Flying through the hacked Sea-Tac airport

Several days after the Port of Seattle announced a “possible” cyberattack on its systems, Sea-Tac Airport is still mostly offline, causing chaos among travelers and serving as a constant warning not to take security lightly. Ask me how I know.

Fortunately, the outage caused by the recent hack did not result in planes being grounded or air traffic control double-booking a runway. These resources, which are managed by the government, are much more insular.

What we are experiencing now (and the authorities have not yet provided a timetable for recovery) is not a disaster but rather a vivid example of why we have regulations about where we lay our eggs.

For my part, I found out on Sunday when – and I hesitate to even mention it because apparently no one knows about this wonderful service – I tried to reserve my spot in security through the SEA Spot Saver. The service was offline and caused an error that you don’t even need to know about to cause deeper problems.

If I had been a good reporter and read my own publication over the weekend, I would have known that this was the result, among other things, of a completely rigged DNS configuration of the port’s web architecture. (The Spot Saver site is still offline, but the feature has been revived by Clear for the time being.)

Fortunately, I didn’t have to check any luggage (this was officially warned against) and the security checks weren’t particularly strict, possibly because an overturned semi-truck was blocking all southbound traffic on I-5.

At the airport, the large screens you’d normally lurk under to find your flight were ominously dark. But given the endless construction going on in Sea-Tac, I chalked that up to electrical work.

It was only at the S-Gates that the extent of the problem became clear. All the screens in this area were dark: the TVs above the waiting areas, the multi-displays that showed travelers the way to the gates, the gate agents’ monitors, the gate information displays themselves.

Although my boarding pass directed me to a gate, I couldn’t be sure it was the right one, so I asked the staff there. They confirmed it and I asked about the hack.

“It’s definitely some kind of… show,” they agreed, politely omitting the same part of the word I’d used. All airport systems shared by multiple airlines were down: baggage handling, they said, was the worst affected. They ignored (don’t tell anyone!) their own baggage size regulations and didn’t bother to gather “volunteers” to check bags at the gate and expedite boarding. Communication between airlines was laborious.

The gate counter was mostly offline, I was told, as it’s an official shared system between Alaska, Delta and everyone else who comes to the S-Gates. They couldn’t display the flight number, boarding groups or delays (half an hour for my flight) except over the PA system – which was extremely competitive due to the need to constantly repeat the current gate numbers. Nearby, there were paper signs at one gate announcing the last departure, even though that was obviously hours ago.

The tablets they use to check in passengers worked, but “only to a limited extent,” they said. Flight or seat changes were not possible. (“I think I might have been upgraded to first class,” I ventured hopefully, but they just shooed me away.)

In situations where digital infrastructure breaks down, sometimes those who cling to analog resources come across as smart rather than old-fashioned. Today that was not the case: while I waited, every few minutes someone came to the gate with a paper ticket saying they were departing from here. Some were lucky enough to be told it was just a few steps away, while one unfortunate soul was redirected all the way to the N-Gates – the exact opposite, as you can imagine, of the S-Gates.

The solution, offered by both gate agents and paper signs on empty displays, was: use the app. But it is precisely because of problems like this week’s that no one can really trust “the app”: because “the app” is just as vulnerable to hacker attacks as the port.

What was extraordinary was that a hacker was able to take down so many systems at once. We must not assume that baggage handling, gate management and security checks cannot be completely isolated and separated. This is an airport, not a nuclear power plant.

At the same time, it seems wrong that the system’s resilience is so low. Of course, the airport intranet can go down – but the entire public website? Baggage routes and gate updates too? All on the same network? We’ve known for centuries how important it is to separate critical systems and have built this into our power and network infrastructure, so that if one person runs two hairdryers at once, the whole neighborhood doesn’t come down.

I’m not complaining because I was inconvenienced. To be honest, this airport visit was no better or worse for me personally than any other. But I saw countless people upset by the government’s poorly secured and probably woefully understaffed IT infrastructure.

When the government talks about rehabilitating critical infrastructure, this is exactly what they’re talking about. Yes, it’s also about the 1980s-era COBOL-based computer that controls traffic lights, dams, or missile silos. But it’s events like this – and not so much the CrowdStrike debacle – that really expose the soft, vulnerable underbelly of local and national systems. It’s a worryingly large attack surface, with comparatively few resources available to maintain it.

That it’s not as valuable a target as, say, a financial institution or a data broker has deterred many would-be attackers, but that’s changing. Ransomware, for example, has proven to be extremely profitable and easy to automate, and AI (we knew it had to play a role somewhere) is accelerating credential theft through spearphishing operations. All of this means that the trend of extorting unlikely targets (schools, libraries) is only going to grow – but these attacks can be prevented, just as they have been in the private sector, where they’ve been expected for decades.

Those traveling through Sea-Tac should definitely allow extra time to get through the airport and install the appropriate apps. State and city officials are doing their best to keep everyone updated on this crisis page.

By Jasper
