Aviation Industry and Cybersecurity: Mitigating Risks through Penetration Testing

Why Pen Testing is Key to Navigating Aviation Cyber Threats

Your airline business is going well. You've expanded lately, and all is well. Suddenly an alert wreaks havoc between the passengers of one of your company's aeroplanes—a coast-to-coast flight. As the plane reaches cruising altitude, a passenger connects to the in-flight WiFi to get some work done. But as soon as he tries to visit a website, an alarming message pops up on his screen:

"This plane was hacked. Surrender $200 worth of bitcoin to unlock the entertainment systems."
Around the cabin, other flyers are encountering the same ransom demand as hackers have taken over all screens.
While (hopefully) still a far-fetched scenario, the risks of cyberattacks targeting aeroplanes and the aviation infrastructure continue growing as systems load. Penetration testing is now essential to help the industry navigate escalating threats.

Examining Aircraft Digital Systems for Weaknesses

Modern passenger aircraft rely on interconnected digital technologies to expand the attack surface. Penetration testing digs into crucial systems:
In-Flight Entertainment: Pen testing evaluates the separation between IFE and flight/navigation networks. Hacking via passenger WiFi or media systems could cross over without proper segmentation. Tests check for vulnerable software, unsecured external connections, and the bridging of networks.
Flight Management: Navigation and real-time flight diagnostics increasingly depend on air-to-ground network communications. Tests evaluate data flows for interception risks, flooding vulnerabilities, and manipulation of telemetry data.
Communications: Your company should test radio, satellite networks, and data links for air traffic control, weather data, and flight tracking for signal jamming, protocol exploits, and spoofing. Tests ensure redundancy.
Mobile Devices: Penetration assessments examine mobile device management policies and network access controls to ensure personal pilot/crew tablets and smartphones cannot introduce malware when connected.
Embedded Sensors: Testing safety-critical systems like engine sensors, flight surface actuators, pressurisation monitors, and GPS instrumentation for electrical fault, fire/flood resilience, and signal spoofing risks.
In-depth testing of loaded aircraft systems and connections proactively finds weaknesses lurking within fast-evolving technologies. What hackers could exploit today must be found and fixed promptly.

Verifying Aircraft Defences Against Real-World Attack Techniques

While hacking aircraft systems remains extremely difficult, some alarming proof-of-concept cases have demonstrated vulnerabilities:
DHS Boeing Engine Hack - A cybersecurity researcher penetrated a commercial jetliner's engine controls via the in-flight entertainment system while in the passenger cabin during a test flight. It demonstrated that an actor with technical expertise could compromise digital aircraft systems in flight.
Airplane Control System Penetrated: A security test successfully hacked into electronic thrust management and flight control systems from vulnerabilities in the in-flight entertainment hardware, showing a potential pathway to hijack fundamental plane functions digitally.
GPS Signal Spoofing: University researchers completely fooled GPS receivers in drones using spoofed signals, allowing them to manipulate the aircraft's navigation and control. It proves aircraft systems relying on location data are vulnerable to fake GPS attacks.
These incidents reveal real-world risks lurking within loaded aircraft despite their specialised nature and isolation. Adversaries are probing for innovative ways to exploit them.
Proactive penetration evaluations simulate how hackers might infiltrate systems using the same sophisticated techniques. It finds weaknesses long before criminals have a chance to discover them. Testing proves aircraft cyber defences remain airworthy against the realities of a modern threat landscape.

Recent Aviation Cybersecurity Events Show Risks Taking Flight

Over five years, 100+ cybersecurity vulnerabilities were found through penetration testing of FAA systems, including critical air traffic control systems.

"In a controlled test, a security researcher hacked into aeroplane flight control and engine management systems from the in-flight entertainment system."

"Malicious hackers have recently compromised frequent flyer/loyalty program databases at several airlines, stealing passenger personal and payment data."

"Researchers spoofed GPS signals to drones during flight tests, allowing them to manipulate navigation and control."

"A ransomware attack against a service provider temporarily knocked out passenger processing systems at over 100 US airports in 2021."

"Cyberattacks targeting airports and airlines have increased by over 1000% since 2016, according to cybersecurity firm NCC Group."

These incidents and statistics reveal substantial cyber risks for aircraft, airlines, and aviation infrastructure that penetration testing can proactively mitigate.

How Assessments Thwart Top Aviation Cyber Threat Vectors

The interconnected nature of modern aircraft, airline operations, and aviation infrastructure opens vulnerabilities that hackers could exploit to endanger passenger safety or cripple air travel. Consistent penetration testing helps proactively identify and thwart these key cyber threat vectors:
In-Flight Entertainment Hacking: Penetration tests evaluate WiFi networks, seatback screens, and other infotainment systems for risks. Evidence of segmentation issues or vulnerable software could enable hackers to pivot from passenger systems into flight controls. Testing prevents digital intrusion paths that put aircraft safety in jeopardy.

Aircraft System Hijacking: Flight management computers, engine controls, navigation equipment, and other loaded aeroplane systems could potentially be hacked to alter key functions mid-flight. Testing hardens these critical flight networks against the takeover by verifying isolation safeguards and access controls that block adversaries.

Air Traffic Network Disruption: Radar arrays, instrument landing systems, navigation satellites, and air traffic control networks provide vital aircraft guidance vulnerable to interference or spoofing. Assessments prevent loss of control risks by auditing network resilience and redundancy against potential denial-of-service attacks.
Sensor Data Manipulation: Digital engine sensors, GPS, glide slope instrumentation, and other embedded aeroplane systems feed navigation data that could be subject to spoofing. Manipulated values and false sensor readings could make the aircraft unsafe to fly or intentionally crash. Testing reveals sensor vulnerabilities before adversaries can exploit them.
Airline and Airport System Intrusion: Breaches of sensitive IT systems owned by airlines, airports, and aviation vendors could cripple operations or expose personal customer data. Assessments block network intrusions, website attacks, and data system compromise to avert large-scale cyber incidents.
Insider Threat Exploits - Compromised employee credentials provide valuable access ripe for insider misuse. Tests simulate insider attacks to uncover gaps like inadequate behavioural monitoring, poor segmentation, and overprovisioned access rights that malicious actors could leverage.
Ransomware Disruption: File-encrypting ransomware that locks access to systems and data could quickly cascade across the interconnected aviation network. Testing ensures malware controls and backups can prevent crippling systemic ransomware incidents.
Regular penetration evaluations aligned to emerging aviation cyber threats provide the threat visibility, and intelligence organisations need to stay steps ahead of risk. Testing proactively future-proofs defences before cyber events end up making headline news.

Hardening Flight Systems and Insider Access

Comprehensive penetration assessments probe for weaknesses from both outside and inside the aircraft perimeter:

• Attempts network intrusion via in-flight entertainment systems and WiFi networks, probing for segmentation gaps and vulnerable software.
• Tests communication interfaces like ACARS data links and satellite and VHF radios for signal interception and spoofing.
• Evaluate the resilience of flight data transmission and navigation systems against protocol exploits, DDoS attacks, and data spoofing.
• Assess malware risks from infected USB devices or compromised crew tablets and mobile devices plugged into aircraft systems.

• Simulates insider threats by attempting to gain elevated access to maintenance, diagnostics, and operational networks from standard employee credentials.
• Tries to pivot from back-office IT systems into air gap isolated networks holding safety-critical flight systems.
• Tests if behavioural analytics and activity monitoring can detect suspicious insider actions.
• Attempt to abuse insider knowledge and access to smuggle payload data past air gaps onto operational networks.
  Aircraft require security zones with strict access controls, monitoring, and segmentation to block external and internal adversaries from reaching critical flight control networks. Regular testing is crucial for proving robust defences aligned with zero-trust principles.
  

