For nearly a century, commercial aviation has been at the center of technological innovation, from the invention of the jet engine in 1930, to the first electric flight in 2019. Throughout this period, safety has been the primary consideration of carriers and manufacturers alike. But a new security battleground is here. Rather than bird strikes, crosswinds and economic instability, cybersecurity has emerged to widen the spectrum of threats against the aviation industry.
Each day, 45,000 flights are handled by the Federal Aviation Administration (FAA), and around 100 aircraft deliveries a month are made by manufacturers, all contributing to an industry that drives $1.25tr in US GDP each year. Within this intricate web of air traffic management systems, servers and maintenance equipment, operational technology (OT) supports critical physical processes, and terabytes of data on customers, contractors and machinery are stored.
As cybercrime becomes increasingly lucrative, the aviation industry has become an attractive target for hackers who now thrive in ecosystems of organized criminality. To quell the rise of cyber-attacks and keep malicious groups from their shores, airlines and manufacturers must train and test their security programs against realistic attacker behavior.
To earn a commercial pilot’s license, trainees can log up to 50 hours in a simulator, training for different scenarios. The experience they gain from this allows them to be efficient under emergency conditions and fluent in their responses to complex scenarios when flying a real plane. New cybersecurity technologies mirror this concept by condensing three years’ worth of cyber-attacks into 24 hours of realistic training in simulated environments.
If businesses view simulated cybersecurity training as a necessity, carriers and manufacturers can gain cyber-preparedness that goes beyond compliance tick-boxing.
A Regulatory Awakening
In a whirlwind year so far for cybersecurity, regulatory bodies and policymakers have shone a spotlight on the need to further secure systems and networks against rising threats. In March 2023, the Transportation Security Administration (TSA) issued an ‘emergency amendment’ to airports and aircraft operators’ security programs. The amendment requires TSA-regulated entities to develop approved implementation plans to improve their cybersecurity resilience, aiming to prevent disruption and degradation to their infrastructure.
Concurrently, President Biden’s National Cybersecurity Strategy released in the same month reinforces the necessity of defending critical infrastructure by rebalancing responsibility from individuals to large organizations and realigning threat priority by favoring long-term investments.
These actions are in part a response to a litany of attacks against aviation targets. SpiceJet was hit by a ransomware attack leaving hundreds stranded in airports. System outages were also experienced at Los Angeles International Airport (LAX), Chicago O’Hare (ORD) and Atlanta Hartsfield-Jackson (ATL) airport last year, with over a dozen US airport websites also being subject to denial of service attacks. Incidents that have since been attributed to pro-Russian hacker groups.
The International Air Transportation Association (IATA) has also made clear that aviation cybersecurity should be considered as the convergence of “people, processes and technology”, three components dependent upon each other to create a unified cybersecurity strategy. However, in an age where nation-state tactics and techniques are now being used on commercial sector businesses, traditional cybersecurity GDPR approaches to assessing and reducing cyber risk have become obsolete.
Insights Driven Cybersecurity
Hackers know that reputational, financial and operational damage is more costly to a large organization than ransomware payouts, meaning infrastructure providers must demonstrate cyber-readiness so that stage is never reached. To avoid OT downtime, organizations should be using programs that can gather data and insights into their system’s performance. Alexandre de Juniac, former director general and CEO of IATA stated that “the aviation industry is on the verge of a new era, in which the use of data and the ability to turn data into information and insights will be more crucial than ever.”
Organizations using technology such as cyber ranges can allow their system to be trained and tested against real-world attacks in a simulated environment. Much like a flight simulator, cyber ranges can find weaknesses in human interactions with systems, as well as find superfluous tools that can be offloaded, supporting the financial optimization of a company.
By implementing a “train to fail” mindset, organizations can thoroughly train and test against the most sophisticated ransomware, phishing and DDoS attacks and data breach techniques being used by hackers, tactics that currently make up over 60 percent of all cyber threats to aviation today. As these attacks become less effective on tested systems, the risk of safety issues and reputational impact decreases, while trust between customers and airlines, or airlines and manufacturers, improves.
The aviation industry is seen as a bastion of safety and security the world over, and as additional compliance measures signal change for the industry, CISOs must adopt a proactive cybersecurity strategy to maintain stakeholder confidence. By implementing cyber ranges, carriers and manufacturers can gain visibility into their OT assets, resulting in time and cost savings that can be reinvested into the business. Protecting the daily operations of the aviation industry can be achieved if organizations test their systems with the same complexity that hackers are trying to infiltrate them with. As the saying goes, “if it’s smart, it’s vulnerable.”
A former F-15 Fighter Pilot and Cyber Exercises Lead at the U.S. Cyber Command, William “Hutch” Hutchison is CEO and co-Founder of SimSpace. Working at Cyber Command and the National Security Agency, he led the first joint force-on-force tactical cyber training exercise, introducing a ‘special forces’ approach to testing cyber defense teams. Hutch built on those experiences to develop a comprehensive cyber readiness platform at SimSpace which now enables the most sophisticated enterprises, governments, and critical national infrastructure organizations to find intelligence-driven answers to the most vexing security, governance, training, and cyber readiness questions.