Cybersecurity vulnerability looms over the worldwide aviation industry, calling for a firm embrace of cybersecurity awareness, standards and best practices.
In late September of 2023, the Ukrainian hacktivist group IT Army launched a cyberattack on Leonardo, a Russian flight booking system (https://therecord.media/russia-flight-booking-system-leonardo-ddos). It was a widespread distributed denial-of-service (DDoS) attack on the booking system, affecting several air carriers and downing their websites.
Such cyberattacks are taking place in the United States and other nations as well. Recently, cyberattacks were also reported at the Hartsfield-Jackson Atlanta International Airport, the Baton Rouge Metro Airport, Geneva Airport in Switzerland, and Ireland’s Dublin Airport. The vulnerability to cybersecurity compromise is real, threatening and concerning.
The Severity of Cyber Risk in Commercial Aviation
Bobby Anderson is the vice president and general manager for commercial aviation at Shift5, an IT security firm based in Arlington, VA.
“The aviation ecosystem, a key part of critical infrastructure, has grown more technically complex as it has innovated over time,” explains Anderson. “Modern connected aircraft use faster, more advanced Internet-protocol (IP) based systems, as well as traditionally isolated on board operational technology (OT) systems, which generate vast amounts of raw data. Collecting and analyzing on board data is critical in developing modern, resilient aviation cybersecurity programs, but airlines can’t access the full breadth of the data produced on board their aircraft or through their fleets. Of the on board data that they can access, processing it using existing flight data management (FDM) systems can be cumbersome, and these systems aren’t designed to make cybersecurity assessments. With comprehensive analysis and correlation, data from on board aircraft can help build aircraft operational resilience against cybersecurity risks.”
The actual reach of a cyber threat can be underestimated if one does not consider how data compromise may expand beyond network infrastructure and into mobile devices in some cases. Dr. Michael Klipstein is the former director of international cybersecurity policy for the National Security Council, and is now a strategic advisor for Baker Donelson in Washington, D.C.
“Aviation cybersecurity vulnerabilities came to the forefront in 2015 when security researcher Chris Roberts allegedly hacked into a United Airlines plane mid-flight and issued a ‘climb’ command to one of the engines, causing sideways movement in the plane,” says Dr. Klipstein.
Dr. Klipstein adds that a few years ago, a security firm discovered over a dozen vulnerable airlines using a specific manufacturer’s in-flight entertainment system, which would theoretically allow an attacker to capture credit card information used for in-flight purchases and to gain limited control of the cabin lights, seats, and the information being displayed to customers.
“As aircraft increasingly rely upon interconnected information systems for both passengers and operations, the risk continues to increase due to the increased attack surface,” adds Dr. Klipstein. “Case in point: aircraft need to process satellite signals (GPS) for navigation; however, no assurance mechanism exists to tell the computer whether the signal is true or has been modified. Adding to this, most airlines have an app for customers to book flights, access in-flight entertainment, order meals, etc. This opens more vulnerabilities to individual devices that potentially may spread malware through the plane and onto other people’s phones, further stealing personal information. Just one example is the 2018 breach of Air Canada’s app, which impacted the data of over 20,000 customers. Not only is the plane the target — it is the vector to other targets.”
What further complicates cybersecurity efforts is the constantly changing nature of threats. What provides security today may be weak against tomorrow’s threat. Cybersecurity requires constant vigilance, and that is a challenge to the aviation community. Stephane Lagut is the global aerospace and defense sector leader with the consulting firm EY. Lagut is in Tokyo, Japan.
“The sector is hyper-vigilant, and rightly so. You are constantly thinking of the product, of passenger safety — both physical and digital — and the overall reputation, not just of your business but of the industry as a whole,” says Lagut. “The cybersecurity efforts across the industry are always evolving because they know that the threats are evolving as well. Just because you’re ready today, doesn’t mean you’ll be ready tomorrow, and that is a constant consideration across the sector.”
The threat landscape is also increasingly complex for commercial aviation as the layers of risk run wide and deep with so many different stakeholders. With such complexity, it’s just difficult to nail down the most vulnerable points of threat within the aviation infrastructure. Bad actors and hackers have many endpoints to explore.
