Cybersecurity attempts to protect against the known unknowns—and anticipate the unknown unknowns—that come from sources such as malware and targeted attacks. To gauge the commercial aviation industry’s focus on cybersecurity and determine which threats are the greatest priorities for protection to respondents from around the world, the Aviation Week Network surveyed manufacturers, airlines and aftermarket service providers—30% of respondents from MROs. On a scale of 1-10, with 10 being the highest, respondents rated instituting cybersecurity as a priority of at least an 8, with 38% assigning it a 10.
Intellectual property (IP) threats rank as the greatest for the commercial aviation manufacturing and MRO sectors, according to the survey, sponsored by Rockwell Collins (see graph below). Threats from non-state criminals ranked the highest for airlines—followed closely by IP theft. Denial of service was ranked as the lowest.
Civil aviation companies plan to invest more money to protect critical company infrastructure in the next two years than to upgrade aircraft systems or data links, although even those activities still ranked about a 3 on a 5-point scale. So while cyberinvestments still are primarily focused on organizational capabilities, companies also are considering aircraft systems to ensure cybervulnerabilities do not lead to inflight attacks.
Piet Hoogeboom, an R&D engineer for the Netherlands Aerospace Center, says examples of vulnerabilities include inflight disturbance, Automatic Dependent Surveillance-Broadcast attacks or spoofing, and jamming or falsifying messages. Corrupting usage data could affect flight airworthiness or loss of maintenance optimizations, he notes.
Corrupting data also could come from mobile devices, which respondents perceive as the source for the biggest attack vulnerability, followed by internal IT systems. Interestingly, aircraft cockpits, onboard cabin systems and air traffic control were viewed as the least vulnerable (see graph below).
Not surprisingly then, the two cybersecurity investment priorities are access control and malware detection systems. They were each ranked 4.1 on a 5-point scale. The third-highest-ranking priority, at 3.7, was investing in internal personnel, processes and training. Encrypting air-to-ground communications was rated the lowest at 2.8.
While most respondents believe their companies have enough layered security mechanisms on IT networks to ensure data integrity and repel a security breach, MROs had the highest percentage of those who disagreed. Overall, very few respondents knew whether their company had experienced a breach.
From a training perspective, more than half of the respondents indicate cybersecurity instruction is mandated for some or all employees—and another 13% indicated it is offered but not mandated, which goes back to training as the third-highest investment priority. However, MROs lagged in training—46% indicated none is offered, compared to 26% for airlines or air cargo operators and 24% for manufacturing.