Airlines have a big part to play in implementing new strategies to promote better cybersecurity because they’re the number one target. (Photo: ICAO/Getty Images/iStockphoto)
I spend a lot of time traveling internationally. So I naturally spend a lot of time on planes, and I get all the benefits of the new technological developments in the aviation industry, like in-flight Wi-Fi, quick and easy biometric identification, smart baggage tracking, and more.
Not having to clock out of my work when I’m flying is awesome. That said, I believe that these new technological developments, while improving the experience for frequent fliers like myself, may also increase the danger of cybersecurity threats in the aviation industry.
These threats have been around for a while, but they’re constantly growing and increasing. For example, ransomware attacks within the aviation supply chain have increased 600 percent in a single year. Whatever the reason, global aviation authorities and airlines alike need to step up to fill the security gap.
The Risk is Real
The most obvious reason attacks have increased is that everything is going digital. We’ve started to rely more and more on technologies that connect to the internet, and the aviation industry is doing the same thing. As a result, there are more vulnerabilities for malicious actors to exploit.
Another reason is the use of commercial off-the-shelf (COTS) software onboard planes and throughout the aviation supply chain. COTS is software that wasn’t specifically and solely built for the aviation industry but instead could function in any industry. A good example is the Microsoft 365 Office suite or commonplace database software like MongoDB, both of which are in common use in airlines’ daily operations.
These types of software can be a security issue because aviation authorities don’t have full control over the software. Vulnerability detection and patching is largely left up to the software vendor, with questionable success. For instance, I remember reading about a major American Airlines breach last year that affected over 1700 people. The attackers exploited the company’s Microsoft 365 account by way of a phishing attack that successfully obtained sensitive credentials from an employee.
The risk is actually greater with ground and airline systems than with in-flight software. That’s because in-flight systems have to undergo stringent testing and adhere to the strict guidelines laid out by DO-326A, the “Airworthiness Security Process Specification,” in the U.S. and ED-201A, the “Aeronautical Information System Security Framework GUidance” in the EU. The guidelines have been overwhelmingly successful in preventing cybercriminals from accessing avionics systems during flight. By contrast, airports, airline systems, traffic management systems, and more have frequently been targeted and remain vulnerable to attacks.
Airlines Need To Step Up
I think airlines have a big part to play in implementing new strategies to promote better cybersecurity because they’re the number one target. So I’ll offer my advice to those companies. There are a couple best practices you can follow to reduce vulnerabilities and breaches.
I recommend implementing a vulnerability disclosure program of some kind. These types of programs provide some kind of reward, whether that be a monetary reward or flight miles, etc., to independent security researchers who discover and disclose vulnerabilities in certain airline systems. If you do choose to implement such a program, you’ll need to lay out guidelines or an automated form to allow researchers to submit accurate and clear vulnerability reports.
You’ll also need to ensure that certain types of vulnerabilities are explicitly excluded from the reward. After all, you definitely don’t want researchers doing surprise vulnerability testing on in-flight systems and causing a safety problem, or launching a “test” denial-of-service attack on your website that could result in real customers not being able to schedule flights. You can see an example of a good vulnerability disclosure program implementation on the United Airlines website.
The other thing you can do is redouble your efforts in securing COTS software and teaching employees how to use it in the safest way possible. For example, the phishing attack that resulted in the American Airlines breach may not have occurred if the employee had been adequately trained to recognize such threats. Phishing attacks continue to be among the top threats facing the industry, so better training will help you prevent a decent percentage of attacks.
Neither of these recommendations is a silver bullet for aviation cybersecurity, but they represent a good start.
Cybersecurity is a Team Effort
Ultimately, even after individual airlines and airports have done all they can, there will always be threats and vulnerabilities. As attacks increase, we need to get smarter in how we address them. Airlines, manufacturers, developers, and every other part of the aviation supply chain can and must take part in efforts to protect aircraft, staff, and passengers alike from cyber threats.
Vance Hilderman
This article was provided by Vance Hilderman, the principal founder/CTO of three aviation development/certification companies including TekSci, HighRely, and AFuzion. Hilderman has trained over 31,000 engineers in over 700 aviation companies and 30+ countries. His intellectual property is in use by 70% of the world’s top 300 aviation and systems developers worldwide, and he has employed and personally presided over 500 of the world’s foremost aviation engineers on 300+ projects over the past 35 years. AFuzion’s solutions are on 90% of the aircraft developed over the past three decades.