Using artificial intelligence to mitigate cyber-risks

Highly-interconnected and increasingly-digitised systems are a necessary part of modern airport infrastructure. However, alongside the need for greater data-sharing, both within and across airports, this results in an increase in cyber-threats. Furthermore, vulnerabilities at these interfaces – through personnel and digital systems alike – lead to an increased threat of intrusion and potentially catastrophic disruption.

This problem is not one that we can simply train and hire our way out of as these systems and their attack surfaces do not scale linearly in complexity. Not only can artificial intelligence (AI) be utilised to mitigate these risks while enabling better situational awareness, threat detection and response at scale, but it may quickly become the best economical solution.

The challenge

To maintain situational awareness within an airport, there is generally a requirement to fuse information from multiple data sources. Suspicious behaviours are most often characterised by a series of actions rather than a single observation. Without tighter integration, a system might not find anything anomalous about someone trying to buy a last-minute ticket and being turned away. This same situation could be interpreted very differently if from every ticket counter staff were sharing information within the airport environment, enabling recognition that the same person might be attempting to buy last-minute tickets at multiple counters – a far more suspicious behaviour. Understandably, airline ticketing data sources operating with proprietary formats on proprietary systems aren’t shared even at a local level. Facilitating the connection of these data sources would logically lead to increased situational awareness; empowering security and other personnel to make more informed decisions. Legalities aside, the cost of this facilitation could pose greater risk to the system itself. Each interface between systems, with every individual granted access, would increase the potential attack surface, providing new endpoints for potential compromise.

AI can help balance this objective by providing airport stakeholders and staff with the ability to understand what’s happening at each site, while offering status updates and maintaining data privacy. These same techniques can be used to create situational awareness at a more macroscopic level, enabling federal agencies to piece together ‘big picture’ details and share relevant information to the local level.

The need

Compromised systems persist largely due to a myopic view of their activities, as detection often requires a more complete view of the entire topology of interconnections to best understand and characterise their behaviour. Airport operators, as a result, need to embrace integration.

In 2018, a study conducted by the Ponemon Institute found that organisations were compromised an average of 197 days before identifying that they had been breached, and it generally took more than two additional months to contain the incident once identified¹.

Furthermore, costs of a single cyber-breach, rising at a rate of over 10 per cent from 2017 through 2018, showed an average cost of $4.25 million per incident, while an organisation’s ability to identify and contain threats within 30 days averages savings of nearly $1.2 million per incident. With the EASA estimating over 12,000 cyber-attacks per year targeting aviation systems alone, unprepared organisations are at an ever higher risk of substantial financial and operational losses².

More concerningly, airport cyber-threats span both digital and physical access paths, and can likely be targets for political or military action, commercial espionage, disruption and cyber-crime. As airports increasingly incorporate connected operational technologies for convenience and efficiency, the size of a cyber-attack surface scales rapidly, placing an increased burden on its cyber-security personnel. These threats are amplified by the increasing prevalence of sophisticated attack software available online.

With increasing digitisation in the air traffic control environments, the threat of false messaging and malicious instruction broadcasts increase exponentially. The difficulty in human verification of invalid ATC messages is mitigated by ‘read back’ requirements. ATC tower vulnerabilities to digital and physical attacks rely on near-instantaneous recognition of data interruptions. Mapping AI to recognise and warn of these conditions could rapidly improve situational awareness and prevent disastrous outcomes.

A scalable solution

Enabling multi-source data fusion can enable and strengthen autonomous techniques for decision support and situational awareness. Achieving international-scale collaboration whilst managing the increased cyber-security risks is possible through techniques that can scale better than current state-of-the-art methods.

Creating more international standards and regulations to better safeguard against security vulnerabilities as new communication channels are set up will require regular compliance verification and organisational vigilance to be operationally relevant. Meanwhile, individual airports presently siloed within their own technological backbones could employ AI-enhanced communication and security protocols, and provide training to its user population.

