Cyber Security in Aviation Facing Increased Challenges: A variety of moving pieces makes it hard to mount a proactive defense against hackers

Cyber Security in Aviation Facing Increased Challenges: A variety of moving pieces makes it hard to mount a proactive defense against hackers

In June, the Baton Rouge Metropolitan Airport in Louisiana suffered a cyberattack on its administration system as part of a larger cyberattack by a ransomware group. Flight operations were not affected. In April, the international cyber hacking group Anonymous Sudan claimed credit for website outages of Hartsfield-Jackson Atlanta International Airport and UPS. Both websites were restored within a couple of hours, and both companies stated there was no impact on their operations.

In February, websites for seven German airports were knocked offline by a cyberattack. Affected airports included Dusseldorf, Nuremberg and Dortmund, but other systems were not affected. In September 2022, hackers used a phishing campaign to access personal information of some customers and employees of American Airlines.

This is just a sample of the cyberattacks that target the aviation industry. The scope of the aviation industry that could be affected includes aircraft and all interconnected functions, interfaces and systems, including ground, in-flight and maintenance operations and related processes. These incidents could impact safety, business operations and the company’s reputation. The reach could expand beyond the initial company under attack to its third-party partners.

According to Eurocontrol, a pan-European, civil-military organization dedicated to supporting European aviation, 52 cyber attacks were reported in 2020, 48 attacks in 2021, 78 attacks in 2022 and 27 attacks through May 2023.

How Hackers Find Vulnerabilities

According to cyber security company SOCRadar, there are four primary types of attacks on the aviation industry seen between 2020 and 2022. They are:

• Ransomware: 22%

• Data breach: 18.6%

• Phishing: 15.3%

• DDos (denial-of-service): 7.3%

Another 16% of attack types are unknown or fall into the “other” category. “Other” attacks include a backdoor attack, data theft, hijacks, social media scams and a website bug.

Motivation

When hackers launch cyberattacks, their goals typically fall into one of three categories: money, political and revenge. For many hackers, they want to steal data such as personal information, credit card numbers, passport numbers and other data they can then sell to the highest bidder. In some instances, they hold IT systems hostage until a ransom is paid. Other hackers attack for political reasons or as part of state-sponsored attacks to steal information to weaken other countries. And there are those hackers who have their own reasons for taking revenge against the company.

Another reason? Some hackers attack a company’s environmental records to damage their reputation. Others engage in cyberattacks simply to get credit and elevate their own reputation in the cyber community. And there are others who do it just for fun and excitement.

Challenges for Aviation

Companies throughout the aviation industry are at risk for the next cyberattack. Unfortunately, they also face numerous challenges to implementing effective cyber security to thwart those attacks.

For starters, hackers are finding a variety of ways into aviation systems. These include vulnerable APIs (application programming interfaces, or software), website applications, mobile apps and third-party partners with vulnerable systems.

“As aviation becomes more and more connected, the attack surface for potential cyber threats expands by introducing additional entry points for cyber attackers who are continuously adapting their tactics and techniques to exploit vulnerabilities in the aviation infrastructure, making it crucial to address vulnerabilities proactively,” Dorian Pantea, director of cyber security advisory and assurance for Air Canada, told a June 1 webinar.

That connectivity of systems results in connections in unexpected places of the supply chain, according to William Harvey, head of cyber security assurance and compliance at IAG Tech, a community of IT and digital professionals from the International Airlines Group (IAG).

One example Harvey provided during a June 1 webinar was vending machines at the aviation facility that connect online to notify the vendor when to refill the machines. It’s just one of many systems, third-party and otherwise, that look to connect with the aviation system that often is overlooked. “Not all organizations have necessarily architected their networks to safely have so many different organizations and business equipment using their networks for business-enabling purposes,” he said.

Legacy systems — outdated hardware or software still in use — provide another avenue for hackers to enter aviation systems. Legacy systems were designed without considering advanced cyber threats, making them more susceptible to attacks because there’s a lack of updates, patching and maintenance, Pantea said.

The many different regulations in the aviation industry also present a major hurdle for cyber security. Instead of one clear set of standards, the aviation industry must deal with local, state, federal and international regulations that often vary greatly from regulatory body to regulatory body.

“It depends on where you are,” said Lawrence Baker, managing consultant and aerospace technical lead for NCC Group Transport Practice. “We’re on a journey. Things don’t move that quickly in the aviation industry because there’s a lot of established processes and relationships and so on that need to happen in lockstep to make sure as a global industry that everyone acts in the same manner.”

Some regions are progressing faster than others. For example, in the European Union and the United Kingdom, there are ongoing initiatives involving regulations to improve cyber security, Baker said, but other regions around the world are behind. More collaboration needs to be done across the industry and the globe so there are more consistent and robust cyber regulations for everyone.

