We asked the CISO's (Chief Information Security Officer) of two large Belgian institutions (Brussels Airlines and the ULB) how they deal with cybersecurity threats. These are sectors that are often attacked, and therefore need a heightened sense of urgency when it comes to cybersecurity. Olivier Markowitch for the ULB (Université Libre de Bruxelles) and David Callebaut for Brussels Airlines sat down with our journalists to talk about the risks to their security, how they deal with them, and what is important to keep in mind to control these risks.
To what extent are cybercrime and cyberwar really an issue in the aviation sector today?
David Callebaut: "Both dangers certainly count as a hot topic within our business, for the simple reason that we play a crucial role in transporting people. If passenger traffic suddenly comes to a halt, we can fortunately fall back on interim solutions. During the pandemic, for instance, many of us learnt to hold meetings remotely, via Microsoft Teams for instance. But these are not permanent, fully-fledged alternatives. We all feel that, whether for work or purely for pleasure, we still need to make that physical move from time to time. If that option falls away, we are in serious trouble. And I don't just mean us as a commercial enterprise, but society as a whole."
What types of cyberrisks does our country face and which sectors are most targeted?
Olivier Markowitch: "All sectors are targeted and affected: there are attacks against some of our ministries, against our banks, our universities, our hospitals and our companies. Currently, there are still many crypto-locker attacks (encryption of the organisation's data by the attackers and demand for a ransom to be paid in bitcoins to obtain the decryption key). But there are also attacks by "penetration" of computer systems and spying on activities or extracting data from the targeted computer system. These attacks are sometimes carried out at the same time as crypto-locker attacks.
Organisational systems are attacked in a stealthy and often undetected manner by so-called Advanced Persistent Threats (APTs): the attackers then remain discreetly in the systems to collect as much data as possible, or, waiting for a specific piece of information for example. These attacks are non-destructive, precisely to allow the attacker to remain as long as possible within the targeted computer system. There are also denial of service (DOS) attacks (and more often DDOS or distributed denial of service), their aim is to make a web service provided by the targeted organisation inaccessible."
To what extent does a hospital a possible cyberattack into account?
'We address this eventuality very actively and invest a relatively large amount of time and resources to prevent it. Since the onset of COVID, hospitals are often victims of ransomware. They seem to be an easy victim and the impact of a cyber-attack is high because human lives are at stake. Moreover, hospitals work with very critical data and are highly digitalised. In our case, every process has a digital component and that gives cybercriminals many potential access points.'
'A cyberattack is still too often seen as something one-off. It does not yet lead to a structural policy. We make a conscientious effort to have the right protection techniques in place and we make sure we are ready for it. But as a sector we are still too reactive. We also very often work with what are known as legacy systems, i.e. devices that still work with software from 20 years ago. These tend to be medically certified equipment to which we are not allowed to change anything.'
'Fortunately, there is growing awareness that we need to take steps quickly. We are more active with it than the average SME. But if we look at concrete measures or implementation, we are not yet at the level of the banks, for instance, even though we handle equally sensitive data.’