Human-AI teams must achieve collaboration and integration for the value of AI as an investment in cyber-security to be reinforced

An AI-augmented aviation workforce

AI system requirements for mission critical tasks are strict to maintain high confidence and low latency. Human-AI teaming is a powerful solution that addresses this requirement, creating collaborations where AI-powered systems provide decision support and situational awareness to empower human operators to better perform.

The NIST Framework for Improving Critical Infrastructure Cybersecurity outlines five key steps for organisations to take, and AI-powered solutions have the capability to greatly improve organisational ability in each of these areas:

Identify

Models of tradecraft built from shared data can be used to link malicious behaviour across multiple sources separated in time and space back to particular actors, and help to infer motive, intent and target – well before a human expert.

Protect

Autonomous countermeasures can be deployed through AI-powered agents trained for anomaly detection and system configuration repair, providing a critical window for human operators to respond should a threat manifest. With proper procedures and policy enforcement, intelligent, autonomous countermeasures constitute a necessary component of any effective framework for efficient and rapid threat response.

Detect

Automated analyses of system behaviour, network traffic and human behaviour can be leveraged to create a holistic view of daily operations – without the overhead of human labour and explicit communication to manually fuse data sources. Statistical models can be used to simulate outcomes of various failure modes and attacks, providing informed impact assessments without the overhead of live exercises on premise.

Respond and Recover

The introduction of autonomous agents for cyber-security tasks provides the opportunity for rapid response, buying time through automated triage for airport personnel to devise a response strategy to contain, remove and recover from adverse events. Utilising models derived from events simulated in cyber-ranges on virtual airport infrastructure, it will be possible to create AI-powered solutions that work alongside airport cyber-security teams to act as force multipliers, automate tasks and improve real-time situational awareness.

Training and educating the airport workforce

AI is also poised to revolutionise workforce education. This includes both initial training and continuing education, enabling cyber-security educators to create a dynamic, adaptive, personalised curriculum for each user to enable rapid remedy generation. AI-enhanced training will ease the vulnerabilities associated with understaffing by developing a more familiarised airport staff stakeholder workforce.

To this end, an AI-enhanced technology transfer approach should include the ‘Five E’s’:

• Explanation and justification of how embracing digital transformation and leveraging technology will help improve airport performance and safety
• Enlightenment on the technologies that airport operators can adopt for their airport to achieve digital readiness
• Environmentally-centric descriptions of the key steps involved in digital transformation peculiar to an airport
• Education on recognising the major challenges, risks and opportunities involved in airport digital transformation
• Edification on best practices relating to digitalisation from design to implementation for airports.

Risk management/incident response

A properly educated and informed workforce is a crucial component of a modern digital airport. Proactive risk management requires a level of awareness that dictates that everyone with system access should be trained to identify and respond to common attack vectors in line with a well-defined cyber-security policy (such as reporting phishing e-mails or other social engineering strategies). A crisis communication policy, for instance, proactively anticipates how best to instruct the public in the event of a cyber-attack.

We know that as systems are increasingly linked together, the attack surface of the airport’s infrastructure will grow both in terms of systems and personnel. To achieve broader organisational cyber-literacy, each airport operator should devise an institutional policy promoting cyber-education and periodic refreshment for all employees.

Fortunately, proactive risk management measures can be implemented in a more cost-effective manner with the assistance of AI-powered techniques. These include:

• Pushing warning notifications to users when they are violating (or are on track to violate) the airport’s cyber-security policies
• Autonomously notifying the airport’s cyber‑security team when anomalous behaviour is detected
• Providing rapid mechanisms to sequester potentially compromised systems, isolating them from the airport’s network.

AI can also improve how incident response is trained, performed and measured by incorporating and using automated, adaptive methods as part of an incident response strategy.

As mixed human-AI teams achieve greater collaboration and integration into the airport’s cyber-security response protocol, the value of AI as an investment in cyber-security is further reinforced. Performance measurements should note dramatic reductions in lost data, time-to-breach detection and time-to-threat containment. Time is money after all.

References:

1. “Cost of a Data Breach Report”, Ponemon Institute, 2018
2. Ibid