Securing aircraft and associated systems against potential cyberattacks ensures the safety and integrity of communication, navigation and operational systems.
In 2015, Chris Roberts, a cybersecurity consultant, told the FBI he hacked into computer systems aboard airliners up to 20 times and even managed to control an aircraft engine during a flight, according to federal court documents. He told investigators he did it via the in-flight entertainment systems. Roberts also said that once he even hacked into the systems and then overwrote code, enabling him to issue a “CLB,” or climb, command.
In 2018, the Cathay Pacific Airways data breach resulted in 9.4 million accounts being breached, with stolen data including credit card information, passport information and phone numbers. This attack was the direct result of negligence by the airline carrier to keep its data secure from malware; it was a full-scale attack on their servers. The attacks continued until May 2020.
Cybersecurity aims to prevent events like these. Cyberattacks are one of the top concerns for the aviation industry, and it is imperative for airline companies to mitigate risks and protect their flights and sensitive data from such attacks.
Securing Aircraft and Data
The aviation industry has undertaken a massive digital transformation over the past 15 to 20 years, from the corporate side of the airline to the aircraft, its ground and its interconnected systems. With these digital systems and advanced technologies, the industry requires necessary cybersecurity measures in order to sustain and ensure safety, reliability and resilience.
The primary role of aviation cybersecurity is to secure aircraft and associated systems against potential cyberattacks. This includes ensuring the safety and integrity of communication, navigation and operational systems on board the aircraft. “The uniqueness of aviation in relation to cybersecurity lies in the complexity and interconnectedness of its systems, which operate both on the ground and in the air,” says Roy Arad, chief revenue officer at Cyviation, New York City. “Upcoming EASA Regulations Part IS will require airlines to address cybersecurity comprehensively and start proactively monitoring and mitigating cyber threats to comply with these new standards.”
Cybersecurity plays an integral role in the day-to-day operations of aviation. Michael Goodfellow, technical officer, global interoperable systems, air navigation bureau, International Civil Aviation Organization (ICAO), Montreal, compares it to safety: “rarely seen or publicly appreciated, but its absence is quickly observed and seriously missed. What makes cybersecurity unique in aviation is that while assets must be protected, this cannot be done at the expense of the safety of operations and the personnel involved.”
Cybersecurity ensures that data being transmitted from an aircraft to organizational networks is always protected to prevent the unauthorized theft of information. The continuous mitigation of risk forms a key component of cybersecurity activity. Josh Wheeler, senior director entry into service & client services at Satcom Direct Inc., Melbourne, Fla., says it’s the numbers that explain why this matters. “In 2023, the cost of cyber data breaches averaged around US$4.45 million. This doesn’t include reputational damage. Alarmingly, the average time to detect a violation was nearly four months. With 53% of users not changing passwords regularly or recycling the same password across different accounts and additionally, an alarming 57% of users writing passwords on sticky notes for all to see, some eight billion data records were compromised.”
Wheeler adds that “if your airframe is connected to your organization’s internal network or intranet and there are no cyber protocols or strategies in place, passengers are as vulnerable on the aircraft as if they were sitting in a coffee shop. Altitude does not make data exchange secure. If the internet is visible to the aircraft, then the aircraft data is visible to the internet. Aviation cybersecurity is like terrestrial cyber security in that it operates via an extensive supply chain network and as such airports, FBOs, trip planners, fuel management systems, caterers etc. can all affect cyber vigilance.”
Satcom Direct EIS training gives crew, flight department and ops team essential understanding of onboard connectivity systems. (Photo: Satcom Direct)
Preventing Aviation Cyberattacks
To minimize the risks of aviation cyberattacks, aviation companies are taking appropriate measures. National Business Aviation Association’s (NBAA) Security Council recommends that operators take the following steps to help protect their companies:
- Assess the level of risk for the aircraft and mobile devices based on location and operation
- Develop formal policies regarding the use, storage and sharing of flight department data that mitigate the risks of hacking or corruption
- Establish best practices for device usage, especially away from the home network (i.e. international travel, etc.)
- Protect aircraft identification information by prohibiting public distribution of aircraft photos, registration information and other identifying features
- Publish social media usage and network policies that mitigate the risk of sensitive data leaking from the organization
Organizations and operators must actively educate their staff, suppliers and passengers about what can be done to reduce a cyber event. Training and education are essential. Satcom Direct runs cyber awareness courses constantly updated for aviation IT professionals, crew and passengers. Its Aviation CyberThreat Awareness course is designed specifically for business aviation professionals, owners and operators. The program navigates the complexities of security and cyber threat prevention from an aviation perspective.
“Identifying common hacking techniques, attack methodology and current cybersecurity concerns within aviation supports building awareness about inherent vulnerabilities,” Wheeler says. “Modules relating to data protection during international travel are complemented by information pertaining to the use of personal digital devices before, during and after a flight. [We offer] three levels of service to support cybersecurity mitigation.” Its SD Private Network transforms the aircraft cabin into a secure corporate workspace, effectively making the aircraft as secure as an office while also giving corporate IT visibility into a network to which it typically had no access.
One of Cyviation’s main goals is to educate both the public and aviation professionals about the importance of cybersecurity. “We believe that cyber attacks on aircraft are a matter of when, not if, and we must be prepared for such events,” Arad says. “Continuous education, training and implementation of advanced cybersecurity solutions are crucial to safeguarding aviation from evolving cyber threats.”
“Cybersecurity is a cross-cutting issue and team sport,” Goodfellow says. “Various parts of organizations (both aviation and non-aviation) need to work together to successfully identify, mitigate and respond to cyber threats.”
Josh Wheeler, senior director entry into service & client services at Satcom Direct Inc. (photo: Satcom Direct)
Aviation Cybersecurity Evolution
Aviation cyberattacks didn’t just start overnight. Goodfellow says, “At first, little attention was paid to cybersecurity in aviation. We started with simple CRC checks and similar mechanisms, mainly to ensure data integrity in the system, without worrying about any threat actors. Beginning in the late 2000s, ICAO began to work on how cybersecurity was going to factor into and potentially impact aeronautical communications systems and equipment. Currently, cybersecurity in ICAO is a very active area of work, involving international organizations, government, industry, academia and other stakeholders who are all working to help develop practical and pragmatic solutions to problems in their respective spaces.”
Cybersecurity is a dynamic sector and Wheeler says the changing practices of malevolent actors partly trigger its evolution. “As the attacks become more sophisticated, the response or proactive protection needs to evolve. It really is a game of cat and mouse, not just for aviation but for all users of technology platforms.”
Recent cyber-attack developments include the increased use of AI technology and machine learning to target victims and evade detection layers. AI-powered phishing/smishing/vishing attacks and deep-fake scams are also on the rise. Simple computer viruses and Trojan horses have transformed into highly sophisticated ransomware, spyware and advanced persistent threats (APTs). Malware is designed to disrupt operations and steal data and funds.
Wheeler says a notable development in the cyber security sphere is the increase in nation/state-sponsored cyberattacks. “Such attacks are carried out for espionage, to sabotage critical infrastructure and can influence geo-political events. With each new development comes an equal and opposite development in terms of cybersecurity. However, the key recommendation is that aviation organizations, stakeholders, and suppliers be cyber vigilant and employ various tools to mitigate the threat. A combination of human understanding, implementation of tech protocols and investment in robust cyber management solutions can help protect aviation assets.”
Aviation Cybersecurity Strategies
A robust aviation cybersecurity strategy combines advanced technology with continuous education and training. Since no solution can be entirely foolproof against cyberattacks, Arad stresses it is essential to maintain a high level of awareness and preparedness. “At Cyviation, we offer a comprehensive suite of products that complement each other, including SkyRay for assessment and mitigation, SkyWiz for training, Sky Beep as a cockpit device, and SkySIEM for event management. These tools, combined with ongoing training, form the backbone of a strong cybersecurity strategy.”
ICAO has developed a cybersecurity strategy that includes seven pillars (www.icao.int/aviationcybersecurity/Pages/Aviation-Cybersecurity-Strategy.aspx) that cover the most important factors in protecting from, recognizing and addressing cyber threats. “People are often the most important defense against cyber threats, which is why there is a dedicated pillar in the strategy on training and awareness,” Goodfellow explains. “Apart from this, good cyber-hygiene—making sure that systems, training and procedures are up to date, etc.—and having staff being cyber-aware are some key best practices.”
Wheeler explains an effective cyberstrategy is driven by cyber awareness, vigilance and education. “Recognizing that the cyber landscape is dynamic and then implementing the right technologies, policies, procedures and controls to implement solid security management systems are vital. Operators need to discuss all these elements with their connectivity provider to reduce risk. The in-flight connectivity must be paired with a robust, secure ground infrastructure that can support secure connectivity solutions. There is no one size fits all and the operator must trust the connectivity provider to tailor the security system according to their needs.”
Wheeler lists the following questions for flight departments/fleet operators/owners to ask:
- Do you have a cyber protocol in place if someone asks for it?
- Is the company hardware and software updated with patches, security updates, and firmware updates? Do you ask your vendors about their cyber activity?
- Are passengers allowed to bring non-corporate/non-qualified digital devices (phones, tablets, etc.) aboard the aircraft?
- Is the onboard wireless network encrypted and are scheduled password changes made?
Passwords, Procedures and Protocol
One of the easiest, yet frequently overlooked cybersecurity solutions is having a robust password that is changed regularly. Wheeler says many business aircraft operators fail to implement this option. “Some CEOs and owners just want to get online and connect and passwords are deemed an inconvenience. Alarmingly, many jets are not configured with their own passwords.”
Wheeler cites the following procedures and protocol (most of which are simple actions) for protecting against cyberattacks:
- Using passwords to protect cabin Wi-Fi is an obvious one. Flight departments can be reluctant to create Wi-Fi passwords due to the perceived inconvenience to passengers, yet the inconvenience of learning a password far outweighs the potential risks. You can even put passwords into a QR code for passengers to scan when they board.
- Interestingly, password length trumps complexity in terms of strength, as it is harder for the decoders to crack a long password, say the first line of a favorite song, than it is to figure out a short password that includes numbers, special characters and letters.
- Think before connecting. It is better to switch off auto-connect and actively decide which Wi-Fi networks to connect to if you’re in a public space, an FBO, or MRO. If you’re not sure the Wi-Fi is legitimate, stay on the cellular network.
- Make a habit of locking devices and securing them with a password. Don’t use a USB drive unless you know it is yours.
- Don’t plug devices into unfamiliar docking stations.
- If you travel, use a virtual private network, VPN, for an encrypted connection. This creates another layer of defense when logging on to a hotel or FBO network.
- Equally, when traveling to a new country, ask the technology department to confirm if it is high risk in terms of cyber events and if it is, leave data-rich devices at home and use loaner devices.
The Satcom Direct Data Center Attack Map indicates attempted cyber events. (Photo: Satcom Direct)
Encryption
Encryption plays a strong role in cybersecurity, and is vital to ensure the integrity and confidentiality of data within aircraft systems. Goodfellow says encryption is made even more challenging in aviation because of the nature of the avionics that are widely deployed. “High levels of encryption add a computational cost in aeronautical communications that some installed avionics are not able to handle and therefore decisions need to be carefully made on the tradeoffs with respect to achieving the desired level of security with the required level of safety performance for those systems. Encryption plays a key role in digital signatures that the industry relies on for maintenance and configuration control such as ensuring that software parts have not been modified, that LRUs are correctly adopted by the aircraft, and that PDLs are correctly authenticated.”
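The difference between the early CRC checks described under Aviation Cybersecurity Evolution and the digital signatures used to confirm that software parts have not been modified can be shown in a few lines. This is an added example, not code from the article or from any organization it quotes: the "software part" is a constructed byte string, the function names are hypothetical, and HMAC-SHA256 from the Python standard library stands in for an asymmetric digital signature.

```python
import hashlib
import hmac
import secrets
import struct
import zlib

# Constructed sample "loadable software part"; not real avionics data.
PART = b"PN=EXAMPLE-0001;VER=1.0;PAYLOAD=" + bytes(range(64))

def crc_package(data: bytes) -> bytes:
    """Append a CRC-32 trailer: integrity against accidents only."""
    return data + struct.pack(">I", zlib.crc32(data))

def crc_verify(package: bytes) -> bool:
    data, trailer = package[:-4], package[-4:]
    return struct.pack(">I", zlib.crc32(data)) == trailer

def mac_package(data: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag (stand-in for a digital signature)."""
    return data + hmac.new(key, data, hashlib.sha256).digest()

def mac_verify(package: bytes, key: bytes) -> bool:
    data, tag = package[:-32], package[-32:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time compare

def flip_bit(package: bytes, index: int) -> bytes:
    """Accidental corruption: a single bit flipped in transit."""
    out = bytearray(package)
    out[index] ^= 0x01
    return bytes(out)

def demo() -> dict:
    key = secrets.token_bytes(32)  # held only by the part's publisher/verifier
    altered = PART.replace(b"VER=1.0", b"VER=9.9")
    crc_pkg = crc_package(PART)
    mac_pkg = mac_package(PART, key)
    # A CRC is unkeyed, so anyone who changes the data can recompute it.
    crc_modified = crc_package(altered)
    # Without the key, a modified part can only carry the old tag.
    mac_modified = altered + mac_pkg[-32:]
    return {
        "crc_accepts_clean": crc_verify(crc_pkg),
        "crc_catches_bitflip": not crc_verify(flip_bit(crc_pkg, 10)),
        "crc_accepts_modified": crc_verify(crc_modified),
        "mac_accepts_clean": mac_verify(mac_pkg, key),
        "mac_catches_bitflip": not mac_verify(flip_bit(mac_pkg, 10), key),
        "mac_rejects_modified": not mac_verify(mac_modified, key),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Every check comes back true: the CRC catches the accidental bit flip but also accepts the deliberately altered part, while the keyed tag rejects both. A real deployment would use an asymmetric signature so that the verifying equipment holds no secret capable of producing valid tags.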
Many aircraft systems currently lack adequate encryption, exposing them to potential cyber threats. Cyviation can identify vulnerabilities in aircraft systems caused by inadequate encryption and recommend implementing robust encryption protocols and hardening systems to protect against unauthorized access and cyberattacks.
While Satcom Direct links are encrypted by the provider, Wheeler says the encryption ends once the traffic reaches the ground station. “If this ground station is hosted in a country with a high risk for data compromise, passengers may want to consider encrypting data over the entire internet. VPNs can be tricky on an aircraft as most VPNs come at a high data cost.”
Aviation Cybersecurity Regulations and Standards
Earlier this year, the U.S. National Institute of Standards and Technology (NIST) released version 2.0 of its Cybersecurity Framework. These updated guidelines provide a template for the aviation community to follow; it’s a joint effort across several nations, all providing guidance.
Wheeler explains that there are other guidelines in place. “The International Air Transport Association (IATA) has prepared a useful document that explores risks and solutions for aviation, and regulatory frameworks are being created at regional levels. The industry is aware, but we would benefit from further cooperation and knowledge sharing.”
IATA supports industry-wide aviation cybersecurity activities to coordinate and calibrate, through advocacy, standards, services and guidance material development, for the most appropriate level of holistic cybermaturity for the industry. IATA’s Aviation Cybersecurity Strategy is focused on three main principles in support of the airline industry.
- Communities of Trust: development of communities of trust among the different stakeholders to tackle complex challenges over aviation cybersecurity and resilience.
- Information Exchange, Standards and Recommended Practices: articulation and coordination of different activities and forums in support of better awareness and information exchange as well as the development of standards and recommended practices and guidance material.
- Center of Excellence: establishment of strong collaborations for increased knowledge and crosspollination of ideas.
Initially, aviation cybersecurity focused primarily on IT and OT systems on the ground; however, Arad says over the past three years, there has been a noticeable increase in “technical glitches” on aircraft, prompting regulatory bodies to address these threats more rigorously. “New regulations are now being implemented to ensure that potential cyber vulnerabilities are proactively assessed and mitigated, reflecting the evolving nature of cybersecurity in aviation. Both EASA and the FAA have issued new regulations that mandate proactive assessment and mitigation of potential cyber vulnerabilities in aviation. These regulations are designed to ensure that airlines and other aviation stakeholders take necessary steps to protect aircraft and associated systems from cyber threats.”
ICAO is rolling out standards and guidance materials for secured IPS connectivity to the ACD as aircraft communications evolve from OSI to IPS solutions. ICAO is also working on standards for using digital identities to secure navigation augmentation systems such as SBAS to reduce the threat of spoofing, especially when receiving signals from multiple satellite constellations at the same time (DFMC). Goodfellow explains, “Currently ICAO has Annex 17 standard 4.9.1 which is directly applicable to cybersecurity. Other ICAO Annexes (e.g. Annex 10 – Aeronautical Communications) also have cybersecurity-related standards, and ICAO has also developed several guidance documents for cyber-related topics. Other industry associations such as EUROCAE and RTCA have standards such as ED-200 series and DO-326A that are focused on the manufacturing industry.”
In August 2024, the Federal Aviation Administration proposed rulemaking that would impose new design standards to address cybersecurity threats for transport category airplanes, engines and propellers. The intended effect of this proposed action is to standardize the FAA’s criteria for addressing cybersecurity threats, reducing certification costs and time while maintaining the same level of safety provided by current special conditions.
The FAA proposes to add new regulations to and revise certain existing regulations in title 14, Code of Federal Regulations (14 CFR) part 25 (Airworthiness Standards: Transport Category Airplanes), part 33 (Airworthiness Standards: Aircraft Engines), and part 35 (Airworthiness Standards: Propellers). These changes would introduce type certification and continued airworthiness requirements to protect the equipment, systems and networks of transport category airplanes, engines and propellers against intentional unauthorized electronic interactions (IUEI) that could create safety hazards. Design approval applicants would be required to identify, assess and mitigate such hazards, and develop Instructions for Continued Airworthiness (ICA) that would ensure such protections continue in service. Proposed changes to parts 25, 33, and 35 would mandate such protection and apply to applicants for design approval of transport category airplanes, engines and propellers.