Complex legacy systems leave airlines ripe for security turbulence

The recent disruption that left American airspace momentarily without a single Delta Air Lines jet was not the result of a security breach, but it is an indicator that airlines are highly susceptible to interruptions due to legacy computing systems and 24-hour uptime requirements, according to experts.

In the case of Delta, some up front spending would have prevented a problem that ended up costing them more in lost revenue. The nature of air travel is these disruptions usually end up affecting mission critical customer facing applications, so any downtime is quite obvious and has far-reaching effects.

“It was less of a security issue and more of a data centre incompetency,” noted security expert Michael Ball of the Delta situation in an interview with IT World Canada. The choice not to implement redundancy, probably as a means to save money, he said, meant the airline ultimately lost more money in revenue than the cost to establish a back up system.

In an era where threats to cybersecurity and ransomware are commonplace, Ball said transportation, including airlines, along with financial services and healthcare are key targets for disruptive actors, and the more complex the system, the more potential points of failure. Factor in legacy systems, and there’s plenty of windows for hackers, or a higher likelihood that something is bound to fail.

“If you have one weak system in your environment that is reachable, you only need that one,” said Ball. An easily accessible legacy system can be a road into the rest of the network. An older server, for example, may not alert modern security tools. “A hacker can sit in that box for a while.”

And if you ever see a blue screen of death (BSOD) on an airport screen, be concerned, as it’s an indication that an old version of Windows is still being run. Bell said many airlines probably have a mix of older systems that include mainframes and AS400 systems. “The requirement of airlines to interact with each other as well as airports causes some degree of complexity.”

Not surprisingly, Canada’s major airlines were not willing to comment – IT World Canada reached out to Air Canada, Porter Airlines and WestJet. In an email, an Air Canada spokesperson said it continually evaluates risks and enhances its systems. “We have backup systems and contingency plans in place. We also confer frequently with other large IT users to share best practices. For security reasons, unfortunately, we cannot discuss these matters in detail as the effectiveness of our measures is in part contingent on keeping them confidential.”

WestJet did not provide comment in time for IT World Canada’s deadline, but like Air Canada, Porter responded with an email statement: “Porter uses technology to support our passengers and business in a variety of ways. These systems are upgraded when necessary and have redundancies to mitigate against downtime for any reason.”

An example of Porter’s investments in mission critical technology include working with Console Inc. to bypass the public Internet to privately connect with “mission-critical” partners, including Amazon Web Services and business-critical aviation software.

Ball’s perception of Porter and WestJet is that they are fairly tech savvy, and said it’s important to keep in mind that it takes 18-to-24 months to pull the trigger on a significant project with an sizeable and complex airline as a well as the necessary testing for software deployments.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Gary Hilson
Gary Hilson
Gary Hilson is a Toronto-based freelance writer who has written thousands of words for print and pixel in publications across North America. His areas of interest and expertise include software, enterprise and networking technology, memory systems, green energy, sustainable transportation, and research and education. His articles have been published by EE Times, SolarEnergy.Net, Network Computing, InformationWeek, Computing Canada, Computer Dealer News, Toronto Business Times and the Ottawa Citizen, among others.

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now