Ensuring Robust, Resilience Cybersecurity for Civil Aircraft

By James Careless

Cyber-attacks against all aspects of civil aviation are on the rise, necessitating the implementation of robust, resilient cybersecurity measures in this vital industry.

There’s no time to lose. “Cyber-attacks in general are escalating each year,” said Vance Hilderman, CTO of AFuzion, which describes itself as being the world’s largest aviation certification services company. “The 2024 estimated cost of cyber-attacks is US$8 Trillion.”

Worse yet, “the world has been witnessing a steady increase in cyber-attacks against all sectors,” warned the International Civil Aviation Organization (ICAO) on its Aviation Cybersecurity web page (https://www.icao.int/aviationcybersecurity/Pages/default.aspx). “Aviation has been no exception, being characterised by its extensive interconnectivity and complexity, its high level of media exposure, and its critical role in the socio-economic development of States.”

“Cyber-attacks affect airlines, airports, and air transport managers,” noted Waël Kanoun, Director of Cyber Defense Solutions at Thales Middle East, and International Aerospace Vertical Lead for Cybersecurity at Thales. “In 2023, the main target for attacks were airlines, accounting for over 60% of all cyber-attacks in the aviation sector. Certain patterns emerge, revealing that specific categories of stakeholders are more affected by particular attack vectors; for example, DDoS [Distributed Denial-of-Service] attacks on airports (64% of all DDoS attacks are on aviation), and ransomware attacks on the supply chain (63% of all ransomware attacks are on aviation).”

Why Aviation is at Risk

Before detailing the ways in which aviation is improving its cybersecurity, it is helpful to understand why this industry is in hackers’ crosshairs to begin with.

The reason: “Since 9/11, aviation is increasingly seen as a ‘target rich’ cyber-attack area since aircraft incidents are among the highest profile incidents possible, with the exception of nuclear reactor incidents,” Hilderman said. “Wealthy countries fly more and build more aircraft, so they are at a higher risk of cyber-attacks, which is increasingly known. As well, aircraft complexity is increasing along with usage of third-party commercial products and more-open communication protocols, thus increasing the number of potential aviation cyber-attack ‘vectors’ (areas of cyber vulnerability).”

As a result, aviation is increasingly being subjected to greater cyber-risks and more actual cyber-attacks. “To date, no commercial passenger aircraft has yet crashed due to a cyber-attack,” said Hilderman. “However, many cyber incidents have been attempted and succeeded in impairing flight and supply chain operations.”

A Wide Range of Cyber-Attack Options and Targets

When it comes to attacking aviation, hostile players have a wide range of options at their disposal. “The commercial aviation industry faces a range of cyber threats such as ransomware, phishing attacks, DDoS attacks, and advanced persistent threats (APTs),” said Roberto Valla, Senior Director of Aerospace & Defense at the security software firm Wind River. “These attacks can be perpetrated by nation-state actors, cybercriminals, or insiders with various motives. The industry’s cybersecurity is becoming more robust, with increasing investments in technology and training, but challenges remain due to the complexity of interconnected systems.”

Josh Lospinoso is CEO and co-founder of Shift5, whose onboard observability platform allows aviation, military, rail, and maritime operators to make smart, fast decisions about their aircraft through real-time data access, contextual insights, and actionable analytics. “There are a number of cyber risks that aviation defenders monitor, but the latest risk, requiring immediate action, is GPS jamming and GPS spoofing,” he told Aerospace Innovations. “The rise in hybrid warfare globally — from the Ukraine to the Middle East — has led to the now-daily use of electronic warfare (EW) tactics. Forces can manipulate the electromagnetic spectrum to attack an enemy or impede operations, targeting GPS satellites to jam enemy radar, intercept communications, deceive enemy sensors, and spoof GPS signals. Its extensive use on the battlefield has bled into civilian life; according to OpsGroup, 900 daily flights are now encountering GPS spoofing. The International Air Transport Association (IATA) estimates GPS disruption grounding aircraft could obstruct one million daily global passengers, incurring $60 billion lost in annual global GDP.”

