Several major U.S. airports were recently targeted by pro-Russian hackers identifying themselves as Killnet in a distributed denial-of-service (“DDoS”) campaign. The hackers warned of the attack on their Telegram channel on the evening of Sunday, October 9, 2022, and carried out their threats the following day, a busy Monday morning for travel. Killnet flooded the target airports with junk data, which overwhelmed the target servers and rendered the airports’ external-facing websites inaccessible. A DDoS attack happens when a massive number of machines are directed to bombard the target with traffic until the network or system becomes overwhelmed and cannot respond to service requests. This attack was a typical example.
While the websites were inaccessible for several hours on Monday, the majority were back online later that day. The TSA has confirmed that the attacks “did not disrupt airport operations or access to information.”1 Because there was no actual intrusion into any of the subject airports’ critical internal networks or systems, the attack’s impact was relatively minor in comparison to a ransomware attack or other malicious intrusion.
However, this event has further strengthened the government’s desire to impose additional cybersecurity requirements on airport and airline operators. In response to the cyber attack, the TSA signaled that, in addition to recently issued regulations requiring airports and airlines to “designate a cybersecurity coordinator and report cybersecurity incidents, conduct a cybersecurity assessment, and develop remediation measures and incident response plans,” it would “soon issue additional performance-based cybersecurity requirements for critical aviation systems.”2 Meanwhile, the FAA has also required carriers and airports to adopt enhanced cybersecurity measures as a condition of receiving grants and construction funding, and is likely to promulgate additional regulations intended to protect the networks and systems required to safely operate aircraft.3
Most cyber policies provide coverage to address DDoS attacks similar to the one described above. DDoS attacks are generally considered network security incidents or, as some policies define them, security breaches or failures. Most cyber policies provide for the recovery of response costs and/or business interruption damages stemming from the DDoS attack and any third-party liability claims that may arise from the incident. The language of most policies provides coverage for DDoS attacks on a computer system or network of the insured, as well as “computer system” servers hosted by third parties under a written contract with an insured, or networks connected through “cloud computing” and the internet.
If an insured believes that they may incur response costs or business interruption damages or that a claim could result from the incident, it would be wise to notify their carrier to meet the reporting requirements of most policies. In the most recent attacks, the reality is that because the websites were only inaccessible for a short period and were relatively easily restored, damages may not exceed many insureds’ retentions, especially if internal resources were able to resolve the issue without the need for costly outside vendors.
If you were impacted by these attacks, or find yourself facing a similar attack in the future, we recommend the following steps be taken:
As a global leader in human capital solutions, risk advisory and broking services, we are well prepared to assess your cyber vulnerabilities, protect you through best-in-class solutions and radically improve your ability to successfully recover from future attacks.
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).
1 US to add cybersecurity requirements for critical aviation systems
2 Id.
3 Id.