The State of Civil Aviation Cybersecurity

Technology and cyber systems have become essential components of modern society. Despite the benefit of cyber technologies, insecurities arise. These could affect all systems and infrastructures. More than that, the threat of a cyberattack could very well have a transnational component and effect as worldwide systems become increasingly interconnected. Civil aviation is mainly reliant on cyber-enabled technology that is used to increase the safety and efficiency of air transport. However, as the aviation industry becomes increasingly digitalized, the interconnectivity of systems and dependence on technology has led to the emergence of new risks. The aviation industry is using a computer-based interconnected system spanning across air navigation systems, onboard aircraft control and communication systems, airport ground systems, flight information systems, security screening and many other technologies that are used on a daily basis and for all aviation-related operations.

The Aviation Cyber Threat Landscape

The aviation digital attack surface continues to grow in such a way that both managing risk and gaining insight into it remain difficult. With emerging technologies like machine learning and fifth-generation (5G) telecommunications experiencing wider adoption—alongside electric vertical takeoff and landing (eVTOL), and autonomous aircraft—aviation cybersecurity risk management is becoming more and more complex. This will inevitably increase the number of aviation actors potentially impacted by a cyber-attack. The increased attack surface affects all components of the aviation sector: airports, airlines, Air Traffic Control (ATC) centers, supply vendors, and even passengers. To shed some light on the current state of aviation security, ImmuniWeb conducted a study on cybersecurity, compliance and privacy at some of the world's largest airports. According to the research findings, “97 out of 100 the world’s largest airports have security risks related to vulnerable web and mobile applications, misconfigured public cloud, Dark Web exposure or code repositories leaks.” The only international airports that passed with top grades were Schiphol airport in Amsterdam, Helsinki-Vantaa airport in Finland, and Ireland’s Dublin Airport. Problems with the airports’ official websites included:

• outdated web software (97%),
• known and exploitable vulnerabilities (24%),
• not GDPR compliant (76%),
• not PCI DSS compliant (73%), and
• no SSL encryption or the use of obsolete SSL version 3 (24%).

Furthermore, a test of 36 official airport smartphone apps found that 100% of the mobile apps contained vulnerabilities, with 15 security or privacy issues detected per app on average. In July 2019, the DHS/CISA issued a warning about an insecure implementation of CAN bus networks, the protocols which allow the various devices within planes, cars and other machines to communicate with each other. The vulnerability could allow bad actors to inject false data into the aircraft. By physically tapping into the CAN bus system, an adversary could alter numerous aircraft measurements including engine telemetry readings, compass and attitude data, altitude and airspeed, according to CISA. In the past, airports have suffered ransomware attacks, incidents in which hackers stole building plans and sensitive security protocols, conducted DDoS attacks, and even produced data leaks at boarding gate displays. Finally, after running penetration tests on many Air Traffic Management systems, EUROCONTROL found that most of its subjects were vulnerable. According to its think paper, senior management, technical staff and system designers need to move away from the illusion that their systems could survive a cyber-attack because "nothing" happened in the past. “The challenge now lies in making aviation systems/services progressively more and more cyber-resilient while remaining safe and cost-effective,” concludes the EUROCONTROL paper.

Challenges Towards Cyber Resilience

Aviation is considered critical infrastructure in both the United States and the European Union. One key characteristic of the aviation industry is the high level of interdependency between the various sectors of activity (airports, air navigation services, airlines, etc.) and interconnectivity with related systems (maintenance services, network connectivity services, fuel distribution systems, etc.). One incident at any point in this value chain can have severe consequences in other areas. During the 2020 annual meeting, the World Economic Forum (WEF) urged the consideration of emerging cybersecurity challenges in the aviation industry, as addressed in its “Advancing Cyber Resilience in Aviation: An Industry Analysis” report. The report findings indicate that the aviation industry will likely experience cyber risks similar to those of other industries grappling with new levels of digitalization and connectivity. “Technology and digitization not only bring many advantages, but also risks associated with the challenge of finding and managing cyber vulnerabilities across complex, international operations from airports, aircraft operators, Air Traffic Management, and supply chain,” reads a paper by IATA. This complexity makes the aviation industry vulnerable to hidden cyber risks and ever-increasing threats. According to a recent report by Atlantic Council, the airline industry is an attractive target for many cyber threat actors with diverse motives ranging from financial gain to disruption and harm to unintentional motives related to human error. Due to their complexity, cyberattacks on the aviation sector may be more difficult to detect and control and may generate cascading effects resulting in economic loss, industrial disruption and, in some cases, human casualties. The impact of such cyberattacks could be severe in the absence of adequate cybersecurity and resilience measures and capabilities. Management of aviation-cybersecurity risk remains challenging, says the latest report on aviation cybersecurity from the Atlantic Council. The report has identified several challenges that need to be addressed. The first set of challenges involves issues in trying to integrate aviation cybersecurity into flight safety, security, and enterprise IT, which all are subject to well-established governance and accountability frameworks. The second set of challenges is related to the cybersecurity posture of aviation suppliers and customers. According to the Atlantic Council, many suppliers find it difficult to incorporate best practices into purchases. There are also difficulties in developing consensus on adequate cybersecurity risk management and transparency. Information sharing is another area where there is still much work to be done. Managing aviation cybersecurity requires making thoughtful choices from a clear and well-informed understanding of risk. Information sharing is closely related to the need for objectivity regarding the qualification of aviation cybersecurity risk either through independent assessment or agreement among aviation stakeholders. Although the aviation sector rigorously works to anticipate, mitigate, and objectively investigate failure through both its designs and its training practices, incorporating cybersecurity into the sector’s culture remains a challenge. There is very little operational training (for pilots, air-traffic controllers, etc.) to either recognize or manage aviation-cybersecurity incidents. Finally, although aviation operations are inherently resilient, disruptive attacks at scale will prove challenging to manage. Attacks against data integrity will undermine the ability of aviation operators to conduct safe operations. Working through these issues will require an increased effort to understand the cybersecurity aspects of everything from normal operations and procedures to post-accident and incident management. “The aviation industry today is realizing a future in which drones deliver packages to the doorstep and a daily commute means flying over traffic. As industry and government work together on strong policy and regulations, industry consensus standards will bring us closer to that future,” concludes the World Economic Forum analysis on aviation cyber resilience.

