Airlines Call for Unified Cybersecurity After Seattle Airport Attack
The U.S. federal government must streamline and harmonize cybersecurity requirements that impose an “unnecessary burden on industry,” said Airlines for America Cybersecurity Managing Director Marty Reynolds during a recent U.S. Senate hearing on aviation cybersecurity. This call for action comes in the wake of the August ransomware attack on Seattle-Tacoma International Airport (SEA), which highlighted vulnerabilities in the aviation sector.
Reynolds testified before the Senate Commerce, Science, and Transportation Committee, emphasizing that airlines are required to file “multiple reports to different federal agencies” regarding cybersecurity incidents. This complex system reduces the effectiveness of both voluntary and mandatory reporting frameworks, increasing the likelihood of noncompliance among airlines.
The ransomware attack on SEA occurred on August 24, disrupting essential operations for several days. Critical systems such as email, baggage handling, and terminal message boards were compromised, leading to stolen data. The incident is currently under investigation by the U.S. Federal Bureau of Investigation (FBI).
“The federal government probably did not intend to create an environment where 45 cybersecurity incident reporting frameworks with divergent requirements are in effect,” Reynolds stated. “For sectors like transportation, which involve numerous regulators, this patchwork of disharmonized cybersecurity requirements is especially burdensome.” He urged for “consistent and harmonized cybersecurity regulations and oversight” across federal agencies to improve overall security in the aviation industry.
Senator Maria Cantwell (D-Wash.) echoed these concerns during the hearing, noting that the SEA attack is not an isolated incident. She referenced prior breaches, including a hacker accessing internal systems at San Francisco International Airport in 2020 and another spoofing incident at San Antonio Airport the same year. Cantwell emphasized the importance of protecting passengers’ personal data, citing that over 2,000 credit card details were stolen in a previous breach.
To combat these cybersecurity threats, Cantwell highlighted recent FAA reauthorization legislation that establishes processes to track and evaluate aviation cyber threats. The legislation also created a designated cybersecurity lead at the FAA to focus on these issues.
Lance Lyttle, Managing Director of SEA, informed lawmakers that the airport had implemented a robust cybersecurity program, frequently tested and audited. However, he cautioned that no cyber defense is completely impervious, especially as cybercriminals continually evolve their tactics. “Anyone who clicks on the wrong link or opens the wrong email poses a risk, regardless of annual training or multi-factor authentication,” Lyttle noted.
Reynolds further stressed the necessity for the U.S. government to share timely cyber threat information with airlines and airports. He pointed out that existing information-sharing processes often lack the speed required for relevance and do not consistently validate whether current policies effectively address cybersecurity challenges. “The information airlines receive from federal agencies is often not timely or consistent,” he testified.
The aftermath of the SEA attack necessitated rapid adjustments in communication strategies, as email systems were down and terminal message boards were dark for over a week. SEA resorted to daily teleconferences, text messages, temporary signage, and in-person communication to maintain operations. Over 7,000 checked bags had to be manually transported due to failed baggage handling systems.
“Our focus post-incident includes strengthening our identity management and authentication protocols, alongside enhancing our systems and network monitoring,” Lyttle added. Reynolds concluded by stating that “the best cybersecurity programs are threat- and risk-based, data-informed, outcome-focused, and flexible enough to adapt to evolving threats,” underscoring the importance of a proactive approach to cybersecurity in aviation.
Related news: https://airguide.info/category/air-travel-business/travel-health-security