Cyber Security

Luke Hally

Evolving aviation cybersecurity

July 1, 2022

Introduction: The aviation sector

Aviation is an important sector, employing 58 million people, contributing $2.4 trillion to global GDP and annually carrying 3.3 billion passengers and $6.6 trillion worth of freight (ICAO, 2016, p. 6). It is also a fast-growing sector, growing at 4.3% per annum, with commercial aircraft operations expected to double to 73 million per annum by the mid-2030s (ICAO, n.d.) and global Revenue Passenger Kilometres (RPK, an industry measure of demand for air transport) expected to quadruple by 2050 (Gössling & Humpe, 2020, p. 5). This growth is increasing Air Traffic Control (ATC) workloads and driving a move to lower aircraft separation distances (Elmarady & Rahouma, 2021, p. 143997) to increase throughput.

To manage this growth, as well as efforts to reduce environmental impacts (ICAO, 2016, p. 3), Air Traffic Management (ATM) is modernising “from ground-based analog systems to space-based digital systems” (Elmarady & Rahouma, 2021, p. 143998). A key area for improvement outlined in the International Civil Aviation Organization’s (ICAO) Global Air Navigation Plan 2012-2030 (GANP) is Globally Interoperable Systems and Data. This will incorporate System Wide Information Management (SWIM), an “aviation intranet” (ICAO, 2016, p. 72), which is essential for enabling this transformation (ICAO, 2016). Aviation already has many vulnerabilities (Appendix 1, Table 2), and this modernisation of ATM is changing the way aviation operates and making the system more vulnerable to cybersecurity threats (ICAO, 2022, p. 7).

Aviation is already an attractive cyber target (IATA, 2021) and cyber attacks on the sector are on the rise (ICAO, 2022, p. 8). Recent publicised attacks include: the shutdown of Air Traffic Control systems in Alaska after a virus infection in 2006 (Sueki & Kim, 2016, p. 202); jamming that interfered with radar surveillance in Europe in 2014 (Elmarady & Rahouma, 2021, p. 144010); a supply chain attack in 2021 on SITA, a global provider of air transport communications and information technology (Ikeda, 2021); and a ransomware attack in Europe in 2022 on Swissport, a provider of airport ground services and air cargo handling (Kovacs, 2022).

In this report we will review the evolution of aviation’s stance on cybersecurity, explore the benefits and vulnerabilities of SWIM, and finally recommend defence by design and defence in depth to help maintain the cybersecurity of future aviation systems.

A change in security stance

Most aviation systems “were designed with a significantly weaker threat model in mind” (Dave et al., 2022, p. 10) and have traditionally been open designs (Elmarady & Rahouma, 2021, p. 143997), making them inherently insecure (Dave et al., 2022, p. 7). For example, contrary to OWASP recommendations for encryption of data in transit (OWASP, 2018), some essential wireless protocols (e.g. ADS-B) in modern aviation systems are transmitted unencrypted (Sueki & Kim, 2016, p. 201). Even where secure communications exist, during degraded modes of operation they may be sent over insecure networks (Davis, 2017, p. vii). These vulnerabilities (see Appendix 1, Table 2) exist across: modern aircraft, which are essentially flying data centres that can read from and write to external systems and networks (Cooper et al., 2019, p. 3); airports, which are becoming increasingly digitised, with complex operations that make it difficult to define their attack surface (Cooper et al., 2019, p. 3); and ATM, which has vulnerabilities across its systems. In the case of Australia, most of the ATM information handled by its air navigation service provider (ANSP), Airservices Australia, is not security classified (Thompson, 2019). As aviation modernises, new vulnerabilities are being created (Elmarady & Rahouma, 2021, p. 143998), adding to the challenge of security.

However, the aviation sector is responding at both an operational and a governance level. For example, Airservices Australia’s new ATM system is incorporating cybersecurity by design: “cyber security will be built into the system from day one” (Thompson, 2019). At the governance level, the urgency and importance of protecting against cyber attack was highlighted during the 39th ICAO Assembly, leading to the ICAO Cybersecurity Action Plan (CyAp) (ICAO, 2022). It outlines how stakeholders including states, industry and ICAO can work together to develop a cyber capability to “identify, prevent, detect, respond to and recover from cyber attacks on civil aviation” (ICAO, 2022, p. 8). This aligns with the Framework Core Functions of NIST Cybersecurity Framework Version 1.1 (NIST, 2018), indicating that ICAO is looking to implement scalable, repeatable, best practice solutions.

