Software glitch grounds thousands of flights

The vulnerability of automation in aviation was underscored on July 19 after the American cybersecurity company CrowdStrike distributed a security software update, causing an estimated 8.5 million computers running Microsoft Windows to crash and left unable to properly restart.

The resulting outage, called the largest outage in the history of information technology, disrupted businesses and governments around the world.

Affected industries included airlines, airports, banks, hotels, hospitals, manufacturing, stock markets and broadcasting.

On the first day of the outage, over 5,000 scheduled flights globally were cancelled. Up to last Monday, hundreds of flights in the US were cancelled.

Aviation resides in a rapidly changing technological environment. As a result, there are continuous technological improvements in all areas of aviation operations, including airline reservations systems, aircraft design and manufacturing, airline operations and air navigation systems.

These technological upgrades reduce human intervention, minimising errors with improved efficiencies and saving time and money.

In the early days of international commercial air transport, airlines used manual reservation systems. Travellers had to either visit or call an airline reservations office to make flight bookings.

At that time, the airlines and travel agents relied heavily on the official airline guide published by Aircraft on Ground, which contained elements of an airline's flight schedules and fares.

In January 1963, Trans-Canada Airlines (TCA) implemented the first computer-based airline reservation system, ReserVec, using punched cards and a transistorised computer.

Terminals were placed in all of TCA's ticketing offices, allowing for speedy airline reservations.

In 1953, American Airlines (AA) CEO sat next to R Blair Smith, a senior IBM sales representative, on a flight from Los Angeles to New York.

The AA CEO invited Blair to visit the airline's reservations system and examine ways IBM could improve it. AA and IBM began to develop an automated airline reservation system (ARS), resulting in a 1959 venture known as the semi-automatic business research environment (SABRE).

By the time the network was completed in December 1964, it was the largest civil data-processing system in the world.

Other airlines established their own systems. Pan Am launched its PANAMAC system in 1964. Delta Airlines launched the Delta Automated Travel Account System in 1968.

United Airlines and Trans World Airlines followed in 1971 with the Apollo Reservation System and Programmed Airline Reservation System, respectively.

Soon, travel agents began pushing for a system that could automate their side of the business by accessing the various ARSs directly to make reservations.

Fearful this would place too much power in the hands of agents, AA executive Robert Crandall proposed creating an industry-wide computer reservation system as a central clearing house for US travel.

In 1976, United Airlines began offering its Apollo system to travel agents. While it did not allow them to book tickets on United's competitors, the marketing value of the convenient terminal proved indispensable. SABRE, PARS, and DATAS were soon released to travel agents as well.

Computer technology aided the development of the global distribution systems (GDS), which are computerised network systems owned or operated by companies that enable transactions between airlines and travel agencies. The GDS mainly uses real-time inventory, such as the number of seats on flights available from the airlines.

GDS is different from a computer reservation system. Primary customers of GDS are travel agents who make reservations on various reservation systems run by the airlines. GDS holds no inventory, as the inventory is held on the airlines’ reservation system.

A GDS system has real-time links to an airline's database. For example, when a travel agency requests a reservation on the service of a particular airline company, the GDS system routes the request to the appropriate airline's computer reservations system.

Airline reservation systems may be integrated into a larger passenger service system, which also includes an airline inventory system and a departure control system.

An example is the Common Use Terminal Equipment (CUTE), which is an advanced system implemented in most airports and used to enhance operational efficiency and passenger-handling. Multiple airlines can access and use shared terminal equipment such as check-in counters, boarding gates and baggage-handling systems. This approach to resource management is particularly beneficial in airports with high passenger traffic, enabling a more flexible and dynamic use of terminal space and facilities.

The CUTE system is complemented by Common-Use Self-Service (CUSS), which is a shared kiosk offering airport check-in to passengers without the need for ground staff. The CUSS can be used by several participating airlines in a single terminal.

Centralised reservation systems are vulnerable to network-wide system disruptions.

CrowdStrike Holdings is a very reputable American cybersecurity technology company that provides endpoint security, threat intelligence and cyber-attack response services globally. CrowdStrike produces a suite of security software products for businesses, designed to protect computers from cyber attacks.

The Falcon Sensor product, CrowdStrike's vulnerability scanner, installs an endpoint sensor at the operating-system kernel level on individual computers to detect and prevent threats. It routinely distributes patches to its clients to enable their computers to address new threats.

On July 19, CrowdStrike distributed a configuration update for its Falcon sensor software running on Windows PCs and servers.

The update caused computers to go into either a boot loop or boot recovery mode. A boot loop is a problem that occurs on computing devices when they repeatedly fail to complete the booting process and restart before the sequence is finished, preventing the user from accessing the regular interface.

Initially, until the root cause of the problem was identified, some airlines cancelled all flights to prevent further exacerbation of the problem.

The outage raised questions about oligopoly and centralisation in the information technology sector.

The majority of the world's computers use Microsoft Windows, creating a technology monoculture that reduces resiliency.

Critical infrastructure expert Gregory Falco said, "Cyber security providers are part of this homogeneous backbone of modern systems and are so core to how we operate that a glitch in their operations will have similar impacts to failures in systems that are household names."

Security experts are now suggesting more redundancy to avoid single points of failure in the future.