Space and aviation sectors invest in community awareness, training and education to ward off increasing cyberattacks
By Krishna Sampigethaya, Philip Potts and Arun Viswanathan|December 2023
The Aerospace Cybersecurity Working Group provides awareness, education and standards development to help protect aerospace’s digital infrastructure.
The year began with an outage of the Philippines air traffic management system in January and an outage of FAA’s Notice to Air Missions system in February, both of which disrupted and delayed air travel. While these incidents are not considered cyberattacks, they point to underlying critical system vulnerabilities, such as inadequate security policies and outdated cyber infrastructure, that may be exploited by an adversary.
Cyberattacks this year continued to demonstrate real-world impacts on the aviation and space sectors. An analysis of the European Organization for the Safety of Air Navigation published in July showed an increase in supply chain security incidents in which exploitation of a vulnerable third-party vendor’s system caused data breaches at an airport or airline. A cyber threat event map in the analysis also showed hacktivists were the dominant aviation cyber threat actor and that distributed denial-of-service, or DDoS, attacks were the most common threat to airlines, airports and international aviation authorities. For example, DDoS attacks by pro-Russian hacktivist groups in January targeted airports in NATO member countries and allies, particularly those located in countries that supplied Ukraine with armaments and training.
In February, the European Union Aviation Safety Agency revised one of its safety alerts to note an increase in spoofing and jamming of GNSS, global navigation satellite systems including GPS, in certain geographical regions and conflict zones, and provided mitigation recommendations. The effects of GNSS jamming and/or spoofing in some cases caused unsafe flight scenarios that required aircraft rerouting or additional pilot guidance.
New strides were also taken toward improving cyber defenses. In April, it was reported that the U.S. Office of the National Cyber Director held a workshop with satellite manufacturers to raise awareness about securing satellites against cyberattacks and engaged experts from industry, government and academia to address policy gaps in safeguarding space from hackers. In June, a cybersecurity working group kicked off an international technical effort to build a more secure-by-design space sector. This IEEE standard for space system cybersecurity would provide requirements for securing space systems, including ground stations and spacecraft, and “establish trustworthiness criteria amongst various elements of the space systems ecosystem,” according to the working group’s webpage.
As threats increase, governments and companies are increasingly acknowledging the security risk and investing in training and education. In August, the Aerospace Village met at DEF CON 31, which included the U.S. Air Force and Space Force’s Hack-A-Sat capture-the-flag competition. For the first time, five international teams of security researchers ethically hacked a satellite orbiting around Earth at 5 miles per second. Their mission was to establish a data link, capture a ground target image, download it to a ground station and overcome satellite-imposed restrictions while defending against other teams’ attacks. The Italian team mcHACKeroni was declared the winner.
Also during this conference, a capture-the-flag event was held with the Aviation Information Sharing and Analysis Center, in collaboration with Embry-Riddle Aeronautical University. Participants tackled problems resulting from simulated cyberattacks at a major airport. Boeing, Lockheed Martin and SpaceX also presented capture-the-flag challenges related to commercial aircraft, military aircraft and satellites, respectively.
Formal education courses were also offered throughout the year, including the International Civil Aviation Organization aviation cybersecurity course offered by Embry-Riddle, the International Air Transport Association course, and Indiana University’s Kelley space-cybersecurity digital badge.