Actually, I want to tell you a little bit about what we see as an airline or as the people protecting an airline or an airline group. And my name's Martin Koka. I'm responsible for IT security architecture in the Lufthansa Group. And to explain a little bit about Lufthansa Group, basically this is the Lufthansa Group, so you all know Lufthansa of course, but it's more than 300 companies.
And basically we as IT security, we are responsible for protecting all of them. So it's not only Lufthansa, Swiss, Austrian, Brussels, so the airlines; it's cargo business, it's whatever it is, and a lot of it's loyalty and so on.
And this shows a little bit or leads you to where we are at the moment. So this also helps, these are the latest figures from Lufthansa. So basically the short notice is: we are back.
So we next to went away in 2019 when nobody was flying. But at the moment we are back. And it also shows the number of passengers we have, the sales we have. All of this shows you what an interesting target the Lufthansa Group is for cyber attacks. And this shows a little bit about what we are experiencing. So we are experiencing ransomware.
We've not been hit as an airline up to now. So I don't know if we are doing our job well or if we are just lucky.
I wouldn't bet on it. But this is a topic for every enterprise from my point of view. Then we have this topic of international presence. So we are everywhere around the world, there are presences in next to every country you can find. We are seeing that the geopolitical situation is changing and it has an impact on the attacks that we see.
We have crime, internal external crime. We have espionage that we are hit by. We have a lot of third party services. So there we are hit by supply chain risks that we need to address.
One of the major things, of course, would be a disruption of operation. Maybe some of you read about the cable that was destroyed about four months ago, which basically led to several hours of downtime for the systems, and something similar could happen to our infrastructure. So we are on the way to critical infrastructure.
So we belong to the critical infrastructure, which also has an impact on what we need to do to protect the business.
We are also experiencing more and more phishing and social engineering, and also modern ways of phishing and social engineering. And one of the reasons is because the brand is quite interesting. And the last one, IoT risks. This is also something we are addressing. We're starting to look more into IoT, which is not a big topic for the airline itself, but is a large topic for many of our subsidiaries, like left transportation, Hanza, cargo and so on.
And if you then look at the latest BSI paper that was, I think it was one or two weeks ago. So cyber risk is at an all-time high and we need to be aware of that. We have more software vulnerabilities. So a lot more work for the people that do the actual operation of the IT systems.
The ones found are even more critical than before.
As I already said, ransomware, phishing is one of the largest topics that we are facing and it becomes worse and worse to look into that. And we are starting to see AI, we are starting to see impersonations happening via Microsoft Teams. So people are addressed by people they know, like CEOs or similar people, and they are impersonated using deepfake. We are seeing phishing is getting better and better and better. In the past, I mean, you could detect phishing quite easily. This is not the case anymore. So basically what are we investing in?
We are investing a lot in patching updates. We are investing a lot in identity and access management. I have another slide for that. And we are looking into IT continuity management because of C and other topics. And we continuously need to invest in new technologies because the ones we have are not up to the task anymore.
This is only the past months. These are attacks that have happened. Mostly ransomware attacks, DDoS attacks that happened throughout the aviation industry. And as you can see, this is really, really a lot.
And this is in part related to the war in the Ukraine going on. This is when we started to see attacks coming after political statements, because we're still the flagship carrier for the German government. So the attacks started as soon as the German government said something that was not fine for the attackers, and this is one of the threats. But on the other hand, until now, we were able to keep up with that.
So basically what you see is still an increase since September 22. It's still increasing. The numbers are still rising; they are now starting to focus on critical infrastructure. And this led us to think about, we are looking at certain groups, what they are doing, how they act, how they work together, because it's an industry that we are facing. Basically they have their own platforms. Yeah.
For example, there's a platform for identity attacks, kind of a proxy you can just deploy and then you can start to take over accounts.
We have, and we had this Rip Germany, which was attacking airports and airlines and also a campaign against Switzerland.
One of my favorite topics, and this is quite complex. So we are looking actively into implementing zero trust. Which doesn't mean that we are there yet, but we are looking to change the way we are looking at systems.
We are starting to reinvent our whole network, moving from a classic perimeter-based approach, so this is my network, this is what I control, to a zero trust approach that basically says, okay, probably we're already breached, because our network is so vast, so big, with so many participants that we have to assume breach. So we need to secure our systems differently. We need to be able to protect the systems, start more with identity. But this is also a problem.
I don't know who of you was following the attacks on multifactor authentication.
So two years ago everybody said, start using multifactor authentication, you're fine, everything's great. Then we discovered, yes, now we are using multifactor authentication, we are using something like Microsoft Authenticator, but suddenly we're seeing attacks that try to take over the accounts even though we are using multifactor authentication. Then Microsoft changed their multifactor authentication, put in numerical values to make multifactor authentication more secure, which helped for a while.
But today we are already seeing new attacks that even are resistant against needing to put in a numerical value, which leads us to think about going the next step, using a phishing-resistant multifactor authentication, and thinking about going there.
Because this is one of the major pillars, multifactor authentication and identities. It's one of the major pillars that we need to have to build trust. Trust can be based on identity, on devices, which is also where we invest heavily.
We want to be able to detect the right devices that are allowed to connect to our network and that we know they are managed and they are still in a consistent state, and being aware that there are still other devices that need to access the network for other reasons, and make sure that our policy, net policy framework is working nonetheless. And the last part is the software development lifecycle. We are also starting to develop our own software. So we were basically coming back from where we were working mostly with companies doing software development for us.
So there are certain parts where we start to do our own development more, to be more customer centric in the systems that we create. And there we are defining the secure software development lifecycle, putting more stress on secure software development, using secure software, using a bill of materials to make sure that we actually know what we are using and what we have to look for. And also training developers on secure software development and certifying them in a way.
Then we have the next topic that we are looking into, which is basically AI.
And we are approaching this from basically two angles. One is our business wants to use AI, but we need to make sure that it's being used in a secure manner and in a compliant manner. And we know that our attackers are making use of AI; as I already said, phishing letters are way better now than they were. And we are also looking into how to help our security analysts and our seeing people with using AI to make their lives easier, to detect attacks faster, to explain attacks to the analysts. So what they're seeing on the screen can be explained to them.
So they can act faster and better. And we are also starting to look into AIOps, also to strengthen our operation and to be able to react faster to failures and to problems in our infrastructure.
So this is basically what we do: we want to have clear policies on what can and what cannot be done. We want to have user awareness. So people that want to use AI first of all know what they're doing. They know the limits, they know the chances, they know what to do with that. We want to make our users aware.
So basically if they use AI, please use our versions that we created for the group and not something you just found on the internet. And then put the respective data there. So this leads to, basically at the moment we are mostly looking into OpenAI, where we have our own instance running in our cloud to make use of ChatGPT and similar technologies. And we started to have a review board that looks into what do we want to do, what don't we want to do, which data do we want to look at and which data should be off limits. Something I forgot about it.
No, that would be, yeah, from my side, any questions? I.