In today’s technology-dominated and unprecedentedly interconnected world, no digital enterprise around the globe can consider itself secure without a robust cyber security plan designed by the best cyber security consultants in the field and implemented with the assistance of cutting-edge cyber security tools. Like many other entities, the aviation industry faces immense cyber security challenges that could jeopardize aviation operations, incur financial/data losses, and even put the safety of commercial aircraft and lives in danger. However, the field of military aviation cyber security remains “terra incognita” for cyber security companies, which mostly operate in the civilian sector. Therefore, a clearer understanding of military aviation and its operations is required for civilian cyber security companies to be able to recommend appropriate measures for ensuring the cyber security of military aviation and its concomitant assets.
Civil Aviation and Cyber Security
The civil aviation industry requires connectivity to the outside world to run its operations and can thus become a lucrative target for the vile elements lurking in the hidden corners of the internet. The aviation industry is therefore as much threatened by cyber-attacks and breaches as any other enterprise. The massive digital transformation of the aviation industry over the past couple of decades has resulted in extensive reliance on the latest technologies connecting airline operations and systems across the entire canvas of the industry. The security of this intricate connectivity of airline ground systems to flight operations and predictive maintenance is essential for the safety of the aircraft, airline operations, airline and passenger data, services, reputation and the financial health of the industry. However, these boons of technological advancement do not come without a price. Criminals, terrorists and APT groups continue to explore innovative techniques to compromise aviation systems, which may lead to substantial operational, financial, physical or reputational damage to the industry.
According to the data published by Eurocontrol (a pan-European, civil-military organization dedicated to supporting European aviation), cyber-attacks against the aviation industry are on the rise. There were 52 attacks in 2020, 48 in 2021, and 50 attacks were reported till the end of August 2022. “According to an article published by independent research firm KonBriefing, 38 cyber-attacks on the aviation industry took place in February 2023 alone, and 13 of these incidents transpired in the US.”
The data also indicates that the most frequently seen attack types in the last three years (2020, 2021, and 2022) are Ransomware (22%), Data Breach (18.6%), Phishing (15.3%), and DDoS (7.3%). Meanwhile, 16% of the attacks were of other/unknown type. The introduction of every new technology in the aviation industry broadens the attack surface available for the vile elements to exploit. This requires a regular surgical analysis of the aviation industry’s cyber space by experts to ensure the safety, security, integrity, reliability and resilience of aviation industry operations. In view of the expansive attack surface of the civilian aviation industry and the associated implications of cyber-attacks/threats, cyber security for the civilian aviation sector is generally well understood by commercial cyber security companies, and organizations like ICAO (International Civil Aviation Organization) regularly incorporate safety measures and protocols to ensure the cyber security of the civilian aviation industry.
Military Aviation and Cyber Security
However, cyber security for civilian and military aviation cannot be considered in isolation in the prevailing digital environment. “Experts from NATO observe that there are very strong interdependencies between civil and military aviation users and stakeholders. Any potential cyber-attack on the Air Traffic Management (ATM) system would not only hamper the safe conduct and management of civil and military flights but could also undermine the trust in the overall security and resilience posture of NATO and its member States. Hence, any large-scale disruption of civilian aviation would carry national security implications, thus raising the stakes to the next level.
It is also a fact that the military and military aviation, their operations and their peculiar cyber security requirements are generally less understood by civilian cyber security companies, owing to a lack of exposure and the non-availability of the technical (classified) information required to comprehend the nature and spectrum of the military’s cyber security requirements. Therefore, many militaries around the world have established their own cyber commands manned by their own cyber security experts. Nonetheless, not all militaries have technically elaborate cyber security setups and the necessary expertise to handle the latest cyber security threats. They depend heavily on civilian cyber security expertise when it comes to the availability of the latest cyber security technology and threat intelligence.