An Aviation Intranet

Aviation systems are currently undergoing a multi-decadal upgrade outlined in the ICAO GANP (ICAO, 2016), covering four modules: Airport Operations; Interoperable Systems & Data; Globally Collaborative ATM; and, Efficient Flight Paths.

Within the Interoperable Systems & Data module, System Wide Information Management (SWIM, Figure 1) will create an “aviation intranet based on standard data models, and internet-based protocols” (ICAO, 2016, p. 41), with ground systems and aircraft being nodes in the network (Elmarady & Rahouma, 2021, p. 144013). It will underpin new ATM systems globally, including: the United States’ Next Generation (NextGen) project; Europe’s Single European Sky ATM Research (SESAR); Japan’s Collaborative Actions for Renovation of Air Traffic Systems (CARATS) (Elmarady & Rahouma, 2021, p. 144013); and Australia’s Civil Military Air Traffic Management System (CMATS) (Thompson, 2019).

Figure 1: Overview of the air navigation critical infrastructure
(Elmarady & Rahouma, 2021, p. 143998)

Benefits

SWIM will facilitate the global exchange of information for all airspace users and stakeholders, including aircraft, airports and ATM (Elmarady & Rahouma, 2021, p. 144013). Increased collaborative decision making will improve coordination between airspace users as well as improving operational performance (ICAO, 2016, p. 41) with benefits across efficiency, environment and safety (ICAO, 2016, p. 42). 

The author also sees potential for gains to be made in the area of threat intelligence, with an opportunity for intelligence to be gathered across the global network and centralised for analysis for collaborative benefit. Once validated, this intelligence could be used to inform active and offensive measures, including: the sharing of information between airspace users, authorities in member states and more broadly; working with law enforcement to take down adversarial infrastructure; and automated control deployment such as blocking of adversary IPs and updating firewall rules across the network.

Vulnerabilities

For all its promised benefits, SWIM is also a significant source of potential vulnerabilities (Sueki & Kim, 2016, p. 201) across the MITRE ATT&CK lifecycle from Reconnaissance through to Impact (Mitre, 2022). A full analysis is beyond the scope of this report, but some specific examples are listed in Table 1, which spans the reconnaissance, initial compromise and execution phases of the attack lifecycle. Supply chain compromises are of particular concern to this author because they involve vulnerabilities for which end users may lack visibility and control.

Supply chain compromises, where an adversary introduces a vulnerability into vendor-supplied components or exploits an existing one, may be introduced through SWIM’s support for third party applications (Thompson, 2019). They are proven attack vectors, as seen recently in the aviation industry against SITA (Ikeda, 2021), as well as against other large organisations and government agencies trusted with data security, such as the SolarWinds (Jibilian & Canales, 2021) and Transport for NSW (Tan, 2021) breaches. This confirms my concern, along with Koepsel’s (2018, p. 64) claim, that the aviation sector has not paid enough attention to its supply chains.

Table 1: Specific SWIM vulnerabilities

| MITRE ATT&CK phase | Aviation-specific vulnerabilities | Internet-based protocol vulnerabilities |
|---|---|---|
| Reconnaissance | Amplification attacks (collect legitimate identifiers for spoofing/DoS) (Dave et al., 2022, p. 6) and eavesdropping (Elmarady & Rahouma, 2021, p. 144003). | Prone to active scanning with tools such as Nmap for network topology and Nessus for vulnerabilities. |
| Initial compromise | This could be made through supply chain attacks, trusted relationships or vulnerabilities in Appendix 1. | Attacks using Tactics, Techniques and Procedures (TTP) known to adversaries and tools such as Metasploit to launch attacks. |
| Execution | These could be direct attacks on a specific airspace user, such as using aircraft as zombies to launch a DoS on a particular ATC centre (Dave et al., 2022, p. 5-6), or against a specific system using TTP such as jamming or spoofing (Elmarady & Rahouma, 2021, p. 144011). | Adversaries can use tools such as Meterpreter to deliver payloads in a stealthy manner. |

