A group of security, defense and aerospace experts are releasing a report today to highlight the threats that exist to aviation cybersecurity, underscoring the need for a clear vision to protect against those threats as technologies advance rapidly. Washington think-tank the Atlantic Council brought together airlines, airports, air traffic management specialists and other stakeholders to develop the report, Aviation Cybersecurity—Finding Lift, Minimizing Drag, which finds that preventive measures act as a deterrent, but “declarations of fully secure systems are unrealistic.”
Aviation systems in the past were relatively secure from cyber threats due to the “bespoke nature” of their design and their isolation from other systems, the report notes. “But air traffic management (ATM) is no longer isolated, and ground services and supply chains are becoming fully integrated into an interconnected digital world.”
The report points to vulnerabilities associated with emerging capabilities, ranging from additive manufacturing to unmanned systems, and warns that “their novelty may obscure the cybersecurity risks these technologies introduce.” A shift from legacy radar to GPS and ADS-B greatly improves accuracy and reliability under normal conditions, the report states, but it adds that those systems “...remain susceptible to degradation by environmental hazards or manipulations by hostile actors.”
Airports, which are susceptible to physical breach, are another area of concern, says the report, pointing to numerous other vulnerable areas, such as connectivity systems on aircraft, electronic flight bags and remote towers.
Concerning to the report’s authors is “the speed of innovation, technological advancement and adversary capabilities potentially outstripping policy and regulatory development in many areas of the aviation ecosystem.”
The report offers numerous recommendations for shaping a cybersecurity vision, with a need to focus on international collaboration on managing risks and developing resilient systems. Recommendations range from reinforcing standardization, developing a common understanding of cyber safety and developing robust threat models, to designing systems to capture relevant cybersecurity data and training for safety. Another recommendation it makes is to “incorporate cyber perspectives into accident and incident investigations.”