Cybersecurity as an industry has only really been around for about 40 years. However, the complex landscape of information security continually evolves at a rate that is hard to predict. Within the last 10 years, major cyber attacks and data leaks have become more intense and require additional complications when recovering. The expansion of ransomware attacks and zero-day incidents has grown in scale, including in the aerospace community.
As the decentralized nature of airline operations expands, experts believe that the industry is severely underprepared for a major attack, so much so that airlines are scrambling to reinforce their security posture. According to the International Civil Aviation Organization (ICAO), the first half of 2023 saw a 24 percent rise in cyberattacks in the aviation sector worldwide. Rushed and misappropriated allocations of infrastructure adjustments have created a sense of fear for when the next attack could transpire.
Cybersecurity watchdog groups, including Cyviation, an Israel-based cybersecurity company, have been monitoring the security posture of the aviation industry for years. Israel, like the US, has proven to be one of the leaders in cybersecurity innovation and protection, most notably through their involvement in the Stuxnet attacks in Iran in the 2000s.
Cyviation and its CEO, Aviel Tenenbaum, have raised an initial $4 million in their efforts to scale. What is unique about the company is that rather than strengthening the cyber capabilities of the airline's prominent data usage domains (data hosting, operations centers, and company locations), they have been focused more on researching the aircraft fleet itself.
Tennenbaum stated, "They invest on cybersecurity for the data, IT and general facilities, but only few have so far taken the step forward to actually develop such needed resilience for the fleet and aircraft". And there seems to be some truth in the company's initial aim. With passengers on aircraft being able to access the internet via the aircraft on most commercial flights, access to multiple domains could negatively affect the aircraft's network security. One malicious attack that could reach the network could prove to be dangerous.
However, some frameworks already exist to limit vulnerabilities within the aircraft. In 2015, a report published by the Government Accountability Office raised concerns about a lack of security infrastructure separation between the cockpit avionics and the cabin broadband. The firewall components at the time were all on the same software, presenting a threat if circumvented.
Most aircraft present air-gapped hardware systems that separate general avionics from the traditional cabin network. Additionally, in-flight entertainment systems (like behind-chair screens) are typically hosted on an independent network connection separate from how you might access the internet on your phone or tablet. Application security of the airline's smartphone applications is also vulnerable.
Experts believe that the digital nature of air travel will continually present a running risk for attacks. Digitized Air Traffic Controls (ATCs) and supply chain operations use interconnected communications systems, most of which are digital. As a persistent threat might originate from within a plane, ATC centers can experience threats of their own at the ground level, creating increased risk for communicating with live aircraft.
Regarding cyber and data governance in the skies, the International Civil Aviation Organization (ICAO and the International Air Transport Association (IATA) have expanded their cyber practices in the last few years to meet greater demand for their input. Cyviation and other watchdog groups present independent research and consulting services, which shed light on the current posture.
Cyviation believes the current security landscape is drastically behind and needs a quick refresh. An official, worldwide list of security controls used for aircraft is in the works, with an estimated release in 2025. By 2027, the valuation of aviation cybersecurity is projected to be north of $38 billion. With the rise of cybersecurity attacks, change must be implemented quickly before a cataclysmic event occurs.