Recommendations

Due to the breadth and depth of aviation systems, the sheer number of vulnerabilities and practical limitations of this report, I will provide a high-level recommendation that aviation systems need to be built with security by design principles, where cybersecurity is considered for each element of the network at each stage of its lifecycle, with Defence in Depth used to provide assurance of security. This will help incorporate the “security, authenticity, and privacy” demanded by Dave et al. (2022, p. 9) and will include administrative, technical and physical controls.

I believe there is a particular need to pay attention to how third party applications are kept secure. To this end, the ICAO Cybersecurity Action Plan calls for cooperation between vendors, aviation industry and authorities to manage supply chain risks and threats (ICAO, 2022, p. 17). Software supply chain security is an evolving field: Section 4 of Executive Order 14028 (Biden, 2021, p. 26637) recently called for the enhancement of software supply chain security, in response to which NIST released Recommended Minimum Standards for Vendor or Developer Verification (NIST, 2021), providing guidance on supply chain security. Koepsel (2018, p. 63) suggests a four-step process to assess aviation IT/ICT supply chains, which covers: identifying IT/ICT elements of commercial aviation assets; identifying the supply chain entry point for IT/ICT elements; undertaking a risk assessment of each IT/ICT element; and establishing how these risks will be managed within the supply chain.

Conclusion

The aviation industry is modernising to facilitate its growth in a safe, efficient and environmentally aware manner. This involves the transformation of aviation systems, which includes an aviation intranet, SWIM. As well as many benefits, SWIM will also introduce vulnerabilities. Some of these are specific to aviation infrastructure, but new vulnerabilities may be introduced with a reliance on internet-based protocols, vulnerabilities which are well known to adversaries who can exploit them with existing TTP and toolsets. SWIM will support third party applications, which introduces the risk of supply chain attacks. This is a risk that is acknowledged in the ICAO Cybersecurity Action Plan and one that I feel needs particular attention because without it, an organisation cannot be assured that their vendors are adhering to cybersecurity requirements. Accompanying these changes is a change in mindset in regard to cybersecurity in the aviation sector, moving from a culture of open communications to one of security by design and an awareness of the need to keep ahead of adversaries.

Aviation functions on a global scale because of its standardised approach: phraseology, procedures, language and redundancies. Its approach to cybersecurity should draw on this experience so that solutions, successes and lessons learnt can be scaled across the sector. If this isn’t done, given the interconnection of SWIM, there is a potential for an exploit in one part of the system to spread across the network in a manner that parallels Rizvi et al.’s (2018) discussion of IoT devices. I agree with Sueki & Kim (2016) that this level of interconnectivity “presents elevated cyber-attack opportunities”, where each connected node of the aviation intranet is a potential attack vector against the system, making the need for a system-wide defence in depth, with particular attention to third party applications and their integration, critical to the security of aviation systems in the future.

Areas of further research include aviation supply chain cybersecurity and using attack surfaces to gather threat intelligence. Given the vulnerabilities that supply chains present, the evolving nature of supply chain cybersecurity and the apparent lack of depth of literature on the topic in the field of aviation, I believe this is an important area for further research. The attractiveness of aviation as a cyber target, along with the growth in attacks, highlights the need for quality threat intelligence so that the sector can stay at the forefront of defence. A further area of research is investigating the use of SWIM’s attack surface as an intelligence gathering mechanism and how this could be used for the creation and dissemination of threat intelligence throughout the network.

