Bugs on a Plane: Implementing a Bug Bounty in an Airline IT/OT Environment

Moderator: Elizabeth Wharton, Silver Key Strategies
Panelists: Casey Ellis, Bugcrowd; Richard Szymborski, Air Canada

Bug bounty programs are a valuable tool for security efforts but only if they are correctly applied. This is particularly true for airlines who have to secure both the IT business systems and OT aircraft systems that enable the business to operate safely. Join us to learn from one airline’s journey from a vulnerability disclosure to bug bounty program and key lessons learned along the way.


SUMMARY:

Elizabeth Wharton, Casey Ellis, and Richard Szymborski discuss creating and managing bug bounty programs within aviation cybersecurity, highlighting Air Canada's practical experiences and lessons learned.

IDEAS:

  • TSA frequently intercepts passengers attempting to smuggle snakes onto airplanes at airports in the US.
  • Southwest Airlines lost nearly $800 million due to outdated software causing holiday flight disruptions in 2022.
  • One software company supplies the load-balancing software used by nearly all major airlines, so a single flaw there is a single point of failure for the whole industry.
  • Bug bounty programs have expanded significantly over the past decade, becoming critical cybersecurity force multipliers.
  • Aviation cybersecurity involves complex interactions between IT systems, OT systems, aircraft operations, and passenger data.
  • Air Canada took five years to establish their bug bounty program due to internal hurdles and cultural resistance.
  • Lawyers flagged that bug bounty researchers are not subcontractors, which limits the company's recourse if a researcher's testing causes a breach.
  • Findings from a bug bounty program are not legally privileged and can therefore be produced in discovery during litigation against the company.
  • Air Canada's bug bounty uncovered critical vulnerabilities that would have allowed a person to fly for free, surprising the internal cybersecurity team.
  • Private bug bounty programs are often more manageable initially, allowing controlled environments before opening publicly.
  • Bugcrowd acts as a matchmaking platform, pairing skilled hackers with organizations based on technical and security needs.
  • Starting with a small-scope bug bounty program helps manage the influx of vulnerabilities and builds internal confidence.
  • Bug bounty programs can reveal critical vulnerabilities even after extensive traditional penetration testing by reputable firms.
  • Security researchers may repeatedly find similar vulnerabilities if initial fixes by development teams aren't correctly implemented.
  • Bug bounty platforms use algorithmic matching techniques similar to dating sites to pair researchers with appropriate targets.
  • Cross-functional collaboration between cybersecurity, legal, QA, and development teams is essential to successful vulnerability management.
  • Regulatory bodies increasingly recognize and mandate the necessity of vulnerability disclosure programs in various critical industries.
  • Publishing a vulnerability disclosure policy (VDP) signals to good-faith researchers that reports are welcome, so findings reach the organization instead of going unreported or being sold elsewhere.
  • Organizations use bug bounty results as evidence to convince management about cybersecurity investment urgency and program continuation.
  • Ethical hackers often specialize in particular industries, migrating between sectors like automotive and aviation due to overlapping skillsets.
  • Bug bounty program success stories can be effectively leveraged to encourage third-party and partner organizations toward similar initiatives.
  • Internships and junior staff members can significantly assist in vulnerability triaging, alleviating the burden on experienced cybersecurity teams.
  • Gamification of bug bounty programs enhances engagement, making cybersecurity testing appealing to researchers and internal stakeholders alike.
  • Transparency and openness about vulnerabilities can increase customer trust, turning cybersecurity from liability management into competitive advantage.
  • Organizations increasingly recognize that vulnerabilities are inevitable, emphasizing quick detection and resolution rather than unrealistic prevention attempts.

INSIGHTS:

  • Cybersecurity is fundamentally about creatively outsmarting adversaries; hackers provide essential human ingenuity to defensive efforts.
  • Bug bounty programs fundamentally shift organizational culture from defensive secrecy toward proactive transparency and openness.
  • Liability and privilege concerns in bug bounty programs highlight legal complexities around cybersecurity disclosures and ethical hacking.
  • Cross-team collaboration and communication are essential for rapidly addressing cybersecurity vulnerabilities discovered through external researchers.
  • Bug bounty programs can find what a time-boxed penetration test misses, because they draw on the breadth and creativity of a large, diverse hacker community rather than one small team.
  • Companies must proactively adapt their cybersecurity strategies, recognizing vulnerabilities as an unavoidable reality requiring ongoing management.
  • Using private bug bounty programs initially can help organizations comfortably transition into broader vulnerability disclosure practices later on.
  • Organizations that effectively harness external cybersecurity research communities gain significant competitive advantages in risk management and trust.
  • Ethical hacking communities naturally evolve and transfer skillsets between different industries, rapidly adapting to emerging technological threats.
  • Regulatory and policy trends increasingly mandate transparency and openness in cybersecurity, making vulnerability disclosure programs a future standard.

QUOTES:

  • "TSA almost on a daily basis stops someone from trying to sneak snakes onto airplanes at US airports." — Elizabeth Wharton
  • "Southwest Airlines during the holiday season of 2022, where over 16,000 passengers' flights got delayed." — Elizabeth Wharton
  • "We didn't invent VDP or bug bounty, that was prior art, but we did pioneer the idea." — Casey Ellis
  • "Cybersecurity is inherently a human problem... it's creative adversaries." — Casey Ellis
  • "VDP is basically neighborhood watch for the internet." — Casey Ellis
  • "We should have done it earlier." — Mel Crocker (quoted by Richard Szymborski)
  • "Regardless of the subject, if you have passionate people... it'll be hugely positive or hugely negative." — Richard Szymborski quoting Mark Nasr
  • "We found... over 13 critical vulnerabilities... where a person can travel basically for free." — Richard Szymborski
  • "Transparency is anti-fragile. The quicker you can recognize that... the better." — Casey Ellis
  • "Organizations that have taken this and done it well... they're actually going out and saying, 'Hey, look at what we're doing.'" — Casey Ellis
  • "Bugcrowd gets all the researchers." — Richard Szymborski
  • "We had interns... at least I had bodies to help with the triage." — Richard Szymborski
  • "The internet just in general has a tendency to say yes to questions like that." — Casey Ellis
  • "Basically what we've built is like a dating website for people to break computers." — Casey Ellis
  • "We didn't have an IoT security problem in 2012... and then we suddenly did." — Casey Ellis
  • "The bug bounty program... was the easiest one... I don't have to build infrastructure." — Richard Szymborski
  • "Transparency is actually a thing that can create confidence and trust." — Casey Ellis
  • "It's happening now. Whether we go into a bug bounty program or not, there are hackers out there." — Richard Szymborski
  • "Cyber wasn't what cyber is right now. So within Air Canada, we were about seven people." — Richard Szymborski
  • "It's a general phenomenon that I think is kind of unique to the idea of engaging the hacker community." — Casey Ellis

HABITS:

  • Actively reaching out to senior management for insights and support regarding cybersecurity programs and initiatives.
  • Regularly engaging directly with cybersecurity researchers to maintain clear and open lines of communication and trust.
  • Conducting outreach at security conferences like DEF CON and BSides to attract skilled ethical hackers and researchers.
  • Using gamification strategies in cybersecurity programs to drive higher engagement from external researchers and internal teams.
  • Establishing strong relationships between cybersecurity teams, legal teams, developers, and QA teams for quick vulnerability mitigation.
  • Leveraging interns and junior staff effectively for triaging and handling initial influx of vulnerability reports and disclosures.
  • Proactively adjusting the scope of bug bounty programs to manage workload and prioritize critical vulnerabilities effectively.
  • Ensuring cybersecurity policies and disclosures are clearly visible and accessible on public-facing websites and documentation.
  • Regularly performing "health checks" on the channels researchers use to reach you, such as confirming that the security.txt file (RFC 9116) at /.well-known/security.txt is present, has a valid Contact, and has not passed its Expires date.
  • Taking full ownership and accountability for cybersecurity initiatives within the organization to avoid delays and ensure progress.
  • Actively communicating cybersecurity success stories internally to gain continuous funding and executive support for programs.
  • Prioritizing rapid vulnerability patching to avoid repeat disclosures and reduce cybersecurity risks and associated costs.
  • Maintaining transparency regarding vulnerabilities found and their resolutions, building trust among stakeholders and end-users.
  • Adapting cybersecurity programs based on real-time feedback from both internal stakeholders and external research communities.
  • Encouraging cross-training and collaboration between cybersecurity (red team and blue team) to create cohesive "purple team" operations.
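The security.txt health check in the HABITS list above is the one concrete technical practice on this page. The Python below is an added example, not code from the panel, Bugcrowd or Air Canada: it validates the text of a security.txt file against the RFC 9116 requirements a periodic check should enforce (Contact and Expires present, Expires a timezone-aware RFC 3339 datetime that is neither in the past nor more than a year out, Contact values using mailto:, tel: or https: URIs, single-valued fields not repeated). The sample files, the example.com addresses and the pinned "now" are constructed for the demo; fetching the file over HTTPS from /.well-known/security.txt and checking its text/plain content type is left to the caller, and PGP clear-signed files are not unwrapped.

```python
"""Offline health check for a security.txt file (RFC 9116): constructed example."""
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("Contact", "Expires")
SINGLE_VALUE_FIELDS = ("Expires", "Preferred-Languages")
KNOWN_FIELDS = {"Acknowledgments", "Canonical", "Contact", "CSAF", "Encryption",
                "Expires", "Hiring", "Policy", "Preferred-Languages"}
# RFC 9116: Contact values are URIs, and web URIs must use https
ALLOWED_CONTACT_SCHEMES = ("mailto:", "tel:", "https://")
# Pinned "now" so the sample runs below are reproducible (assumption for the demo)
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return (fields, findings); fields maps canonical field name -> list of values."""
    fields, findings = {}, []
    # Note: PGP clear-signed files (optional in RFC 9116) are not unwrapped here.
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append(f"line {lineno}: not a 'Field: value' line: {line!r}")
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        # field names are case-insensitive; map to the RFC's spelling when known
        canonical = next((k for k in KNOWN_FIELDS if k.lower() == name.lower()), name)
        if not value:
            findings.append(f"line {lineno}: empty value for {canonical}")
            continue
        fields.setdefault(canonical, []).append(value)
    return fields, findings


def _parse_expires(value):
    """Expires uses RFC 3339 datetimes, e.g. 2025-12-31T23:59:59z (lower-case z allowed)."""
    v = value.strip()
    if v and v[-1] in "zZ":
        v = v[:-1] + "+00:00"
    return datetime.fromisoformat(v)


def check_security_txt(text, now=None):
    """Run the checks a periodic security.txt health check should cover."""
    now = now or datetime.now(timezone.utc)
    fields, findings = parse_security_txt(text)
    for req in REQUIRED_FIELDS:
        if req not in fields:
            findings.append(f"missing required field: {req}")
    for single in SINGLE_VALUE_FIELDS:
        if len(fields.get(single, [])) > 1:
            findings.append(f"{single} must appear at most once")
    for contact in fields.get("Contact", []):
        if not contact.lower().startswith(ALLOWED_CONTACT_SCHEMES):
            findings.append(f"Contact must be a mailto:, tel: or https: URI: {contact}")
    if "Expires" in fields:
        try:
            expires = _parse_expires(fields["Expires"][0])
            if expires.tzinfo is None:
                findings.append("Expires must carry a timezone offset")
            elif expires <= now:
                findings.append(f"file expired on {expires.isoformat()}")
            elif expires - now > timedelta(days=365):
                findings.append("Expires is over a year out; RFC 9116 recommends under a year")
        except ValueError:
            findings.append(f"Expires is not an RFC 3339 datetime: {fields['Expires'][0]}")
    for name in fields:
        if name not in KNOWN_FIELDS:
            findings.append(f"unknown (extension) field: {name}")
    return findings


# Constructed sample files using example.com; not any real organisation's security.txt
GOOD = """\
# Constructed example security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2025-12-31T23:59:59z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
"""
BAD = """\
Contact: http://example.com/contact
Contact security@example.com
Preferred-Languages: en
Preferred-Languages: fr
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, check_security_txt(sample, now=FIXED_NOW) or "OK")
```

Run it on the live file by fetching https://yourdomain/.well-known/security.txt and passing the body to check_security_txt(); an empty list means the file passes. The Expires check is the one most worth scheduling, since a file that was valid when published silently goes stale a year later.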

FACTS:

  • Southwest Airlines' software issues in 2022 holiday season caused nearly $800 million in financial losses.
  • Bug bounty program at Air Canada uncovered a vulnerability allowing passengers to travel for free.
  • Air Canada took five years from initial idea to full implementation of their bug bounty program.
  • 70% of Bugcrowd's programs are private, contrary to the public perception of majority open programs.
  • Bug bounty disclosures aren't considered legally privileged, meaning they can appear in legal discovery.
  • TSA routinely intercepts passengers trying to smuggle snakes onto airplanes at US airports.
  • Medical device cybersecurity significantly accelerated around 2016 following increased regulatory scrutiny.
  • Bug bounty researchers are not subcontractors, limiting companies' legal recourse if breaches occur.
  • The FDA's post-market cybersecurity guidance for medical devices was finalized in 2016, and an updated draft of its pre-market guidance followed in 2018.
  • Penetration tests by major consulting firms can miss critical vulnerabilities that a bug bounty program later surfaces, as happened at Air Canada.
  • Air Canada started its bug bounty as a private program with around 100 invited researchers who had aerospace experience.
  • Many ethical hackers move fluidly between automotive and aviation sectors due to similar technologies.
  • Bug bounty results can significantly influence corporate cybersecurity policies and management investment decisions.

REFERENCES:

  • Silver Key Strategies
  • Bugcrowd
  • Air Canada
  • TSA
  • DEF CON
  • BSides Conference
  • Aviation ISAC
  • Burp Suite
  • Gran Turismo (film)
  • FDA cybersecurity guidance

ONE-SENTENCE TAKEAWAY:

Proactive vulnerability disclosure and bug bounty programs significantly enhance cybersecurity through transparency, collaboration, and hacker engagement.

RECOMMENDATIONS:

  • Start a bug bounty program with a narrow scope and scale it incrementally, so the triage workload stays manageable and the internal team builds confidence.
  • Clearly define vulnerability disclosure policies publicly to attract ethical hackers and manage cybersecurity risk effectively.
  • Establish cross-functional cybersecurity teams involving legal, development, QA, and security personnel for efficient vulnerability management.
  • Leverage private bug bounty programs initially to comfortably transition into broader vulnerability disclosure and bug bounty efforts.
  • Use gamification and rewards to increase engagement and participation in internal and external cybersecurity vulnerability programs.
  • Prioritize transparency regarding cybersecurity vulnerabilities to enhance stakeholder trust and position cybersecurity as a competitive advantage.