Although aircraft offer hackers the highest visibility targets, all aspects of aviation are under attack. According to Kanoun, “Attackers target airport systems to create backdoors, granting them prolonged undetected access. This allows the infiltration and potential disruption of key systems over an extended period, going from days to months. The longer the period of infiltration, the larger the amount of data collected. Such attacks can also be used to disrupt the operation of key systems such as luggage systems, announcements, CCTVs, and ticketing. The impact of such cyber-attacks can be substantial, as evidenced by the example of the Beirut airport cyber-attack in January 2024, where traveller information screens were hacked to display political messages for several days.”

Meanwhile, the growing adoption of interconnected systems within civil aviation has spurred an increase in the number of possible cyber-targets. It’s not just communication networks and flight management systems that are in danger. “As examples, the now-common availability of passenger Wi-Fi systems on aeroplanes, the use of credit card capture systems in-flight, the ubiquity of USB ports for device charging at the seat — all things consumers have come to expect during their travel — and digital flight bags (e.g. iPads loaded with vector routes, landing approaches, and runway maps) commonly brought onboard by pilots, are all opportunities for intentional unauthorised electronic interactions, or IUEI,” said Valla. “The vulnerabilities are also heightened by the legacy systems still in use, which may not have been designed with modern cybersecurity threats in mind.”

Stepping Up Cybersecurity: What The Experts Have to Say

Compared to the military sector, civil aviation has been slower to step up its cybersecurity practices “for simple monetary and apparent ‘lack of urgency’ reasons,” Hilderman said. Nevertheless, this situation is now improving due to regulator pressure: “The FAA and EASA have recently mandated that all new commercial aircraft and avionics undergo required cyber-security evaluations and adherence to the new ‘DO-326A’ (‘ED-202A’ in Europe) requirements,” he noted. “So, new aircraft will be increasingly protected. Now legacy aircraft and systems are much less protected. But fortunately, they are also much less vulnerable due to their near-exclusive use of custom-developed and fully verified dedicated software.”

So, what is being done specifically to improve aviation cybersecurity? Quite a lot, according to the experts interviewed for this article. Quite a lot indeed.

A case in point: “Three main areas of work are enhancing the assurance of cybersecurity robustness,” said Paul Butcher, UK Programme Manager and Head of Dynamic Analysis with AdaCore, which aids developers in the creation of safe, secure and reliable software. These three areas are “the advocation of memory-safe programming languages, the advocation of memory-safe hardware, and the advocation of Refutation activities within airworthiness security standards,” he said. [According to Wikipedia “memory-safe” is defined as the state of being protected from various software bugs and security vulnerabilities when dealing with memory access, such as buffer overflows and dangling pointers.]

Let’s start with memory-safe programming languages. According to Butcher, trends within the aerospace industry have sometimes resulted in memory-safe programming languages falling out of favour, leading to the widespread use of memory-unsafe languages like C and C++. “The problem is that memory-unsafe programming languages are highly susceptible to unsafe memory instruction calls, which can result in undetected-through-testing software bugs, like buffer overflows,” he explained. “If an attack can trigger these bugs, they become vulnerabilities that could lead to unauthorised electronic interaction with the air vehicle’s avionics systems. For an operator, this can lead to costly fixes to deployed software and potentially life-threatening scenarios if the vulnerability is linked to a safety hazard. “

However, the tide is turning. In February 2024, the White House released a report titled ‘Back to the Building Blocks: A Path Toward Secure and Measurable Software’ (https://www.whitehouse.gov/wp-content/uploads/2024/02/Final-ONCD-Technical-Report.pdf), which strongly advocates the use of memory-safe programming language and memory-safe hardware. “Since many cybersecurity issues start with a line of code, one of the most effective ways to address those issues is by examining the programming language itself,” the report said. “Ensuring that a programming language includes certain properties, such as memory or type safety, means software built upon that foundation automatically inherits the security those features provide.”

“This report recognizes that the risk of undiscovered vulnerabilities across the existing software ecosystem is unacceptably high and underscores the urgent need for a shift towards memory-safe solutions,” said Butcher. “One promising solution to the prevalent use of memory-unsafe programming languages is to run the compiled application code on memory-safe hardware.”

