Managing Cybersecurity Risks in the Airline Industry

by Vance Hilderman

We’ve all probably seen enough headlines recently about cybersecurity threats in every industry to become somewhat numb to the issue. But cybersecurity in aviation holds a special place in the sense that it can directly impact the safety of passengers and crew. And there’s even more reason to worry since the aviation industry, while far ahead in many areas of technology, seems to have fallen behind with regards to digital security despite the recent mandate to follow the new DO-326A for aviation cyber-security.

For example, in 2020, 97 percent of the top 100 airports famously failed a major cybersecurity test. In 2021, EUROCONTROL wrote a paper demonstrating that the aviation industry was experiencing a wave of cybercrime and urged aviation leaders to pay more attention to new attack vectors. And in just the first eight months of 2022, the number of cyber attacks in the aviation industry had already surpassed that of either of the previous two years.

The cybercrime increase shows no sign of stopping, and in the meantime, a lot of people are understandably concerned about whether the aviation industry is prepared for the onslaught. Let’s take a look at where aviation is in terms of overcoming cybersecurity risks today and what needs to change.

Risks and motivations

Why have attacks increased so much recently? The number one reason is simple: increased reliance on digital systems, and particularly the Internet of Things (IoT). In other words, more and more of the systems onboard planes and in airlines are interconnected with each other and with the cloud. So there are more vulnerabilities for malicious actors to exploit and more gateways into safety-critical systems than ever before.

In addition to the increased attack surface, there’s also a greater reliance today on commercial off-the-shelf (COTS) software, which simply means that the software wasn’t designed specifically for the aviation industry. It’s software that any industry might use, like the Windows operating system or any kind of standard database software. These types of software don’t have the same certification and safety requirements as software developed specifically for avionics, and security in COTS software is primarily the responsibility of the software vendor.

But the vendors aren’t always the best at protecting their systems. For example, in 2022, Microsoft detected many different vulnerabilities in the Windows 10 operating system, two of which were zero-day vulnerabilities. That means the company had no idea there were vulnerabilities until malicious actors were already exploiting them. So using COTS that have questionable or insufficient security measures can create serious issues for airlines and aircraft manufacturers alike.

The third reason there is increased risk in aviation cybersecurity today is the prevalence of smartphones, tablets, and other internet-connected devices. Most passengers will bring a smartphone on board a plane. Add in in-flight Wi-Fi and you have a potential method for external attacks to access the network through someone’s personal device.

Cybersecurity in the air

All of those factors mean that the aviation industry is less than ideally prepared for the constant onslaught of cyber threats. But I think it’s safe to say you still don’t have to worry about your next flight. Here’s why: on-flight cybersecurity guidelines require stringent testing and oversight far above what most other industries demand.

Specifically, the ED-202A standard in Europe and the DO-326A standard in the U.S. stipulate guidelines for software development and security in aviation. Both standards take a risk-based approach, meaning they focus on identifying and mitigating the risks that are most likely to affect the safety and security of aircraft. They also both provide guidance on the processes that avionics developers and manufacturers must follow to develop and certify secure avionic systems. This guidance covers all aspects of the development lifecycle, from defining requirements to testing and certification.

While no standard is perfect and there may still be room for improvement with the increase of connected systems onboard planes, the truth is that in-flight systems are well protected. So you can likely go on your next vacation without worrying about cybercriminals taking over your plane.

Cybersecurity on the ground

Personal and financial information are the targets of most cyber attacks in the aviation industry, meaning ground systems in aviation are the target of the majority of attacks. This particularly applies to basic airline software like flight scheduling systems and payment management systems as well as databases. Many of these systems are COTS software, and vulnerabilities and data leaks are not uncommon.

Also, it’s hard to properly secure systems that a lot of different people access on a daily basis. The top cybersecurity concern in the aviation industry is phishing threats, which often take the form of scam emails. These emails appear to be from legitimate sources or authorities but ask for personal information or work passwords. Once a password gets leaked, it’s easy for malicious actors to access sensitive data and systems.

Airlines have found some creative ways to improve security on the ground. For example, United Airlines has a reward program for people who discover and report vulnerabilities in certain ground systems or scheduling systems. Other airlines are implementing cybersecurity training programs for staff so they can identify phishing attacks and other threats. But there’s no question that there’s still a lot of room to grow in the area of cybersecurity for ground systems.

Room for growth

I’ll finish with this thought: Can the aviation industry improve in terms of cybersecurity? Absolutely. But is it hopelessly behind or in danger of planes falling out of the sky from cyberattacks any time soon? Absolutely not. Cybersecurity continues to be a major priority in aviation, and the industry will continue to grow in terms of protecting sensitive data and systems from outside threats.

About the author:  Vance Hilderman is the principal founder/CTO of three of the world’s most significant aviation development/certification companies including TekSci, HighRely, and AFuzion. Hilderman has trained over 31,000 engineers in over 700 aviation companies and 30+ countries. His intellectual property is in use by 70% of the world’s top 300 aviation and systems developers worldwide, and he has employed and personally presided over 500 of the world’s foremost aviation engineers on 300+ projects the past thirty-five years. AFuzion’s solutions are on 90% of the aircraft developed over the past three decades. His latest book, Aviation Development Ecosystem, debuted at #1 on the Aviation category best-seller list.