Appendix 1: Table 2

Table 2: list of aviation systems and vulnerabilities

| CNS System | Protocol | Vulnerability | Source |
|---|---|---|---|
| Communications | VHF: Very High Frequency | Eavesdropping | (Dave et al., 2022, p. 4) (Elmarady & Rahouma, 2021, p. 144003) |
| | | Jamming | (Dave et al., 2022, p. 4) (Elmarady & Rahouma, 2021, p. 144003) |
| | | All pilots on the same frequency; with increased traffic, increased probability of accidental overrides. | (Dave et al., 2022, p. 4) |
| | | Spoofing (pretending to be pilot or ATC) | (Elmarady & Rahouma, 2021, p. 144003) |
| | | DoS attacks (partial or full) depending upon targeted frequencies. | (Dave et al., 2022, p. 4) |
| | CPDLC: Controller Pilot Data Link Communications | An attack on it may go undetected (lack of integrity) | (Dave et al., 2022, p. 4) |
| | | It does not provide confidentiality and integrity of the message. | (Dave et al., 2022, p. 4) |
| | | Jamming | (Dave et al., 2022, p. 4) (Elmarady & Rahouma, 2021, p. 144003) |
| | | Eavesdropping | (Dave et al., 2022, p. 4) (Elmarady & Rahouma, 2021, p. 144003) |
| | | Message alteration (injection, replay, deletion) | (Dave et al., 2022, p. 4) (Elmarady & Rahouma, 2021, p. 144003) |
| | | Spoofing | (Dave et al., 2022, p. 4) (Elmarady & Rahouma, 2021, p. 144003) |
| | | Flooding (DoS) | (Elmarady & Rahouma, 2021, p. 144003) |
| | ACARS: Aircraft Communications Addressing and Reporting System | Weight and balance updates | (Elmarady & Rahouma, 2021, pp. 144003, 144005) |
| | | Flight plan updates | (Elmarady & Rahouma, 2021, pp. 144003, 144005) |
| Navigation | GNSS: Global Navigation Satellite System | Unintentional interference | (Elmarady & Rahouma, 2021, p. 144007) |
| | | Intentional interference | (Elmarady & Rahouma, 2021, p. 144007) |
| | | Spoofing | (Elmarady & Rahouma, 2021, p. 144007) |
| | VOR: VHF Omni-directional Range, provides angle/bearing to waypoint | Eavesdropping | (Dave et al., 2022, p. 5) |
| | | Jamming | (Elmarady & Rahouma, 2021, p. 144007) |
| | | Spoofing | (Elmarady & Rahouma, 2021, p. 144007) |
| | ILS: Instrument Landing System | Overshadow attack | (Dave et al., 2022, p. 5) (Elmarady & Rahouma, 2021, p. 144007) |
| | | Spoofing | (Dave et al., 2022, p. 5) |
| | | Single Tone Attack | (Dave et al., 2022, p. 5) (Elmarady & Rahouma, 2021, p. 144007) |
| | DME: Distance Measuring Equipment | Susceptible to SDR-based (Software Defined Radio) attacks | (Dave et al., 2022, p. 6) |
| Surveillance | PSR | Jamming | (Dave et al., 2022, p. 6) (Elmarady & Rahouma, 2021, p. 144009) – but sophisticated |
| | | Time based (GPS) attacks | (Dave et al., 2022, p. 6) |
| | SSR | Eavesdropping | (Dave et al., 2022, p. 6) |
| | | SDR attacks | (Dave et al., 2022, p. 6) |
| | | Spoofing | (Dave et al., 2022, p. 6) (Elmarady & Rahouma, 2021, p. 144011) |
| | | Jamming | (Dave et al., 2022, p. 6) (Elmarady & Rahouma, 2021, p. 144011) |
| | | Injecting/altering | (Dave et al., 2022, p. 6) |
| | | Amplification attack (gather legit responses from aircraft then use for DoS) | (Dave et al., 2022, p. 6) |
| | | Use aircraft as zombies | (Dave et al., 2022, p. 6) |
| | | DoS | (Dave et al., 2022, p. 6) (Elmarady & Rahouma, 2021, p. 144007) |
| | ADS-B: Automatic Dependent Surveillance-Broadcast. ADS-B OUT is transmission to/from ATC. ADS-B IN is transmission between aircraft. | Jamming | (Dave et al., 2022, p. 6) (Elmarady & Rahouma, 2021, p. 144011) (Latifi, 2016, p. 204) |
| | | Spoofing | (Dave et al., 2022, p. 6) (Elmarady & Rahouma, 2021, p. 144011) (Latifi, 2016, p. 204) |
| | | Message injection, modification, deletion | (Dave et al., 2022, p. 6) (Latifi, 2016, p. 204) |
| | | Eavesdropping | (Elmarady & Rahouma, 2021, p. 144011) (Latifi, 2016, p. 204) |
| | | DoS (by creating many ‘ghosts’) | (Latifi, 2016, p. 204) |
| | MLAT: Multilateration | Mis-synchronisation due to GPS vulnerabilities (i.e. spoofing satellites to interfere with time stamps) | (Elmarady & Rahouma, 2021, p. 144011) |
| System Wide Information Management | SWIM | MiTM | (Elmarady & Rahouma, 2021, p. 144014) (Latifi, 2016, p. 205) |
| | | DoS | (Elmarady & Rahouma, 2021, p. 144014) |
| | | Unauthorised access | (Elmarady & Rahouma, 2021, p. 144014) |
| | | IP-Network attacks | (Elmarady & Rahouma, 2021, p. 144014) (Latifi, 2016, p. 205) |

