With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.
To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport category airplanes, engines and propellers against intentional unauthorized electronic interactions (IUEI) that could create safety hazards.” If finalized, the changes will affect the entire industry, including the airlines, third-party vendors and passengers.
Breaches and cyberattacks prevalent in the aviation industry
Cybersecurity attacks and data breaches have touched all parts of the aviation industry for the past several decades. Notable incidents include the Cathay Pacific breach which affected more than 9 million passengers’ personal information and the 2021 SITA breach of frequent flyer members, primarily Star Alliance and OneWorld members. The Los Angeles airport website was the victim of a DDoS attack that took its website offline for several hours.
“The reality is stark: our aviation industry is under constant threat from cyberattacks, up 74% since 2020. With the aviation sector contributing more than 5% of our GDP, $1.9 trillion in total economic activity, and supporting 11 million jobs, we have to wake up and take these aviation cyber threats seriously,” said U.S. Senator Maria Cantwell at a September 18, 2024, Congressional Hearing.
Overall, the aviation industry currently receives a B grade, according to The Cyber Risk Landscape of the Global Aviation Industry, 2024 report. Researchers found that the organizations that were ranked at a B were 2.9 times more likely to be victims of data breaches than those with an A rating, illustrating the big impact of seemingly small differences. Ransomware attacks remain a top threat, with recent research by Bridewell finding that 55% of civil aviation cyber decision-makers have admitted to being on the receiving end of a ransomware attack in the past 12 months. When asked about the impact, 38% reported operational disruption and 41% said that their organization lost data.
Ted Theisen, a Managing Director in FTI Consulting’s Cybersecurity practice, said that the prolific use of legacy equipment and systems in the aviation industry lacks the features needed to protect them, such as installing critical updates and compatibility with new protocols. Because the aviation industry often outsources services to third parties, the vendors can access systems and networks, thus introducing vulnerabilities.
“The distributed workforce and distributed systems create an expanded attack surface that increase access points that can be exploited by threat actors,” says Theisen. “This dispersed setup makes it challenging to secure systems, monitor for cybersecurity threats and mitigate unauthorized access.”
Explore cybersecurity services
Planes provide opportunities for data breaches
While aviation cybersecurity focuses on vulnerabilities and attacks on all systems involved in aviation, the focus of the new rules is on the cybersecurity of the actual airplane. Every time a piece of data, from flight location to an alert about a maintenance issue, is sent from a plane to a network, it is at risk of being breached by a third party.
Because data is continuously sent from every airplane in flight, a high amount of critical data is at risk each day. The National Business Aviation Association reported that the router on aircraft that provides connectivity to the crew and passengers provides a top vulnerability, especially if the router’s password is not regularly changed.
The FAA stated that the change in how airplanes, along with their engines and propeller systems, are increasingly connected to internal or external data networks and services was a key factor in the new rules. The interconnected designs make it possible for a vulnerability to come from a range of new sources, including maintenance laptops, public networks and cell phones. As a result, regulators and industry professionals must more closely monitor the systems for cybersecurity threats.
New rules aim to standardize cybersecurity on airplanes
Since 2009, the FAA has been increasingly issuing more “special conditions” related to cybersecurity. These are temporary regulations for a specific case to address these new vulnerabilities. Executive Director of the FAA’s Aircraft Certification Service Wesley Mooty stated that each of these disconnects adds to the certification complexity, cost and time for both the applicant and regulators. As a result, the FAA has proposed a rulemaking package that covers the most common cybersecurity special conditions to standardize criteria for addressing cybersecurity threats, which will reduce certification costs and time.
The new proposed rules state that applicants for product certifications must ensure that each airplane’s equipment, systems and networks are protected from IUEIs that may result in an adverse effect on the safety of the airplane.
Here are the requirements for protecting the assets as outlined in the official FFA documentation:
- Identify all threat conditions associated with the system, architecture and external or internal interfaces, including the severity of the risk on associated assets, such as systems and architecture.
- Analyze these vulnerabilities to determine the likelihood of exploitation.
- Mitigate the vulnerabilities, such as installing single or multilayered protection mechanisms or process controls to protect.
Impact of the proposed rules
While the goal of the new rules is to standardize the cybersecurity criteria, they are expected to have additional effects as well. Unless a product is updated and must be recertified, the new rules only affect new products — not products currently on the market. Because each product no longer must wait for special consideration for cybersecurity issues, approvals will likely be quicker, meaning new products will get to the market faster.
Additionally, the proposed rules may indirectly affect the passenger experience. When a cybersecurity incident occurs, the airline, airport or third-party vendors typically go offline, which causes delays. With standardized cybersecurity processes and reduced vulnerabilities, passengers may be less likely to be affected by cyber-related incidents.
“The implementation of stricter cybersecurity rules may also result in increased operational costs for airlines, which could affect airfare prices,” says Itay Glick, VP at OPSWAT, a cybersecurity solution company. “While passengers may experience slightly higher ticket costs as airlines pass on compliance expenses, the primary benefit of these new regulations will be enhanced safety and security.”
Preparing for the proposed rules
While the proposed rules are going through the comment and approval process, aviation organizations, including airports, third-party vendors and airlines, should begin planning for the new guidelines. Because the new rules will impose stricter standards, Glick says that organizations need to focus on their cybersecurity protocols, security assessments and incident response strategies.
“To prepare for these changes, airlines should conduct comprehensive risk assessments to identify vulnerabilities and invest in cybersecurity training for employees to enhance their awareness and response capabilities,” says Glick. “Additionally, requirements for advanced technologies like threat detection and endpoint protection are crucial. In order to avoid any incident response requirement, airlines would need to proactively enhance their security posture to avoid a successful attack.”