Cybersecurity in the sky

The aviation sector, made up of many players (airlines, airports, air traffic managers, …), is undergoing a major digital transformation and is moving towards an ever-increasing reliance on connectivity. What are the cybersecurity challenges? 

We had the opportunity to discuss this topic with Waël Kanoun, Director of Cyber Defense Solutions at Thales Middle East and International Head of Cybersecurity for Aerospace at Thales.

Waël Kanoun. Image ©️Thales.

Have there been any changes in the number and type of cyber attacks over the last few years?

The answer is yes! And it affects airlines, airports, and air transport managers. What we’re seeing is a sharp increase in the volume of attacks, especially post-COVID (double-digit growth). In 2020, for example, airlines were the main target, accounting for more than 60% of all aviation-related cyber attacks!

If we look at the geographical breakdown of these post-COVID cyber attacks, we see that Europe was the target of 36% of the attacks, Asia-Pacific 20%, North America 20% and the Middle East and Africa 15%.

Although the volume of attacks is increasing, it must be said that most of these attacks are the result of either human error or technical or organizational weaknesses. This is good news because it means that these types of attacks can be managed and resolved. A classic example is the large-scale attack on an airline through its employees aimed at inducing human error (e.g. phishing campaigns), but there are also more targeted actions aimed directly at members of management. 

In terms of the nature of the attacks, we see that they are becoming more sophisticated or ‘multi-step’, meaning that the attack is not limited to a single point of entry, but that there are other action steps that follow. Attackers target airport systems and create a backdoor, which enables them to access the systems over a long period of time without being detected. These ‘dormant’ attacks can remain undetected for a long time, allowing the attackers to exfiltrate a large amount of data over a long period of time, or even be ready to disrupt the operation of key systems (luggage systems, announcements, CCTV, etc.). In other words, it can take days, weeks or even months from the initial attack to its propagation to other adjacent systems, while a backdoor remains in place.

Thales Cyber Security Center. Image ©️Thales.

These cyber attacks have a big impact! One example is the serious cyber attack on Beirut airport in January ’24: the information screens for travelers were hacked to display political messages, which remained on screen for several days.

Given the ever-increasing need for connectivity and communication, and the boom in air travel, how can we anticipate the development of cyber risks? 

The answer lies in a combination of proactive and reactive approaches. The proactive approach is based on ‘cybersecurity by design’, which means designing a system or product with security in mind from the outset, whether at the network or application level. The reactive part covers the ‘maintenance’ of the security system, as the day-to-day threats are constantly evolving and the systems in place need to be continually updated. 

Today, the cyber approach covers the entire ecosystem: the passenger at home (information available on smartphones), the airport (landside and airside), the aircraft (on the ground and in flight) and air traffic management. We cover the whole chain because, for example, a concern about baggage piracy can have an impact on air traffic management.

Thales Smart Digital Platform. Image ©️Thales.

Given its expertise in cybersecurity, is Thales involved in raising awareness and training aviation professionals (airlines, airports) in the culture of cybersecurity?

Absolutely, we offer cybersecurity training, but it’s not strictly speaking a general training course. We combine our expertise in both aviation and cybersecurity to provide more targeted and specialized training, always with an emphasis on practical application. For example, we use simulators in the UK (NDEC in Wales), France, Belgium, and the Middle East (CyberNode in the UAE). These simulators, also known as ‘CyberRange’, are advanced simulation solutions that allow us to run cyber attack scenarios. These simulators allow perfect reproduction of systems, including airport/aviation systems, and provide a secure environment to test and simulate attacks as close as possible to real-world conditions.

Given the nature of the aviation business, would it be possible to develop a common vision and define a harmonized (European or global) cybersecurity strategy?

This trend is beginning to take shape, and that’s a good thing! This is also the case in the rail sector. To make this global strategy a reality, three players need to be mobilized, which makes the exercise somewhat complex, but achievable. Firstly, the international bodies (IATA, EASA, FAA, …), the working groups of experts specialized in aviation cyber security (Aviation ISAC, EATM-CERT and ECCSA) and the national bodies dealing with the cyber security of critical instances and environments (ANSSI in France, NCSC in the UK, NCA in the US).

Does the heterogeneity of fleets (aircraft models) present an additional difficulty in identifying and dealing with potential vulnerabilities in each system, interface, and connection? 

The answer is yes, and it’s a big challenge indeed! Fortunately, we have the combined expertise of cyber and aviation (he smiles). Of course, we know that aircraft vary from manufacturer to manufacturer. The equipment delivered can also vary for the same aircraft model (for example, an Airbus delivered to Air France or to Emirates). What’s more, an aircraft contains tens of thousands of parts manufactured by thousands of suppliers.

In conclusion, I would say that some stakeholders are less aware of cybersecurity than others, which may be due to a lack of maturity, a lack of exposure or the fact that they have been lucky enough never to have experienced an incident. Fortunately, this type of scenario is gradually disappearing. Once this type of risk has been regulated, they will have to face up to the problem and get in line.