Last week, PinnacleOne reviewed escalation dynamics in the Middle East.

This week, we turn our attention to domestic critical infrastructure with a look at recent developments in aviation cybersecurity.

Please subscribe to read future issues — and forward this newsletter to interested colleagues.

Contact us directly with any comments or questions: [email protected]

Insight Focus | Aviation Cybersecurity

The aviation sector continues to face a complex and evolving cybersecurity threat landscape with nation-state actors, cybercriminal groups, and hacktivists targeting critical infrastructure. Last week, the FAA issued a ground stop order on Alaska Airlines for one hour due to an “upgrade issue with flight software that calculates weight and balance.” This follows a similar hour-long nationwide ground stop last year caused by a software update at United Airlines, a network-wide outage at WestJet caused by a service provider, and a ransomware breach at Sabre.

Most concerningly, on Friday, the Department of Homeland Security (DHS) published an official notice stating that the Transportation Security Oversight Board (TSOB) has recommended to the Transportation Security Administration (TSA) that a cybersecurity emergency exists, warranting the expedited implementation of critical cyber mitigation measures through emergency regulatory authority.

The TSOB – including the Secretaries of Homeland Security, Transportation, Defense, and the Treasury, the Attorney General, the Director of National Intelligence, and a National Security Council representative — convened a meeting to review TSA’s transportation security plans for cybersecurity in the aviation sector and provide a recommendation regarding TSA’s emergency determination to issue Joint Emergency Amendment (EA) 23-01.

During the classified briefing, the TSOB was presented with sensitive security information and intelligence regarding the severe cyber threat to the aviation transportation system. The board discussed the circumstances leading to TSA’s issuance of Joint EA 23-01, which requires performance-based cybersecurity measures to prevent the disruption and degradation of critical systems. The TSOB’s recommendation endorsed the need for TSA to proceed with these critical mitigation measures on an emergency basis.

This development came in the context of a September 2023 advisory from the Cybersecurity and Infrastructure Security Agency (CISA), which identified indicators of compromise at an Aeronautical Sector organization as early as January 2023. Nation-state advanced persistent threat (APT) actors exploited vulnerabilities in a public-facing application (Zoho ManageEngine ServiceDesk Plus) and a firewall device to gain unauthorized access, establish persistence, and move laterally through the network. CISA warned that “additional APT actors were also observed exploiting CVE-2022-42475 to establish presence on the organization’s firewall device.” APT interest in critical infrastructure means that such exploitation happens on other devices and software, too, not just the Zoho product in this particular alert.

Aviation Cybersecurity Risks

Leaks of intelligence documents in 2023 from Russia indicated a specific interest in targeting operational aviation systems. Further, Chinese threat actors are known to be targeting US critical infrastructure firms (including the aviation sector) given their military doctrine that sees disrupting civilian systems as a means of deterring or coercing US political decision-makers in a time of conflict.

Participants in the USAF Civil Reserve Air Fleet should also expect to be targeted for their role supporting contingency airlift requirements for the Department of Defense, something likely to be activated in a Taiwan crisis situation.

Against this geopolitical backdrop, aviation CISOs face a complex technology and cybersecurity risk environment, resulting from:

• Growing integration of new tech into legacy systems, including new connectivity interfaces and e-Enabled aircraft;
• Increasing federal cyber regulations and compliance requirements;
• Constrained security budgets that limit focus to catastrophic risks and compliance;
• Security cultures that often silo cyber/IT from the broader organization and create obstacles to effective enterprise engagement and operational collaboration;
• Tactically oriented people, processes, and tooling aimed at immediate triage, not strategic risk;
• Complex global supply chains that increase upstream risk exposure; and
• Increasing third-party risks from the economy-wide move to, and dependency on, cloud-enabled services and the associated shift in risk management responsibilities.

While the geopolitical threats to aviation cybersecurity grow, aviation faces the technical difficulty of defending complex legacy and modern systems. The industry must protect a uniquely broad range of vulnerable elements from its airport and online systems and data to vendor supply chains and airplane electronics. Despite all this, aviation cybersecurity’s resources and incentives lag the threat environment.

Corporate executives must recognize that the aviation industry remains at the frontlines of emerging geopolitical risk, and cybersecurity threats have the potential to cause significant operational, financial, and reputational damage. The TSOB’s recommendation and the CISA advisory underscore the urgency of the situation and the need for high-level, enterprise-wide engagement to address these risks effectively.

Investing in a comprehensive cybersecurity strategy, aligning technical and security stacks, and fostering collaboration between corporate and cybersecurity leadership is essential to mitigate the risk of a catastrophic event. As the DHS notice and CISA advisory demonstrate, the stakes are high, and failure to act decisively could result in severe consequences for the aviation industry and national security.

The aviation sector must consider modern, more expansive risk models to navigate a strategic environment at the nexus of emerging cyber and geopolitical threats. Even when the risks are clear and the gaps manifest, tight budgets and other business priorities can get in the way of building an effective security organization. This requires high-level, executive engagement across the enterprise to help leadership understand how these risks impact operational reliability, customer relations, corporate liability, shareholder value, passenger safety, and national security.

The combination of legacy IT/OT with new connectivity interfaces, sprawling third-party dependencies and digital supply chains, strained corporate balance sheets and infosec budgets, increasing regulatory mandates, highly visible industry stumbles, and aggressive nation-state threats indicate major turbulence ahead.