This blog also appeared in Australian Air Power Today, Winter 25, Volume 7 No. 2.
During the past three years, over the course of my Master’s of Cyber Security, I have been investigating aviation cybersecurity: looking at vulnerabilities of System Wide Information Management, as planned in the ICAO GANP; investigating the SITA breach of 2021 and the subsequent supply chain impact; proposing a strategy to regulate civil aviation cybersecurity in alignment with ICAO SARPs and Australian law; as well as a detailed look at the socio-technical nature of cybersecurity, which means it has integrated human and technical elements (Davis, 2014, p. 171) – like aviation, cybersecurity has a significant human factors element. Writing a single, informative article on the topic of cybersecurity in aviation is challenging and almost guaranteed not to meet everyone’s expectations. Acknowledging that, this article will explore why aviation is an attractive cyber-target, where vulnerabilities exist, make a case for a sector-wide approach, and close with what I think is a key challenge in maintaining cybersecurity and resilience in the aviation sector.
Aviation is an important sector, employing around 58 million people, contributing $2.4 trillion to global GDP and annually carrying 3.3 billion passengers and $6.6 trillion worth of freight (ICAO, 2016, p. 6). It is growing quickly, at 4.3% per annum, with commercial aircraft operations expected to double to 73 million per annum by the mid-2030s (ICAO, n.d.) and global Revenue Passenger Kilometres (RPK) expected to quadruple by 2050 (Gössling & Humpe, 2020, p. 5). It is also a complex sector, with interdependent operations across the globe connected by digital systems spanning infrastructure and participants. This gives rise to a supply chain which is “one of the most complex and relied upon networks in the world” (Schmidt, 2016, p. 187).
Aviation is rather unique in its use of technology, given that many of its cyber vulnerabilities exist due to systems being designed with a “significantly weaker threat model in mind” (Dave et al., 2022, p. 10) and relying on designs which are deliberately open (Elmarady & Rahouma, 2021, p. 143997), which makes them inherently insecure (Dave et al., 2022, p. 7). These vulnerabilities exist across all airspace users, including:
- modern aircraft, with commercial aircraft entering service since the early 1990s having cyber-attack surfaces (Davis, 2016, p. vii)
- airports, which are becoming increasingly digitised with complex operations which make their attack surfaces difficult to define (Cooper et al., 2019, p. 3)
- ATM, where modernisation is introducing new vulnerabilities, making the system more susceptible to cyber-attacks (ICAO, 2022, p. 7).
Open, high-value, complex environments are attractive to adversaries, and the aviation sector is an attractive target (IATA, 2021) with cyber-attacks on the rise (ICAO, 2022, p. 8). This is reflected in an increasingly sophisticated aviation cybersecurity threat landscape, with adversaries including script kiddies/hobbyists, cyber criminals/terrorists and nation states (Strohmeier et al., 2016, p. 227), their intent ranging from thrill seeking and disruption through to causing life-threatening catastrophic incidents (Bogoda, 2022, p. 5). The increasing availability and reduced cost of tools such as Software Defined Radio (SDR), which are capable of manipulating the wireless channels used in the aviation sector (Strohmeier et al., 2016, p. 227), are enabling these adversaries to exploit vulnerabilities.
This complexity, interconnection and the threat environment mean that cyber-risks are shared across the sector, with a solution being beyond the means of any individual stakeholder (EUROCONTROL, 2024). The potential impact of an incident extends beyond a single system or jurisdiction, meaning that countermeasures will include not only system-specific controls and mitigations, but also regulation and threat intelligence sharing. This will require regional and international cooperation. Global challenges are a known quantity to civil aviation, which functions on its global scale because of its standards, interoperability and cooperation. As outlined in the ICAO Cybersecurity Action Plan and related guidance, the approach to aviation cybersecurity should draw on this experience so that solutions, successes and lessons learnt can be scaled across the sector.
A key area in need of attention is the aviation technology supply chain, which has historically been given insufficient attention (Koepsel, 2018, p. 64). A lack of clear oversight in supply chains creates an environment where “malicious actors thrive” (Muncaster, 2021), making it critical for organisations to include their supply chains in their cybersecurity strategies (Mehan, 2014). To manage this challenge, ICAO calls for cooperation between vendors, the aviation industry and authorities (ICAO, 2022, p. 17). This is easier said than done, with supply chain cybersecurity being an emerging field affecting many industries, as evidenced by the SolarWinds attack affecting US Government agencies (BBC News, 2020) and the SITA breach impacting airlines who were customers and non-customers alike (Ilascu, 2021). However, we don’t need to start from scratch: the National Institute of Standards and Technology (NIST) – a globally recognised source of cybersecurity standards – has developed Cybersecurity supply chain risk management for systems and organizations (Boyens et al., 2022). This publication recognises the aforementioned socio-technical nature of the challenge and provides guidance on mitigating technological and human factors. Given this, NIST’s expertise and the alignment of ICAO’s Cyber Action Plan with the NIST Cyber Security Framework (Hally, 2022), I think this is a suitable basis for an approach to aviation technology supply chain security. By doing this, we can improve the security of our cyber systems, while also identifying alternatives in the event of disruption to improve resiliency.
