-
Sabre Airline Solutions
Securing Airline Information on the Ground and in the Air
7 November 2012
Kuala Lumpur, Malaysia
Confidential
-
Brief
Paul Feheley
Principal
Sabre Airline Solutions
Southlake, Texas USA
-
Common Threats Across All Industries
Some threats on airline computer systems not unique to the travel and transport industry
• Hacking, hijacking of data
• Threats including service disruption
• Theft of personal information
-
Common Responses
Preventative – avoid the threat before it becomes a threat
Active – continuous and realtime detection of threat or fraud
Post-mortem – investigate, communicate and refine
-
What Does Make Airlines Unique / Cybersecurity?
• The nature of legacy airline systems
• Sabre reservations system introduced: 1962
• 50 years is a long time in IT
-
What Does Make Airlines Unique / Cybersecurity?
• The complexity of the global network required to serve airlines (and inter-airline), travel agencies, and passengers themselves
• The threat to human safety inherent in travel and transport and the spectacular nature of mishaps
• The unique relationship required between government agencies and travel and transport providers
• Airlines carry passengers across country and state borders and therefore have special responsibilities not tied to other industries
• The amount of personal passenger data required to be collected by travel providers – and the “chain of care” for that data
-
What Does Make Airlines Unique / Cybersecurity?
• Sheer volume of passengers
• …and transactions
• Larger, faster aircraft
2011: 2.3 billion passenger air trips (est.)*
2020: “forecasts indicate that passenger traffic will grow at the rate of 4.1% per annum equating to 7.4 billion passenger air trips by 2020”**
Source: *Collaborative Forum of Air Transport Stakeholders **Airports Council International
-
© planefinder.net
-
Passenger Data – a Wealth of Private Information
-
Passenger Data – a Wealth of Private Information
Typical international travel records contain
• Names of all travelers and “Biodata”: age, nationality
• Including travel partners – with whom are you traveling?
• Personal data: home and overseas addresses, credit card data, emergency contact details
• Passenger journey details (air, rail, cruise, hotel, car)
• ATC - authorization to carry (government permission such as visa)
• Seating data (where will you sit when you travel and with whom are you seated)
• Baggage data (how many pieces, weight of each, owner of each)
• Special requests of the airlines (meals, wheelchairs, special needs)
Literally hundreds of data items collected, transmitted, reviewed, stored
-
Passenger Data – a Wealth of Private Information
Future - travel records may also contain - ?
• IP address(es) of your interactions with agencies, airlines
• Biometric passenger data points for airport or aircraft door verification (face, iris, fingerprint)
• Images (face, bags)
-
Chain of Care – Passenger Data
Can be quite complex
• Passenger to travel agency (online or in person)
• Agency to airline or airline booking system
• Booking system to payment system or gateway
• Airline booking system to airport check-in system
• Check-in system to onboard staff and other local service providers
• Airline to government
-
Baseline Definitions
GDS – Global Distribution Systems (bookings – travel agencies)
CRS – Central Reservations Systems (bookings – airlines)
FFP – Frequent Flyer Systems (passenger data – airlines)
DCS – Departure Control Systems (airport check-in – airlines)
Industry
• IATA – International Air Transport Association
• Governments – local, national and regional travel governance authorities
• Customs, immigration, police, cybersecurity, quarantine/biosecurity
-
Risk Assessment Across The Travel Journey
[Figure: The Customer Travel Process. Customer journey stages: Initiation, Reservation, Embarkation, Conclusion. Touch points: Web Site, Call Center, In-person; Airport Check-in; Physical Border; Arrival. Data sources: Reservations System CRS/GDS; Frequent Flyer System; Airline CRM Database; Departure Control System DCS; Border Crossing Database; Other Domestic and International Authority Data Sources.]
-
Threat Assessment And The Passenger Travel Process
[Figure: Threat Assessment From Reservation to Post-arrival. Timeline labels: Reservation Booked, Check-in, Boarding, In Air, Arrival, Post Arrival; time axis labels: -1 yr., +3 days. Analysis phases: Reservation Analysis; Check-in/Pre-board Analysis; Post-board/Pre-arrival Analysis; Post-arrival Analysis. Records: PNR, Profile, FFP, CRM Data; PNR, Check-in Record; Border Crossing Record. Systems: Reservations System CRS (“Res”); Frequent Flyer System; Working Air Crew Database; Departure Control System (DCS); Border Crossing Database; Border Control; Other Domestic and International Authority Data Sources. Other labels: Qik Analysis, Qik Threat Analysis.]
-
Physical Document Threats
Physical documents are still very much a part of airline culture
• Airline-issued such as boarding passes and baggage tags
• Government issued – including passports, visas
• Right-to-travel for example unaccompanied child, doctor permission
Authenticity of these documents – critical because fraudulent documents can pose national security threats, flag immigration fraud, aid in human trafficking and more
Airlines often responsible for validating such documents
-
Physical Document Threats – A Progression
-
Physical Document Threats – A Progression
-
The Way Forward - Electronic Documents?
• Becoming more popular with passengers
• …but carry their own level of threat
• Mobile boarding passes
• NFC / touch / tap check-in
• RFID permanent bagtag
• Bluetooth-aware systems
-
The Way Forward - Electronic Passenger Processing
Airlines and passengers embracing electronic passenger processing
SITA – Airline IT Trends Survey 2012
www.sita.aero
-
Fraud
-
Cards: Airlines Accept Billions in Payments
PCI compliance: critical
• Challenges via telephone: airline call centers
• Via websites: booking, electronic ticketing
• In person: travel agencies, airport and city ticket offices
• Using physical devices: airport kiosks
• Onboard aircraft: duty free, purchases services (food/upgrade)
Each point of purchase carries its own threat
• Fraud against the airline
• Credit card abuse against the passenger
-
In-flight – Unique Cybersecurity Considerations
As on-ground technology advances, so does in-air technology
Avionics, better and smarter
“Fly-by-wire” and “glass cockpit”
Passenger-centric onboard systems
• IFE, wired and wireless
• In-flight wifi, ground-based and satellite
• In-flight mobile: SMS, voice and data
-
In-flight Wi-Fi and Mobile
-
In-flight and digital / electronic flight bag
Passenger in-flight technology must not interfere with in-flight systems
-
In Conclusion – Thank You!
Airlines, travel and transport companies face several unique challenges in regard to data security
Mix of legacy and new technologies must all adhere to IT security policies and practices
Inter-operability among competing companies and government agencies is critical and complex
Travel volume and passenger demand for faster, better processing lead us into a digital future
-
Brief
[email protected]@sabre.com
-
Sabre Holdings
Sabre Airline Solutions, the Sabre Airline Solutions logo, Sabre
Holdings, Qik, Qik Analysis, and Sabre, are trademarks and / or
service marks of an affiliate of Sabre Holdings Corp. All other
trademarks, service marks and trade names are the property of their
respective owners.
© 2012 Sabre Inc. All rights reserved.