Owing to these inherent limitations, militaries and military aviation assets have also become targets of cyber-attacks around the world. According to KonBriefing, there were 34 reported cyber-attacks against military setups of 26 nations across the globe in 2022, out of which 15 were NATO members, including important countries like USA, UK, Turkey, France, Italy, Germany, Canada, Poland, Finland, Romania, Denmark, Estonia etc. Overall, the highest numbers of attacks around the world were reported against the military setups of Russia, Italy, UK, Romania and Peru respectively. However, unlike civil aviation, the core military operational assets, including aviation, generally do not require connectivity to the outside world. Most of the above-mentioned attacks against military setups targeted systems that were directly or indirectly connected to the outside world for operational reasons. Understanding the complete canvas of military operations at the strategic, operational and tactical levels of air, land, sea, space and cyber forces (which operate on the principles of NCW – Network Centric Warfare) is, however, too expansive a topic and well beyond the scope of this article.
Nonetheless, the following paragraphs endeavor to explain the major components of military aviation, their major cyber security concerns and possible remedial measures.
Avionics Systems in Military Aviation and the Cyber Security Concerns
Generally, aviation assets are extensively required and utilized by all the armed forces, including land, air, sea and space. Military aviation does not depend upon flying assets alone; there are other essential setups operationally required to accomplish the assigned tasks/missions. Military aviation and aviation-related assets may generally be grouped into the following major categories depending upon their role and task:-
- Frontline Operational Elements (fighters, bombers, reconnaissance and specialist role aircraft)
- Heavy/Light Transport and Communication Aircraft
- Air to Air Refuellers
- Search and Rescue (S&R) Elements
- Command and Control (C2) Centers and associated Information Services
- Air/Ground based Navigational Aids
- Flight Information Services (FIS) / Air Traffic Management (ATM) Services
- Airborne Early Warning and Control (AEW&C) Systems
- Integrated Air Defense Centers Systems
It is important to understand that all these elements seldom operate independently and are generally used in various combinations to achieve synergy and accomplish the assigned mission efficiently and safely. To operate in synergy, these elements require some kind of connectivity to exchange vital information with other assets when required. The airborne systems mostly exchange this information through radio frequencies, datalinks and SATCOMs operating on frequencies specifically assigned for military use, and are generally secure from direct access by common cyber infiltration/attack. However, some of these airborne systems and their respective ground stations (e.g. heavy/light transport and communication aircraft, AEW&Cs, air-to-air refuellers, navigational services, C2 centers, S&R elements, FIS and ATM services etc.) may require connectivity with outside agencies for operational reasons and may become vulnerable to cyber threats if appropriate measures have not been put in place. Moreover, these vital military aviation assets and associated equipment also require frequent connectivity with special equipment like testers, ground terminals, specialist vehicles etc. for data downloading/uploading, software updates, maintenance, crypto-key exchanges etc. before or after the mission. These are the most vulnerable points for operational assets and can lead to a compromise of the involved systems if robust cyber security measures/tools have not been incorporated. Other operational military aviation assets and systems are isolated from the outside world and operate on an air-gap principle, making them comparatively safe from common cyber threats.
Today, all military aviation assets, both ground-based and airborne, extensively utilize computers, IT/OT and specialist hardware running custom-built software/firmware. All electronics used on airborne aviation assets are also known as avionics. According to BAE Systems, avionics is a category of electronic systems and equipment specifically designed for use in aviation (air, space, satellites). Avionics on a typical modern fighter aircraft control a host of its systems, including engine controls, flight control systems (primary and secondary), navigation, communications, landing gear system, flight recorders, lighting systems, threat detection systems, fuel systems, EO/IR systems, weather radar, performance monitoring systems (test systems, air/ground), weapon management systems, mission computers (integrated information processing systems) etc. All of these are sub-systems that talk to many other systems of a larger system for an integrated response and output. Their seamless, secure and efficient communication with each other is primarily responsible for operating the modern military aircraft under various operational conditions.
Aviation electronics, or avionics, mostly use embedded systems (micro-controller or micro-processor based self-contained systems, i.e. hardware + software) that work independently or as part of a larger system. Embedded systems in military aviation are basically user-focused devices or mini computers (mostly modular components) with their own software or operating system written in embedded programming languages like C/C++ etc. These self-contained avionics are also known as LRUs, or Line Replaceable Units, which can be taken out of the aircraft in a short time without very specialized tools and replaced with a serviceable LRU while the faulty ones go into maintenance, thus ensuring efficiency without compromising on operational mission exigencies.
