Airlines prioritise safe connections
Simply sign up to the Cyber Security myFT Digest -- delivered directly to your inbox.
Within just a few decades, the commercial aviation industry has gone from using computers only for flight bookings to operating an end-to-end digital air travel journey across multiple connected systems. Ticketing, passports, payment information, even airport security processes are linked — but these technological advances create security vulnerabilities.
In 2022, there were 38 “successful” cyber attacks on the aviation industry, according to KonBriefing Research.
Then, in April this year, pro-Russian hackers claimed responsibility for a five-day attack on Europe’s air traffic control authority — disrupting its website but not European aviation.
These attacks have become possible because aviation technology is now a “sea of complexity”, says Frank Dickson, a cyber security analyst at IDC, a research company.
“You took a system that was incredibly secure and connected it — [which creates] an attack surface,” he says. “It’s surprising that it hasn’t had more significant cyber security breaches.”
How, then, does the industry protect itself and customers from cyber attacks? Is disconnecting an option?
Most experts doubt whether a large-scale disconnecting of systems to the internet, or from each other, is feasible, given the disruption this would probably cause passengers. In fact, the direction of travel is towards more automation and technology.
However, some airports and airlines — including American Airlines and Spain’s Iberia — have begun exploring new techniques, such as encrypted, single-use digital tokens and facial recognition technology, to verify passengers’ identity. These technologies aim to make journeys through airports faster and more secure and, post-pandemic, with less physical contact. Aviation is “moving to a more digital version of identity management”, says Philippe Vallée, executive vice-president of digital identity and security at Thales, a technology company that supplies the aviation industry.
Nevertheless, airlines and airports still take a twin-track approach, with manual safety precautions. Alexander Döhne, cyber security manager at Germany’s Frankfurt airport, says that, if there is a cyber threat or attack, all its internet-facing systems could be disconnected with a fallback to emergency processes. The airport could use paper lists and telephones to get relevant airline information, he points out.
But the airport is also looking to the future and testing the use of artificial intelligence. Whether it is applied to detect cyber risks, or whether cyber criminals try to use it to attack airports, “AI will have a huge impact,” predicts Döhne.
For their part, airlines argue that their cyber security is strong due to an industry regulatory culture that has always prioritised safety. Best practice includes “air gapping”, in which an IT system or network has no physical or wireless connection to the internet or other systems, and “redundancy”: multiple back-up systems for critical IT functions.
The aircraft they use have been “subject to 40 to 50 years of design culture regulations”, notes Matthew Vaughan, director of aviation security and cyber at the International Air Transport Association (Iata), the airline trade association. “[It’s] near perfect in terms of IT-related interference today.”
Even if a passenger aircraft’s wireless internet connection or in-flight entertainment system were hacked, there is no overlap between these systems and critical IT systems, Vaughan says. “They are physically separate.”
Still, some experts argue that ageing operational systems and fragmented supply chains leave multiple cyber security risks.
Computer and ground control systems that communicate with aircraft can be up to 30 to 40 years old, says Patrick Kiley, an information security expert at Mandiant, a cyber security company owned by Google. As a result, they have not been designed with today’s security threats in mind, which can make them less secure than modern systems.
Pilots also use tablet devices to check the data for each flight — for example, passenger numbers, flight distance and fuel requirements — and any interface connecting “very rapidly evolving technology with a piece of very old technology” can be a security risk, Kiley warns.
However, updating or replacing old aviation computer systems can be tricky.
“Upgrading legacy systems that are constantly in use is like changing the tire on a car while you’re driving it,” says Eric Escobar, principal consultant at Secureworks, a cyber security company.
For many operators, it will have to be done. Governments and regulators are now legislating to raise security standards in aviation.
In March, the US government issued updated cyber security requirements for airports and airlines — including having a plan to improve “cyber security resilience” and measures to prevent unauthorised access to “critical” cyber systems. Last year, in Europe, requirements were strengthened for several industries, including aviation.
But whatever the regulatory and security challenges of an increasingly digitised aviation system, few experts expect that disconnecting it would improve security.
“The train has left the station,” says IDC’s Dickson. “Imagine the cost of a move to paper-based tickets . . . digital transformation is here to stay.”