This blog is also appeared in Australian Air Power Today, Winter 25, Volume 7 No. 2.

During the past three years, over the course of my Master’s of Cyber Security Leadership, I  have been investigating aviation cybersecurity: looking at vulnerabilities of System Wide Information Management, as planned in the ICAO GANP; investigating the SITA breach of 2021 and the subsequent supply chain impact; proposing a strategy to regulate civil aviation cybersecurity in alignment with ICAO SARPs and Australian law; as well as a detailed look at the socio-technical nature of cybersecurity, which means it has integrated human and technical elements – like aviation, cybersecurity has a significant human factors element. Writing a single, informative article on the topic of cybersecurity in aviation is challenging and almost guaranteed not to meet everyone’s expectations. Acknowledging that, this article will explore why aviation is an attractive cyber-target, where vulnerabilities exist, make a case for a sector wide approach, and close with what I think is a key challenge in maintaining cybersecurity and resilience in the aviation sector.

Aviation is an important sector, employing around 58 million people, contributing $2.4 trillion to global GDP and annually carrying 3.3 billion passengers and $6.6 trillion worth of freight. It is growing quickly, at 4.3% per annum with commercial aircraft operations expected to double to 73 million per annum by the mid 2030’s and global Revenue Passenger Kilometres (RPK) expected to quadruple by 2050. It is also a complex sector, with interdependent operations across the globe connected by digital systems spanning infrastructure and participants. This gives rise to a supply chain which is “one of the most complex and relied upon networks in the world”.

Aviation is rather unique in its use of technology, given that many of its cyber vulnerabilities exist due to systems being designed with a “significantly weaker threat model in mind” and relying on designs which are deliberately open, making them inherently insecure.  These vulnerabilities exist across all airspace users, including: 

• modern aircraft, with commercial aircraft entering service since the early 1990s having cyber-attack surfaces
• airports, which are becoming increasingly digitised with complex operations which make their attack surfaces difficult to define
• ATM where modernisation is introducing new vulnerabilities making the system more susceptible to cyber-attacks. 

Open, high value, complex environments are attractive to adversaries, and the aviation sector is an attractive target with cyber-attacks on the rise10. This is exacerbated by an increasingly sophisticated cybersecurity threat landscape, with adversaries including script kiddies/hobbyists, cyber criminals/terrorists and nation states, their intent ranging from thrill seeking and disruption through to causing life threatening catastrophic incidents. The increasing availability and reduced cost of tools, such as Software Defined Radio (SDR), which are capable of manipulating the wireless channels used in the aviation sector is enabling these adversaries to exploit vulnerabilities.

This complexity, interconnection and the threat environment means that cyber-risks are shared across the sector with a solution being beyond the means of any individual stakeholder. The potential impact of an incident extends beyond a single system or jurisdiction, meaning that countermeasures will include not only system specific controls and mitigations, but also regulation and threat intelligence sharing. This will require regional and international cooperation. Global challenges are a known quantity to civil aviation, which functions on its global scale because of its standards, interoperability and cooperation. The sector’s approach to cybersecurity should draw on this experience so that solutions, successes and lessons learnt can be scaled across the sector. 

A key area in need of attention is the aviation technology supply chain, which has historically been given insufficient attention. A lack of clear oversight in supply chains creates an environment where “malicious actors thrive” making it critical for organisations to include their supply chains in their cybersecurity strategies. To manage this challenge, ICAO calls for cooperation between vendors, the aviation industry and authorities10. This is easier said than done with supply chain cybersecurity being an emerging field affecting many industries, as evidenced by the SolarWinds attack affecting US Government agencies and the SITA breach impacting airlines who were customers and non-customers alike. However, we don’t need to start from scratch, the National Institute of Standards and Technology (NIST) – a globally recognised source of cybersecurity standards – has developed Cybersecurity supply chain risk management for systems and organizations. This publication recognises the aforementioned socio-technical nature of the challenge and provides guidance on mitigating technological and human factors. Given this, NIST’s expertise and the alignment of ICAO’s Cyber Action Plan with the NIST Cyber Security Framework, I think this is a suitable basis for an approach to aviation technology supply chain security. By doing this, we can improve the security of our cyber systems, while also identifying alternatives in the event of disruption to improve resiliency.

Have you considered your cybersecurity supply chain?