Is it surprising that the speed of technological adoption in the aerospace industry lags behind the speed of development of cyberthreats?

The double-edged sword of digitalization has exposed land-based space to malicious cybercriminals. Considering that what flies into the air has to be managed from land, we have always known that the civil aviation industry is also vulnerable; but the shocking truth is that the speed of technological adoption in the aerospace industry lags behind the speed of development of cyberthreats.

Add to this the fact that the massive damage that crashing aircraft and hijacked avionics can wreak on land, and you can imagine how urgently we need to address aviation security.

To get an idea of the threats, weaknesses and opportunities at play in the aviation cyberspace, CybersecAsia interviewed Yannick Le Ray, Head of Cybersecurity for Aeronautics at Thales, ahead of the Singapore Airshow 2020.

CybersecAsia: How has the evolving cyber landscape changed the way airspace and the aviation industry is being breached and protected?

Le Ray: The industry has jumped into digitalization and connectivity with both feet and is fast developing the concept of the connected aircraft and the connected aerospace ecosystem.

Aircraft are becoming nodes in a network, with airborne, space and ground systems that share digital data based on software-driven technologies and internet connectivity. By 2026/2027, up to 60% of the global fleet will be connected and aircraft are projected to generate 98 million terabytes of data. Passengers are also more and more connected in flight thanks to satellite and digital technologies. And commercial drones are revolutionizing the aerospace sector: in the coming years, there might be 10 times more commercial drones than manned aircrafts.

On the flipside of the numerous benefits, connectivity creates exposure to cyberthreats. The attack surface is dramatically growing and each new interaction becomes a potential point of entry for a cyberattack. Airborne, space and ground systems are increasingly using standard technologies (wireless networks, USB connections, tablet computing, firewall, etc.) on which traditional attack techniques apply. Increased vulnerability also comes from the moving nature of cyberattacks: they are constantly evolving, and increasingly using new technologies such as AI to select their targets, optimize their intrusion capabilities, determine the best vulnerabilities to exploit and slip under the radar of any detection systems.

Whilst being aware of the requirements for cybersecurity and fully engaged in the need to ensure all nodes of communications are secure, there remains a lack of understanding of the number and depth of attack surfaces that can be opened by a fully-connected aerospace ecosystem. The speed of technological adoption in the aerospace industry lags behind the speed of development of cyberthreats. This creates a situation where future technology already in the pipeline for adoption by the industry does not necessarily take into account the speed at which hacking techniques develop.

In the aviation ecosystem, cybersecurity involves not only the protection of information in the form of digital data, including consumer data, but also the associated networks, computers and portals that are transporting and enabling access to data in the whole ecosystem.

This requires end-to-end approaches based on intelligence, expertise and operations, the three necessary pillars for a successful and efficient cybersecurity. Such approaches cover the entire cybersecurity cycle, delivering solutions based on “cybersecurity by design”, from risk assessment to crisis management, including the development of people’s competences. 

CybersecAsia: What are the shared and distinct roles of governments, enterprises and their cybersecurity partners in building a safer aviation industry, protecting consumer data, and ensuring a more secure cyberspace?

Le Ray: Since the first commercial use of airplanes, governments have been and continue to be heavily involved in promoting and regulating the aviation industry.

In the current civil aviation context where air traffic is rapidly increasing with new types of aircraft and airspace users, the operational environment is becoming more complex. Cybersecurity incidents may affect the traveling public and damage trust in the civil aviation system. Risks are growing rapidly and there is a strong need for a sustainable cybersecurity framework at the international, regional and national level.

With large amounts of operational and passenger data exchanged wirelessly and shared through multiple systems, there is a natural concern for the security and integrity of passenger data, payment transaction information and intellectual property of stored or streamed content.

In this context, some countries such as France and Israel have put in place a centralized regulatory approach for critical operators who must meet a set of specified safety and cybersecurity requirements, according to new legislations. For example, the French national cybersecurity agency (ANSSI) awards specific qualifications such as security incident detection service provider (PDIS) or audit and consultancy services providers (PASSI). These qualifications are an endorsement of the selected enterprises as trusted end-to-end cyber partner for critical operators.

In the United States, the Department of Homeland Security coordinates a national infrastructure protection plan and requires sectoral plans from various agencies such as the Federal Aviation Administration (FAA) that oversees civil aviation safety. The FAA’s safety mission is critical and includes the publication and enforcement of regulations and standards for the manufacture, operation, certification and maintenance of aircraft. The agency is responsible for the certification of aviators and airports serving air carriers. It also runs a program to protect civil aviation safety and enforces regulations under the Transportation of Dangerous Goods Act for shipments by air.

Enterprises must continuously ensure the performance, the resilience and the security of aviation industry’s critical information systems, facing numerous breakthroughs in information technology and the permanent evolutions of cyber-threats. The aviation industry is a specific domain where safety and cybersecurity are in close relationship. To ensure both secure skies and cyberspace, companies need to combine expertise in cybersecurity and aviation. Only teams with dual expertise who fully understand the cyberthreat landscape and the specific missions, operations, architectures and constraints of the aviation industry, can cybersecure safety preponderant systems such as air traffic, avionics and airports. 

Building a robust cybersecurity infrastructure, which relies on strong cooperation among states, industry and international aviation organizations, assures the creation of a common cybersecurity consciousness that will ultimately lead to a more secure and resilient civil aviation system.