Can airplanes be hacked? Navigating cybersecurity threats in aviation


Can airplanes be hacked? This question poses a real concern at a time when headlines about cybersecurity breaches are common and not just a plotline for a blockbuster movie. 

The aviation sector is increasingly reliant on digital systems, encompassing everything from cockpit avionics to passenger service databases, air traffic control communications, and even the infrastructure of airports. As such, the importance of cybersecurity cannot be overstated. 

While aviation has benefited from this technology in terms of efficiency and safety, there are also concerns around the vulnerability of aircraft to cyberattacks in the digital age.   

Data breaches 

The aviation industry faces a range of hacker threats that vary in complexity and potential impact. Data breaches, where cybercriminals target personal information stored by airlines and airports, are one of the most common. This data, which may include passenger names, contact information and payment details, can be used for identity theft and financial fraud. 

One notable case was the 2020 easyJet data breach where approximately nine million customers were affected, and the credit card details of 2,208 people, including CVV numbers, were compromised.  

The incident, considered a sophisticated cyberattack, occurred between October 17, 2019, and March 4, 2020. easyJet disclosed the attack publicly in May 2020 and customers were warned of the risk of phishing attacks using the stolen data. 

When making the news public, the airline told the BBC that an investigation suggested hackers were targeting “company intellectual property” rather than attempting to steal customer data.  

Following the breach, there were reports of credit card fraud, and a class-action lawsuit worth £18 billion ($22 million) was filed against the airline. However, in November 2023 it was reported that the United Kingdom’s Information Commissioner’s Office (ICO) had abandoned the investigation, a decision that was met with criticism from some quarters.  

In October 2023, Boeing also experienced a data breach, as a result of failing to respond to a ransom demand from the ransomware group LockBit.  

LockBit claims to have obtained a large amount of sensitive data from Boeing and threatens to release it unless a ransom is paid. Boeing’s financial details, supplier and distributor information, training materials and internal instructions are reportedly among the leaked data.  

While Boeing acknowledged the cyberattack on November 2, 2023, the company claims that it has had no impact on flight safety. 

Operational disruptions 

Operational disruptions represent a more severe threat. Cybercriminals can deploy malware or ransomware to infiltrate the IT systems of airlines or airports, crippling booking systems, flight operations, and even air traffic control communications. These attacks not only cause financial losses but can also lead to significant safety concerns and the loss of public trust. 

In June 2015, Polish state-owned airline LOT suffered a cyberattack by unidentified attackers, who used a distributed denial-of-service (DDoS) attack, a tactic that overwhelms systems with traffic from multiple sources, to target LOT’s ground computer systems at Warsaw’s Frederic Chopin Airport (WAW). The attack disrupted the processing of passenger flight plans, resulting in the cancelation of approximately 20 flights and leaving around 1,400 passengers stranded. At no point was the safety of in-flight systems compromised.

Another cyberattack along similar lines occurred in October 2022, when pro-Russian hackers, identifying as the group Killnet, claimed responsibility for a series of DDoS attacks on US airport websites, including Los Angeles International (LAX), Chicago O’Hare (ORD) and Hartsfield-Jackson Atlanta International Airport (ATL). The attacks were part of a call to action that Killnet posted on Telegram, listing multiple US airports and urging other hackers to join the DDoS barrage.

Despite the cyberattacks, LAX officials confirmed that the disruptions were limited to their public website and had not affected internal systems. Services were restored, and an investigation was launched with the Federal Bureau of Investigation (FBI) and Transportation Security Administration (TSA) being notified.  

Atlanta officials added that disruptions to website access were only temporary. The motivation for these cyberattacks appears to have been anti-US sentiment, related to the country’s role in the war in Ukraine. 

Hacking the aircraft 

In 2017, during the CyberSat Summit, a Department of Homeland Security (DHS) official, Robert Hickey, revealed that his team had been able to remotely hack a parked Boeing 757 at Atlantic City Airport (ACY) in New Jersey.

The hack took place in 2016 and required no physical contact with the aircraft, using equipment that could pass through airport security to exploit the 757’s radio frequency communications. 

The details remain classified, but the revelation underscored long-standing concerns about the potential for unauthorized access to aircraft systems via interconnected networks such as passenger Wi-Fi. 

