By: Valarie Findlay
No industry is immune to cyber breaches, but few evoke visions of catastrophic loss and devastation than an aviation cyber attack. Despite being the safest mode of transport, the aviation industry’s potential for large-scale loss makes it a high-value target for malicious actors. Aviation’s inextricably connected systems and processes present numerous contact points for cyber threats, targeting its critical assets – data, information, systems, and equipment. From flight service delivery, aircraft maintenance, repair and overhaul, ground and airspace control, and in the case of military aircraft, combat, ordnance and navigation processes, the very nature of these processes make cybersecurity incredibly complex in both design and management.
In the past fifty years, aviation has increased its operational dependency on systems and software by at least 75 per cent. The evolution of aviation software and systems emerged from isolated systems, rather than open systems that allowed for higher vulnerability resolution, that was designed for specific functional and availability needs, not security. While cybersecurity is now a priority for the development and implementation of aviation technologies, malware attacks are occurring between hundreds to thousands of times a month, seeking vulnerabilities in not only software but policies, processes, infrastructures, architectures, equipment, and components. When successful, these attacks have resulted in substantial data and profit loss, as seen in recent cyber exploits in the US, Turkey, Spain, Sweden, and Poland, causing a growing concern among industry authorities and regulators.
While flight and system configuration data or entire systems are common targets for malicious actors, the impacts of these breaches can extend far beyond financial and privacy to operational safety, service levels and even, if severe enough, mass casualties to the destabilization of entire sectors and economies. Due to these risks, aviation must maintain an elevated security posture through comprehensive cybersecurity standards, frameworks, processes, and safeguards. However, balancing the priority of current threats with the broadening problem on the horizon is complicated by other unprecedented challenges: a global cybersecurity skills shortage, increases in less sophisticated but high-impact attacks and even more complex relationships between networks, systems, and equipment.
Moreover, technologies like Big Data Analytics, the Internet of Things, smart-technologies, and smaller, cheaper, super-powered devices, all stand to radically transform aviation, but they will also obfuscate the very threats it strives to counter. Similarly, external public networks, third-party cloud storage, and out-sourced development are all important to improving efficiencies but they also increase the potential for modification of data, which poses a greater risk than denials-of-service. While the benefits these technologies – how they improve access, transmission and relational data constructs for more precise application and improved business processes and decisions – are significant, they are not limited to the industry and will be undoubtedly exploited and utilized by malicious actors.
In recent years, it has been recognized that technological countermeasures alone are not enough. The International Air Transport Association (IATA), the International Civil Aviation Organization (ICAO), and operational agencies like NAV Canada and the European Aviation Safety Agency (EASA), have made cybersecurity a priority in standards, frameworks and in developing new capabilities that address emerging threat scenarios. Formulating cybersecurity approaches through partnerships, collaboration and information sharing at the industry and international policy levels, in cooperation with nations, are crucial to maintaining alignment with the significant strides in technology.
Beyond standards and toolkits, aviation regulators and operational stakeholders must engage to develop and implement higher operational acceptability levels – integrated design, standardization and interoperability at the system level, policy-driven grading and certification, research and development that test well outside “normal” and “predictable” conditions and CERT-driven monitoring and operations. Like any other industry looking to harden assets and improve detection and response, aviation will need to invest in “better than best practices”, comprehensive target evaluation and air-tight security assurance requirements that are commensurate with thoroughly assessed risks.
While the cybersecurity challenges in aviation may appear to be monumental, a historical perspective on the industry may alter the paradigm: in 1903, two brothers embarked on the first powered, sustained and controlled flight. Today, aviation is a diverse, worldwide industry that puts sophisticated aircrafts in the air over a hundred-thousand times a day and supports 63 million jobs, $2.7 trillion in global GDP and drives several nations’ economies and the global economy. In twenty years, this is projected to double. That is monumental.
In light of that, cybersecurity in aviation should be a piece of cake.
Valarie Findlay is a research fellow for the Police Foundation (USA) and has two decades of senior expertise in cybersecurity and policing initiatives. She holds a Masters in Terrorism Studies from the University of St. Andrews, and her dissertation, “The Impact of Terrorism on the Transformation of Law Enforcement” examined the transformation of law enforcement in Western Nations.
