I grew up surrounded by Aviators and their stories. My Dad’s career in aviation spanned 40+ years across military, commercial, management, and regulatory domains. I was never drawn to the skies like he was; instead, I ended up a hacker.
John Ratcliffe forecasted back in 2018, “as devices, aircraft, and systems become more interconnected, cybersecurity will increasingly play a larger role in aviation security. That is because nation-states, cyber criminals, and hacktivists all possess an incentive to manipulate systems within this sector. Whether it be looking to gain a competitive advantage, or financially motivated actions, or simply a political statement, the space will always be crowded by malicious actors seeking to do us harm.”
Securing aviation systems involves proactively identifying, assessing, and addressing potential security vulnerabilities within aviation infrastructure. The work entails simulating cyber-attacks and exploiting weaknesses within the aviation ecosystem. These include communication networks, air traffic control systems, and aircraft avionics. By emulating the techniques, tactics, and procedures (TTPs) of real-world threat actors, cybersecurity professionals can uncover hidden vulnerabilities and evaluate the resiliency of aviation systems against cyber intrusions. The findings from these tests can then be used to develop effective countermeasures, enhance security policies, and contribute to the safety of passengers, crew, and ground personnel.
The aviation industry has witnessed significant digital transformation in the last few decades, with advancements such as the transition from paper-based navigation charts to Electronic Flight Bags (EFBs) for pilots. Additionally, the adoption of connected Aircraft Health Monitoring Systems (AHMS) has enabled real-time monitoring and analysis of aircraft performance data, streamlining maintenance and enhancing overall operational efficiency.
In early 2021, Malaysia Airlines began notifying customers that a data breach exposed the personal information of members in its Enrich frequent flyer program. The breach occurred at a third-party IT service provider, with the data of Enrich members exposed between March 2010 and June 2019. The information exposed includes member names, contact information, date of birth, gender, frequent flyer number, status, and rewards tier level. Member passwords were not exposed. It is unknown how many Enrich members were affected by the breach.
Across the pond in early 2022, researchers reviewed aviation cyber-security attacks over the past 20 years and concluded that the majority of threats originated from APT groups working with state actors to steal intellectual property and intelligence. They also discovered that attacks disproportionately targeted IT infrastructure.
In October of 2022, several major US airports, including Atlanta, Chicago, Los Angeles, New York, Phoenix, and St Louis, experienced distributed denial of service (DDoS) attacks on their public-facing websites. KillNet, a threat actor group, promoted the attacks by publishing a list of targeted sites. Fortunately, the attacks did not impact critical airport operations as the websites hosted extraneous flight and service information.
In December of 2022, the US Department of Commerce placed several Chinese high-tech companies, including those that manufacture aviation equipment on its export controls blacklist. The move, which is intended to bolster US national security, means that export licenses will likely be denied for any US company trying to do business with the firms. Companies based in other countries are also required to comply with the requirements to prevent workarounds.
In March of 2023, the United States Transportation Security Administration (TSA) established fresh cybersecurity mandates for airport and aircraft operators, compelling them to devise strategies to enhance their resilience and avert disruptions to their infrastructure. This is a reaction to the unrelenting threats targeting the nation’s aviation industry and other vital infrastructure. The updated regulations necessitate that aviation entities under the TSA’s jurisdiction implement network segmentation controls, formulate policies, establish access control measures, and develop incident detection and response protocols. Furthermore, organizations must consistently update and patch their systems.
One of the primary challenges associated with testing the security of aviation systems is the inherent complexity and interconnectivity of the various components that make up the aviation ecosystem. This intricate network of systems, which includes aircraft avionics, air traffic management, communication networks, and ground support infrastructure, can make it difficult for cybersecurity professionals to identify and isolate potential vulnerabilities. Moreover, the rapid pace of technological advancements in the industry often outpaces the development and implementation of security measures, leading to a continuous need for updated testing methodologies and tools. Additionally, aviation systems must adhere to stringent safety regulations and standards, which can further complicate the testing process as it requires striking a delicate balance between ensuring security and maintaining compliance.
Another significant challenge is the potential impact of penetration testing on the operational efficiency and safety of aviation systems. Conducting tests on live systems can be risky. Any disruptions or unintended consequences could have severe ramifications, including the potential to compromise the safety of passengers, crew, and ground personnel. As a result, testers must carefully plan and execute their tests in a controlled environment. These environments use simulated systems to minimize the risk of unintended disruptions. However, this approach can also present challenges, as reproducing the exact conditions of real-world systems can be difficult and may not always accurately reflect the actual vulnerabilities present. Therefore, cybersecurity professionals must continually refine their testing techniques and strategies to ensure comprehensive and effective penetration testing of aviation systems while minimizing any negative impact on system operations and safety.