“With the world-wide aviation ecosystem, you are talking about a very broad and multi-dimensional threat landscape, so there’s no way to make a single, monolithic assessment about the overall risk,” says Vince Dova, vice president of security at Cyemptive Technologies in Snohomish, WA. “Just as important is how each one of those segments is subdivided: you have the aircraft themselves, the supply chain that builds and maintains them, the navigation and air traffic control infrastructure that guides them in flight, (including space-based comm-nav systems), the business systems that support operations, and the airports where they take off, land, and refuel.”
Grant Geyer is the chief product officer at industrial and critical infrastructure cybersecurity firm Claroty. Geyer has a similar vantage point to Dova: there are many players in the end-to-end aviation supply chain. He says that aviation has become a more attractive target for threat actors aiming to disrupt essential operations due to its increased interconnectedness with the global supply chain.
“Organizations can create a complete asset inventory and implement fixes/compensating controls, such as secure remote access, to prevent attacks and mitigate cyber risks,” says Geyer. “Cybersecurity was initially created to protect data, but now nation state actors are recognizing that future wars will not be fought with bombs and bullets, but by taking out another nation’s critical infrastructure. What was made clear from the shutdown of Colonial Pipeline from a cyberattack, is that attacks can cause cascading failures in other sectors that can cause harm to national security, economic security and public safety.”
If constant change in the threat landscape, added to the overall complexity of the aviation supply chain and stakeholders, is not enough to chew on, there are also budget constraints. Cybersecurity isn’t cheap, especially in an industry that is already price competitive. William “Hutch” Hutchison is the CEO of SimSpace and a former U.S. Army fighter pilot. He points out that globally, commercial aviation has also been struggling with financial hardships that make it difficult to invest heavily in cybersecurity.
“Over the last few years, the global aviation industry has been left reeling by a post-pandemic sucker punch that hit the sector with over $185 billion in losses,” says Hutchison. “Once a bastion of American prosperity, airlines were forced into survival mode, cutting staff from their workforce and flights from their schedule. Capital preservation was the default setting for boards across the country, but as the sector emerges from the wrath of economic instability, CEOs and CISOs want to know where to invest to ensure long-term growth. The north star of success in aviation continues to be the safety of passengers, systems, and the data they house. However, for decades this safety was only challenged by spilled coffee, crosswinds and external market forces.”
Setting Standards and Implementing Best Practices
Setting industry-wide standards for cybersecurity is generally a best practice in many industries. It’s also an effective means of breeding an environment of cyber hygiene and raising overall industry standards in the worldwide aviation community.
Two international standards, the DO-326A/ED-202A Airworthiness Security Process Specification and the DO-355A/ED-204A Information Security Guidance for Continued Airworthiness, provide a necessary framework for operators’ compliance with airworthiness security. Both standards were jointly authored by the Radio Technical Commission for Aeronautics (RTCA) and the European Organization for Civil Aviation Equipment (EUROCAE). Operators, original equipment manufacturers (OEMs), the FAA and the European Union Aviation Safety Agency (EASA) also participated to provide some guidance beyond what OEMs recommend.
But is this enough? Are deeper and more specific standards needed?
“As I understand it, the Aircraft Information Security Program (AISP) is not required to follow the framework requirements of DO-326A/ED-202A and that this may be self-selected by the manufacturer and operator,” says Kevin O’Connor, director of threat research for the cybersecurity firm Adlumin in Washington, D.C. “Given that the application of the framework is voluntary, not a rule-making oversight authorities can enforce, if the requirements for this type of framework were instead codified and appropriately funded for enforcement, it would position the U.S. as a real leader in international aerospace cybersecurity.”
Lawrence Baker is the aerospace technical lead in the transport practice at the NCC Group in Manchester, United Kingdom. He explains that DO-326A/ED-202A and DO-355A/ED-204A are focused on aircraft airworthiness, with the former focused on aircraft certification and the latter on continued airworthiness.