For some aviation companies, it all comes down to what Dr. Jeff Hall, principal security consultant and North America aerospace lead for security consultant NCC Group, calls basic cyber hygiene and preparedness, or a lack thereof. “Overall preparedness is not the best,” he said. “They usually have a document on paper of how it will happen, but when you start talking to them and ask if they have exercised their plan, you get a lot of silence.”

When reviewing those compliance documents, some haven’t been reviewed in a few years. Perhaps they don’t have messaging ready for the media. They haven’t practiced their recovery plans and don’t know how to get systems back online.

One reason for this lack of preparedness could be the lack of talent experienced and knowledgeable not only in cyber security but also IT and connectivity specific to the aviation industry.

A final challenge is one of the most difficult to overcome: cost. “Cost can become unmanageable,” Harvey said. According to IMARC Group’s “Aviation Cyber Security Market: Global Industry Trends, Share, Size, Growth, Opportunity and Forecast 2023-2028” report, the global aviation cyber security market size reached $4.3 billion in 2022. That number is expected to reach $6.5 billion by 2028.

How Companies Can Protect Themselves

While the challenges are daunting, there are solutions available to aviation industry members to strengthen their cyber security and protect their entities.

Education

Educating every worker on cyber security is essential to prevention. For example, ongoing education on how to spot suspicious intruders is one way to thwart attacks. Phishing — using legitimate-looking emails, texts and other messages — to induce users to reveal personal information or click on links that unleash malware remains a prominent tool for hackers.

“There’s still going to be somebody who always clicks the link or opens the PDF file without thinking twice because email looks very legitimate,” Hall said. “Everything looks right about it, even the wording, so unless you have the sense in the back of your head like, ‘Maybe I need to check with somebody inside before I click this or open this file,’ but they generally don’t so that’s still the best way in.”

Another option is to put together a cyber security attack response plan and routinely run practice drills in all areas of business operations so every employee understands his or her role in that response and how to implement it. This response plan should also be updated regularly to meet the evolving cyber attacks.

Additional educational opportunities are available through the International Air Transport Association (IATA), which offers in-person and virtual aviation cyber security courses.

Lawrence Baker, NCC Group
Lawrence Baker, NCC Group

Harmonize Regulations

Having a variety of regulations throughout the aviation industry leaves it open to complexities and gaps that lead to vulnerabilities. Therefore, there’s an immediate need for consistent cyber regulations that can only be achieved by collaboration through the aviation industry. That goal requires all regulatory bodies to come together to create universal standards that can be applied across the globe by every industry member. How to reach that goal remains a challenge that will continue to take time.

Transparency

Bringing awareness to all aspects of cyber security is a key way to ward off cyber attacks. “There’s generally a lack of trust to share risk information with aviation stakeholders,” said Brian Brown, senior cyber security engineer — aircraft for Atlas Air, told a June 1 webinar. This goes beyond just threats or attacks to include information on systems.

“The aviation industry sharing cyber security-related information such as threat intel, best practices and incident data enables all the stakeholders in the industry and the ecosystem to stay informed about the emerging threats, risks and vulnerabilities,” Pantea said. “This leads to robust cyber security strategies and proactive defenses to strengthen all stakeholders.”

Dr. Jeff Hall, NCC Group
Dr. Jeff Hall, NCC Group

Invest in Training

Training current employees on the cyber security is imperative to protect systems and effectively respond if a cyber attack occurs. One way to do this is to perform awareness sessions on cyber security on a regular basis in every department of the company.

It’s also important to bring in cyber security experts who are knowledgeable about aviation IT and systems. In addition to training cyber security experts on this technology today, members of the aviation industry can help train future cyber security experts.

Pantea recommends partnering with academia to develop these programs so students going into the aviation industry are learning about cyber security before they graduate. He also suggests getting as many interns as possible to learn cyber security skills in a real work environment.

Incorporating cyber security training organically within the industry will be especially effective because those persons already understand how the aviation industry works.

Third-Party Partners

Any third parties connected to your company’s systems must be equally vigilant about cyber security to prevent attacks through their systems. “The aviation sector is quite unique in the amount of dependency that each aviation organization has on each other,” Baker said. “It’s a web of transnational organizations that have to trust each other, and historically that’s worked fine. Cyber security has really rocked the boat, and now those relationships are being tested and exploited.”

Aviation companies must meet with those third-party partners to discuss vulnerabilities, possible solutions, and, of course, the budget to implement cyber security processes and protections. It’s important that both parties understand the risks involved by connecting systems and work together to manage cyber security. By working together, cyber security becomes ingrained from the onset of the relationship, benefiting all involved.

Become Cyber Resilient

When a company is cyber resilient, they can effectively participate, recover and adapt to the challenges of cyber security. “In summary, the real thing to take away from this is to think resilience and not security,” Baker said. “No defense is perfect. You need to think about what’s going to happen when it goes wrong and how can I learn from lessons of the past. How can I test for when the worst happens and recover from that situation so that I’m a resilient organization?”

Being able to fight through a cyberattack and retain functionality is key to strengthening not only individual aviation companies but the entire aviation industry as a whole.