Vulnerability management and remediation also present notable challenges due to the complexity and interconnected nature of aviation systems. As aviation systems are a blend of various components, identifying and mitigating vulnerabilities across these disparate systems can be especially challenging. Additionally, the integration of older, legacy systems with newer, digitally-connected components can create a landscape where vulnerabilities may go unnoticed or be hard to rectify without causing operational disruptions. Moreover, the industry’s heavy reliance on suppliers and third-party vendors can further complicate vulnerability management, as potential weaknesses in one organization’s systems can affect others within the supply chain. Lastly, the high-stakes environment of aviation, where security incidents can have far-reaching safety and financial implications, necessitates a careful, well-coordinated approach to vulnerability remediation, which can be both challenging and time-consuming.
One effective strategy to address the challenges associated with testing aviation systems is the implementation of a risk-based approach to cybersecurity. This methodology involves prioritizing the assessment and mitigation of vulnerabilities based on the potential severity of their impact on critical systems and infrastructure. By focusing on high-risk areas and the most valuable assets within the aviation ecosystem, cybersecurity professionals can allocate their resources more efficiently and develop targeted penetration testing plans. This approach allows for a more thorough understanding of the potential attack vectors and consequences, ultimately enhancing the overall security posture of the aviation industry.
The Aviation ISAC was founded in 2014 and has strong working relationships with aviation organizations, government cybersecurity agencies, and CERTs. A-ISAC is a community of aviation professionals that aims to protect organizations from cyber attacks through threat intelligence sharing and best practices. They offer membership benefits such as global community, threat sharing, and dark web & social media monitoring. The organization also holds events such as the Aviation Cybersecurity Summit and the Student Cyber Challenge.
Developing and utilizing advanced simulation environments and digital twins is another strategy to address the challenges of testing aviation systems. These environments provide accurate, virtual replicas of real-world aviation systems, allowing for comprehensive testing without jeopardizing the safety or operational efficiency of live systems. Virtual targets enable testers to conduct realistic penetration tests and vulnerability assessments, mimicking actual threat scenarios while minimizing potential disruptions to critical infrastructure. Aviation cybersecurity must take a proactive approach to continuously update and adapt security measures to counter evolving threats and protect the complex, interconnected systems that comprise the global aviation industry.
The aviation industry has long been familiar with the use of simulation technologies, leveraging them for various purposes, including the certification and training of pilots. Flight simulators, for instance, have played a critical role in pilot training for decades, allowing pilots to gain experience and hone their skills in a controlled, risk-free environment. These sophisticated devices replicate aircraft controls, systems, and flight dynamics, enabling pilots to practice and master various flight procedures, emergency scenarios, and instrument operations without ever leaving the ground. Leveraging these techniques, the Aerospace Village organization has been instrumental in elevating awareness of aviation cybersecurity issues at the DEFCON and RSA security conferences.
Cisco is ideally positioned to assist aviation organizations in addressing the unique challenges they face. Cisco’s comprehensive suite of cybersecurity services are tailored to the industry’s needs. Cisco’s threat modeling services help aviation organizations identify potential vulnerabilities in their systems, evaluate the risks associated with various attack scenarios, and prioritize mitigation efforts. By using a proactive approach, Cisco helps aviation organizations stay ahead of emerging threats and better protect their complex, interconnected systems. Additionally, Cisco’s penetration testing services simulate real-world cyberattacks, uncovering weaknesses in communication networks, air traffic control systems, and aircraft avionics, enabling organizations to strengthen their cybersecurity posture and ensure compliance with industry standards.
Cisco also offers cutting-edge threat intelligence services, providing aviation organizations with up-to-date information on the latest tactics, techniques, and procedures employed by cybercriminals. This actionable intelligence helps organizations anticipate and defend against potential cyber threats more effectively, reducing the likelihood of successful attacks on their systems. Cisco’s vulnerability management service (formerly Kenna.VM) utilizes machine learning (ML) and a range of other resources to prioritize remediation efforts and provide exceptional visibility into critical risks. The service helps organizations identify patterns and trends, predict potential threats, and prioritize vulnerabilities based on their potential exploitability and impact. This allows organizations to focus their remediation efforts on the most critical vulnerabilities first. Finally, Cisco’s incident response services ensure that, in the event of a security breach, aviation organizations have the resources and expertise needed to quickly and effectively respond to minimize the impact on operations and restore normalcy. By partnering with Cisco and Cisco CX, aviation organizations can enhance their security measures, effectively addressing the challenges they face in today’s ever-evolving threat landscape.
To find out more check out how Cisco CX enabled a frictionless, engaging, and secure passenger experience for Aéroports de Montréal.