Cybersecurity continues to be a critical issue for the entire aviation industry. In a recent report titled “Aviation Cybersecurity: Scoping the Challenge,” the Atlantic Council think-tank Scowcroft Center for Strategy and Security highlighted the risks and challenges faced by aviation as growing use of technology opens more avenues for cyber attacks. “The digital attack surface the aviation sector presents to its adversaries continues to grow in such a way that both managing risk and gaining insight on it remain difficult,” the report’s authors concluded in the executive summary. The report was underwritten by Thales.
“Management of aviation-cybersecurity risk remains challenging,” the report said. The first challenge involves “trying to weave aviation cybersecurity into flight safety, security, and enterprise information technology.” Another set of challenges “orbits the relationship between aviation-sector suppliers and customers regarding cybersecurity, with many finding it difficult to incorporate best practices into purchases, as well as difficulties in developing consensus on adequate cybersecurity risk management and transparency.”
The result of the lack of attention paid to cybersecurity is that, according to the report, “Cyberattacks against aviation organizations appear to be increasing.” These range from attacks on IT systems, for example, ransomware and theft of personal information to targeted attacks such as one that caused problems with flight information displays at Odessa International Airport in Ukraine. There are indications that “adversary techniques are rapidly evolving,” the report noted, such as sophisticated attacks like spoofing of GPS signals in the maritime realm. As ADS-B “is quickly becoming a cornerstone of the air traffic management system…Outages, caused by either signal interruptions or spoofing, could rapidly cause operational impacts.”
The report further stated: “New aircraft designs use advanced technology for the main aircraft backbone connecting flight-critical avionics as well as passenger information and entertainment systems in a manner that makes the aircraft an airborne interconnected network.”
When it comes to the equipment connecting aircraft, the report said, “The architecture of this airborne network may allow read and/or write access to and/or from external systems and networks, such as wireless airline operations and maintenance systems, satellite communications, email, the internet, etc. Onboard wired and wireless devices may also have access to portions of the aircraft’s digital data buses that provide flight critical functions.”
According to Josh Wheeler, Satcom Direct senior director of cybersecurity, “This isn’t found within business aviation today, but these system integrations are definitely on the horizon.”
He pointed out that his company’s routers, which are installed on business jets, receive only positioning data from the aircraft’s avionics. But as more aircraft systems are connected to the internet, “the potentials are endless and eventually could pose a serious problem.”
Among Satcom Direct customers, Wheeler said, “The most common types of attacks we see from connected devices on an aircraft [local-area network] are ransomware, command control, and brute force attacks. Many of these don’t need specific software but try to compromise websites or are sent via email.”
Of more concern, according to the report, is that “as increased physical security hardens and wireless connectivity increases throughout a multitude of aviation systems, there is a growing risk that aviation-cybersecurity vulnerabilities may become a credible vector for terrorist actors—either enablement of physical attacks or as an end goal in themselves.”
The International Civil Aviation Association published its Cybersecurity Strategy to address these issues and set out a vision for global cybersecurity: “that the civil aviation sector is resilient to cyber-attacks and remains safe and trusted globally, whilst continuing to innovate and grow.”
To make this happen, ICAO envisions a concerted effort among aviation stakeholders “to act in unison, and support the new ICAO Cybersecurity Strategy.” This would include, from a broad viewpoint, considering cybersecurity at all stages of contracts and system design.
The report summarizes the cybersecurity situation with a number of recommendations, including setting global standards, increasing transparency in contracts and system design; working together to manage risk; sharing cybersecurity information just as the industry shares flight safety information; communicating about potential cybersecurity incidents and incorporating cybersecurity considerations in accident and incident investigations; and not only developing but adopting regulations and standards that already address aviation cybersecurity.