Business Aviation Insider

Aviation Cybersecurity: Risks and Mitigations

If you think your flight operation can’t be outwitted by hackers, think again.

Forty years ago, novelist William Gibson coined the term cyberspace to describe the “creation of a computer network in a world filled with artificially intelligent beings.” Gibson’s anti-hero was, interestingly enough, a talented computer hacker.

A decade later the world wide web was born, unleashing nearly instantaneous communications with others anywhere on the planet. While the internet evolved into a communications success, the cyberworld it created also cultivated a successful platform for scam artists to manipulate and control people along with their data. Cyberspace today is a world bombarded by cybercriminals attempting to hijack valuable information capable of bringing an individual, company or even a government agency to its knees.

Jim Kazin, a business jet captain and flight department security officer, remembers the early days of cybersecurity. “It was all about physical security, developing policies and procedures for [airport] gate access, cameras, locks and key controls,” he recalled. “Cyber wasn’t even on the horizon.”

Fast forward to today, and cyberattacks are increasing at an alarming rate. According to an April 2023 BlackBerry Global Threat Intelligence Report, unique malware attacks increased by 50% – from one per minute in October 2022, to a rate of 1.5 per minute three months later. “Hackers have gotten very, very savvy,” Kazin said. “Anything with an N-number on it remains a huge target.”

The end goal of a cyberattack is always the same: access to the user’s password, the key to admittance to both personal banking and corporate networks. Why just this single point of failure? Because, according to Scott Augenbaum, a retired supervisory special agent in the FBI’s Cyber Division, “Some 60% of the population keeps using the same password across multiple platforms.”

According to Augenbaum’s book, “The Secret to Cybersecurity,” no victim ever expects to be a victim. After interviewing nearly 1,000 cybercrime victims, Augenbaum learned that “almost 90 to 95% of the cybercriminals were located outside the U.S., usually in Russia, China, Philippines, Bangladesh and West Africa. Once cybercriminals steal your money or your data, it’s nearly impossible to retrieve.”

What’s worse, Augenbaum said, is that the chances of law enforcement bringing the bad guys to justice are even worse than the chances of getting your money or data back.

Protecting Civil Aviation

At least two U.S. government agencies provide oversight of cyber threats to civil aviation. The FAA’s Threat Analysis Team conducts intelligence analysis, issues threat warnings and provides stakeholders with relevant information. The team also serves as the FAA’s intelligence lead on all security threats to the NAS, FAA mission areas and regulated operators and aviators. Also on the case: the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA), which manages and reduces risks to the nation’s cyber and physical infrastructure.

Many people, including those across business aviation, often let their guard down by thinking they’re too savvy to be fooled by hackers. But experts say bad actors rely on human nature to do their dirty work. Curiosity is a typical example.

“Hackers will drop high-capacity thumb drives in busy locations hoping unsuspecting travelers will plug them in just to see what’s on them,” Kazin said. “The thumb drive then plants malware that may go completely unnoticed. Also beware of using public USB chargers at airports.” Plugging in may give you a disastrous chunk of malware while you’re charging your phone.

Ransomware attacks pose another hacker risk that experts say is increasing. In a ransomware attack, data is hacked – often including backups. The targeted data – which could include sensitive information about business aviation clients, important maintenance records or critical aircraft sales figures – is held hostage until the victim pays a ransom.

All it takes is the loss of one password to open the door to a ransomware attack that could wipe out an entire company. Scammers can be clever. “Once they steal your information they get into your system and see if you have insurance or not,” Augenbaum said. “Then they figure out what price point the victim can tolerate.” Often – even after a ransom is paid – victims never regain their precious data.

Aircraft Routers

Realistically, any device with an IP address is vulnerable to a cyberattack, including the router on an aircraft providing Wi-Fi connectivity to passengers and crew. It’s one reason flight departments should regularly change that router’s password. Although company-issued personal devices – smartphones, tablets and laptops – are often locked down with anti-malware protection, the weakest link in the network turns out to be a lack of awareness on the part of the human carrying them.

Tricks designed to fool you include phishing attacks or spoofs in which someone masquerades with a realistic subject line tempting the user to click. Another tactic is vishing – a unique use of artificial intelligence. The bad guys record a cell phone’s outgoing message and use AI to create new audio messages that sound like the user’s voice – real enough, some experts say, that even their own family doesn’t recognize the scam.

To increase awareness, some corporations may use work phones or laptops as a testing/training ground to guard against cyberattacks. The IT department might send an internal email or text employees a harmless-looking link to see if anyone will click. The company then records the IDs of those who fall victim to this test – triggering additional training in the future.

Phishing, text messages and bogus phone calls are the weapons of choice for today’s cybercriminal, Augenbaum said. Once someone’s been scammed, those passwords find their way to “The Dark Web,” where millions of user IDs and passwords stolen through data breaches are regularly bought and sold.

Importantly, most individuals and companies miss the point of making people more aware. “The private sector does not realize the lack of sophistication required to do serious damage to an organization,” said Augenbaum.

Cyber Resilience

Shay Colson, managing partner at Coastal Cyber Risk Advisors, doesn’t think the term cybersecurity is particularly helpful. “It’s undefined,” Colson said. “It implies there is an end state when you become secure. The reality is, it’s all a journey. I think there’s a better word than ‘security,’ like ‘resilience.’ We’re really trying to build cyber resilience. That gives us a sense of what we’re trying to accomplish, to become more robust, to become more self-aware, to become more redundant and eliminate single points of failure.”

When it comes to business aircraft, Colson says it’s important to recognize what you can control. “For the people who own and lease planes, they’re not building avionics systems, they’re not building the entertainment systems. They’re not building the network on those airframes. But they can influence their employees, their systems and their security controls.”

Quick Poll

Do your flight department personnel receive cybersecurity training at least once a year?
  • Yes: 78.26%
  • No: 21.74%

Potential Solutions

Spotlighting risks is important, but people really want to know what they should do next. Experts agree the best solution to cybercrime is prevention education. “Users need to become a human firewall of sorts, a process that begins with self-reflection,” Colson said.

No one can protect everything all the time, so users can surface vulnerabilities by asking: What information could give a criminal leverage over a user? Or: What information is sensitive to a company or its clients? Then, begin protection efforts there.

In a business flight operation, “you might start thinking about an acquisition,” Colson said. “The executive team flies to meet with the leadership of that other company. If you’re publicly traded, this movement information could be useful to a competitor or an adversarial intelligence trader who’s trying to determine why these trips are happening.”

Solutions evolve from awareness, so equipment-specific training is critical: pilots and others in flight operations know when something isn’t quite right. “If there were a cyber event at your company, would your team know what to do?” Colson asked. “Is there a written plan? Has your department tested and practiced it?”

For long-time industry leaders – many of whom grew up as pilots, schedulers or dispatchers and are now flight department leaders – “they’ve never before tackled an issue like cyberattacks,” Colson said. “We need to support them by leaning on their business and industry knowledge with available IT support and help them align flight operations with these new areas of risk.”

Review NBAA’s cybersecurity resources at nbaa.org/cybersecurity.