A cyberattack on a plane can have disastrous consequences. The crash of Spanair Flight 5022 in 2008, which resulted in 154 deaths, initially raised speculation that malware had contributed to the accident. According to Spanish daily newspaper El Pais, an internal report issued by the airline revealed an infected computer at the airline’s headquarters failed to alert the crew of critical technical issues, including the improper configuration of flaps and slats for takeoff.  

While it was later clarified that the malware had not directly factored into the crash, which took place shortly after departure from Madrid-Barajas International Airport (MAD), industry experts went on to raise serious concerns about aviation cybersecurity and the potential for such threats to compromise flight safety systems. 

Image: Spanair Flight 5022 crash location. Credit: OpenStreetMap / Wikimedia Commons

The aviation industry, recognizing the critical nature of cybersecurity, has developed comprehensive frameworks and protocols to safeguard against cyber threats. Efforts began ramping up in the 2000s as reliance on this technology grew. These frameworks are a collaborative effort, involving input and regulation from industry bodies, international organizations, and governmental agencies. 

Key among these is the International Civil Aviation Organization (ICAO), which has established guidelines for cybersecurity in aviation. These guidelines cover a wide range of areas, including risk assessment, threat identification and response strategies. The ICAO also emphasizes the importance of cooperation between member states of the United Nations (UN) and the sharing of cybersecurity information.

Similarly, the Federal Aviation Administration (FAA) in the United States and the European Union Aviation Safety Agency (EASA) have set forth regulations and guidelines for cybersecurity. These include requirements for airlines and airports to implement robust cybersecurity measures such as integrating safety oversight systems, and for regular audits and assessments to be conducted. 

In addition to these regulatory frameworks, the industry has developed its own protocols and best practices. The Aviation Information Sharing and Analysis Center (A-ISAC) serves as a hub for sharing threat intelligence and best practices among industry stakeholders. Airlines and airports frequently comply with the ISO/IEC 27000 series, a suite of standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), to ensure effective management of their information security risks.   

Aircraft certification plays a pivotal role in ensuring cybersecurity. Both the FAA and EASA require that new aircraft models undergo rigorous cybersecurity testing as part of the certification process. This includes assessing the aircraft’s resilience to cyberattacks and the integrity of its critical systems. Manufacturers must demonstrate that aircraft systems are not only functionally safe but also secure from potential cyber threats. 

This process ensures that cybersecurity is built into the aircraft from the design stage and continues throughout its operational life. 

Emerging technologies in aviation security 

The aviation industry is also turning to emerging technologies like Artificial Intelligence (AI), machine learning, and blockchain to bolster its cybersecurity defenses. AI and machine learning are being deployed to detect and respond to cyber threats more efficiently. These technologies can analyze vast amounts of data to identify patterns indicative of a cyberattack, often recognizing threats faster and more accurately than human operators. They can also learn from each incident, continuously improving their ability to detect and neutralize threats. 

Blockchain technology offers a different set of advantages. Known for underpinning cryptocurrencies, blockchain can provide a secure and unalterable ledger of transactions. Within the context of aviation, this could be used to securely track the maintenance history of aircraft components, the movement of baggage, or even the credentials of personnel, all of which have implications for security. 

However, technology is only part of the solution. Continuous training and awareness programs are equally critical to maintaining a strong defense against cyber threats; together with advanced technology, they constitute a robust cybersecurity posture. Human error remains one of the most significant vulnerabilities in cybersecurity. Ongoing training ensures that all employees, not just IT staff, are aware of the latest cyber threats and the best practices for preventing them. This includes everything from recognizing phishing attempts to following protocols for reporting suspicious activity.

Moreover, awareness programs help to foster a culture of cybersecurity within organizations. When employees at all levels understand the importance of cybersecurity and their role in maintaining it, they become an active part of the defense strategy, rather than a potential weak link. This human-centric approach, combined with advanced technological tools, creates a comprehensive defense against the evolving landscape of cyber threats. 

Advancements in AI and blockchain should enhance aviation’s cyber defense, making hacking more challenging but not impossible. The landscape is ever-changing, and absolute security can never be guaranteed.  

Aviation industry experts continue to grapple with the complexity and persistence of cyber threats, highlighting the need for constant vigilance. 
