Turbulence ahead: Cyber threats in aviation

Aviation and aerospace can’t fly under cyber threat actors’ radars anymore.

Man has always been keen on pushing past preconceived limits. The Wright brothers made the skies the limit … until Neil Armstrong took a giant leap for mankind by stepping onto the surface of the moon.

None of these advances would have been possible without the ingenuity of tinkerers, scientists, and engineers, or the fearlessness of test pilots. In recent years, software developers have become a new kind of jet ace, helping an entire industry focused on breaking past barriers, both physical and technical. But today, the focus is increasingly on facing difficulties beyond the sky — in cyberspace.

A stormy threat landscape

The 20^th century witnessed aviation develop from a hobby into an industry innovating at a breakneck speed. In fact, it took little more than a decade to go from the first powered aircraft (1903) to the first instances of aerial combat in mass-produced warplanes (1914), and just 66 years to put man on the moon (1969).

Over that time, the industry’s growth encompassed everything from manufacturing aircrafts and working out component logistics to becoming a transportation juggernaut with the requisite umbrella of regulations and regulatory bodies.  Add in the operation of airports and airlines, and you can quickly understand the magnitude of the industry’s latest pushing of the envelope: figuring out how to navigate the digital dimension and meet the critical and growing need for significant cybersecurity.  

From red barons to fancy bears

While Manfred von Richthofen, aka the “Red Baron,” is remembered for methodically hunting the skies during the first world war, becoming a legend of skill and competence, the damage he could inflict was confined to a single battle at a time. Digital threats in aviation don’t have the same constraints.

These threats are global, and the aviation sector is a prime target. The sector’s value to bad actors is a consequence of its size, its role in critical strategic defense and economics, and the interconnected nature of both its supply chains and its technologies (including digital). These elements have attracted advanced persistent threat (APT) groups and criminals alike, including MirrorFace, Lazarus, and Sednit (also known as fancy bear), that use sophisticated attack techniques to sabotage, spy on, or steal from entities in aviation. From aircraft manufacturers to airlines and airports, any aviation-related business can be a target.

Hacktivists have also taken a fancy to causing aviation-related mischief, hacking airports or their websites for ideological reasons. Whatever an attacker’s motivations might be, the result of such disruptions can include further system vulnerabilities, delayed or cancelled flights, exposure of sensitive data, or worse, potentially even air traffic accidents.

Aviation’s most wanted

The stakes are high. But what is it that threat actors desire the most when it comes to aviation? Consider what said industry covers:

• Costly R&D and IP: The tip of the spear in aerospace is the development and engineering of modern planes, related tech, and facilities. These efforts create a market worth billions. Airplane manufacturers who have invested significant capital in research and development obviously don’t want their pricy designs floating around in cyberspace, but threat actors are willing to jump through significant hoops to steal and sell such intellectual property on the black market.

  
  

• Logistics and connected systems: Aircraft are a part of complicated, interdependent, global supply chains, delivering people and goods across the globe. Knowing when a particular shipment/plane is due to lands or what flight path it will follow can enable clandestine operations outside the realm of mere cyberspace.

  
  

• People: There are lots of shady moves a criminal can play with access to a person’s data — in fact, it’s a crucial factor in social engineering and identity theft. Now imagine what a bad actor could do with the stolen identity of an air traffic controller or a pilot …

Airborne

Another reason why the aviation and aerospace sector sits among critical industries is its deep connection to the military, an area in which the highest form of innovative expression can often be located. 

The convergence of aviation and aerospace encompasses everything from fighter jets and surveillance drones to transport planes, UAVs, and both rockets and missiles. This secures the sector as an essential component in nation state power projection.  Because of this, the sector is considered a critical component of national security. 

For this reason, any disruption — whether through cyberattacks, supply chain vulnerabilities, or geopolitical tensions — can directly impact a nation's defense capabilities and economic contributions, making the protection and resilience of aviation infrastructure a strategic priority.

How to raise resilience in aviation and aerospace?

So, with a wealth of data, designs, systems, hardware and people to protect, how can the aviation sector ensure an accident-free airspace? Government-mandated standards like the Implementing Regulation (EU) 2023/23 (including Part-IS provisions  for the identification and management of info security risks), Delegated Regulation (EU) 2022/1645 or the NIS2 light the way, detailing a foundation for ensuring continued cyber resilience in aviation.

Some of the security features required by these regulations involve the establishment of holistic risk assessment, management, and mitigation strategies for any ICT or operational tech (OT) system in use under the “Information Security Management System” moniker (ISMS), with an emphasis on rapid response to, and proper reporting of, threats.

Preventing turbulence

To be frank, most of the safety measures required by regulations like Part-IS are not strange, otherworldly ideas. They’re all standard preventive approaches in cybersecurity:

• Access controls: Zero-trust security remains a key approach to preventing the abuse of access to sensitive systems and data.

  
  

• Risk assessments: Vulnerability management, as ever, should be a top priority for any organization running multiple systems and apps.

  
  

• Endpoint protection: Endpoint security is a basic tenet of business defense posture.

  
  

• Detection and Response: Taking endpoint and network security to the next level, advanced detection and response by the use of EDR or XDR-enabling tools can stop sophisticated threats before they cause large-scale incidents.

  
  

• Data protection: Nearly every cybersecurity regulation has a form of data protection as part of its requirements, such as encryption, a simple, but powerful option for maintaining data integrity.

  
  

• Awareness training: Human error is a major factor in enabling security breaches, and human awareness is critical to stopping them.  For this reason, training employees on best practices is key to preventing security failures, such as those stemming from social engineering.

  
  

However, where there are extremely critical systems involved, regular cybersecurity measures might not be enough.

The right solutions for aviation

Regardless of where on the industry spectrum a company sits, increasingly rigorous requirements demand approaches custom-tailored to the organization’s specific environment. Critical aviation manufacturing facilities, R&D centers, valuable IP, and thousands of human lives daily depend on protection that, for the lack of a better expression, simply cannot fail.

To that end, ESET provides scaled security bundles and services for the businesses and service providers of these complex organizations. Using a prevention-first methodology, ESET delivers highly relevant technologies to limit security vectoring across the supply chain. Attack vectors often manifest as phishing attacks, cloud security threats, ransomware and advanced persistent threats by bad actors.

To further boost security potential of even the most complex organizations, the ESET Corporate Solutions division also works to support custom security implementations that are designed specifically with sensitive sectors in mind. 

Rounding things out, ESET delivers both standard and bespoke implementations that align with the needs of even the most sensitive businesses. These can range from standard and modified endpoint security suites to solutions designed in cooperation with a variety of technology partners, as well as embedded solutions that connect core ESET tech and deep research expertise into third-party-controlled environments, fully aligning the security to the vision and features a partner requires.

Another happy landing

In conclusion, the aviation and aerospace industries will remain fixed in the crosshairs of cyber threat actors. Their deep interconnectedness and overlap with military and civilian safety, economic prosperity, and national security mean that the sector has no room for error. Whether by establishing prevention-first cybersecurity to create an instant safety net or developing a more delicate, individual approach with embedded custom solutions, ESET is happy to support these industries with utmost care.