said. “The cyber crime industry is double of the airline industry. Hackers are extremely well funded, and largely act with impunity. A lot of these hackers operate in countries where there is tacit compliance. In North Korea, you have a State that has severe economic sanctions against them, and they use cyber to generate revenues. It is $1.5 trillion business with very low risk. They are investing heavily in Research and Development (R&D). They act more like tech startups rather than an organized crime groups. They are able to do very sophisticated things on their own. When we dissected the attack in January, they were using advanced automated orchestration against us. They were leveraging pretty intelligent software to leverage their attacks.”

This is a market that is growing in sophistication and capabilities at a rapid rate. According to Smibert, some forecasts indicate that damages from cyber crime could reach $6 trillion by 2021. Smibert cautioned companies in the aerospace sector who believe they are unlikely to be targeted by hackers. “A lot of organizations make the mistake that they don’t have anything of value for hackers,” he said. “People say ‘no one would ever target us.’ You have to stop thinking of hackers as sophisticated individuals; you have to think of them like thugs from the Walking Dead. They will comb the internet for anything of value.”

Smibert said that collaboration with partners and  real time access to data will be absolutely vital. He said that this will lead to cost savings, leveraging connectivity into Internet of Things (IOT) devices. But, companies need to understand where the data is going, and who has access to it. “You need to make sure you are not opening up access to confidential data,” he added.

Buying technology is also getting more complicated and Smibert cautioned airlines when making buying decisions on technology. “The first thing you need to do is engage with your cybersecurity team early on. Even with WestJet, someone buys technology and then goes to Information Systems (IT) and asks to hook this up and make this work. That is not the right approach. For example, we have actually hit a point terminate a project after six months of effort because the product that this vendor built, if we were to go to market with it, we would be violating General Data Protection Regulations (GDPR),” he said.

IATA Innovation Manager Houman Goudarzi also spoke at the festival and cautioned airlines in how they view Artificial Intelligence (AI) technology. Airlines need to have a digital resilience strategy, he said. “Running behind technology is a non-stop battle. Being able to adapt to change, rather running behind the next big thing is the way to go. Airlines need to adopt AI capabilities faster than others. We are seeing from hackathons how easy it is to get access to customer information from airlines,” he concluded.