Cybersecurity Strategy and Standards

Aviation cybersecurity should be led globally. As national, regional, and organizational efforts are underway to improve aviation cybersecurity, there is a growing risk of adding complexity across the landscape of regulations and best practices. All regions deserve the tools to improve, and any new body of standards must be harmonized across complex global supply and operations chains. ICAO promotes this from a capacity-building perspective with a tagline of “No Country Left Behind.” The 40th Session of the ICAO General Assembly adopted its first Cybersecurity Strategy relating to aviation in October 2019, stating the following vision. “ICAO’s vision for global cybersecurity is that the civil aviation sector is resilient to cyber-attacks and remains safe and trusted globally, whilst continuing to innovate and grow.” The ICAO vision highlights the key challenges facing the sector. The importance of resilience sits alongside the need for safety and maintaining trust while fostering growth and innovation. The publication of the first Aviation Cybersecurity Strategy by ICAO is a critical first stage in building global coherency. Additionally, the publication of the European Strategic Coordination Platform Strategy for Cybersecurity in Aviation is a significant step forward at a regional level, alongside national efforts such as the UK Aviation Cybersecurity Strategy. From an aviation cybersecurity standards perspective, there has been significant activity by both the European Aviation Safety Agency (EASA) and the US FAA. Since the end of 2019, the only way that aircraft, aviation systems, engines, etc. will be able to achieve airworthiness certification is to comply with the recently updated DO-326 and ED-202. These new regulations are considerably more detailed and comprehensive in their approach to the management of cybersecurity risk. Additionally, a new initiative of the US Department of Homeland Security (DHS) in partnership with the U.S. Air Force (USAF) will increase the scrutiny of aircraft cybersecurity. Following the publication of the U.S. National Strategy for Aviation Security, the Aviation Cybersecurity Initiative (ACI), chaired jointly by CISA, the Department of Defense, and the US Department of Transportation, aims to “to reduce cybersecurity risks and improve cyber resilience to support safe, secure, and efficient operations of the nation’s aviation ecosystem” by conducting vulnerability assessments of aircraft as a means to better understand and mitigate risk.

The Way Ahead

With the publication of the ICAO Cybersecurity Strategy, there is now a vision for how aviation cybersecurity can advance globally. To coherently gain insight, understand and manage aviation cybersecurity risk as well as bring swift, globally aligned, and effective change, all aviation stakeholders—including states, international bodies, regulators, manufacturers, and service providers—are strongly encouraged to act in unison and support the new ICAO Cybersecurity Strategy. The Strategy’s aims will be achieved through a series of principles, measures and actions contained in a framework comprised of seven pillars:

1. International cooperation
2. Governance
3. Effective legislation and regulations
4. Cybersecurity policy
5. Information sharing
6. Incident management and emergency planning
7. Capacity building, training and cybersecurity culture

Although progress is being made, significant challenges remain with regards to both gaining insight into aviation cybersecurity risk and globally managing it. Cultural change to better manage these cybersecurity challenges requires strong leadership and time. Measures must be taken to accelerate this process of improvement, increase transparency and trust as well as develop objectivity and collaboration. There is no single solution to aviation cybersecurity, and it will take positive collaboration across diverse stakeholders. Along with all this effort, it must be remembered that the aviation sector is a global one. Improving aviation cybersecurity will be a journey, and bringing along all stakeholders is essential if global, systemic risk is to be reduced.