The aviation industry has embraced widespread digitalisation over the past decade to improve passenger experience and operational efficiency. However, according to the UN’s International Civil Aviation Organisation (ICAO), this advancement has exposed the industry to increasing cyber-attacks. Notably, a major cyber-attack against a global IT supplier in February 2021 underscored how the aviation sector was susceptible to cascading failures. The recent global Crowdstrike outage has once again highlighted how airlines and airports can grind to a halt when interconnected IT systems malfunction. In addition to rapid digitalisation, there has been an exponential accumulation of sensitive Personally Identifiable Information (PII) following a staggering increase in airline passengers. These two factors have made the aviation industry a gold mine for hackers.
Numerous studies have substantiated this threat; Eurocontrol has published data on various types of cyber-attacks against the European aviation industry since 2020. In their findings, ransomware was the top cyber threat. Beyond Europe, ransomware has generally been the top international attack trend in the aviation sector. One of the most prominent attacks was against Indian airline, SpiceJet in May 2022 which left hundreds of frustrated passengers stranded at airports across the country.
Cyber-attacks against the aviation sector can also affect those sitting comfortably at home. According to the ‘Trends Global Survey’, more than 80% airline passengers book flights via apps or websites. While doing so, they expect their PII to be secure. However, in March 2024, more than 600,000 passengers of Kuwait Airways were shocked to learn that they were the victims of one of the largest data breaches this year. While the integrity of their financial data was not compromised, unfortunately, the same could be not said for passengers of Air Europa who were urged to cancel their credit cards after a cyber-attack last August.
Although airlines can recover from operational disruptions after a cyber-attack, financial losses, particularly those incurred by passengers, are not easily recouped. Moreover, reputational damage poses a more formidable challenge, eroding passenger confidence, which is crucial to the integrity of civil aviation, already strained by ongoing threats from malicious cyber-actors.
On the other hand, military aviation, despite strong interdependencies with the civil aviation sector, remains comparatively less vulnerable to cyber-attacks. This heightened security is primarily due to rigorous monitoring of military avionics and systems and the additional safeguard of being ‘air-gapped.’ However, the landscape is evolving as state-backed Advanced Persistent Threat (APT) groups increasingly employ sophisticated techniques, including Artificial Intelligence (AI) and machine learning, to orchestrate complex network intrusions.
These developments indicate a shift towards more technologically advanced methods of cyber warfare, challenging the existing security measures within military aviation. International cybersecurity firm Kaspersky has warned that this nexus between AI and cyber could enable more sophisticated and automated cyber-attacks. The Swiss global technology company Acronis has assessed similar implications of AI-driven cyber-attacks. Moreover, the advent of increasingly automated and digitally connected smart airports will only further amplify these emerging attack trends.
Despite recent updates to cybersecurity regulations by the American and European Aviation Administrations (FAA & EASA), regulatory frameworks continue to struggle to keep pace with rapid advancements in cyber threats. Similarly, the ICAO has developed a comprehensive Cybersecurity Strategy and Action Plan (CyaP) to combat cyber-attacks against aviation. Additionally, the International Air Transportation Association (IATA) has stressed that an effective cyber defence strategy must integrate three main components: technology, people, and processes, highlighting the multifaceted nature of cybersecurity preparedness in the aviation sector.
Technologically, the sector is exploring innovative solutions to counter AI-enabled cyber threats. One such approach is the use of threat-informed defence, which leverages machine learning techniques to safeguard networks. Similarly, threat monitoring could be entirely automated and augmented by AI to ensure around-the-clock protection against cyber-attacks. In addition to AI, tamper-proof blockchain technologies could be used for storing PPI with robust encryption.
However, technology represents only one facet of the aviation cybersecurity puzzle. Given that passengers are often the prime targets, safeguarding their PII is crucial to any comprehensive aviation cybersecurity strategy. Raising awareness among them is hence crucial considering the proliferation of generative AI has supercharged phishing attacks. Staff training in the aviation industry is also essential for handling unexpected cyber incidents and managing potential panic among travelers effectively. Furthermore, enhanced cooperation between airlines and airports, facilitated by international forums such as the ICAO, is crucial. This collaborative approach goes beyond mere regulatory measures to tackle the dynamic cyber threats facing the aviation sector. Lastly, security processes should be tailored to ensure cyber hygiene across the aviation industry. This could entail mandating Multi-factor Authentication (MFA), strong password policies and adopting zero-trust security best practices centred on verifying all devices and users. Additionally, extensive ‘penetration testing’ of aircraft, airlines and airports should be encouraged to find and address unforeseen exploits in interconnected networks.
To deal with increasingly complex cyber threats, the aviation industry must rigorously implement the cultural and procedural shifts outlined. Such strategic updates are critical to ensure that cyber defences evolve in step with new vulnerabilities, thereby fortifying the industry’s resilience against potential breaches.
Mustafa Bilal is a Research Assistant at the Centre for Aerospace & Security Studies (CASS), Islamabad. He can be reached at cass.thinkers@casstt.com