Have you considered your cybersecurity supply chain?
References
BBC News. (2020, December 15). SolarWinds Orion: More US government agencies hacked. BBC News. https://www.bbc.com/news/technology-55318815
Bogoda, L., Mo, J., & Bil, C. (2019). A systems engineering approach to appraise cybersecurity risks of CNS/ATM and avionics systems. 2019 Integrated Communications, Navigation and Surveillance Conference (ICNS), 1–15. https://doi.org/10.1109/icnsurv.2019.8735376
Boyens, J., Smith, A., Bartol, N., Winkler, K., Holbrook, A., & Fallon, M. (2024). Cybersecurity supply chain risk management practices for systems and organizations. National Institute of Standards and Technology (U.S.). https://doi.org/10.6028/nist.sp.800-161r1-upd1
Braziotis, C., Bourlakis, M., Rogers, H., & Tannock, J. (2013). Supply chains and supply networks: Distinctions and overlaps. Supply Chain Management: An International Journal, 18(6), 644–652. https://doi.org/10.1108/scm-07-2012-0260
Cooper, P., Handler, S., & Shahwan Edwards, S. (2019, December 11). Aviation cybersecurity: Scoping the challenge. Atlantic Council. https://www.atlanticcouncil.org/in-depth-research-reports/report/aviation-cybersecurity-scoping-the-challenge-report/
Dave, G., Choudhary, G., Sihag, V., You, I., & Choo, K.-K. R. (2022). Cyber security challenges in aviation communication, navigation, and surveillance. Computers & Security, 112, 102516. https://doi.org/10.1016/j.cose.2021.102516
Elmarady, A. A., & Rahouma, K. (2021). Studying cybersecurity in civil aviation, including developing and applying aviation cybersecurity risk assessment. IEEE Access, 9, 143997–144016. https://doi.org/10.1109/access.2021.3121230
EUROCONTROL. (2024, September 15). Investing early in cyber resilience will avoid major disruptions in the longer term. EUROCONTROL. https://www.eurocontrol.int/article/investing-early-cyber-resilience-will-avoid-major-disruptions-longer-term
Gössling, S., & Humpe, A. (2020). The global scale, distribution and growth of aviation: Implications for climate change. Global Environmental Change, 65, 102194. https://doi.org/10.1016/j.gloenvcha.2020.102194
Hally, L. (2022, June 30). Evolving aviation cybersecurity. An Aviation Cyber Security Blog by Luke Hally. https://www.lukehally.au/cyber-ops/a-review-of-aviation-cybersecurity/
IATA. (2021). Aviation cyber security. Cyber Security; International Air Transport Association. https://www.iata.org/en/programs/security/cyber-security/
ICAO. (n.d.). Future of aviation. International Civil Aviation Organization. Retrieved June 13, 2022, from https://www.icao.int/Meetings/FutureOfAviation/Pages/default.aspx
ICAO. (2016). 2016–2030 Global Air Navigation Plan. In International Civil Aviation Organization. ICAO. https://www.icao.int/publications/Documents/9750_5ed_en.pdf
ICAO. (2022, January). Cybersecurity Action Plan. International Civil Aviation Organization. https://www.icao.int/aviationcybersecurity/Documents/CYBERSECURITY%20ACTION%20PLAN%20-%20Second%20edition.EN.pdf
Ilascu, I. (2021, March 5). SITA data breach affects millions of travelers from major airlines. BleepingComputer. https://www.bleepingcomputer.com/news/security/sita-data-breach-affects-millions-of-travelers-from-major-airlines/amp/
Kovacs, E. (2022, February 7). Ransomware attack on aviation services firm Swissport leads to flight delays. SecurityWeek. https://www.securityweek.com/ransomware-attack-aviation-services-firm-swissport-leads-flight-delays
Latifi, S. (2016). Information technology: New generations: 13th International Conference on Information Technology. Springer.
Mehan, J. (2014). CyberWar, CyberTerror, CyberCrime and CyberActivism: An in-depth guide to the role of standards in the cybersecurity environment. IT Governance Publishing.
Muncaster, P. (2021, March 5). SITA supply chain breach hits multiple airlines. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/sita-supply-chain-breach-hits/
Strohmeier, M., Schafer, M., Smith, M., Lenders, V., & Martinovic, I. (2016). Assessing the impact of aviation security on cyber power. 2016 8th International Conference on Cyber Conflict (CyCon), 223–241. https://doi.org/10.1109/cycon.2016.7529437


