With increasing digitalisation and the growth of connected systems — up to and including the Industry 4.0 technology wave — cybersecurity and information security are a key element of ensuring aviation safety. With high-profile data breaches increasingly common, what does the aviation industry need to know about these key elements of operational safety and security? Join us for the latest in our introductory series of ab initio primers.
“Safeguarding critical aviation infrastructure, including air traffic control systems, against cybersecurity attacks is of paramount importance as they can disrupt operations, compromise safety, and undermine the trust users place in them,” Lisa Ventura — a cybersecurity and technology specialist, founder of cybersecurity Unity, and member of BCS, the UK chartered institute for IT — tells us. “The strategies to be put in place must, above all, aim to implement a global, coordinated defence between all stakeholders, because cybersecurity threats know no borders, and the air transport system will only be as strong as its weakest link.”
Xavier Depin, products and services security officer at Airbus, highlights that “air transport cybersecurity issues are first and foremost an air transport issue that must be addressed by its specialists. This will necessarily involve collaborative work with cybersecurity specialists and experts, as well as upskilling civil aviation specialists in the field to develop the dual-skilled profiles that the sector has and will increasingly need.”
Integrating the security management frameworks of the wider technology industry will certainly be a challenge for aviation, which continues to tackle substantial legacy system technology debt, as well as increasingly sophisticated threats.
Risk-based approaches are key to tackling cybersecurity threats
With high-profile data breaches of customer information becoming increasingly regular, and penalties from data regulators strict, many public-facing companies (in aviation’s case, usually airlines) are ahead of the wider industry curve on cybersecurity and information security.
“Adopting a proactive and risk-based approach to cybersecurity is the first thing that the aviation industry should look at when it comes to evolving cyber threats and vulnerabilities that are associated with the increasing digitisation of aircraft system and air traffic management,” Ventura recommends. “This includes developing and implementing a comprehensive cybersecurity strategy that aligns with the organisation’s overall risk management framework, with the strategy identifying and assessing cybersecurity risks, including those associated with digitalisation, and implement appropriate controls to mitigate those risks.”
Even those companies that aren’t public facing may well be dealing with sensitive data, while the interlinked nature of the aviation industry means that organisations of every size and in every part of the industry need to avoid being the proverbial weakest link in the cybersecurity chain.
“Investing in robust cybersecurity technologies and solutions is also critical, and this includes deploying security solutions that can protect against a wide range of cyber threats, such as intrusion detection and prevention systems, firewalls, and data encryption. Organisations should also invest in security monitoring and incident response capabilities to detect and respond to cyberattacks quickly and effectively,” Ventura says. In addition, she notes, “It is vital to build a culture of cybersecurity awareness and training. All employees, including those involved in the development, operation, and maintenance of digital aircraft systems and air traffic management systems, should be trained on cybersecurity best practices. This includes training on how to identify and report suspicious activity, as well as how to avoid common cyber threats such as phishing attacks.”
Collaboration and information sharing across the industry will also be vital. In a sector often reluctant to work together for reasons of competition, or perceived competition, siloes need to be broken down in the interest of passengers and aviation as a whole.
“The civil aviation sector has adopted a multifaceted approach to safeguarding its operations against cybersecurity threats. These measures, developed between regulators, operators and original equipment manufacturers encompass a wide range of regulations, practices, standards, and technologies aimed at safeguarding aviation infrastructure and information,” Depin notes, explaining that “the measures implemented are of three types — governance, physical and technical — and meet the distinct but complementary needs of prevention, detection, reaction and recovery.”
Measures here include a strong approach toward integrating cybersecurity requirements into both policy and business management systems within an organisation. Requiring robust and standardised digital signatures, especially for onboard or ground operations systems, as part of authentication and systems integrity is another weapon in the arsenal. Wherever possible, design-level segregation of onboard networks — a challenge in an industry where an airframe’s hardware may serve thirty or more years and see multiple passenger-facing hardware and software updates — should be specified.
IoT and connected aircraft are a particular risk
Connected aircraft and the growing number of sensors enabling benefits around the Internet of Things (IoT) can on the one hand improve operational safety and security, while on the other hand opening up new risks by multiplying the number of devices and attack vectors for bad actors.
“IoT devices are typically small and have limited processing power, which makes them more vulnerable to cyberattacks. Additionally, IoT devices often collect and transmit sensitive data, such as passenger information and aircraft performance data. This data is a valuable target for cybercriminals,” Ventura says. “Connected aircraft are equipped with a variety of sensors and other devices that are connected to the internet. This allows airlines to collect and analyse data about aircraft performance, maintenance, and passenger experience. However, it also creates new attack vectors for cybercriminals. For example, attackers could exploit vulnerabilities in connected aircraft systems to gain control of an aircraft or to steal sensitive data.”
Looking towards the increasingly connected future, Depin concludes, “the security posture to be put in place by each and every air transport player must cover their systems as much as their operations, and take into account the human aspects that are fundamental in dealing with cybersecurity. The development of these security postures must of course draw on existing cybersecurity management frameworks, and must involve industry specialists like designers and operators in order to take into account the specificities of air transport.”
Author: John Walton
Published 07 December 2023