This morning’s report that American Airlines grounded flights in Chicago, Miami, and Dallas/Ft Worth due to computer issues is just the latest in a string of computer glitches causing consequences in the physical world. In July, United Airlines was forced to ground many domestic flights after what was described as a “network connectivity issue”. In June, United again was forced to ground flights due to “automation issues”. Airlines increasingly rely on computer and network connected systems for their day to day operations and when these systems fail or networks become unreachable, the effects can cascade quickly. Cloud technologies are seen as a solution to availability problems in much of the IT world, but the potential consequences to using these types of systems in critical infrastructure, like airport ticketing, control, and automation systems can be serious and far reaching.
According to a recent report by Amadeus, airports are increasingly moving to use of cloud-based technology solutions for their Common Use (i.e., passenger check-in) systems.1 Today, airports primarily use technology based on the Common Use Terminal Equipment (CUTE) standard, which was initially developed back in 1984, over the more recent Common Use Passenger Process Systems (CUPPS) standard of 2008.2 There are significant drawbacks to using either of these standards. Most notably, they are difficult to update because both the application and hardware need to be updated together. So, although cloud-based solutions enable greater flexibility in passenger check-in, as well as faster and easier patching, these systems also present a new set of security risks and potential consequences.
Moving applications to the cloud leads to outsourcing of an airline’s cybersecurity posture to the cloud provider.3 This arrangement can be beneficial to airports, which often have understaffed information technology (IT) departments that are often small and unable to handle large incidents quickly. For example, London Gatwick Airport’s IT department needed one full week to update all of its systems after HeartBleed.4 However, outsourcing to cloud providers also means that onsite IT personnel may not have as much control when failures occur in cloud services. Furthermore, there are vulnerabilities currently associated with cloud technology that cannot be addressed by corporate IT or IT policy in the same way that traditional infrastructure allows. For example, there have been recent incidents where cloud providers have wiped data improperly, allowing future cloud customers to see data.5 Cloud services could also be vulnerable to memory scraping attacks, in which data that are encrypted while at rest are taken from the server’s active memory.6 Because Common Use systems store passenger information, this approach to memory storage could lead to leaks of personally identifiable information (PII). In addition, cloud services may suffer unexplained outages, such as occurred during the recent outage to a major cloud provider, which lasted more than 24 hours.7 If these types of outages occur, onsite IT personnel can do very little to respond to the situation. Cloud outages have already had devastating effects on business: according to one study, cloud outages have cost businesses more than $71 million since 2007.8 In the worst case, a cloud outage affecting Common Use systems could halt the activity of an airport.
To mitigate these problems, airlines must ensure that their cloud providers provide the necessary security measures that will help protect PII and prevent downtime. In particular, because availability is a major concern for Common Use systems, airlines should use cloud services that store their applications in multiple locations or otherwise provide disaster recovery services so that an outage at a single data center will not affect the activity of an entire airport. Private cloud services, particularly those aimed specifically at serving the airlines, could provide the airlines with the ability to tailor their cloud services to the airlines’ needs and to better safeguard PII.9
The Common Use technology that is currently in use is outdated, and a cloud solution could make this technology both easier to use and easier to patch, thereby rendering it more secure. However, as airports switch to this cloud technology, they must be aware of the risks involved in doing so. The vulnerabilities associated with a cloud system are different from those associated with traditional in-house IT systems. Airports must be aware of these differences and must know how their responses to outages or attacks will need to be altered going forward before making the transition to relying on cloud-based services.
This post was written by: Rose Sloan
1 IT makes sense to share: making the case for the cloud in Common Use airport technology, Accessed on July 11, 2014.
2 IATA – Common Use News, Accessed on July 11, 2014.
3 Cloud Computing & Cyber-Security, Accessed on July 11, 2014.
4 IT makes sense to share: making the case for the cloud in Common Use airport technology, Accessed on July 11, 2014.
5 Cloud Computing Snafu Shares Private Data Between Users, Accessed on July 11, 2014.
6 How hackers scrape RAM to circumvent encryption, Accessed on July 11, 2014.
7 Adobe Creative Cloud crash shows that no cloud is too big to fail, Accessed on July 11, 2014.
8 Cloud failures cost more than $71 million since 2007, Accessed on July 11, 2014.
9 HP Converged Cloud Services for Airlines, Accessed on July 11, 2014.