In an increasingly digital world, cybersecurity is a growing issue for all industries, and business aviation is no exception. Cybersecurity has emerged as a critical concern for the sector because the consequences of a breach are particularly high.
“When we think about cybersecurity, a lot of people think about the guys in the hoodies behind the screen somewhere in the basement. But, we need to think about safeguarding our data, anything that we have which is digital. In fact, The European Union Aviation Safety Agency doesn’t even use the term cybersecurity. They call it information security, which I feel gives a much better idea of what we are talking about,” explains Diego Magrini, co-founder of NERD.aero, an IT service company dedicated to aviation.
“The cybersecurity threats for business aviation are constantly changing,” explains Josh Wheeler, senior director of entry into service and client services at Satcom Direct. “As technology evolves and we use more devices than ever, malware attacks continue rising, with over five billion occurring in the last year. Satcom Direct blocks some 10,000 attempted malware attacks on our customers’ assets every day,” he says.
“Business aviation leaves a trail of sensitive information unfortunately,” says Maxim Schelfhout, CEO at Skylegs, a flight management platform for aircraft operators. “This sensitive information can be used against the company, the individuals working for the company or the passengers. In business aviation it seems that there is a race to move quickly no matter what, but that’s a dangerous attitude. Sending data, secure files from passenger to operator to authorities should be done in a more secure manner than Whatsapp, emails with attachments and passwords, printing Gendecs and leaving them everywhere.”
“When I speak about information security, I strongly emphasize that a lot is about awareness. It’s about knowing the threats. It’s really the human aspect. That’s why I push companies to include information security or cybersecurity training in their HR policies, onboarding, and general training,” Magrini says.
“Modern operations have become very efficient by relying on web-based and connected technologies,” says Schelfhout . “If any of these softwares fail it has a large impact on the safe operation of the flight because there might not be backup systems. That’s why operators and system providers need to make their operations not only efficient but also secure and robust.”
Types of attacks
“Social engineering is still a common strategy, using cheaply acquired software readily available online to manipulate user behaviour. Many of us are aware of Phishing, the use of fraudulent emails to appropriate this data. Phishing gives rise to clickbait scams, giveaway frauds, false Facebook quizzes and cloned accounts. These remain the greatest threat to operators and rely on simplicity, clever tactics, and slick graphics to trick users out of valuable information,” explains Wheeler.
“We are also seeing increasing cyber events manifesting in new imaginative guises that are moving the goalposts for cyber-attacks. Clients often think they are immune because they don’t use a laptop in flight, but this is not the case. If the phone is connected to the internet, which it nearly always is, it’s equally as vulnerable as a laptop or tablet. Phones offer a new platform from which to gather information or direct behaviour.
“Smishing, which uses fake texts to extract data, and Vishing, which uses voice-generated AI, are entering the sector. The clever use of AI, publicly available digital recordings, and a little background research can generate convincing fraudulent phone messages in which voices and speech patterns are emulated. These vocal frauds can be extremely convincing.”
Cybersecurity is the act of ensuring that data being transmitted from an aircraft to organizational networks is always protected to prevent the unauthorized theft of information. The continuous mitigation of risk forms a key component of cybersecurity activity.
In 2023, the cost of cyber data breaches averaged around US$4.45 million but this doesn’t include reputational damage. “Alarmingly, the average time to detect a violation was nearly four months,” explains Wheeler. “With 53% of users not changing passwords regularly or recycling the same password across different accounts and additionally, an alarming 57% of users writing passwords on sticky notes for all to see, some eight billion data records were compromised.
“While these numbers do not represent pure aviation incidents, it is important to understand that if your airframe is connected to your organization’s internal network or intranet and there are no cyber protocols or strategies in place, passengers are as vulnerable on the aircraft as if they were sitting in a coffee shop,” says Wheeler.
“Altitude does not make data exchange secure. If the internet is visible to the aircraft, then the aircraft data is visible to the internet. It is essential to implement an active cybersecurity policy for all aviation operations.”
“In business aviation, the process of arranging a flight is a lot less standardized and streamlined compared to airlines. That means there are more potential faults. With airlines, you go to a booking website owned by the airline. They manage the data and have precise processes for data flow,” says Magrini.
“In business aviation, it doesn’t work like that. Many flights are arranged via brokers, WhatsApp, or Telegram. Passport pictures are often sent over WhatsApp and remain on devices, exposing operators to big GDPR risks.”
Simple things like not using password-protected Wi-Fi access in public areas leave digital users exposed to hackers. “This is when malware can be downloaded and subsequent threats released,” Wheeler says.
Users who don’t think about unusual emails, question whether it is a genuine email from a reliable source, or even click on attachments that are not known can all inadvertently become vulnerable explains Wheeler.
“Using thumb drives that are not password protected or that you don’t know the source of can cause issues when plugged into the hard drive. They may carry malware, virus or other code that seamlessly passes on to a computer.”
Sharing data with third-party suppliers may seem innocent enough but Wheeler says it is important to be aware of their security protocols before information is transmitted. “Passenger manifests for example contain rich data but if the catering company/ground transport company for example does not have cyber protocols in place the data becomes vulnerable,” he says.
Avoid becoming a victim
Aviation organizations, stakeholders, and suppliers need to be cyber vigilant and employ various tools to mitigate the threat. Wheeler says that the best for of defence is a combination of human understanding, implementation of tech protocols and investment in robust cyber management solutions can help protect aviation assets.
