C Y B E R S E C U R I T Y ybersecurity has never been more critical to
businesses. In 2018, security intelligence
vendor Risk Based Security reports that
over five billion information records were
compromised around the world by hackers.
Josh Wheeler, senior director of
cybersecurity at aviation communications provider Satcom
Direct believes that the business aviation industry is a
particularly appealing target for cyber criminals.
“Cyber criminals go out of their way to target VIPs. What
better place to reel a VIP in than in the cabin of their own
private aircraft?
“Business aviation presents opportunities to target
organizations and high net worth individuals. Hackers don’t
need to compromise an organization’s security if they can
compromise an unmanaged asset like an aircraft or a
device that connects to the aircraft’s network.”
The European Aviation Safety Agency (EASA) reports
that on average 1,000 attacks occur each month against
aviation systems. Satcom Direct has seen a year-on-year
increase in attempted cybersecurity attacks on business
aviation aircraft subscribed to its threat monitoring service.
The company’s latest report shows a 54% overall increase in
critical and high-level threats for the first three months of this
year compared to the same period last year.
The risks to aviation businesses from cyber attacks
are diverse and have increased with the rise of digital
technologies and connectivity. Loss of personal data can
put customers themselves at risk, as well as erode trust in
the business. It can also lead to significant penalties under
the General Data Protection Regulation (GDPR), which was
introduced in May 2018.
But as well as stealing data, cyber criminals are using
a variety of different tactics to cause problems
for companies – often losing them time
and money. Denial of Service (DoS)
attacks are used by hackers
to shut down a machine
or network, making it
inaccessible to users and
interrupting operations
and potentially delaying
flights. Then there are
ransomware attacks
where criminals demand
payment for the return of
data or access to a victim’s
own network.
“Additionally, there are
safety-related risks if
attackers focus on targeting
systems that support
physical security and
aviation safety,” adds Justin
Lowe, a cybersecurity expert at PA Consulting.
Plurality increases risk
Business aviation faces a number of challenges around
cybersecurity compared to the commercial aviation sector.
For example there are a greater variety of business models
at work in the sector: private owners, shared ownership and
business ownership, for example.
When combined with the variety in aircraft complexity,
it means that very different rules are applicable for the
operation and maintenance of business aircraft, and in the
particular case of less complex aircraft operated by private
individuals, there may not be an organization responsible for
the management of the associated risks.
“There are challenges in ensuring system security is
kept up to date,” says Alex Cowan, CEO of cybersecurity
software provider RazorSecure. “Typically, when a jet owner
buys a system there’s no real plan in place for how it is
updated. If a vulnerability appears it’s likely this will never
get patched and therefore secured.
“Cyber criminals go
out of their way to
target VIPs, what better
place to reel one in than
the cabin of a private
aircraft?" 42 | BU S INE S S A I R P O R T INT E RNAT I ONA L J U L Y 2 0 1 9
“Another issue is that your
equipment is always moving around.
Normally, in order to patch or update
software you want to be physically
sitting next to it to make sure it’s
working correctly. This creates
additional challenges.”
Risks and regulations
The level of cybersecurity understanding
within the business aviation sector has
increased in recent years, but experts still
believe that many businesses are still unaware
of the potential threats. On the operational side, a
cybersecurity regulatory framework is still being developed
for business aviation.
“Furthermore, business and general aviation aircraft are
likely to operate in smaller airports, which in some cases
may not have a very mature management system,” points
out Juan Anton, EASA’s cybersecurity in aviation and
emerging risks section manager.