The Rise of Aviation Information Security


In the vast expanse of technological progress, aviation stands out as a beacon of innovation and safety. However, aviation is changing: the further digitisation and interconnectedness of aviation systems are propelling the industry into a new generation of operational and safety risk. The development of aviation technologies may lead one to the ‘obvious’ conclusion that such innovation is improving the safety of flight. Yet, as with any advancement, there’s a flip side to the coin. The same technologies that propel us forward also introduce new risks, particularly in the realm of information security. Whilst innovation does bring about further functionality and more efficiency, such improvements also open the door to the exploitation of newly introduced vulnerabilities – ones which can bring about more adverse outcomes than favourable ones.

What Is Information Security and Why Does It Matter in Aviation?

Information security, put simply, comprises the measures and practices used to secure and protect information. Considering that the focus of computer systems is to process relevant information for whatever purpose, securing such information is critical to ensure that such systems work safely and as intended. We live in an era where computers pervade every aspect of our lives, from banking to healthcare, and this area has evolved to improve operations in all areas of industry. Computing has also become more popular and accessible, including to those with bad intentions. The aviation industry is no exception, due to its significant growth in popularity, as well as the geopolitical symbolism it carries in the world. Humanity’s heavy reliance on the industry makes aviation an attractive target for malicious adversaries, all of whom have one common goal: they want to have some form of impact, and what better way than targeting an industry that is relied on by billions of people every year? Aviation makes an enticing victim, and this is why digital weapons are starting to be used against it.

So Where Am I Going with This?

Looking back throughout history, there are numerous instances of fatal physical attacks on the aviation industry. The effects of these attacks are still felt today and have influenced the various security regulations that we all know too well. The increasing digitisation and interconnectedness of aviation systems introduce new attack surfaces which malicious actors can take advantage of to impact the safety of flight. By further interconnecting systems and processing larger volumes of data, such innovation opens up the frontline in the battle against information security threats. We have confidence in current rules protecting against most physical threats faced by the industry, but what about the digital ones? Digital threats today have become as prevalent, if not more so, given the number of digital systems that are implemented across all areas of the industry: navigation, communication, avionics, corporate, and MRO, amongst many others.

Are These Threats Becoming a Reality?

We are already witnessing cyber attacks on aircraft in-flight. Wartime situations tend to highlight the threats aviation faces, especially when such threats are backed by state actors with significant resources. For example, the Baltics are currently seeing instances of GPS signal spoofing (signal spoofing: mimicking a signal to seem like the real thing), which is rendering this widely depended-on and critical navigation system ineffective. Aircraft may suddenly receive inaccurate position and time data, making it seem that the aircraft is in a different position than it actually is. Imagine relying on your GPS for directions, only to find yourself miles off course due to a malicious signal. It’s not just inconvenient; it’s downright dangerous.

With the increasing reliance of air operations on satellite-based navigation (including during the approach phase), the safety risks increase exponentially. Similarly, we have seen successful attacks on the Electronic Flight Bag, which allowed attackers to alter aircraft performance calculations, posing a tangible threat to flight safety. Pilots, armed with inaccurate calculations, risk disastrous outcomes like tail-strikes and runway excursions. These examples underscore a crucial reality: as aviation becomes more digitised and interconnected, so too do the vulnerabilities. While we’ve fortified ourselves against physical threats through stringent regulations, attackers today can simply deploy digital weapons to compromise the operation of these systems with varying levels of impact – including ones that result in injury and even loss of life.

The Dawn of Aviation Information Security Regulation

Thankfully, regulators are taking notice and have started to acknowledge and address the risks posed by digital systems in recent years. Cyber security legislation has already started to come into effect, such as the EU’s NIS2 Directive, which requires all member states to implement cyber security regulation for relevant organisations by October 2024. We are now seeing such considerations being made in the aviation industry through EASA’s upcoming PART-IS Regulation, laid down by the EU’s Delegated and Implementing Regulations in 2022, requiring organisations in scope to establish and implement an Information Security Management System (ISMS).

For the first time, the European regulator is acknowledging the information security risks that have an impact on aviation safety – a niche area that significantly lacks experts with the combined knowledge of information security and aviation. The regulation aims to take a holistic approach towards information security in aviation, factoring in all associated information security risk areas of a given entity (whether directly or indirectly impacting aviation safety), and enforcing the implementation of relevant controls to minimise such risks to acceptable levels. Furthermore, the regulation also requires entities to implement appropriate monitoring that will enable them not only to detect information security events and incidents, but also to respond to and recover from incidents within timeframes that reflect the perceived level of impact on aviation safety. Starting with the Delegated Regulation (October 2025) and continuing with the Implementing Regulation (February 2026), all relevant entities are expected to be compliant in time. This is a proactive step toward safeguarding our skies in an age of unprecedented technological complexity.

Looking Ahead

We are currently in an exciting yet challenging period that will see aviation risk management take on a new and much-needed perspective, one that appreciates the information security risks on flight safety, as well as the creation of a new threat landscape that poses a danger to human lives. It will be interesting to see how affected entities will adapt to these new regulations, but the road ahead won’t be easy. Implementing these regulations requires significant investment in resources and training. Organisations must begin preparing now to meet the upcoming deadlines, ensuring they’re equipped to navigate this new landscape of compliance and security. As we stand on the cusp of this regulatory shift, it is crucial to recognise the importance of ensuring the continued safety and security of aviation for generations to come.