“Operators need to discuss all these elements with their connectivity provider to reduce risk. The inflight connectivity must be paired with a robust, secure ground infrastructure that can support secure connectivity solutions. There is no one size fits all and the operator must trust the connectivity provider to tailor the security system according to their needs,” says Wheeler.
“Flight departments must implement cyber-specific policies within the SOPs (standard operating procedures). Assessing the risk profile before each trip will help them stay ahead of the curve. Creating a security mindset is paramount to successfully navigating an ever-changing threat landscape,” he says.
One of the easiest and most effective strategies for preventing a cyberattack is having a robust password that is changed regularly says Wheeler, “Yet many business aircraft operators fail to implement this option,” he says. “Some CEOs and owners just want to get online and connect and passwords are deemed an inconvenience. Alarmingly, many jets are not configured with their own passwords.”
Wheeler says the irony is that simple actions can make a huge difference.
“Using passwords to protect cabin Wi-Fi is an obvious one,” says Wheeler. “Flight departments can be reluctant to create Wi-Fi passwords due to the perceived inconvenience to passengers, yet the inconvenience of learning a password far outweighs the potential risks. You can even put passwords into a QR code for passengers to scan when they board.”
Interestingly password length trumps complexity in terms of strength explains Wheeler. “It is harder for the decoders to crack a long password, say the first line of a favourite song, than it is to figure out a short password that includes numbers, special characters and letters.”
Wheeler also says it is better to switch off auto-connect and actively decide which Wi-Fi networks to connect to if you’re in a public space, an FBO, or MRO. “If you’re not sure the Wi-Fi is legitimate, stay on the cellular network,” he says. “And if you travel, use a virtual private network, VPN, for an encrypted connection. This creates another layer of defence when logging on to a hotel or FBO network.”
“Just like deploying oxygen masks in an emergency. Protect yourself, then protect the others. It starts with your own accounts and keeping things clean and updated. Then you think about your peers and how you communicate with them in a secure way by being disciplined in the use of systems,” says Schelfhout.
Emerging technologies & cybersecurity
“Cybersecurity is a dynamic sector, and the changing practices of malevolent actors partly trigger its evolution,” says Wheeler. “As the attacks become more sophisticated, the response or proactive protection needs to evolve. It really is a game of cat and mouse, not just for aviation but for all users of technology platforms.
“As AI and machine learning evolve, they present new opportunities for both security and threats,” he explains. AI-powered tools can replicate voices and create convincing phishing schemes. “Voice cloning technology, for example, can easily trick people into thinking they’re speaking with someone they trust,” he says.
While AI poses risks, Magrini believes the best defense is awareness. “The more we understand how these technologies work, the better we can protect ourselves,” he stresses. “It’s about recognizing the capabilities of AI and the risks that come with it, while not letting fear push us away from new technologies.”
Recent cyber-attack developments include the increased use of AI technology and machine learning to target victims and evade detection layers. AI-powered phishing/smishing/vishing attacks and deep-fake scams are also on the rise. Simple computer viruses and trojan horses have transformed into highly sophisticated ransomware, spyware and advanced persistent threats (APTs). “Malware is designed to disrupt operations and steal data and funds,” says Wheeler. “A notable development in the cybersecurity sphere is the increase in nation-state-sponsored cyberattacks. Such attacks are carried out for espionage, to sabotage critical infrastructure and can influence geo-political events. With each new development comes an equal and opposite development in terms of cybersecurity.”
The importance of training
However, the key recommendation for aviation organizations, stakeholders, and suppliers is to be cyber vigilant and employ various tools to mitigate the threat.
“A combination of human understanding, implementation of tech protocols and investment in robust cyber management solutions can help protect aviation assets,” says Wheeler.
A good strategy to maintain cybersecurity is driven by cyber awareness, vigilance and education. “Organizations and operators must actively educate their staff, suppliers and passengers about what can be done to reduce cyber events,” says Wheeler.
All three experts agree that training and education are essential. Cyber awareness courses should be constantly updated for aviation IT professionals, crew and passengers and designed specifically for business aviation professionals, owners, and operators.
But Magrini believes there are currently not enough aviation specific courses available.
“Generally, cybersecurity courses are developed for professionals in the IT sector and if you call something a cybersecurity course, 95% of the human population will stay away from it,” he says.
“What we are doing is building specific training modules for aviation personnel, which doesn’t necessarily mean pilots. For instance, flight dispatchers are a very important link in the operations department of an operator. The amount of information that goes via email in operations is embarrassing and it is a huge risk,” Magrini says.
“We are working on building training modules together with dispatch and other aviation academies. Operators should include easy-to-digest information security training in their routine training. It shouldn’t be dense or heavy, because people won’t engage with it.”
Satcom Direct also offers a program that navigates the complexities of security and cyberthreat prevention from an aviation perspective. The focus is on identifying common hacking techniques, attack methodology and current cybersecurity concerns within aviation supports the building of awareness about inherent vulnerabilities.
As technology advances, the threats to cybersecurity in business aviation become more complex. Companies must stay vigilant, integrate security into their daily operations, and educate their staff about potential risks.
Read this and similar articles in their original magazine format online. Want more? Industry professionals can subscribe to our print and online magazine and our weekly newsletter free of charge now.
