The aviation sector is a prime target for cyberattacks. Airports, airlines, aircraft, and the many subcontractors and service providers involved in all of these industries manage a ton of personal data like passport and credit card details. On top of that, with airplanes themselves becoming increasingly digital, networked components used for navigation and communication systems for example have created even more vulnerabilities for cybercriminals to exploit. Unsurprisingly, the number of cyberattacks on the aviation industry has skyrocketed as a result. Read on to learn more about the cybersecurity landscape in aviation systems development and what kind of standards the industry requires manufacturers to comply with in order to ensure the airworthiness of their products!
Cybersecurity in aviation systems development
Similar to the automotive industry, aviation has become increasingly digitized over the last few years. Rather than relying on old mechanical systems, modern aviation systems development now leverages all sorts of technological innovations like augmented reality, 3D printing, machine learning, cloud technology, and perhaps most importantly in the context of cybersecurity issues, the Internet of Things. Networked communication systems and aircraft components are more important than ever nowadays. But while the automotive industry has already spent years mitigating the cybersecurity vulnerabilities that cropped up as a result of their digital evolution, the aviation industry is still playing catch up.
The reality is that as airplanes and aviation systems have become more digital and connected to the Internet of Things, the integrity and security of data have become much more vulnerable. The basic premise here is that if it’s controlled by a computer, in theory, it can be hacked. The more connections there are, the more vulnerable your system is. So the very interconnectivity of aviation systems which allows the industry to benefit from innovation and new technology, also creates a prime environment for unauthorized access to occur.
These cyberthreats are also constantly evolving, which is why government and industry leaders regularly have to evaluate the ways they ensure information security and aircraft safety for everyone involved. That’s why in October 2019, the International Civil Aviation Organization (ICAO) published its first Aviation Security Strategy which provides guidelines on how to prevent and deal with cyber incidents, and also why aviation systems developers have to adhere to certain industry standards when creating their products and services.
The most common types of cyberattacks in the aviation industry
Understandably, one of the biggest concerns people have is that someone malicious might be able to seize control of an aircraft in flight and cause an accident or redirect a plane for criminal reasons. While tampering with airplane systems is not unheard of, most of the incidents (that we know about, in any case) were actually researchers uncovering vulnerabilities in order to improve avionics cybersecurity.
For now anyways, the real and constant threat is actually more to the sensitive information managed by the aviation industry, which can be stolen for identity theft, financial gain, or even political reasons. Between 2019 and 2020, the number of cyberattacks against airlines and airports increased by a whopping 530%. According to the report, the majority of these attacks were financially motivated and caused financial loss and data leaks. In some cases, malware and ransomware attacks have been conducted simply to cause disruption to business operations.
Here are some examples of the biggest data breaches in the aviation industry to date:
- Air Canada: In August 2018, the data of approximately 20,000 Air Canada customers was compromised when cybercriminals managed to gain access to their mobile application
- British Airways: Also in 2018, 400,000 customers and BA staff were affected when hackers took advantage of BA’s lack of cybersecurity measures and inserted malicious code to steal sensitive personal data
- EasyJet: In May 2020, EasyJet revealed that four months earlier they had fallen prey to a highly sophisticated cyberattack and that the data of 9 million customers had been breached
- Air India: In May 2021, Air India announced they had suffered a cyberattack resulting in the theft of 4.5 million of their customer records in an attack targeting passenger sensitive information between August 2011 and February 2021.
While no digital device is “immune” to hacking, it’s evident from the increase in frequency and severity of cyberattacks against the industry that aviation is particularly vulnerable. That is why the European Aviation Safety Agency recommends following a variety of standards like DO-326A, DO-356A, and DO-355. These aviation standards outline the best practices and recommendations for developing aviation systems in the safest and most secure way possible.
Safety vs. security in aviation systems development
Safety standards have always been deeply entrenched in the aviation industry. And since the early 2000s, so have cybersecurity standards, both as parts of existing safety standards and in standalone guidelines which only address cybersecurity concerns. Let’s explore the difference between the two overlapping areas!
Safety guidelines in aviation systems development set standards for preventing incidents that could compromise the physical safety of passengers and staff as a result of software or hardware failure or malfunctioning. For example, if a flight control system fails and causes the engine to stall or the wind turbines to stop working, that is a safety concern.
From a cybersecurity perspective, guidelines are supposed to prevent, identify, and mitigate unauthorized access to aviation systems. Ideally, a hacker will not be able to gain entry to the systems, but on top of that, they need to be designed in a way that even if someone does breach them, the overall system and aircraft will still be able to operate in a way that safeguards the health and safety of everyone involved.
Here are some of the key industry standards involved in ensuring both the safety and cybersecurity of aviation systems:
- RTCA DO-178C / EUROCAE ED-12C
- RTCA DO-254A / EUROCAE ED-80
- RTCA DO-356A / EUROCAE ED-203A
- RTCA DO-355 / EUROCAE ED-204A
- SAE ARP4754A
- And RTCA DO-326A / EUROCAE ED-202
While the other standards regulate the functional hazard analysis and safety guidelines that aviation systems developers should perform, it is DO-326A which addresses cybersecurity concerns specifically.
What is DO-326A/ED-202A?
DO-326A/ED-202A “Airworthiness Security Process Specification” is the US and European compliance standard for all aircraft, engines, rotorcraft, and propellers. This standard is the main certification guideline for aircraft cybersecurity and is the de facto industry certification for aviation software systems.
Like its sibling standards, DO-326A is all about ensuring airworthiness. However, in the context of DO-326A, airworthiness security is defined as the protection of aircraft from unauthorized interaction. It focuses heavily on preventing aviation systems from being breached by hackers or getting infected by malware for example, as any resulting failure could drastically threaten the safety of passengers and operators.
DO-326A was designed to address the full development lifecycle of aviation system cybersecurity, from concept to deployment and retirement.
The seven core steps of DO-326A are:
- Plan for Security Aspects of Certification
- Security Scope Definition
- Security Risk Assessment
- Risk Acceptability Determination
- Security Development
- Security Effectiveness Assurance
- Communication of Evidence.
Find out more about what each of these steps requires from aviation systems developers, and how to comply with DO-326A! To learn more about DO-326A and cybersecurity engineering in aviation systems development, check out our eBook: