Cybersecurity Threats To Aviation Bolstered By Efficiency, Geopolitics

ATLANTA—Occurrences of ransomware inside the aviation supply chain are up 600% in just one year—an indicator of escalating cybersecurity risks the industry is facing.

The statistic was cited by Boeing at Aviation Week’s MRO Americas Conference in Atlanta. 

“There are increasing interfaces to the airframe both in regulated and unregulated portions of the aircraft,” Boeing Chief Security Officer Richard Puckett said. “We have to begin to account for the extended ecosystem of connectivity ... Increasing requests for sensors on almost every working part of the aircraft makes it more efficient but it also makes it more vulnerable because anything that sends or receives a signal can be hacked. Anybody who says differently isn’t really paying attention.”

In addition to the evolution of digital connectivity, a governmental decision to designate aerospace and aviation a critical infrastructure is also raising risk, United Airlines says. 

“It almost paints a target on airspace’s back for threat actors to want to take advantage of that critical infrastructure,” United Airlines Director of Security Jen Miosi said. “Because of that, it’s growing. From a threat landscape perspective, we’re seeing more and more cyber-attacks trying to penetrate into this critical infrastructure that we call aviation.”

Aviation ISAC, a cybersecurity intelligence nonprofit, also pointed to geopolitical motivations. 

“There’s a lot of things around the world that are motivating folks to attack the aviation industry,” Aviation ISAC CEO Jeffrey Troy said. “We have to be concerned about that. We’ve even seen ‘hacktivists,’ people who essentially do some type of cyber activity with the sense of supporting a particular political agenda.”

Noting an escalation of concern around that scenario he added, “Without a doubt the threat side of this equation is increasing.”

In terms of where the largest threat lies, the industry panel looked more to the supporting ecosystem, rather than the airframe itself. Risk prioritization is key, the panel noted, along with ensuring suppliers are thinking about cybersecurity. For some airlines with contracts that are a decade old or more, stipulations on cybersecurity may not exist. It is something United, with upwards of 30,000 suppliers, is addressing. 

“We’re evaluating all of our third parties,” Miosi said. “We’re also working to enhance our contracts with all of our third parties ... adding terms around the need to drive cybersecurity into the supply base.”

In order to build industry resilience against a threat too dynamic to rely on regulations alone, panelists said more voluntary collaboration is needed, along with an acceptance of the risk being real—and growing. Challenging past assumptions and moving forward all speaking the same language in understanding the threats, they stressed, is key.

“It’s a backroom conversation still, because I think people are afraid to expose their own weaknesses that they may have,” Puckett said. “You’re seeing a waterline come down of awareness around the airframe ecosystem. It’s actually more and more exposed to a community that is very, very good at sharing information. One of the things that the attackers do way better than I think the industry does today, is they share.”