References

Aviation Transport Security Act 2004, (2021). https://www.legislation.gov.au/Details/C2021C00252

Biden, J. (2021). Improving the Nation’s Cybersecurity. Federal Register, 86(93).

Boyens, J. M., Smith, A., Bartol, N., Winkler, K., Holbrook, A., & Fallon, M. (2022). Cybersecurity supply chain risk management for systems and organizations. National Institute of Standards and Technology. http://dx.doi.org/10.6028/nist.sp.800-161r1

Cooper, P., Handler, S., & Shahwan Edwards, S. (2019, December 11). Aviation cybersecurity: Scoping the challenge. Atlantic Council. https://www.atlanticcouncil.org/in-depth-research-reports/report/aviation-cybersecurity-scoping-the-challenge-report/

Datta, D. (2022, May 28). Decoded: Why aviation industry is a tempting target for cyberattacks. Business Standard. https://www.business-standard.com/article/technology/decoded-why-aviation-industry-is-a-tempting-target-for-cyberattacks-122052701407_1.html

Dave, G., Choudhary, G., Sihag, V., You, I., & Choo, K.-K. R. (2022). Cyber security challenges in aviation communication, navigation, and surveillance. Computers & Security, 112, 102516. https://doi.org/10.1016/j.cose.2021.102516

Davis, T. L. (2017). Commercial aviation and cyber security: Current state and essential reading. IEEE. https://ieeexplore-ieee-org.wwwproxy1.library.unsw.edu.au/book/8503637

Elmarady, A. A., & Rahouma, K. (2021). Studying cybersecurity in civil aviation, including developing and applying aviation cybersecurity risk assessment. IEEE Access, 9, 143997–144016. https://doi.org/10.1109/access.2021.3121230

Iasiello, E. (2013). A review of “A framework for aviation cybersecurity” – A decision paper from the American Institute of Aeronautics and Astronautics. Journal of Homeland Security and Emergency Management, 11(1). https://doi.org/10.1515/jhsem-2013-0076

IATA. (2021). Aviation cyber security. Cyber Security; International Air Transport Association. https://www.iata.org/en/programs/security/cyber-security/

ICAO. (n.d.). Future of aviation. International Civil Aviation Organization. Retrieved June 13, 2022, from https://www.icao.int/Meetings/FutureOfAviation/Pages/default.aspx

ICAO. (2016). 2016–2030 Global Air Navigation Plan. In International Civil Aviation Organization. ICAO. https://www.icao.int/publications/Documents/9750_5ed_en.pdf

ICAO. (2019). Aviation Cybersecurity Strategy. In ICAO. INTERNATIONAL CIVIL AVIATION ORGANIZATION. https://www.icao.int/cybersecurity/Pages/Cybersecurity-Strategy.aspx

ICAO. (2022). Cybersecurity Action Plan. International Civil Aviation Organization.