As for Refutation? “As stated within DO-356A/ED-203A, Refutation is an alternative to exhaustive testing that can provide evidence that unwanted behaviour has been precluded to an acceptable level of confidence,” Butcher replied. “Therefore, refutation is the act of refuting claims that a system is secure by rigorously attempting to hack the system and identify attack paths.”

Shift5’s Josh Lospinoso has a different take on improving aviation cybersecurity. “The interconnected nature of modern aircraft and ground-based systems demands a layered defence strategy that can address the unique vulnerabilities of each environment,” he said. “While many companies have developed robust solutions to secure ground-based OT systems, the critical need to protect the aircraft themselves cannot be overlooked.”

At the same time, “the critical importance of securing onboard systems cannot be overstated.,” said Lospinoso. “Today, aircraft are complex networks of interconnected systems, including avionics, in-flight entertainment, communication networks, and more. These systems are integral to the safe and efficient operation of the aircraft, but their connectivity also makes them vulnerable to cyber threats. A successful attack on these systems could have catastrophic consequences, ranging from operational disruptions to threats to passenger safety.”

Working Together to Solve Problems

Fortunately, the cybersecurity industry is taking these concerns to heart, by developing products and services to address these vulnerabilities. “It has to be a team effort, because the future of aviation cybersecurity lies in collaboration,” Lospinoso said. “No single company can claim to secure an airline’s entire OT landscape, but together, specialised solutions can offer the comprehensive coverage that the industry requires. For instance, Shift5’s expertise in securing onboard systems, combined with the strengths of other OT providers, forms a powerful alliance that can safeguard both the ground and the skies.”

Thales’ Waël Kanoun shares this belief in collaboration, which he extends to include airlines and regulatory agencies in addition to cybersecurity firms. “The aviation industry must continually assess and enhance its cybersecurity measures to effectively mitigate evolving cyber threats,” he explained. “This is why Thales is active in sharing with other aviation stakeholders by being a member of Aviation ISAC (an international association of OEMs, airlines, airports, satellite manufacturers, aviation services, and their supply chains) and a founding member of the French Aviation CERT (Computer Emergency Response Team), which monitors cyber threats and responds to computer security incidents in aviation.”

Thales is also providing cyber security training to the industry that integrates aviation and cybersecurity expertise, with a strong focus on practical applications. “One illustrative approach involves the utilisation of simulators in various locations such as the UK (NDEC in Wales), France, Belgium, and the Middle East (CyberNode in the UAE),” said Kanoun. “These simulators, referred to as ‘CyberRange’, are sophisticated simulation solutions enabling the execution of cyber attack scenarios. They facilitate accurate replication of systems, including airport and aviation systems, and offer a secure environment for testing and simulating attacks under conditions closely resembling real-world scenarios.”

That’s not all. According to Wind River’s Roberto Valla, the aviation industry is adopting several more measures to boost cybersecurity. They include implementing advanced threat detection systems, conducting regular vulnerability assessments, and establishing comprehensive incident response plans.

Of course, for these measures to be effective, “it is important to work with proven, trusted technologies and technology partners who can help companies achieve their security objectives,” Valla said. “And again, collaboration between industry stakeholders is also crucial, with information sharing initiatives and adherence to regulatory standards. Companies can also put additional focus on continuous employee training, upgrading legacy systems, and integrating AI-driven cybersecurity solutions.”

Protecting AI and Autonomous Flight

Speaking of AI, the notion of AI-managed autonomous aircraft being hacked to be repurposed for evil intent is the stuff of nightmares — and Hollywood. (Prediction: Such a scenario will likely turn up in a movie or TV show in the near future.) This begs the question:

As AI and autonomous flight make their way into aviation, what needs to be done to prevent them from being exploited by hackers and terrorists — and is this being done?

According to AFuzion’s Vance Hilderman, the answer is yes. “The good news is that the FAA’s DO-326A requires continuous reassessment of cyber-risks and that should include increased vulnerabilities caused by AI,” he said. “Also, AI is currently disallowed onboard the aircraft to control any real time onboard safety function so onboard AI cannot be exploited for real time safety.”

Having said this, Hilderman stressed that current FAA rules do not yet apply to legacy aircraft or onboard AI which is simply “monitoring” aircraft systems. “Frankly, the bad news is that it will likely take a major cyber incident to really force implementation of greatly enhanced cyber rigour, just as 9/11 triggered major airport/passenger scrutiny.”
This is why the experts interviewed for this article want aviation AI to be properly regulated now, before a 9/11-style event ever takes place.

