As the world becomes further digitalised and increasingly interconnected, exposure to cyber threats is more imminent. Information security experts often state that it is not a matter of “if” but rather “when” a certain entity will be targeted by cybercriminals. The aviation domain is not immune to such threats. There are information security threats that can lead to disruptions in operations or impact on aviation safety.
EASA’s mission to ensure safe air travel in Europe (and worldwide) includes mitigation of information security risks. The European Union (EU) Regulatory package requires that information security risks are identified, assessed, and treated in a proportionate way by organisations active in the entire civil aviation ecosystem and then controlled to avoid adverse effects on citizens’ safety. This ecosystem includes organisations involved in aircraft design, production, maintenance, operations, training and all activities necessary to ensure safe flight operations.
Which are the threats to aviation and where are they coming from?
Aviation is a "system of systems" comprising — alongside aeronautical products and their associated technologies — people, processes, and other intangible assets that are in turn vulnerable to information security threats.
All the different systems are complex and highly interconnected. There are countless attack paths that can lead to a safety problem and the aircraft is the last line of defence. Any link between aircraft and ground (wireless or not), any maintenance component, any industrial system and of course the supply chain are all subject to potential threats. These threats are potential violations stemming from unauthorized access, use, disclosure, disruption, modification and/or destruction of information and information systems involved in the aviation system. Many attacks can find their root cause in negligence or lack of awareness of employees.
Threats can come from diverse parties including cybercrime actors, hacktivists, and even state sponsored actors. The motivation behind such attacks can be financial, political, or personal reasons such as recognition or a sense of achievement.
Which sectors in aviation seem to be the most attractive to malicious actors?
Based on the data that the EASA Cyber Threat Intelligence team collects, airports seemed to be the most popular target of cyber-attacks in late 2024, with more than 50% of recorded targeted attacks against aviation. Most of these are Denial-of-Services attacks – that’s when cybercriminals overwhelm a system with a high amount of traffic in order to crash it. This can be linked with hacktivist activity, which is often fuelled by geopolitical tension. It seems that airports provide high visibility when targeted due to the significant visible impact following an incident. Flight cancellation boards and unhappy, delayed passengers are easy visual material for news stories.
Air operators seem to be the second most attractive target for malicious actors, with around 25% of attacks targeting airlines. Apart from Denial-of-Service attacks, air operators suffer also from ransomware attacks (when cybercriminals encrypt the data of an entity and demand a ransom to decrypt them) as well as data breaches. Therefore, the attacks have not only a safety impact but also an impact on business continuity and operations.
Other impacted sectors based on the recorded data are aircraft manufacturers and maintenance, repair, and overhaul organisations as well as governmental institutions, which also suffer different types of cyber-attacks daily.
What is EASA doing to make aviation more resilient to cyber attacks?
EASA's approach to cybersecurity in aviation has four pillars: aviation products certification, organisational information security risks, information sharing and capacity building.
Aviation Products Certification
Initially, cybersecurity in this context was addressed on a case-by-case basis. Applicants (organisations seeking certification of an aircraft) needed to assess the potential effects that information security threats could have on the safety of the aircraft systems and networks.
With aircraft systems and parts becoming more interconnected, there were more potential attack paths. So, the threat could no longer be addressed on a case-by-case basis and a holistic approach was needed.
For that purpose, EASA incorporated specific requirements for the certification of aircraft that specify that “aeroplane equipment, systems and networks, considered separately and in relation to other systems, must be protected from intentional unauthorised electronic interactions that may result in adverse effects on the safety of the aeroplane”.
Organisational Information Security Risks
As information security threats are not only limited to the aircraft design but also include people and processes, a new set of rules were published in 2022 and 2023, the so-called “Part-IS”, where IS stands for “Information Security” (consisting of the Delegated (EU) 2022/1645 and the Implementing (EU) 2023/203, for those who want to dig deeper). Part-IS lays down requirements with the objective to protect the aviation system from information security risks that have a potential impact on safety. Part-IS covers information and communication technology systems and data used by Approved Organisations and Authorities for civil aviation purposes. To achieve its objective, Part-IS requires setting up, implementing, and maintaining an Information Security Management System.
Information sharing
The third pillar is information sharing, which is currently conducted under two different streams. The European Centre for Cybersecurity in Aviation, which consists of stakeholders from both the industry as well as from authorities, and the Network of Cyber Analysts, which comprises representatives from member states. These are communities where trust among participating organisations has been built that allows them to share knowledge, such as threat intelligence in the form of reports, alerts on possible threats and insights from incidents analysis, and to promote collaboration amongst the members.
Capacity building
Last but not least, capacity building activities are an important part of EASA's approach on cybersecurity. Given the rapid pace of technological advancements it is important for the EASA cybersecurity team to remain up to date. Therefore, training is an important element of the team activities alongside with research, which plays a key role to understand the future threat landscape and to adopt a proactive stance against cybersecurity threats.
Horizon Europe Research Project: CYBER - Aviation resilience & cybersecurity threat landscape
In 2024, EASA launched a research project on cyber aviation resilience and cybersecurity threat landscape. This project aims to identify cybersecurity threats having a potential negative impact on the safety of flight operations. With this knowledge, EASA aims to help build a stronger and more resilient aviation system for the future.
EASA's Cybersecurity Community
If you are interested in following all the activities above, EASA has created a Cybersecurity Community where we share information on the wide range of topics related to cybersecurity in aviation. Whether an enthusiast or an expert in the field, we would be happy to have you onboard to exchange on a number of interesting topics in the area of cybersecurity in aviation.
Some notes on GNSS interference: jamming and spoofing
Since February 2022, there has been a notable increase in global navigation satellite system (GNSS) jamming and spoofing, particularly in regions surrounding conflict zones and other sensitive areas such as the Mediterranean, Black Sea, Middle East, Baltic Sea, and the Arctic. You might even have seen some news about it. These incidents also fall under aviation cybersecurity.
Jamming refers to the intentional radio frequency interference that prevents GNSS receivers from locking onto satellite signals, rendering the system ineffective or degraded. Spoofing involves broadcasting counterfeit satellite signals to deceive GNSS receivers, causing incorrect position, navigation, and timing data – so, the system might tell the pilots that they are flying over Paris at 7 o’clock in the morning, when in reality, they are flying above Rome at night. These interferences can lead to various operational challenges for aircraft and ground systems, but there has been no impact on the safety of flights. EASA is continuously monitoring the phenomenon, to be ready to provide advice to all aviation actors in case there are indications that safety might be impacted.