Ikeda, S. (2021, March 8). Aviation IT Giant SITA Breached in Extensive Supply Chain Attack. CPO Magazine. https://www.cpomagazine.com/cyber-security/aviation-it-giant-sita-breached-in-extensive-supply-chain-attack-frequent-flier-programs-of-major-airlines-compromised/

Jibilian, I., & Canales, K. (2021, April 15). The US is readying sanctions against Russia over the SolarWinds cyber attack. Here’s a simple explanation of how the massive hack happened and why it’s such a big deal. Insider. https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12

Klenka, M. (2021). Aviation cyber security: Legal aspects of cyber threats. Journal of Transportation Security, 14(3–4), 177–195. https://doi.org/10.1007/s12198-021-00232-8

Koepsel, K. M. (2018). Aerospace supply chain and cyber security: Challenges ahead. SAE International.

Kovacs, E. (2022, February 7). Ransomware attack on aviation services firm swissport leads to flight delays. SecurityWeek.Com. https://www.securityweek.com/ransomware-attack-aviation-services-firm-swissport-leads-flight-delays

Mandiant. (n.d.). Targeted attack lifecycle. Mandiant. Retrieved June 25, 2022, from https://www.mandiant.com/resources/targeted-attack-lifecycle

Mitre. (2022). MITRE ATT&CK®. Mitre. https://attack.mitre.org

NIST. (2018). Framework for improving critical infrastructure cybersecurity, version 1.1. National Institute of Standards and Technology. http://dx.doi.org/10.6028/nist.cswp.04162018

NIST. (2021, July). Recommended minimum standards for vendor or developer verification (testing) of software under executive order (EO) 14028. NIST. https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/recommended-minimum-standards-vendor-or

Rizvi, S., Pipetti, R., McIntyre, N., & Todd, J. (2018, July). An attack vector for iot networks. 2018 International Conference on Software Security and Assurance (ICSSA). http://dx.doi.org/10.1109/icssa45270.2018.00019

Sampigethaya, K., Poovendran, R., Shetty, S., Davis, T., & Royalty, C. (2011). Future e-enabled aircraft communications and security: The next 20 years and beyond. Proceedings of the IEEE, 99(11), 2040–2055. https://doi.org/10.1109/jproc.2011.2162209

Security of Critical Infrastructure Act 2018, (2022). https://www.legislation.gov.au/Details/C2022C00160

Springer. (2019). Critical infrastructure security and resilience. Springer International Publishing. http://dx.doi.org/10.1007/978-3-030-00024-0

Stastny, P., & Stoica, A.-M. (2022). Protecting aviation safety against cybersecurity threats. IOP Conference Series: Materials Science and Engineering, 1226(1), 012025. https://doi.org/10.1088/1757-899x/1226/1/012025

Sueki, S., & Kim, Y. (2016). Information technology: New generations: 13th International Conference on Information Technology (S. Latifi, Ed.). Springer.

Tan, A. (2021, February 24). Transport for NSW hit by Accellion breach. ComputerWeekly.Com. https://www.computerweekly.com/news/252496913/Transport-for-NSW-hit-by-Accellion-breach

Thales. (2020, January 23). Cybersecurity in aviation: The big picture. Thales Aerospace Blog. https://onboard.thalesgroup.com/cybersecurity-in-aviation-the-big-picture/

Thompson, I. (2019, February 23). Reach for the Onesky, Australia’s integrated air traffic management system. Australian Aviation. https://australianaviation.com.au/2019/02/reach-for-the-onesky-australias-integrated-air-traffic-management-system/

Ukwandu, E., Ben-Farah, M. A., Hindy, H., Bures, M., Atkinson, R., Tachtatzis, C., Andonovic, I., & Bellekens, X. (2022). Cyber-Security challenges in aviation industry: A review of current and future trends. Information, 13(3), 146. https://doi.org/10.3390/info13030146

Wong, L.-W., Lee, V.-H., Tan, G. W.-H., Ooi, K.-B., & Sohal, A. (2022). The role of cybersecurity and policy awareness in shifting employee compliance attitudes: Building supply chain capabilities. International Journal of Information Management, 66, 102520. https://doi.org/10.1016/j.ijinfomgt.2022.102520