“Saying that AI systems are safe, is not enough: it is essential, particularly in such a critical environment, to prove it with strict controls,” said Kanoun. “At Thales, we aim to keep humans at the centre of decision-making processes, meaning that the AI is only an aid. The AI technologies that we build into our systems have to meet stringent requirements and, just like the other stakeholders of the aviation industry, sometimes need to obtain certification before they can be used in real-world applications. Alongside academic and industrial partners, Thales anticipates the development of qualification methodologies to build trusted AI. This is particularly crucial for critical systems where infrastructure safety or human life is at stake.”

One thing is certain: Regulating AI and autonomous flight should not be an industry afterthought. “As AI and autonomous flight technologies advance, it is essential to incorporate cybersecurity from the design phase, ensuring that these systems are resilient against potential exploitation, Valla said. “This involves adhering to design/development practices with security in mind as a top priority, implementing real-time monitoring, and creating fail-safe mechanisms. In general, aircraft manufacturers must show that they can either protect against unauthorised access, or if it occurs, isolate the access from propagating to other aircraft systems. They must also demonstrate how they prevent adverse impacts to aircraft systems. And in both cases, they must show how they can maintain these security protections for the transport’s expected useful life as part of earning an airworthiness certificate. These requirements hold for both crewed and uncrewed aircraft.”

What Aviation Operators and Others Can Do For the aviation industry to truly create a robust and resilient cybersecurity environment, everyone has to do their part. This includes airlines, airports, and others associated with civil aircraft operations.

So what do aircraft operators and aviation businesses actually need to do? “They need to really read, understand, and adopt DO-326A/ED-202A for cybersecurity,” Hilderman answered. “They need to do this not only for mandatory new aircraft/systems, but also for legacy aircraft and legacy systems, plus airports and air traffic management, supply chains, and infrastructure.”

A case in point: “Avionics systems are the backbone of modern aircraft, responsible for critical functions that ensure safe and efficient flight,” said Lospinoso. “The potential consequences of a successful cyber-attack on an aircraft’s avionics systems can be catastrophic. Unauthorised access or malicious manipulation of these systems can lead to severe disruptions, compromising safety and operational efficiency. As a result, ensuring the cybersecurity of avionics systems is critical for maintaining the safety and integrity of modern aircraft operations.”

Taking a Big Picture view of this problem, Waël Kanoun opined that, “to improve their cybersecurity and resilience, aircraft operators and aviation business need to adopt an approach that is both proactive and reactive. On one hand, the proactive part should rely on the ‘cybersecured by design’ principle, meaning that security must be placed at the centre of reflections from the outset. On the other hand, the reactive part should aim to constantly update the systems in place to be able to face evolving threats.”

For Roberto Valla, the critical word in Kanoun’s above statement is ‘update’. “Once an airframe achieves safety certification, the thought is to lock it down and not make changes, to avoid triggering any recertification costs,” he said. “But for security purposes, the threats are always evolving, and architectures need to both remain resilient and flexible to be able to thwart future, unanticipated threats. On a larger scale, aircraft operators and aviation businesses must prioritise cybersecurity by adopting a multi-layered defence strategy, which includes regular security audits, employee awareness programs, and the deployment of advanced security technologies. While progress is being made, there is always room for improvement and continued innovation, especially in areas such as threat intelligence sharing and proactive threat hunting.”

The bottom line: Everyone has to work together to create and maintain a robust, resilient cybersecurity environment for the global aviation industry. Fortunately, “the aviation industry is in the process of developing a cohesive cybersecurity strategy,” said Kanoun. “To implement this global strategy effectively, the participation of three key entities is vital: International organisations such as ICAO, IATA, EASA, and FAA, specialised expert working groups in aviation cybersecurity — for example, Aviation ISAC, EATM-CERT, and ECCSA — and national bodies responsible for securing critical instances and environments such as ANSSI in France, NCSC in the UK, and NCA in the US.” Also required is the wholehearted support and participation of airlines, airports, and all aviation-associated businesses.