The European Aviation Safety Agency estimates that some 1 000 cyber attacks target aviation systems worldwide each month.A May 2018 UK Department of Transport Aviation Cyber Security Strategy report stresses that “it is not a matter of if but when cyber-attacks or system compromises are perpetrated against or impact upon the aviation sector.” There have already been cases of such attacks.
A study by the Florida Institute of Technology (Florida Tech) lists the following as aviation industry elements potentially vulnerable to cyber attacks:
- Access, departure and passport control systems
- Cargo handling and shipping
- Flight management systems
- Flight traffic management
- Hazardous materials transportation
- On-board computer and navigation systems
- Reservation systems
Cyber threats (such as ransomware and viruses) targeting other sectors may also affect the aviation industry. This was the case with the NotPetya ransomware that saw Ukraine’s Boryspil International Airport in Kiev lose access to its systems in June 2017.
Other instances are the result of deliberate cyber actions, such as the June 2015 distributed denial of service (DDoS) attack on the flight operations system of Poland’s LOT carrier at its main hub in Warsaw airport. The attack led to the cancellation of 22 flights, leaving some 1 400 passengers stranded.
Airports and ATM/ATC operations rely heavily on a range of industrial control systems (ICS) to operate efficiently. ICS integrate IT and OT. OT systems are often the most vulnerable as they incorporate commercial off-the-shelf (COTS) components that use IT protocols (such as Internet Protocol), which can more easily become targets of cyber attacks than better-protected IT systems are. ICS are central to air cargo handling, airfield lighting, fuel distribution, power management, heating, ventilation and air conditioning systems. Any ICS-related incident may affect entire airport facilities.
Cyber risks to avionics systems are also real. The avionics systems potentially at risk include:
- Communication systems to ground control through data-links used to send two-way information between aircraft and ATC when an aircraft is too far away to make voice radio communication and radar observations possible
- Inboard WiFi and entertainment systems which may be used to display false or alarming messages to passengers and crews
A US Department of Homeland Security official hacked into the systems of a Boeing 757 passenger aircraft parked at Atlantic City airport, New Jersey, in September 2016. This was “a remote, non-cooperative penetration” without insider help or being onboard, using “typical stuff that could get through security”.
Aircraft manufacturers are aware of many of the risks. A panel session on Securing the critical supply chain, held at a June 2018 conference on Managing Cyber Risk in Critical Infrastructure organized by the Financial Times highlighted the steps manufacturers are taking to mitigate risks. Airbus Head of cyber security architecture Dr Kevin Jones explained that Airbus introduced a number of measures to protect its supply chain.
These include secure remote access for suppliers and a certain measure of access segregation, a full audit of the Airbus production facilities and those of its suppliers and the identification of vulnerabilities. Suppliers have to review their processes and make sure they meet Airbus standards. Similar practices are followed by other manufacturers, Bombardier Chief Information Officer Jeff Hutchinson noted at the time.