Resilient skies: Aviation security
23 May 2018
From equipment suppliers through to airport management systems: the aviation industry is undergoing a sector-wide digital transformation. The migration to new interconnected technology platforms is changing the way aircraft connect to ground-based support systems, as well as how the next generation of air traffic control systems guide them through airspace. While increased connectivity presents significant business and operational opportunities across the industry, the increased threat of cyber-attack against critical national infrastructure operators requires adapting to this new threat landscape.
Migration to new IP based technology presents new ways for industry to optimise both aircraft and navigation operations. An example is remote maintenance, which for airlines in particular provides significant efficiency benefits, such as reducing the financial costs of monitoring and servicing their fleets. Across new satellite links, manufacturers can also leverage real-time data connections to receive airframe and avionic telemetry data, increasing the resiliency of their equipment. The expectation from passengers to remain online while travelling has also driven airlines to competitively increase their aircraft connectivity, and passengers can now access Wi-Fi connections as part of their inflight entertainment suites. However, the adoption of this new technology has widened the cyber-attack surface for aircraft; as new data connections pose the increasing risk that threat actors can gain unauthorised access to avionics and other critical systems.
The Single European Sky Air Traffic Management Research Programme (SESAR) is at the forefront of the transformation towards the next generation of air traffic management systems, introducing borderless navigation across Europe from 2020. SESAR will transform the way aircraft navigate across airspace; from isolated, legacy operational systems to a common, interoperable IP-based technology platform. This introduces both new benefits and challenges for all stakeholders; deploying a vast management network will increase connectivity between all parties who will be able to receive radar, weather and voice communication feeds more efficiently than before. However, this also poses a higher risk that collaboration partners could be inadvertently infected with malware, or targeted as part of a wider campaign by a threat actor exploiting these connections.
The Changing Threat Landscape
Across the sector, organisations will need to proactively adapt to these new threats and take active steps to protect their external data connections and safety critical systems. Consumers of future air traffic management data, such as airline operators, will need to be confident that resilient services are delivered from navigation providers, with the assurance that cyber incidents can be detected, contained and swiftly eliminated through active defence measures. Although aviation executives are accustomed to managing high-risk business environments and safety processes are well established, many in the industry still presume that their operational systems are immune from cyber-attacks. Historically, safety critical systems were isolated from other business environments, however the migration to these interconnected avionics and operational systems demonstrates that cyber security is no longer an exclusively IT problem.
Because security for operational environments can be difficult to retrofit post deployment, engineering stakeholders will need to consider defences for their future systems during design plans. Whilst in operation, these will also need to be tested and maintained in order to ensure systems are defended against continuously evolving threats. There are also opportunities for stakeholders to leverage their collective knowledge of these unique aviation environments during this technology transformation. Whether this is collaborating to develop best practice guidance to support partners overcome similar challenges; or sharing threat intelligence to inform member groups of new threats, increasing the awareness and security of the wider community.
PwC has experience supporting our clients manage cyber security in many safety focused sectors, including aviation. We would be very happy to discuss how your organisation can leverage our experience; get in contact if you wish to know more.