Hacking the friendly skies: Cyber-Threats to the Aviation Industry

Stroz Friedberg is a specialized risk management firm built to help clients solve the complex challenges prevalent in today’s digital, connected, and regulated business world

I’ll admit it. I’m a fussy flier. I want at least 100 movies in the queue on my in-flight entertainment system. I want to be able to change my seat on my mobile app on the way to the airport. I want to pay for my boxed wine with a credit card that’s swiped at my seat.  And if the flight isn’t equipped with Wi-Fi (heaven forbid!), I might keel over and die right there. Yet even though these creature comforts seem like absolute necessities in my hierarchy of needs, the ever-increasing world of data that airlines are putting at our fingertips may be exposing vulnerabilities that threaten our security on a global level.

Airlines, both foreign and domestic, should be regarded as high-priority targets of cyber espionage actors, and it’s easy to see why. The aviation industry is a critical part of our national infrastructure. Every day, approximately 1.8 million people fly on domestic flights in the United States (U.S. Dept. of Transportation, Bureau of Transportation Statistics), and countless goods are transported from coast to coast. Airlines are also a one-stop shop for valuable data – from the millions of credit card records for the fiscally minded hacker, to critical data around proprietary technology, routing, and passenger information.

Take for instance this summer’s well-publicized breach reported by United Airlines, in which a group of cybercriminals with ties to China compromised United’s network, gaining access to confidential flight manifests, which included information on passengers, flight originations, and destinations. Think these data streams are relatively innocuous? Think again.

It is now widely believed that the same attackers responsible for the United Airlines breach are also responsible for the massive hack into the U.S. Office of Personnel Management (OPM) and hacks into the U.S. insurer Anthem and into Sabre (a former American Airlines subsidiary and one of the world’s largest clearinghouses for travel reservations). When you put all this information together, it suddenly paints quite a picture – China-based hackers now have access to the names of millions of U.S. citizens and their security background check records, and have the ability to cross-check millions of travel records to investigate U.S. citizens’ travel patterns: where they’re going, and exactly when they will be there. The counter-intelligence uses for this information are staggering.

Other cyber-attacks could be even more nefarious. Some security experts have hypothesized that it’s possible to gain partial or complete control over an airplane’s onboard systems by hacking into one of the aforementioned “creature comforts” associated with modern air travel, such as inflight Wi-Fi, entertainment systems, or even a smartphone. Indeed, some pen testers have reported successful hacks into the beta versions of flight control systems using a plane’s Wi-Fi network. These threats are (at least for now) primarily hypothetical and would require extensive knowledge of the aircraft and its systems to come to fruition; however, hackers may already be amassing the critical information necessary to gain an understanding of which flight systems to target.

Indeed, in the case of sophisticated state-sponsored attacks, it’s not uncommon for attackers to be active in an environment for months, if not years, before a breach is finally discovered. Over the past five years, at least four known APT intrusion sets operating from the People’s Republic of China have repeatedly targeted airlines, civil aviation authorities, and aerospace firms. But China is not the only player in this game. Information security firm Cylance published materials describing the modus operandi and typical indicators of suspected Iranian state-sponsored cyber espionage actors that included U.S. and European airlines among their previous targets. The number of private and state-sponsored threat actors interested in the aviation industry is expanding, which means that the prevalence of sophisticated attacks against the airlines will only increase.

So what can companies within the aviation industry do?  Here are some thoughts:

  • Assume You’ve Been Hacked:  Perform proactive scanning and analysis to look for signs of APT/sophisticated intrusion. Even if you’re not aware of an incident now, chances are there are hackers poking around in your environment. Engage an incident response specialist to analyze your environment for signs of APT activity.
  • Know Your Points of Ingress and Egress:  Aviation companies deal with a myriad of complicated systems that must interact with one another out of necessity within a networked environment. As the number of these systems increases within an environment, the number of potential points of entry for an attacker also increases.  Airlines must have a handle on the points of ingress and egress within their network environments.
  • Lock Down Access to Critical Data Systems: Far too often, administrative credentials and permissions are over-inclusive, particularly when it comes to third-party vendors. Restrict network access to only who and what is necessary to complete a given set of tasks, and to the times that access is needed.
  • Share insight:  If you are struggling with security and outside threats, consider yourself in good company. Engage in knowledge sharing with others in your industry and trusted outside advisors to assist with the identification of potential threats and to facilitate the sharing of ideas on security enhancements.

We cannot avoid cyber-attacks on the aviation industry.  But companies must increase their preparedness and collaboration to meet the rising challenges.


Our lawyers don’t want to miss out on the fun and would like you to know that all of the posts are the opinions of the individual authors and don’t necessarily reflect the opinions or positions of Stroz Friedberg. The ideas and strategies discussed herein may not be appropriate for any one reader’s situation and are not meant to be construed as advice.
