Aviation is a cornerstone of national and international commerce, trade, and tourism, which means even an isolated incident could spark a crisis of confidence in the entire sector. The potential impacts on stock market value, stability, and national gross domestic product makes securing and protecting the connected aviation world a critical element of national security.
This study indicates that the aviation industry will likely experience cybersecurity challenges similar to other industries that have embraced the “digital revolution.” As the industry moves forward, will it be able to maintain stakeholder trust by accurately perceiving the risks and opportunities as well as understanding adversary threats?
Previously, aviation systems were relatively secure due to the bespoke nature of their design, isolation from other systems, and little in the way of communication protocols. But aircraft and ATM are no longer isolated, and ground services and supply chains are becoming fully integrated into an interconnected digital world.
In addition, cyber adversaries and their capabilities evolve and adapt quickly. This may be particularly challenging for an industry where many of the systems have long design and development periods. As technology radically transforms design, production, operation, and maintenance of aircraft, models of safety and security must adapt. While new and emerging capabilities, like additive manufacturing and UAS, are transforming the aviation sector, their novelty may obscure the cybersecurity risks these technologies introduce.
Connectivity of aircraft systems, through traditional information technologies and aviation-specific protocols, has now extended the attack surface to the aircraft itself. Aircraft are now complex data networks, yet the ability to monitor them arguably lags behind comparable ground-based networks—as does the ability to avoid and respond to potential cybersecurity incidents. ATM is also undergoing a sweeping modernization program that shifts away from legacy radars and beacons to a heavy reliance on Global Positioning Systems (GPS) and digital communications. Advanced technologies such as GPS and ADS-B can greatly improve accuracy and reliability under normal conditions, yet remain susceptible to degradation by environmental hazards or manipulation by hostile actors.
Airports are a key focal point of adversary interest. As a federated management system with numerous interdependent service providers, deficiencies in airport cybersecurity may allow bypass, subversion, and eventual breaches of physical security. Additionally, as capabilities such as remote tower services gain popularity, balancing commercial interest with sound risk management will be even more difficult. Attacks against public-facing systems at airports may pose little safety risk, but can harm public confidence and trust.
As the domains of aviation and cybersecurity increasingly overlap, the common goals of safety, resilience, and trust can be achieved sooner by working together. Preserving aviation’s strengths relies on clear definition of governance and accountability and recognition of shared responsibility across the supply chain. The aviation industry has a longstanding and robust safety management system with a safety culture embedded in its core. As the cybersecurity industry looks to deliver cyber safety, it should draw upon these strengths and leverage the processes already in place.
The aviation industry has thrived under mature, global policy and regulation frameworks with clarity and coherency. The challenges of cybersecurity are testing this as nations, organizations, and businesses attempt to develop best practice. There will be a key role for the International Civil Aviation Organization (ICAO) in bringing both leadership and vision to the challenge.
With multiple perspectives and stakeholders, it is essential for the increasingly interconnected aviation industry to have a clear, coherent vision.