The aviation industry is both vast and complex. More than 45,000 flights and 2.9 million passengers travel through U.S. airspace every day, requiring high-tech tools and extensive communications networks. All of that data and complexity makes the sector a prime target for cybercriminals. Worryingly, only 49% of non-governmental organizations have fully adopted NIST security standards. As attacks against critical infrastructure and rapidly digitizing industries rise, the aviation industry must reevaluate its standards.
How Vulnerable Are Aircraft Networks?
Attacks against aircraft networks can cause immense damage. Airplanes rely on radio signals to navigate and communicate, so cybercriminals could steer flights off-course by interfering with these networks. As aircraft incorporate more Internet of Things (IoT) technologies, attackers gain more potential gateways to infiltrate aircraft control or communication systems.
Aircraft themselves undergo rigorous safety and compliance testing, so they may not be the most vulnerable parts of these networks. The air traffic control systems and airline booking platforms that handle vast amounts of data daily are a more likely target. Cybercriminals could infiltrate airport networks to steal sensitive passenger data, such as names and financial information.
These threats are more than just hypothetical too, as attackers have already begun targeting the aviation industry. In 2018, cybercriminals accessed up to 9.8 million passengers’ data, including passport numbers and credit card details. Upon review, it became clear the airline had many vulnerabilities, such as unprotected backups, out-of-date software, and unpatched internet-facing servers.
Earlier that same year, British Airways suffered an attack on its website, exposing thousands of customers’ data. Air Canada experienced a similar breach through its app. Attacks have targeted airports, too, with Bradley International Airport suffering a DDoS attack in March 2022.
How Can Aircraft Networks Become More Secure?
In light of these attacks, it’s clear that aviation cybersecurity needs improvements. Aircraft networks are too vulnerable, and the potential damage is too significant to overlook security best practices. Here are four steps aviation businesses can take to protect their aircraft, data and passengers.
1. Zero Trust Architecture
One of the most important measures to implement is zero trust security. Zero trust is a best practice anywhere, with 97% of security professionals agreeing that it improves security outcomes, but it’s critical in the aviation industry.
Aircraft networks involve many devices and communications handling different kinds of sensitive information. Lateral movement between any of these systems could cause widespread damage, so aviation businesses must keep them separate. Since zero trust segments networks by design, it can help in that area.
Verifying all devices and users is another crucial aspect of zero trust security for aviation. Given the complexity of aircraft networks, especially as planes add more IoT devices, they must ensure that nothing slips in unnoticed. Zero trust architecture measures are the only reliable way to do that.
2. Comprehensive Encryption
Aviation businesses must encrypt customer data on their websites, apps and other systems. The average amount of data created to manage all the information for a transatlantic flight is roughly 1,000 gigabytes, much of which is sensitive customer PII. If airlines don’t encrypt this data, attackers could steal the identities or financial information of hundreds, if not thousands of passengers. Given how much sensitive data is at stake, this encryption must be comprehensive. That includes both at-rest and in-transit.
3. Threat Monitoring
As cybercriminals recognize the value of aircraft networks, airlines must continually monitor these networks. The only reason Cathay Pacific’s massive breach didn’t spell the end for the company is that they quickly discovered and responded to the irregularities. Fast reactions are crucial for minimizing damage, and that requires continuous monitoring.
Vulnerability management platforms can help by analyzing network traffic and modeling threats. These automated tools can then establish network behavior baselines to discover suspicious activity sooner. They can then alert IT professionals, enabling decisive action, preventing breaches.
Automation and AI will likely have to lead the charge in this area. These networks are too complex and labor shortages too widespread for every airline to create a sufficient security operations center.
4. Regular Penetration Testing
Similarly, aircraft networks must perform regular penetration tests to ensure their defenses are up to date. As aircraft and air traffic control systems incorporate more devices, they’ll grow increasingly complex. That can make it difficult to understand where vulnerabilities lie, so penetration testing is essential.
These tests will reveal if airports have any glaring vulnerabilities and how they can improve. They’ll also help them stay current on developing attack trends. Since these facilities could be prime targets for cyber terrorism, gaining that edge is a vital security measure.
Penetration testing should happen at least once a year to scale up with new systems and stay current. Larger or faster-growing facilities may even opt to test multiple times a year to stay safe.
Aircraft Cybersecurity Is Crucial
As air travel picks up again, aviation businesses must reflect on their cybersecurity measures. Given the industry’s vulnerability and status as a high-value target, following these four steps is critical. If aircraft networks don’t embrace robust security measures, it could lead to disastrous results.
About the Author: Dylan Berger has several years of experience writing about cybercrime, cybersecurity, and similar topics. He’s passionate about fraud prevention and cybersecurity’s relationship with the supply chain. He’s a prolific blogger and regularly contributes to other tech, cybersecurity, and supply chain blogs across the web.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.