Aviation is a component of critical infrastructure that is comprised of a complex web of public and private organizations relying on millions of assets to move people and cargo around the world. The industry supports countless critical functions such as emergency response, community access, agricultural support, passenger services, national security, law enforcement, border security, intermodal connections to rail and shipping, and much more. Like many industries, delivering these functions requires increasing reliance on innovative technology.
When the use of technology increases, the cyber threat landscape grows as well reinforcing the need to adjust cybersecurity strategies continually. Here are a few trends in cybersecurity in aviation to think about as you work to adapt to the ever-evolving environment.
Like many industries, breaches are constant.
- Cathay Pacific Airlines Breach: Last year, Cathay Pacific Airlines disclosed a breach that resulted in the exposure of personal information of over 9 million passengers. The company noticed abnormal activity occurring within its network and after investigating found that unauthorized individuals had accessed critical information such as passport information, credit card data, and more.
- Atlanta Government Ransomware Attack Impacts Airport: ‘Georgia’s largest international airport was forced to shut down its Wi-Fi network as a security precaution after the local government was hit with a ransomware attack. The intent was to avoid the spread of the ransomware to other systems throughout the airport, as well as connected systems of airlines, airport authorities, passengers, and employees.
- Asco Forced to Send 70% of Workers Home After Ransomware Attack: Asco, a company in Belgium that supplies of a variety of aircraft parts and services to aircraft manufacturers globally, was hit with a ransomware attack. The attack forced the company to shut down its operations in several locations including Belgium, the United States, Canada, and Germany.
- American Airlines mechanic in Miami charged with sabotaging a commercial airliner carrying 150 people: On Sept. 5, 2019, Abdul-Majeed Marouf Ahmed Alani, an airline mechanic was arrested in Miami and charged with trying to disable or damage an aircraft. According to an air marshal’s affidavit, Alani admitted that in July he used his access to the back side of the Miami airport terminal to drive up to a Boeing 737, open a compartment below the cockpit, and glue a piece of foam inside navigation equipment in such a way that pilots wouldn’t be able to tell how fast or high they were flying. The blockage triggered an alert when pilots powered up the plane, and they canceled the takeoff. The charge against the Miami airport airline mechanic highlights Insider Threats.
Attackers try exploiting air traffic control systems, cargo processes, and aircraft.
While the aviation industry faces many of the threats other industries face such as criminals aiming to steal data, attacking systems for ransom, or insiders stealing assets – there are a few unique threats and considerations within aviation. In addition to criminal threat actors, another concern is terrorism targeting air traffic control system disruption, cargo exploitation, aircraft weaponization, and more.
Each function mentioned in the introduction relies heavily on technology, and in theory, can be exploited if not adequately secured. Examples we have seen from researchers in the past include attempts to exploit protocol weaknesses or compromise systems to spoof GPS navigation data or flight plans, launch denial of service attacks through flooding or ARP poisoning to disrupt communication between critical systems, or inject malicious content into critical databases.
While these types of incidents could cause concern for any industry, within aviation, the consequences can impact safety.
‘It’s not just security that matters; safety must be a part of the conversation.
Researchers have emphasized the importance of understanding how cybersecurity can potentially impact safety. In the past, emphasis on aviation security was typically placed on physical security concerns and promoting the safety of passengers, cargo, etc. The ultimate purpose of investing in aviation security is to improve safety and protect people from any harm, whether intentionally or unintentionally, by any individuals with authorized or unauthorized access to airspace systems and assets that can impact this sector.
In practice, cyber threats are evaluated and managed based on the impact on confidentiality, availability, or integrity of information systems. Usually, those attributes are targeted by attackers for financial gain, competitive advantage, or other reasons. In the case of aviation, cyber threats can have an additional impact on safety. Aircraft are becoming more comparable to a complex computing system and can be targeted not only for financial gain but to negatively impact safety. The reliance on critical aviation components on cyber technology creates the potential for such links. This example is not limited to aviation. In the medical industry, for example, pacemaker technology is evolving to include wireless connectivity. In theory, these devices can be hacked and manipulated to impact the safety of the patient using the device.
The question, “Can cybersecurity impact safety?” is one that many companies need to start asking and thinking about. The answer is absolutely yes for many industries, including aviation.
A way forward.
There are four major players in aviation: Airlines and Aircraft Operators, Aircraft Manufacturers, Air Traffic Control, and Aviation Authorities. Each of these entities must focus on securing their networks and assets to protect the aviation industry holistically. This also means working together across these groups to understand downstream impacts and align on best practices for addressing cyber threats.
All players involved should aim to create a holistic and layered cybersecurity strategy that starts with an understanding of which functions within the aviation ecosystem are most critical, which assets support those functions, and what risks apply to those assets.
Throughout that process, ‘it’s essential to acknowledge that this is an industry where the potential impacts of cybersecurity are not limited to a data breach, and it’s typical consequences. Safety is an essential part of the equation as well.
Insider Risk – How Prepared Are You?
Not every company is equally prepared to deal with insider risk. This report outlines the four stages of insider risk maturity and explores how to improve your insider risk preparedness.