Simple Flying

Why Airlines & Airports Must Do More To Defend Against Cyberattacks

By FlyMarshall Newsroom, October 3, 2025

When people think of safety in air travel, they are typically concerned with mechanical or artificial challenges that could endanger a flight, its passengers, its crew, and people on the ground. Unfortunately, an entirely new kind of safety threat has begun to emerge in recent years. Legacy carriers, low-cost airlines, and airports alike have begun to notice just how fragile the technological systems that run aircraft, airport operations, and air traffic control networks are. In a world where evildoers are increasingly focused on cyberwarfare, airports and airlines have had to reorient their efforts to improve cybersecurity.

Just a couple of winters ago, an inadvertent technological meltdown crippled the Southwest Airlines operational network, stranding thousands of passengers all across the country and forcing the carrier to fully restart its network. This technological breakdown was not singular in nature, as other technological incidents resulted in operational disruptions earlier this summer as well. These were both unintentional incidents, but they have continued to raise concern about what hackers with malware could do to disrupt flight operations and ultimately put passenger safety at risk. We analyze the world of airport and airline cybersecurity and determine what additional steps airports and carriers should be taking to improve overall cybersecurity.

A Deeper Look At Cybersecurity In Aviation

A white aircraft parked at a gate area Credit: Shutterstock

Cybersecurity risks in aviation are now purely operational: threats have evolved beyond just the vulnerabilities of information technology (IT) systems. Recent attacks highlight a pair of key pressure points. For starters, third-party vendor outages result in significant operational disruptions, as airlines rely heavily on services from these kinds of companies. Identity-driven intrusions are also highlighted as a significant threat to airlines, airports, and even manufacturers within the aviation industry.

A recent ransomware intrusion against Collins Aerospace’s MUSE passenger processing platform significantly disrupted check-in and baggage handling at European airports, causing a non-lethal headache for airlines and passengers across the continent, according to reports from Reuters. This demonstrated that a single supplier having a cybersecurity issue can lead an entire airport’s operations to stall. This also helped illustrate just how quickly a relatively small cybersecurity challenge can significantly stall airport operations at scale. This further pushed many European airports to adopt additional security measures.

Another malware and ransomware actor, the individual evildoer known as SCATTERED SPIDER, has also been involved with using malware to target airlines directly. They have used help-desk social engineering to reset airline systems before attacking virtual data infrastructure. The individual (or potentially a group, as we are still not aware of the individual’s specific identity) quickly began to acquire data and then use it for extortion. This poses a major threat to airlines from both a financial and an identity perspective, while for passengers, it is a significant safety-related concern.

A Brief Overview Of The CrowdStrike Incident

Airbus A320 (registration G-EUUE) operated by British Airways taxiing for takeoff in front of Terminal 5 at London Heathrow airport Credit: Shutterstock

On July 19, 2024, a faulty CrowdStrike Falcon update (one which was named “Channel File 291”) for Windows computers triggered a variety of crashes of corporate computer systems across the globe. This had a major impact on US aviation, and it was later recorded as the largest IT outage in history. Preliminary/post-incident reports ultimately traced the incident to a validation bug that had unintentionally distributed a malformed file, and Microsoft quickly documented the kinds of errors that affected machines were showing.

The operational impact of the incident rippled across banks, the media, healthcare, and most notably aviation, where check-in and dispatch systems failed extensively. Major US carriers were forced to issue ground stops, with Delta Air Lines ultimately suffering the most, as the airline had to cancel thousands of flights across several days and later pursued additional compensation. Remediation required continued remote removal of the bad file and sensor recovery. Microsoft, hyperscalers, and CrowdStrike ultimately secured coordinated fixes. CrowdStrike’s CEO publicly apologized the same day and published PIR/RCA follow-ups.

There are a number of key lessons to take away from this incident. For starters, the concentration risk associated with this outage was exceptionally high, with a single endpoint vendor quickly becoming a point of systematic failure. The lack of enforcement of staged rollouts and signing checks independent of vendor pipelines also contributed to this breakdown. Fail-safe modes and offline fallbacks for airport crews and operational management teams are also necessary safety valves that need to be put in place. This episode further highlights the continued need for elevated resiliency in cybersecurity.

What Happened In The Wake Of This Incident?

