With the vast majority of aviation procedures now transitioned into digital format, airlines and the aviation sector in its entirety must give priority to cybersecurity. Should a cyber malefactor launch an assault that impacts a system relevant to aviation – whether owned by an airline or a third-party provider – the entire process, spanning safety measures to passenger well-being, could face repercussions.
To heighten security within the aviation sphere, the FAA recently put forth new regulations to bolster cybersecurity on aircraft. These regulations aim to “safeguard the equipment, systems, and networks of transport category airplanes, engines, and propellers from deliberate unauthorized electronic interactions (IUEIs) capable of creating safety risks.” If these measures are ultimately enacted, they will impact the broad spectrum of industry stakeholders, including airlines, third-party vendors, and passengers.
Incidents of breaches and cyber assaults prevalent in the aviation sector
Cybersecurity assaults and data breaches have infiltrated all segments of the aviation industry for numerous years. Noteworthy episodes encompass the Cathay Pacific breach, impacting over 9 million passengers’ personal data, and the 2021 SITA breach affecting frequent flyer members, particularly those in the Star Alliance and OneWorld programs. The Los Angeles airport website fell victim to a DDoS attack that rendered its website inaccessible for several hours.
“The reality is severe: our aviation industry faces persistent threats from cyber attacks, up by 74% since 2020. As the aviation sector contributes over 5% of our GDP, totaling $1.9 trillion in economic activity, and supporting 11 million jobs, it is imperative that we awaken to and treat these aviation cyber risks with gravity,” expressed U.S. Senator Maria Cantwell during a Congressional Hearing on September 18, 2024.
Collectively, the aviation industry presently holds a B grade, as per The Cyber Risk Landscape of the Global Aviation Industry, 2024 report. Researchers discovered that organizations graded at a B rating were 2.9 times more prone to falling victim to data breaches than those with an A rating, demonstrating the significant impact of seemingly minor disparities. Ransomware attacks persist as a primary threat, with recent findings by Bridewell revealing that 55% of civilian aviation cyber decision-makers acknowledged experiencing a ransomware assault within the past year. When queried about its impact, 38% cited operational disruption, while 41% reported data loss within their organizations.
Ted Theisen, a Managing Director in FTI Consulting’s Cybersecurity division, remarked that the prevalent use of outdated equipment and systems within the aviation sector lacks the necessary attributes for safeguarding, such as the integration of crucial updates and compatibility with novel protocols. Given that the aviation industry frequently relies on third-party service providers, these vendors may access systems and networks, thereby introducing vulnerabilities.
“The widened workforce and network systems establish an expanded attack surface magnifying access points exploitable by threat actors,” articulated Theisen. “This dispersed framework engenders challenges in securing systems, monitoring cybersecurity threats, and mitigating unauthorized access points.”
Discover cybersecurity solutions
Aircraft present avenues for data breaches
Despite aviation cybersecurity targeting vulnerabilities and offenses across all aviation systems, the focus of the new regulations directs attention toward the cybersecurity of the physical aircraft. Any transmission of data – be it relating to flight status or an alert concerning maintenance issues – from an aircraft to a network exposes it to potential breaches by external entities.
Due to the ongoing transmission of data from every airborne aircraft, an extensive volume of critical data faces daily risks. The National Business Aviation Association disclosed that the router on aircraft providing connectivity to crew and passengers poses a significant vulnerability, particularly if the router’s password remains unchanged at extended intervals.
The FAA highlighted that the transformation in the connectivity of aircraft – together with their engines and propeller systems – to internal or external data interfaces and services is a principal factor underlying the new regulations. The interlinked designs pave the way for vulnerabilities originating from various sources, which include maintenance laptops, public networks, and mobile devices. Consequently, regulators and industry experts must engage in heightened monitoring of systems to counter cybersecurity threats.
New regulations strive to standardize aircraft cybersecurity
Since 2009, the FAA has been progressively imposing a greater number of “special conditions” pertaining to cybersecurity. These conditions serve as temporary norms designated for specific instances to tackle emerging vulnerabilities. Wesley Mooty, the Executive Director of the FAA’s Aircraft Certification Service, mentioned that each of these disparities contributes to heightened certification complexity, costs, and time for both applicants and regulators. Consequently, the FAA has tabled a regulatory packet encompassing prevalent cybersecurity special conditions to establish uniform criteria for addressing cybersecurity hazards, ultimately reducing certification expenses and duration.
The new proposed regulations stipulate that applicants seeking product certifications must guarantee the protection of each aircraft’s equipment, systems, and networks against IUEIs capable of jeopardizing aircraft safety.
Outlined below are the prerequisites for safeguarding assets as delineated in the official FFA documentation:
- Identification of all threat conditions associated with the system, architecture, and external or internal interfaces, encompassing severity
- Evaluate the danger associated with assets, like systems and structure.
- Assess these weaknesses to gauge the possibility of exploitation.
- Counteract the weaknesses by implementing singular or multi-layered protective measures or operational controls to safeguard.
Consequence of the suggested regulations
Although the intention of the latest regulations is to establish uniform cybersecurity standards, they are anticipated to have supplementary ramifications. Unless a product requires an update and necessitates reauthorization, the new regulations will solely impact new products, not those presently available in the market. As every product will no longer necessitate special deliberation for cybersecurity concerns, endorsements are probable to be expedited, ensuring that new products reach the market more rapidly.
Furthermore, the suggested regulations might indirectly influence the passenger journey. In the event of a cybersecurity breach, the airline, airport, or third-party suppliers usually go offline, causing delays. With standardized cybersecurity procedures and diminished vulnerabilities, passengers may encounter fewer setbacks resulting from cyber-related incidents.
“The enforcement of stricter cybersecurity regulations might also culminate in escalated operational expenditures for airlines, potentially impacting airfare rates,” emphasizes Itay Glick, VP at OPSWAT, a cybersecurity solutions provider. “Even though passengers could notice marginally pricier tickets due to airlines transferring compliance expenses, the chief advantage of these novel directives will be improved safety and security.”
Preparation for the forthcoming regulations
Amidst the discussion and endorsement of the proposed regulations, aviation bodies, comprising airports, third-party suppliers, and airlines, should initiate preparations for the upcoming guidelines. Since the new regulations will impose more rigid standards, Glick advises that entities concentrate on their cybersecurity strategies, security evaluations, and incident response plans.
“In readiness for these modifications, airlines must execute thorough risk evaluations to recognize vulnerabilities and allocate resources towards cybersecurity education for staff to augment their understanding and reaction capabilities,” Glick suggests. “Furthermore, demands for advanced technologies like threat detection and endpoint protection stand as vital. To bypass any necessity for incident response, airlines should proactively boost their security setup to avert successful breaches.”