Aviation Cyber Threats

How Ready is the Civil Aviation Industry to Mitigate Cyber Threats?

Author: Nissim Belzer, Tech Lead at CyViation, an IAI/ELTA company

Civil Aviation took a hard blow during the Covid19 worldwide pandemic. Most, if not all airlines, reported a dramatic decrease in flight activities, OEM slowed manufacturing and the second and third industries’ circles were seriously affected, as well. While many of us are still eager to pop on a flight and visit new places, the reality is challenging and it seems as if it will take some time for our travel and the aviation industry to regain momentum again.

Surprisingly, cyber events were not slowing down during this period, rather they have increased to alarming scales.

“Between 2019 and 2020, there was a 530% increase in cyber-attacks reported to Eurocontrol … there were 775 cyber-attacks on airlines in 2020 – and 150 at airports…Some 95% of these attacks were financially motivated, according to the Eurocontrol report, leading to a financial loss in 55% of cases. Nearly 35% saw the leaking of data”.

Responding to the increased cyber-attacks, the higher risk exposure and the growing awareness of the need, the EASA (The European Union Aviation Safety Agency) and the FAA (Federal Aviation Administration) are pushing the industry towards better awareness and a proactive approach in building cyber security readiness. For example, their DO-326/ED-202 and DO-356/ED-203 documents serve as guidelines for development and manufacturing processes, and DO-355/ED-204 documents serve as guidelines for the aftermarket (in-service) life cycle.

These guidelines also cover and address the operational aspects of an airline, and the aircrew’s readiness to address future cyber threats.

While these guidelines are in the process of becoming mandatory, the OEMs and airlines, traffic control, airports and other major players are not yet rushing to adopt the regulation. Each entity adopts different types of cyber security measures, mainly relying on standard IT, OT and IoT protection.
The civil aviation industry is known for its ‘lesson learned’ tradition; the functional safety domain, for example, is covered during manufacturing, training, maintenance, life cycle operations and so on, due to safety events that have occurred in the past.

But one of the most important aspects of Cyber Security is post-events investigations, where the investigators share knowledge, conclusions, best practices and any other information that is important to learn from, for aircrew, manufacturers, airports and other related players. The importance of this sharing method is in its efficient and immediate distribution of knowledge that can assist in mitigating future event occurrences. The ‘lessons learned’ mode of operation proved itself by saving lives, but is not yet being applied when it comes to cyber-attacks on aircraft, airlines or airports, nor to cyber threats newly discovered (even zero-day vulnerabilities).

In fact, major players tend to keep this information close to their chests for various reasons: the need to keep passengers calm, the desire to keep finance investors assured, lack of proper infrastructure for sharing, and sometimes lack of capabilities to detect cyber-attacks in real-time. So, how resilient to cyber threats is the aviation industry really?

In Mid Nov 2021, around the Dubai Airshow event, and while trying to address this question, a group of industry worldwide representatives from aviation authorities, airport management, airlines and cyber security companies experienced an aviation cyber security simulation aimed at assessing readiness and identifying needed actions.

Figure 1: The Aviation possible threat landscape

Grouped by industry segments around shared tables, the participants were divided into several workgroups: airlines, manufacturers, policy managers and government representatives, airport SOC and operations and cyber security groups, aviation industry leaders and pilots.

During the simulation that lasted half a day, every few minutes a cyber event was reported simultaneously to all the groups. No guidelines or directions were given. No relation or connection between any of the cyber events was reported in advance and each group was asked to provide its feedback on what it would do, recommend or ask.

The events were spread geographically and were associated with various categories and domains. For instance, a specific aircraft reported a GPS issue during a fly-by-wire landing, close to a specific airport. A few minutes later, a different airport reported an issue with the incoming/departure board display which was “frozen”. A few minutes later, a different aircraft reported an issue with the duty-free charging process during flight. A similar event was received from a different airline/aircraft but in the same longitude.
As the chain of events was received, the participants were asked to discuss, report, share, collaborate, and act as they saw fit. Initiated ‘brainstorming’ breaks were conducted in order to assess specific snapshots of ‘what we know’ and ‘what should be done’ status.

This simulation demonstrated in a small scale, but clear way, a need for improved readiness and mitigation policies and playbooks as well as for much higher resilience to cyber threats. Some of the main observations were:

Data sharing & collaboration are key components of understanding, detecting, and mitigating cyber events. Keeping data isolated within each group could lead to impairing the event resolution.
Event analysis - connecting the dots between separated events, differentiate between safety, malfunction and cyber events.
Aircrew cyber training - operators should be better trained and qualified to understand, identify and mitigate cyber events just as they are trained and ready for any other safety events. DO-355 addresses this issue, but as mentioned, it is not yet mandatory for airlines, airports, pilots, etc.
Reporting and event awareness are partial and rely on pilots’ personal capabilities of understanding developing events. The attacks are rarely reported in real-time and the incident logs are available sometimes hours or days after the events occurred.

CyViation was created in order to help the commercial and private aviation industry build its cyber resilience and be better prepared for cyber threats and risks.

Founded in 2021, as a spinoff from Israel Aerospace Industries and Elta, we leverage years of extensive R&D efforts, aviation and cyber security know-how, a wealth of experience and resources needed to craft a valuable set of solutions to help the commercial and private aviation industry mitigate cyber threats.

From anomaly detection tools, airborne and ground analytical platforms, mitigation rules and live update models, we are committed to helping the commercial and private aviation eco-system build cyber security capabilities, resilience, knowledge and training, in order to ensure a safer, cyber secure, air space.