The aviation industry is crucial to the global economy. Its annual impact has been estimated at more than $2 trillion, or 3.5% of global gross domestic product, according to the American Institute of Aeronautics and Astronautics.
Disruptions to this worldwide transportation network can cause ripples of economic and social turmoil around the globe. Aviation’s critical infrastructure must be protected.
Ground and flight operations have depended heavily on computer systems for the past couple of decades. The interconnectedness and interdependence of IT systems can boost operational efficiency, safety and consumer satisfaction.
“Modern aircraft are increasingly connected to the Internet,” the U.S. Government Accountability Office reported in 2015. “This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems.”
What is Vulnerable to Attack?
Cyber elements that are potentially vulnerable to attack include:
- Reservation systems
- Flight management systems
- Access, departure and passport control systems
- Flight traffic management
- Cargo handling and shipping
- Hazardous materials transportation
- Onboard computer and navigation systems
Cyber attacks are becoming “the weapon of choice” targeted toward the aviation industry, according to an analysis by the InfoSec Institute.
Types of Cyber Threats
Cyber risks can range from errors made by IT personnel that leave systems vulnerable to exploitation to malicious attacks designed to inflict damage to operations and threaten safety.
For example, in June 2015, a Polish aircraft with hundreds of passengers aboard was grounded in what airline officials believe was likely a Distributed Denial of Service (DDoS) attack, according to a Reuters report. In a DDoS attack, hackers seek to flood critical computer systems with traffic, causing the server to overload and cease functioning.
Cybersecurity researchers also have warned that hackers could target satellite communications equipment on passenger jets through WiFi and inflight entertainment systems.
Additionally, the nonprofit Center for Internet Security (CIS) has reported that 75 U.S. airports were impacted by an Advanced Persistent Threat attack in 2013, including two where the computer systems were compromised.
The CIS said it issued a cyber alert after identifying a malicious phishing email directed toward aviation industry professionals.
Cyber Threat Prevention
Such threats are increasing pressure on airlines, airports and aviation managers to bolster their cyber defenses. The International Air Transport Association (IATA) has developed an Aviation Cyber Security Toolkit that includes training videos, a risk analysis tool and other resources.
“IATA continues to assist airlines in developing a robust cyber security strategy and to help drive coordination of global efforts to address cyber threats to aviation,” the association, which represents more than 250 airlines, says on its website.
In its 2015 report, the Government Accountability Office (GAO) called for the Federal Aviation Administration to develop “a more comprehensive approach to address cybersecurity” as it embraces next-generation technology.
The GAO noted that the aviation regulatory agency had adopted measures to protect its air-traffic control system from cyber intruders. However, “significant security-control weaknesses remain that threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system.”
Information Security Framework
Developing an information security (IS) framework to protect aircraft and air traffic control systems can include a series of steps, among them:
- Assessing and understanding immediate risks and potential threats
- Conducting research and development
- Providing incident response
- Defining design and operational principles
- Establishing common cyber standards for aviation systems
According to global aerospace manufacturer Boeing, an effective IS framework “continually prevents, detects, and responds to security threats.”
Another essential component of a secure system is a trained and qualified cybersecurity team. Private companies and government agencies across industries are competing to hire cybersecurity professionals.
A 2014 report by the RAND Corp. found that demand had been outpacing supply since 2007, and the U.S. Bureau of Labor Statistics (BLS) projects that employment of information security analysts will jump by 37% nationwide between 2012 and 2022.