Why aviation needs to prioritise cybersecurity
After major data breaches hit American Airlines, Southwest Airlines, and the Scandinavian airline SAS this year, it’s become evident that the cyber security threat to aviation is very real, writes Vance Hilderman.
As a result, in the US in March of this year, the Transport Security Association (TSA) issued an emergency amendment to the security programmes of numerous airports and airlines.
The amendment requires regulated airports and airlines to develop a plan to improve cybersecurity resilience and assess and update that plan regularly. And both the Federal Aviation Administration (FAA) and European Aviation Safety Administration (EASA) have simultaneously mandated new aircraft cyber-security regulations such as DO-326A and ED-202A.
But while I’m happy to say that many airlines and airports are beginning to adjust, in many cases security is still behind where it should be. Here’s what you need to know about cybersecurity in aviation today, what the new TSA guidelines and FAA regulations change, and how the industry is responding.
Security compliance today
Security compliance ultimately comes down to the sheer amount of technology the industry relies on. Tech plays a critical role in the safety of aircraft, passengers and inflight crews. In particular, air traffic control (ATC) is essential for safe landings and route optimisation.
Airports also feature various communication systems that are safety-essential, as well as surveillance and security systems, all of which are vulnerable to varying degrees.
What’s more, airport reservation and airline ticketing systems process passengers’ financial and personal information continually throughout a given day, making them a major target for hackers.
Today’s aircraft rely on avionics produced by more than 30,000 software developers, who write millions of lines of software logic every year; all of that code provides “attack vectors”, meaning vulnerabilities that hackers and malware target.
In short, technology is essential to the way that airports and airlines operate today, which means cybersecurity needs to be top of mind. But there are four major threats to that security today in the form of insider threats, aircraft system vulnerabilities, phishing attacks, and AI-based malware attacks.
Insider threats are security breaches brought about by someone within an organisation, whether inadvertently or maliciously. Insider threats have always been a problem, but they are especially noteworthy now because they are on the rise globally.
Many of these threats are simply due to some form of negligence or simple mistakes on the part of employees or contractors; in fact, 80 percent of data breaches are the result of human error.
A simple employee mistake was the cause of an FAA system failure early this year that grounded thousands of flights. These types of mistakes could impact ground systems, compromise air traffic control, or allow malicious actors to access communication systems.
Today’s avionics increasingly use commercial off-the-shelf software, easily updatable software, and onboard networks to operate the aircraft.
Each of these provides attack vectors whose vulnerabilities can be leveraged by hackers. The new DO-326A and ED-202A cyber-security document set is meant to thwart such attacks.
However, the most common attacks are phishing attacks, in which malicious actors send emails, texts, or other messages disguised as coming from legitimate senders, with the goal of obtaining private information or credentials.
And the recent introduction of generative AI systems has only made matters worse. Email-based phishing attacks surged a staggering 464 percent after the introduction of generative AI systems like ChatGPT, making this a bigger worry now than ever before. AI has also made malware a bigger problem, particularly with the advent of WormGPT, a generative AI programme that specifically creates cyber threats and malware.
The truly scary thing about these AI-enabled malware systems is that they make it possible for nearly anyone to develop malware and initiate threats 24/7 with no real limits. These new threats make it more necessary than ever before to ensure airports and airlines are compliant with the new TSA emergency amendment.
Before the amendment
Of course, it’s not as though airports and airlines didn’t have security measures in place prior to the TSA amendment. In addition to utilising standard anti-malware and cybersecurity systems, the aviation industry is also required to comply with standards like DO-278A, a protocol created by the Radio Technical Commission for Aeronautics (RTCA) in the United States.
DO-278A deals with software testing and safety for ground systems, specifically communication, navigation, surveillance, and air traffic management (CNS/ATM) systems at airports.
Developers use the guidelines provided by DO-278A to ensure that their software functions correctly and safely. The standard requires testing of how CNS/ATM systems function under a worst-case scenario. DO-278A-compliant systems need to be able to safely handle the worst of bad inputs, user errors, and external interference. So the standard already guarantees a certain level of resilience to security threats.
The problem is that DO-278A isn’t comprehensive, and doesn’t specifically address how to adequately protect these systems from cyber attacks. DO-326A is a cybersecurity standard for airborne software, but as yet there is no equivalent for airport CNS/ATM systems in the United States.
However, there is a cybersecurity standard for that purpose in Europe in the form of ED-205, called Process Standard for Security Certification/Declaration of Air Traffic Management/Air Navigation Services (ATM/ANS) Ground Systems.
This standard lays out specific requirements for the development and testing of those systems. One major reason the TSA amendment was necessary was to fill the absence of a similar standard in the United States and also provide coverage for additional systems beyond the scope of ED-205, like ticketing systems or airline mobile apps.
However, unlike ED-205, the TSA amendment is more flexible and still leaves a lot of room for how cybersecurity is managed, which could mean some security gaps will remain. Still, it’s a good starting place for airlines and airports to improve security.
The TSA amendment requirements
Here’s what I mean by saying the TSA amendment is more flexible: rather than laying out specific development and testing guidelines for software like ED-205, it simply requires TSA-regulated entities to develop and implement cybersecurity resilience plans.
The plans must describe the measures that the entity is taking to improve such aspects as risk management, incident response, cybersecurity awareness training, and so on. The amendment also requires airports to proactively assess the effectiveness of those measures so they can be improved or updated as needed.
Airports and airlines will have to submit their cybersecurity resilience implementation plans to the TSA for approval, then implement the approved plan and submit annual reports to the TSA on its progress.
Here are just a few of the specific things airlines and airports will have to start doing, and in many cases have already begun to do, to comply with the amendment.
First, they’ll need to develop network segmentation policies. That means the digital operations of the airline or airport need to be divided up into parts that can each function independently if another part of the network gets attacked or compromised in some way.
Second, aviation companies will have to develop effective access control methods to prevent unauthorised access to their systems. They’ll have to go beyond just password-protecting user accounts and use multi-factor authentication (MFA), which requires multiple points of identity verification prior to allowing access.
Third, these organisations will also need to develop plans for how they will monitor and respond to cybersecurity incidents. This should include a plan for communicating with any affected parties and mitigating the impact of cyber incidents as much as possible.
Fourth, they will need to update systems continuously. Legacy systems that weren’t designed to face the latest cyber threats present many vulnerabilities for malicious actors to exploit. Those systems need to be patched and updated regularly to maintain security.
And finally, airports and airlines alike will need to step up cybersecurity training. Remember that the vast majority of breaches are due to human error, so this is the number one way to reduce breaches.
Make sure employees know about the danger of phishing attacks and how to recognise scam emails. Train workers to monitor their accounts and report suspicious activity. Doing all of these things will significantly reduce cyber incidents for the aviation industry.
In reality, the new amendment in the US doesn’t require anything particularly groundbreaking. These are all measures that airlines and airports should have been taking all along. The trouble is that they haven’t been, and with the growing prevalence of cyber threats today, better security is an absolute must.
The TSA amendment is a good start, but there’s plenty more work to be done.