Sydney Airport ATC Tower With Qantas Boeing 737 Credit: Shutterstock

Most FBI-flagged advisories and industry analyses were quick to break down the causes of the incident, highlighting how drastic the consequences could be if a malicious hacker were to deliberately attack an airline. Warnings indicated that hackers could imminently target both airlines and IT vendors, with prolonged outages and continued exposure to these high-risk environments set to follow. External audits further highlighted that many technical exposures remained unpatched, and that the safety valve systems and automatic kill switches had yet to be remotely implemented.

At the core of the matter, FBI audits noted that internet-facing systems and legacy software (specifically ForgeRock AM RCE and VMware ESXi) remained core vulnerabilities. These are places that authorities have warned hackers will try to exploit. When engaging in cyber-sabotage, individuals or groups tend to try to target the weakest points within a system or network. As most cybersecurity experts will tell you, a system is only as strong and capable as its weakest link.

Principal Risk: Key Mitigation

Concentration Risk: Diversify airport and airline technological systems.

Weak-link Risk: The individual system with the weakest network needs to be identified.

Third-party Risk: Airlines and airports need to verify the cybersecurity firewalls of third-party contractors.

The primary priority of any airport or airline at this moment is to implement phishing-resistance training for all personnel, to keep malware from entering a system at any time. Strict verification of all individuals interacting with an airline or airport’s system is necessary. Furthermore, experts recommend hardening and monitoring identity systems from the moment an individual steps into an airport or virtually enters an airport’s network or system.

Additional Steps Needed To Ensure Cybersecurity

American Airlines Boeing 787 at Miami International Airport Credit: Shutterstock

Passenger airlines and airports need to treat cyber resilience like overall safety, with designs that prioritize failure prevention, not perfection. They are encouraged to begin segmenting airport and operational networks and to enforce strict identity controls across their systems and even their mobile applications. Continuous patching of inventory and any internet-facing assets is essential. Cyber analysts must actively manage a live asset register and scan weekly for the appearance of any bad actors.

Remote access to any of these kinds of systems needs to be extremely limited. Vendors and third-party contractors must deliver business-continuity-proof solutions and maintain multi-region fail-proof coverage. Industry analysts also highlight the importance of conducting joint airline-airport tabletop exercises regularly. This move has been less exciting for airlines and airports, however, as it would likely raise operational costs.

But rehearsing a CrowdStrike-style outage regularly could be an excellent opportunity for airlines. They could fully rehearse the loss of communication and network infrastructure, which would enable pilots to get a good understanding of how to communicate and manually perform dispatch and check-in operations. Paper flight plans, once a thing of the past, remain necessary in these kinds of situations. Each of these rehearsals can be carefully analyzed with reliability KPIs in order to help passenger airlines and pilots prepare for situations where it will not ultimately be just a drill.

What Role Do Regulators Play?

A United Airlines Boeing 737-700 departing LAX with the control tower visible in the photo Credit: Shutterstock

Cybersecurity in aviation is slowly moving from a best practice to a regulatory obligation. In the United States, the TSA now requires airport and aircraft operators to implement broad performance-based controls, including network segmentation, access control, and continuous monitoring initiatives, which are joined by incident response plans and timely reporting. Punishment for non-compliance is also a key piece of this puzzle.

The Federal Aviation Administration (FAA) complements this with planning guidance and profiles aligned to the needs of individual operators. Internationally, the International Civil Aviation Organization sets the global strategy, framing cybersecurity as an integral part of aviation safety and resilience, pushing nations to adopt individual rules.

In the European Union, the European Aviation Safety Agency has a binding information security agreement which sets stringent requirements for airlines, airports, maintenance operators, and ground handling companies. This helps diversify risk and clarify expectations across the board.

What Is The Bottom Line?

ATL Air Traffic Control Tower Credit: Shutterstock

Ultimately, cybersecurity needs to be a top priority for all airlines going into the next few years. Bad actors are becoming increasingly numerous and more creative, and the potential reward of shutting down an entire airline or airport using a piece of ransomware has only become more obvious. These kinds of technological shutdowns can cripple airport and airline infrastructure for days if not weeks.

Legacy carriers, low-cost airlines, airports, and industry-adjacent firms all need to continue investing in preventative systems in order to ensure that they are better prepared for when situations like these arise. Continued implementation of defensive infrastructure can both help prevent these kinds of cyberattacks and also quickly address them when digital incursions occur.

Safety must be an airline’s principal priority. Historically, this has meant that mechanical and air safety are the biggest pieces of any operational safety picture. However, cybersecurity is becoming an increasingly important part of this picture as threats become more and more real.
