Sabre Airline SolutionsSabre Airline Solutions · 2015. 7. 14. · Sabre Airline SolutionsSabre...


  • Sabre Airline Solutions

    Securing Airline Information on the Ground and in the Air

    7 November 2012

    Kuala Lumpur, Malaysia

    Confidential

  • Brief

    Paul Feheley
    Principal
    Sabre Airline Solutions
    Southlake, Texas USA

  • Common Threats Across All Industries

    Some threats to airline computer systems are not unique to the travel and transport industry

    • Hacking, hijacking of data
    • Threats including service disruption
    • Theft of personal information

  • Common Responses

    Preventative – avoid the threat before it becomes a threat

    Active – continuous and real-time detection of threat or fraud

    Post-mortem – investigate, communicate and refine

  • What Does Make Airlines Unique / Cybersecurity?

    • The nature of legacy airline systems
    • Sabre reservations system introduced: 1962
    • 50 years is a long time in IT

  • What Does Make Airlines Unique / Cybersecurity?

    • The complexity of the global network required to serve airlines (and inter-airline), travel agencies, and passengers themselves

    • The threat to human safety inherent in travel and transport and the spectacular nature of mishaps

    • The unique relationship required between government agencies and travel and transport providers
      • Airlines carry passengers across country and state borders and therefore have special responsibilities not tied to other industries

    • The amount of personal passenger data required to be collected by travel providers – and the “chain of care” for that data

  • What Does Make Airlines Unique / Cybersecurity?

    • Sheer volume of passengers
    • …and transactions
    • Larger, faster aircraft

    2011: 2.3 billion passenger air trips (est.)*

    2020: “forecasts indicate that passenger traffic will grow at the rate of 4.1% per annum equating to 7.4 billion passenger air trips by 2020”**

    Source: *Collaborative Forum of Air Transport Stakeholders ** Airports Council International

  • © planefinder.net


  • Passenger Data – a Wealth of Private Information


  • Passenger Data – a Wealth of Private Information

    Typical international travel records contain

    • Names of all travelers and “Biodata”: age, nationality
      • Including travel partners – with whom are you traveling?
    • Personal data: home and overseas addresses, credit card data, emergency contact details
    • Passenger journey details (air, rail, cruise, hotel, car)
    • ATC - authorization to carry (government permission such as visa)
    • Seating data (where will you sit when you travel and with whom are you seated)
    • Baggage data (how many pieces, weight of each, owner of each)
    • Special requests of the airlines (meals, wheelchairs, special needs)

    Literally hundreds of data items collected, transmitted, reviewed, stored

  • Passenger Data – a Wealth of Private Information

    Future - travel records may also contain - ?

    • IP address(es) of your interactions with agencies, airlines
    • Biometric passenger data points for airport or aircraft door verification (face, iris, fingerprint)
    • Images (face, bags)

  • Chain of Care – Passenger Data

    Can be quite complex

    • Passenger to travel agency (online or in person)
    • Agency to airline or airline booking system
    • Booking system to payment system or gateway
    • Airline booking system to airport check-in system
    • Check-in system to onboard staff and other local service providers
    • Airline to government

  • Baseline Definitions

    GDS – Global Distribution Systems (bookings – travel agencies)
    CRS – Central Reservations Systems (bookings – airlines)
    FFP – Frequent Flyer Systems (passenger data – airlines)
    DCS – Departure Control Systems (airport check-in – airlines)

    Industry

    • IATA – International Air Transport Association
    • Governments – local, national and regional travel governance authorities
      • Customs, immigration, police, cybersecurity, quarantine/biosecurity

  • Risk Assessment Across The Travel Journey

    [Diagram: The Customer Travel Process. Customer journey: Initiation, Reservation, Embarkation, Conclusion. Touch points: Web Site, Call Center, In-person; Airport Check-in; Physical Border Arrival. Data sources: Reservations System CRS/GDS; Frequent Flyer System; Airline CRM Database; Departure Control System DCS; Border Crossing Database; Other Domestic and International Authority Data Sources.]

  • Threat Assessment And The Passenger Travel Process

    [Diagram: Threat Assessment From Reservation to Post-arrival. Timeline: Reservation Booked, Check-in, Boarding, In Air, Arrival, Post Arrival. Time markers: -1 yr., +3 days. Analysis stages: Reservation Analysis; Check-in/Pre-board Analysis; Post-board/Pre-arrival Analysis; Post-arrival Analysis. Stage labels: Qik Analysis, Threat Analysis. Records: PNR, Profile, FFP, CRM Data; PNR, Check-in Record; Border Crossing Record. Data sources: Reservations System CRS (“Res”); Frequent Flyer System; Working Air Crew Database; Departure Control System (DCS); Border Crossing Database; Border Control; Other Domestic and International Authority Data Sources.]

  • Physical Document Threats

    Physical documents are still very much a part of airline culture

    • Airline-issued such as boarding passes and baggage tags
    • Government issued – including passports, visas
    • Right-to-travel for example unaccompanied child, doctor permission

    Authenticity of these documents – critical because fraudulent documents can pose national security threats, flag immigration fraud, aid in human trafficking and more

    Airlines often responsible for validating such documents

  • Physical Document Threats – A Progression


  • Physical Document Threats – A Progression


  • The Way Forward - Electronic Documents?

    • Becoming more popular with passengers
    • …but carry their own level of threat
    • Mobile boarding passes
    • NFC / touch / tap check-in
    • RFID permanent bagtag
    • Bluetooth-aware systems

  • The Way Forward - Electronic Passenger Processing

    Airlines and passengers embracing electronic passenger processing

    SITA – Airline IT Trends Survey 2012

    www.sita.aero

  • Fraud


  • Cards: Airlines Accept Billions in Payments

    PCI compliance: critical

    • Challenges via telephone: airline call centers
    • Via websites: booking, electronic ticketing
    • In person: travel agencies, airport and city ticket offices
    • Using physical devices: airport kiosks
    • Onboard aircraft: duty free, purchases services (food/upgrade)

    Each point of purchase carries its own threat

    • Fraud against the airline
    • Credit card abuse against the passenger

  • In-flight – Unique Cybersecurity Considerations

    As on-ground technology advances, so does in-air technology

    Avionics, better and smarter

    “Fly-by-wire” and “glass cockpit”

    Passenger-centric onboard systems

    • IFE, wired and wireless
    • In-flight wifi, ground-based and satellite
    • In-flight mobile: SMS, voice and data

  • In-flight Wi-Fi and Mobile


  • In-flight and digital / electronic flight bag

    Passenger in-flight technology must not interfere with in-flight systems

  • In Conclusion – Thank You!

    Airlines, travel and transport companies face several unique challenges in regard to data security

    Mix of legacy and new technologies must all adhere to IT security policies and practices

    Inter-operability among competing companies and government agencies is critical and complex

    Travel volume and passenger demand for faster, better processing lead us into a digital future

  • Brief

    [email protected]@sabre.com


  • Sabre Holdings

    Sabre Airline Solutions, the Sabre Airline Solutions logo, Sabre Holdings, Qik, Qik Analysis, and Sabre, are trademarks and / or service marks of an affiliate of Sabre Holdings Corp. All other trademarks, service marks and trade names are the property of their respective owners.

    © 2012 Sabre Inc. All rights reserved.
