The aviation industry includes many domains, assets and interests that must be protected from a wide range of risks and threats. Some of these are linked to technology shortcomings such as software glitches, equipment or control systems failures; others, like cyber attacks, which may exploit known weaknesses, are deliberate. The industry also faces risks of a physical nature, essentially from terrorism, which have been the focus of protective measures for decades.
A holistic approach that addresses all possible physical and other threats, and which includes IT and OT issues, is vital for ensuring people (passengers and crews) and costly assets are afforded the maximum protection possible, for safeguarding business continuity, maintaining resilience and, when possible, ensuring recovery. It must involve all stakeholders, such as industry trade bodies, airports and airline operators.
Aviation is a highly important economic sector with an impact (direct, indirect, induced and linked to tourism) estimated at some USD 2 200 billion, equivalent to 3.5% of global gross domestic product. The safety record of commercial aviation is excellent: it transported some four billion passengers in 2017 without incurring a single casualty. The industry covers commercial (passengers), business, freight and courier aviation. Each carries with it issues that require different levels of protection.
As well as aircraft, the aviation industry covers multiple domains that are linked to:
Until recently, protecting air travel from external security risks predominantly concerned physical threats. This has now evolved to include a broader range of risks (and threats), some linked to technology, others to deliberate cyber attacks targeting IT and OT systems and attacks carried out by different actors for a variety of reasons.
Risks facing aircraft and flights may be linked to technology. These include:
The European Aviation Safety Agency estimates that some 1 000 cyber attacks target aviation systems worldwide each month.
A May 2018 UK Department of Transport Aviation Cyber Security Strategy report stresses that “it is not a matter of if but when cyber-attacks or system compromises are perpetrated against or impact upon the aviation sector”. There have already been cases of such attacks.
A study by the Florida Institute of Technology (Florida Tech) lists the following as aviation industry elements potentially vulnerable to cyber attacks:
Cyber threats (such as ransomware and viruses) targeting other sectors may also affect the aviation industry. This was the case with the NotPetya ransomware that saw Ukraine’s Boryspil International Airport in Kiev lose access to its systems in June 2017.
Other instances are the result of deliberate cyber actions, such as the June 2015 distributed denial of service (DDoS) attack on the flight operations system of Poland’s LOT carrier at its main hub in Warsaw airport. The attack led to the cancellation of 22 flights, leaving some 1 400 passengers stranded.
Airports and ATM/ATC operations rely heavily on a range of industrial control systems (ICS) to operate efficiently. ICS integrate IT and OT. OT systems are often the most vulnerable as they incorporate commercial off-the-shelf (COTS) components that use IT protocols (such as Internet Protocol), which can more easily become targets of cyber attacks than better-protected IT systems are. ICS are central to air cargo handling, airfield lighting, fuel distribution, power management, heating, ventilation and air conditioning systems. Any ICS-related incident may affect entire airport facilities.
Cyber risks to avionics systems are also real. The avionics systems potentially at risk include:
A US Department of Homeland Security official hacked into the systems of a Boeing 757 passenger aircraft parked at Atlantic City airport, New Jersey, in September 2016. This was “a remote, non-cooperative penetration” without insider help or being onboard, using “typical stuff that could get through security”. It raises questions about the safety of onboard avionics systems.
Aircraft manufacturers are aware of many of the risks. A panel session on Securing the critical supply chain, held at a June 2018 conference on Managing Cyber Risk in Critical Infrastructure organized by the Financial Times and attended by e-tech, highlighted the steps manufacturers take to mitigate risks. Airbus Head of cyber security architecture Dr Kevin Jones explained that Airbus introduced a number of measures to protect its supply chain. These include secure remote access for suppliers and a certain measure of access segregation, a full audit of the Airbus production facilities and those of its suppliers and the identification of vulnerabilities. Suppliers have to review their processes and make sure they meet Airbus standards. Similar practices are followed by other manufacturers, Bombardier Chief Information Officer Jeff Hutchinson noted at the time.