AI, Cloud Vulnerabilities, GPS Spoofing Highlight Cybersecurity Concerns

On Sept. 18, 2024, during a hearing on aviation cybersecurity threats, U.S. Sen. Maria Cantrell, chair of the Senate Committee on Commerce, Science and Transportation, stated that cyberattacks on the U.S. aviation industry were up 74% since 2020. The attacks are coming from many directions.

“In the past year, airlines and airports have faced challenges with cloud vulnerabilities and the plethora of shared aviation data,” says Dr. Jeff Hall, principal security consultant and North America aerospace lead for security consultant NCC Group. “With a surge in ransomware attacks targeting airlines and airports, the TSA cybersecurity mandate imposed new requirements for airports and airlines to improve their cybersecurity resiliency. Lastly, Distributed Denial-of-Service (DDoS) attacks targeting airports have become more frequent.”

Legacy systems and outdated technology also remain under attack. “Many aviation systems, especially those in air traffic control and aircraft operations, are based on legacy technologies that are difficult to secure and update, making them prime targets for cyberattacks,” said Philippe Morio, cybersecurity expert for the International Civil Aviation Organization.

And as supply chains and third-party involvement expand, attackers are using suppliers to find weak spots through which to attack the aviation industry. “The aviation sector heavily relies on a complex supply chain, including third-party software and service providers,” Morio said. “Attacks on these suppliers, like software supply chain breaches, can have significant downstream effects on airlines and airports.”

A Closer Look

When breaking down the various cyberattacks, the number of vulnerabilities is staggering. But knowing where these weak spots are is crucial to defending them.

The more computing systems rely on the cloud for storage, the more vulnerable they become to cyberattacks. “Cloud environments hosting MBDE (model-based design environment) platforms provide flexibility and scalability but expose critical vulnerabilities in storage, identity management, APIs, networking and backup systems,” Hall said.

Shared aviation data involves many departments as well as third-party providers. This includes ATC systems, supply chain data, airport operations data, aircraft systems, aircraft maintenance data, airline data, frequent flyer and loyalty programs, flight and crew scheduling systems, drone communication networks and weather and navigational data (GPS spoofing and jamming).

GPS spoofing and jamming of weather and navigational data is not widespread across the globe — yet. Hot spots include conflict zones such as the Sinai Peninsula as well as non-conflict zones such as China and Myanmar. Large-scale events such as the Olympics also see a spike in GPS spoofing and jamming at the local level.

“GPS satellites are 12,000 miles up in the sky, GPS spoofers are only 10 miles away from the airplane, so the RF signals that you receive from the satellites are a lot weaker than what’s on the ground,” David Woodcock, principal applications engineer with customer and product support at Honeywell Aerospace, told an Oct. 8 webinar. “Jammers and spoofers overpower the GPS receivers on the aircraft. With regard to GPS spoofing on weather radar, ground returns may be interpreted as weather and vice versa. Incorrect GPS altitude can cause excessive bleed-through or incorrect radar horizon. You’re either too close to everything or everything is too far away.”

In addition, cyber hackers are leveraging artificial intelligence in their attacks. “Artificial intelligence is used for offensive and defensive cybersecurity in the aviation industry,” Hall said. “Criminals are using AI for sophisticated attacks involving phishing and social engineering. In 2019, criminals used an AI-generated voice deepfake to impersonate the CEO of a U.K.-based energy firm and tricked a senior executive into transferring $243,000 to a fraudulent account. In 2023, security researchers found that cybercriminals can exploit AI-powered chatbots like ChatGPT to automate phishing and Business Email Compromise (BEC) attacks.”

Simply put, cyber hackers are using every tool at their disposal to attack the aviation industry.

Fighting Back

Just as cyberattacks are taking many forms, thwarting cyberattacks takes a multi-pronged approach as well.

“The TSA cybersecurity requirements introduced in 2023 focus on network segmentation, access control, continuous monitoring and patching vulnerabilities,” said Lawrence Baker, managing consultant and aerospace technical lead for NCC Group Transport Practice. “Airlines and airports are implementing robust cloud security frameworks and encrypting shared aviation data. Airlines are focusing on solutions to reduce the impact of ransomware attacks, such as backup and disaster recovery measures, system redundancy, and more resilient operational strategies to ensure the continued operation of critical services while under attack. Vulnerability scanning, monitoring and automated defenses are used to protect against DDoS attacks.”