From the discussion so far, the following deductions can be made:-
- Civilian aviation systems necessarily require connectivity to the outside world and other similar systems across the globe to undertake operations
- In Civil Aviation, cyber-attacks mostly focus on airline/passenger data or flight operations which are a much easier target as compared to the isolated military systems
- Military systems connected to the outside world can easily be targeted by the enemy, criminals or terrorists for various reasons
- Most of the military and military aviation systems (except those discussed above) are isolated from the outside world and work on the air-gap principle, which is difficult to breach
- Hackers or offensive cyber elements do not have direct access to these isolated military aviation systems (except systems operating on RF)
- Therefore, major cyber security steps/safeguards (hardware + software) are ensured during the design and development phase of the avionics systems developed for high-value aviation assets (F-35, Eurofighter, Rafale, F-16 Block 70/72, and the under-development TAI MMU Kaan)
If we categorize cyber security vulnerabilities of avionics designed for high-value sensitive aviation platforms, they can be divided into three major categories:-
These are inherent weaknesses that were overlooked or not catered for during the critical design and development phase of the avionics. They may include shortcomings in design specifications, in meeting international military standards, or in specific requirements to conform to operational protocols. For example, if the communication systems have not been designed to incorporate national encryption standards or the requirement of securely communicating with other operational assets from friendly nations, the systems would not only fall short of the operational requirements but may also be vulnerable to compromise in the cyber space. Hence the form-fit interfaces (LRUs) developed for modern military aviation systems must meet very strict national/international military standards (both wired and wireless) to ensure the security of these systems. Specification vulnerabilities can only be catered for during the design and development phase of these systems and require continuous inputs and guidance from the experts in the field.
These are flaws in the software, firmware, source code etc. being developed for the aviation systems. If the necessary inputs from cyber security experts in the field are not sought at the right stage, it could lead to inherent loopholes in the software/firmware which could later be exploited, thus compromising the security of these avionics.
These vulnerabilities depend upon the security culture of the organizations/entities involved in the design/development and subsequent operation of these state-of-the-art avionic systems. Any flaws that go undetected due to insecure configurations of these avionics or weak/inadequate procedures/SOPs may lead to cyber security compromises, thus jeopardizing the integrity of these systems, which can directly translate into mission failure. These vulnerabilities can easily be avoided if those involved in the installation and operation of these systems follow best practices based on robust SOPs.
It is also very important for the companies involved in the design and development of sensitive aircraft systems and avionics to undertake extensive cyber security risk assessment and clearly define the attack surface across the entire technical/operational spectrum in order to plug any possible vulnerabilities. Therefore, it is of prime importance to carry out an in-depth analysis/risk assessment of the assets in a system (hardware + software), to identify the entire security perimeter by considering all the possible points through which these systems will talk to the outside world (maintenance/operational interfaces etc.), and to evaluate the operating environment. Seeking assistance from cyber security experts and consultants known for their professionalism and expertise in the field would be the most suitable approach at this critical stage of the design and development of sensitive avionic systems.
We are living in an unprecedentedly interconnected world where no digital enterprise can consider itself secure against ever-evolving cyber security threats. While cyber security threats against the civilian aviation sector are generally well understood and addressed by the cyber security experts/companies operating in the civilian sector, military aviation, its operations and its concomitant cyber security requirements are commonly less well comprehended in the civilian cyber security sector. However, rising cyber security threats against military aviation, its systems and related entities demand a comprehensive understanding of military aviation by civilian cyber security experts, so that they can provide the most appropriate recommendations and solutions based on the latest cyber security trends and safeguards. Since military aviation systems and avionics are specifically designed to ensure mission success in the most demanding conditions while operating in different environments (with or without connection to the outside world), they require a robust cyber security plan in both the design/development and induction/operational phases. However, the best cyber security safeguards for sensitive avionics systems can only be ensured during their design and development phase, which requires regular inputs, oversight and guidance from the best cyber security experts in the field, provided the necessary technical information is made available to the experts for rendering the best cyber security recommendations.
Writer: Nasim Abbas