“There are other jointly authored standards by RTCA and EUROCAE covering different aspects, including DO-393A/ED-205A, which provides guidance for the certification of Air Traffic Management ground systems, and DO-392/ED-206 Guidance on Security Event Management, as well as a number of other standards currently in development,” says Baker. “EUROCAE produced ED-201 Aeronautical Information System Security Framework Guidance that provides context to aviation cybersecurity and a framework for how various organizations can interact, though there is no RTCA counterpart to this. There are several other cybersecurity standards produced by various aviation industry bodies. The cybersecurity industry itself contains a multitude of standards, which while not aviation specific, are often applicable to the sector.”
Standards are a good start. But there’s much more follow-on work to be done. Quentin Hodgson is a senior researcher at the RAND Corporation in Washington, D.C. He says that standards are useful starting points, but they are by no means sufficient on their own to meet the challenge of cybersecurity threats.
“Implementing standards needs to be risk-based, not compliance-based. We have seen that even when companies and organizations start from a risk perspective — what are the threats we face and how could they impact operations — they inevitably devolve into a compliance-based approach — have we implemented a particular security control,” says Hodgson. “This approach is not dynamic enough to adapt to a changing threat landscape. And we know that regardless of rhetoric, the bias is towards implementing new technology before the security implications are fully understood. In aviation safety and security, it is critical to not let this happen. Even more important is that we need aircraft that can operate safely even when subject to cyberattack. That’s job #1, because we cannot assume that our preventative measures will prevent all attacks. More standards are not the answer; better approaches to ensuring security and resiliency are.”
Standards and regulations have good intentions, but they do require the allocation of resources like training, simulation, patching, and constant monitoring. Aimei Wei is the chief technical officer (CTO) and founder at Stellar Cyber, a San Jose, California-based cybersecurity company that protects critical infrastructure operations. She opines that standards help less mature organizations understand the “rules they need to play by.” “More mature organizations are less at risk from less mature organizations,” says Wei. “That said, regulations without training, process and rigorous monitoring do not get the desired result. The idea of regulation in many people’s minds is a dirty word or seen as overhead that takes away from productivity or product margin. That is true, however, if we want to see the aerospace industry reduce risk, in a global supply chain environment, something must be done. And the standards help to implement and sustain minimum actions to reduce risks. Since aerospace is a global market and supply chain, this is extremely difficult with each region trying to push their own views. It will take time for the economics to be worked out in terms of the right amount of regulation and what cost to each supplier in the chain.”
Ian Ferguson, vice president of marketing for Lynx Software Technologies, advises stakeholders in the aviation industry to take a multi-layered approach and implement layered cybersecurity defense to match the level of potential impact. And he’s also not a big fan of more standards.
Instead, he directs focus onto three things: treating security implementations as a first-class citizen during the development phase; recognizing that security capabilities in a deployed system have to improve over time; and spending as much time, resources, or money on recognizing whether a system has been compromised as on creating a large vault door in an attempt to block initial incursions.
“By treating cybersecurity as a risk management function rather than a cost center, mission-critical firms can make smart investments in resilience. Conduct rigorous vulnerability testing and cyber exercises. Where is the weakest link? Is it a system or a human? How do those areas get enhanced?”
He further advises investigating how systems we create could be compromised for nefarious purposes. “Recall the Mirai attack in 2016, in which malware reprogrammed Linux-based consumer devices like IP cameras and DVRs into launching attacks on popular internet sites,” explains Ferguson. “Outsourcing is OK. Many companies initially created their own security solutions due to concerns about leaking intellectual property or customer information outside the organization. The reality is that if your expertise is in an area other than security, it’s best to outsource this work to a partner that focuses just on that. We have often seen hackers picking targets — a police force or school district, for example — where it is not the focus of the organization.”
Removing the “Unknown Unknowns”
Bolstering aviation data and networks to be completely free from cyberattack is a daunting task. Just as one door of vulnerability closes, another one opens. As “Hutch” Hutchison notes, the journey of a thousand miles begins with a single step to mitigate the risk of an attack and reduce the dwell-time of ubiquitous attackers.
Says Hutchison: “If an aviation organization loses less than one percent of their customers as a result of a data breach, millions of dollars in revenue could be lost. Carriers and manufacturers need the data and insight into their IT and [operational technology] OT environments to see what is working, and what isn’t. By removing the ‘unknown unknowns’ of cyber threats, businesses can achieve the maximum levels of protection needed to keep their company safe.”