Tightening cybersecurity requires bringing all of these segments of the aviation industry together in a cohesive manner. “Collaboration in aviation cybersecurity involves building partnerships across sectors,” Morio said. “Regulatory frameworks, such as ICAO and EASA (European Union Aviation Safety Agency) standards, govern compliance and promote cybersecurity governance within the industry. Information sharing is crucial for exchanging threat intelligence and best practices among stakeholders. Data collaboration enhances situational awareness, while resource sharing pools expertise and tools to strengthen defenses. Together, these elements create a proactive approach to addressing cybersecurity challenges in aviation.”

Members of the aviation industry also are using AI to defend against cyberattacks. “The application of AI for cybersecurity defensive purposes is moving at a rapid pace, as are the commercial offerings using this type of technology,” Baker said. “AI can be used for threat detection and predictive analytics by analyzing traffic in real-time, identifying patterns that may signal a cyberattack, and using machine learning models to learn from previous attacks and detect anomalies.”

Efforts to stop GPS spoofing and jamming are ongoing, but involve different players, which slows the process. Some solutions are as simple as avoiding areas where GPS spoofing and jamming are prevalent. “The routing you use into the Middle Eastern areas is very important,” Nat Iyengar, National Business Aviation Association International Operations Committee chair and captain at Jet Aviation Business Jets (Hong Kong) Ltd., told an Oct. 8 webinar. “Many come across Egypt and clip the corner of Jordan; you’re guaranteed to get spoofed there. The further south you can stay of the Sinai Peninsula, the better.”

Keep in mind, too, that GPS spoofing and jamming can come from the air and the ground. “Everyone is reporting spoofing when they’re airborne, but beware there are certain areas where that signal may be corrupted on the ground,” Iyengar said. “Be disciplined and check your position information to make sure your IRS isn’t initialized with a bad position.”

Original equipment manufacturers are working to combat GPS spoofing and jamming, but it’s a slow process. “For the OEMs, what they are planning for the future, they have quite a long runway to get those,” Steve Thorpe, director of standards and training and senior captain for Merck Sharp & Dohme, told an Oct. 8 webinar. “They have to do all the testing, do the certifications, get it into the OEMs and get it all approved. Whereas the folks doing the spoofing, if they want to change what they’re doing, it’ll take a week and they’re doing something different. So our hands are tied with the response.”

Business jet manufacturers are working to combat cybersecurity concerns, but it is up to the individual operator to be proactive in combating GPS spoofing and jamming according to members of the NBAA International Operations Committee. Gulfstream image.

As such, it’s up to the individual operator to be proactive in combating GPS spoofing and jamming. “Each operator has to develop their own procedures and understanding of how they’re going to react to terminal area or crew EGPWS warnings,” Iyengar said. “That’s not something an OEM is ever going to come out with guidance and tell you how to do it. That’s something you’re going to have to do yourself.”

When creating that plan, aviation and security personnel need to prioritize specific elements rather than trying to plug all the leaks at once. “They should prioritize network segmentation and access control, continuous monitoring and threat detection, regular patching, and vulnerability management,” Hall said.

This allows them to develop a cyber resilience strategy and establish protocols for damage tolerance and recovery, ensuring that systems can switch to backups or failover to continue functioning during an incident. “Incident response and recovery to restore systems quickly and safely to ensure the continuity of services, training and awareness to reduce human error — which remains one of the weakest links in cybersecurity — and coordination between industry and government agencies like the TSA and CISA are crucial, along with sharing information about new threats and vulnerabilities,” Hall said.

There are still many moving pieces to a cohesive cybersecurity approach as cybersecurity evolves to prevent future attacks. “Cybersecurity is likely to evolve in the near future to prevent attacks through increased integration of AI and machine learning, cyber resilience and redundancy, increased collaboration between government and industry, strengthened cloud security and data protection, incorporated blockchain technology, and using zero trust architectures,” Baker said. “Government regulation and adopting industry standards will improve cybersecurity, but the adoption rate is hard to predict as it depends on lawmakers’ actions. Currently, Europe’s legislation for aviation cybersecurity is further advanced than that of the U.S., for example.”

Maintaining collective awareness and working together are crucial in the fight against cyberattacks. “Collective efforts will empower us to leverage diverse insights and resources, enhancing our ability to navigate the complexities of today’s security landscape,” Morio said. “Together, we can build a more resilient framework to meet these challenges head-on.”