Testing Digital Systems Across the Aviation Infrastructure

While aircraft security is paramount, the aviation ecosystem relies on interconnected technologies vulnerable to cyber disruption if not adequately protected. Comprehensive penetration testing is crucial for the following:
Air Traffic Control Systems - Your company must assess radar, navigation aids, and data networks to allow air traffic controllers to guide flights for weaknesses that could deny aircraft guidance or trigger collisions. Tests safeguard human lives.
Airline IT Systems: Customer databases, bookings/ticketing tools, flight planning software, crew scheduling systems, and frequent flyer programs are tempting targets holding financial and personal data. Tests protect customer assets.
Passenger Screening: Scanners like backscatter X-ray, millimetre wave, and explosive trace portals used in checkpoints can be tested for device tampering and data flow vulnerabilities, as hacking could aid smuggling.
Baggage Handling: High-speed conveyor systems, scanners, and robotics moving luggage behind the scenes at airports are often highly automated and networked. Tests prevent grounding of baggage flows.
Maintenance Facilities: Hangars and workshops where aircraft are repaired rely heavily on networked diagnostic computers, parts databases, and avionics testing equipment that require security evaluations.
The aviation ecosystem's sheer scope and interdependence make end-to-end testing imperative. Fixing isolated systems does not ensure broader resilience. As airports and airlines continue digitising operations, testing provides threat visibility across their interconnected attack surface.

Staying the Compliance Course

As cyber risks take flight within the air travel industry, compliance mandates for evaluating and securing aircraft and infrastructure systems rapidly expand globally. Penetration testing is essential for aviation companies to validate controls and stay compliant.
Key aviation cybersecurity regulations worldwide include:

This US legislation includes the first mandates directly addressing cybersecurity within civil aviation. It requires the FAA to conduct cyber risk assessments of aircraft systems certified through 2023. Penetration testing provides the technical security evaluations needed to fulfil this mandate. The FAA is developing the framework for these assessments in partnership with aircraft manufacturers.
The law also requires airport operators to assess security systems and infrastructure vulnerability. Penetration tests will be critical for uncovering risks within airport perimeter access controls, surveillance systems, passenger screening technologies, baggage scanners, and sensitive back-office networks.

The European Union Aviation Safety Agency (EASA) has prioritised cybersecurity through initiatives like the European Strategic Coordination Platform. The strategy promotes cyber assessments, vulnerability scanning, penetration testing of aircraft components, air traffic management systems, and airline operations.
Requirements for Security Risk Assessments and Penetration Testing guide European airlines, airports, and aviation vendors. EASA helps coordinate cyber evaluations, provides testing tools and methodologies, and aggregates risk data across the EU aviation ecosystem to highlight priorities.
The International Civil Aviation Organization published comprehensive guidelines for cyber risk mitigation across global civil aviation. The toolkit provides cybersecurity best practices, assessment principles, and testing methodologies tailored for the air travel industry.
ICAO calls for continually evaluating aircraft, airline systems, and aviation infrastructure. The guidelines recommend regular penetration testing to identify vulnerabilities using the same tactics as real-world attackers proactively. Testing across critical aviation systems and technologies is advocated.
Aviation cybersecurity regulations will continue maturing in the years ahead, with penetration testing an integral component. Cyber readiness evaluations validate that aircraft and infrastructure meet expanding compliance and audit requirements.
More importantly, proactive assessments address emerging threats before they lead to real-world incidents that jeopardise passenger safety and the continuity of air travel globally. Aviation companies can gain assurance by continually evaluating systems using state-of-the-art penetration testing aligned to evolving best practices and regulations.

Charting the Future Course for Aviation Cybersecurity

Aviation companies can confidently navigate the cyber skies by continually evaluating and evolving defences, keeping profitability and passenger safety on course.
Now is the time to get ahead of emerging threats. Contact our experts at Microminder to discuss launching a comprehensive, aviation-tailored penetration test program across your fleet and operations. With rigorous assessments validating security, you gain evidence-based cyber readiness assurance even as threats come your way.
Be sure to have your next move charted by regulators or malicious actors. Take command of your cybersecurity trajectory. Launch your penetration testing journey with Microminder today.