Aviation Cybersecurity

Article on Aviation Cybersecurity written by Thales for the Atlantic Council,

Connectivity of aircraft systems, through traditional information technologies and aviation-specific protocols, has now extended the attack surface to the aircraft itself. Aircraft are now complex data networks, yet the ability to monitor them arguably lags behind comparable ground-based networks— as does the ability to avoid and respond to potential cybersecurity incidents. 

 Advanced adversaries will still breach the IT infrastructure.”2 This assumption of future breach, failure, or attacks on data integrity has resulted in a greater focus to deliver resiliency as well as security. It will require both resilient systems engineering practices and a resilient personnel culture to safely work through such adversary activity.

 Yet this study indicates that the aviation industry is likely to experience cybersecurity challenges similar to other industries that have embraced the ‘digital revolution.’ History is replete with examples of ‘secure’ systems from all sectors being critically compromised by adversaries in some form.

As airliners become evermore complex, with pressures to maintain efficiency and serviceability, many airlines and aircraft manufacturers are connecting aircraft systems to ground services.  

 But the challenges of securing such a critical supply chain are considerable

Previously, aviation systems were relatively secure due to the bespoke nature of their design, isolation from other systems, and little in the way of communication protocols, but aircraft are no longer ‘air-gapped.’ ATM is no longer isolated and ground services and supply chains are gradually becoming fully integrated into an interconnected digital world. In such a world, vulnerabilities will be found where they were not anticipated, adversaries will attack that which was not predicted, and systems which ‘cannot fail’—can fail. 

The more that adversaries observe how the failure of one system may scale and cascade in a connected industry, the greater their motivations will be to explore the ‘art of the possible.

But this evolution is happening. In 2016, the 39th session of the ICAO assembly adopted a resolution to address cybersecurity in civil aviation.12 This highlighted the danger posed by rapidly evolving malicious threat actors and the urgent need to counter them through collaborative industry efforts. 

Although there are a number of national initiatives around the globe that aim to improve internal aviation cybersecurity policy, a key effort in the United States is the ‘Cybersecurity Standards for Aircraft to Improve Resilience Act of 2016,’ or the ‘Cyber Air Act,’ proposed by Senator Edward Markey.15 This Act creates a feedback loop of improving knowledge and visibility to update standards and regulations on “aircraft systems and maintenance and ground support systems for aircraft,” with requirements to identify “electronic entry points” to aircraft so that they may be protected by actions like isolating critical systems from non-critical systems.

“Cyber attacks on the aviation sector have so far been low-level and caused limited impact, but the consequences of a successful malicious cyber-attack on civil aviation operations could potentially be catastrophic.”

History has shown that cyber adversaries and their capabilities evolve and adapt surprisingly quickly. This may be particularly challenging in the aviation industry where many of the systems considered the backbone of the industry have long development periods, where policies and design standards are fixed early,

There are numerous examples of cyberattacks in which the victim organization had high confidence in its ability to defend itself against what it thought were its threats right up to the point that a compromise was discovered. This cycle is becoming so commonplace that it is no longer surprising.

Well-resourced threat actors will use unsophisticated tools to both save money and misdirect attribution, unresourced individuals with key skills can develop sophisticated tools. 

Some contributors considered that aviation industry threat models often underestimate adversary ability or the increasing sophistication of that ability. 

One off-the-record contributor was particularly blunt about some perspectives in the aviation industry: “It’s going to take the factory over the road burning down before they buy a sprinkler system.”