KSG Exec Brief: Final Boarding Call for Rethinking Aviation Cybersecurity
The seat belt sign is on. Expect a bumpy ride.
The aviation sector must adopt modern, more expansive risk models to navigate a strategic environment at the nexus of emerging cyber and geopolitical threats. The combination of legacy IT/OT with new connectivity interfaces, sprawling third-party dependencies and digital supply chains, strained corporate balance sheets and infosec budgets, increasing regulatory mandates, highly visible industry stumbles, and aggressive nation-state threats indicates major turbulence ahead.
The aviation industry had a no good, very bad week of IT and cybersecurity issues: a flawed software update at United triggered a nationwide ground stop during Labor Day travel, while WestJet experienced a “network-wide” technical disruption caused by an outage at industry service provider Sabre, which itself is now investigating claims of a ransomware data breach.
Further, CISA just released a cybersecurity advisory alerting the sector to indicators of compromise (IOCs) associated with multiple nation-state APTs that successfully compromised an aviation industry firm. Aviation security teams should be sweeping their environments for those IOCs now, not waiting for the next compliance cycle.
KSG sees the aviation industry increasingly at the nexus of cyber and geopolitical risk, with legacy infosec challenges exacerbated by advanced adversary threats and regulatory requirements. We assess that nation-state threat actors, cybercriminal groups, and hacktivist groups possess growing capability and intent to target Western firms supporting critical infrastructure, including aviation.
In particular, recent leaks of intelligence documents from Russia indicate a specific interest in targeting operational aviation systems. Further, Chinese threat actors are known to be targeting US critical infrastructure firms (including the aviation sector) given their military doctrine that sees disrupting civilian systems as a means of deterring or coercing US political decision-makers in a time of conflict.
Participants in the USAF Civil Reserve Air Fleet should also expect to be targeted for their role supporting contingency airlift requirements for the Department of Defense, something likely to be activated in a Taiwan crisis situation.
Against this geopolitical backdrop, aviation CISOs face a complex technology and cybersecurity risk environment, resulting from:
Growing integration of new tech into legacy systems, including new connectivity interfaces and e-Enabled aircraft;
Increasing federal cyber regulations and compliance requirements;
Constrained security budgets that limit focus to catastrophic risks and compliance;
Security cultures that often silo cyber/IT from the broader organization and create obstacles to effective enterprise engagement and operational collaboration;
Tactically oriented people, processes, and tooling aimed at immediate triage, not strategic risk;
Complex global supply chains that increase upstream risk exposure; and
Increasing third-party risks from the economy-wide move to, and dependency on, cloud-enabled services and the associated shift in risk management responsibilities.
While the geopolitical threats to aviation cybersecurity grow, aviation faces the technical difficulty of defending complex legacy and modern systems. The industry must protect a uniquely broad range of vulnerable elements: from its airport and online systems and data to vendor supply chains and airplane electronics. Despite all this, aviation cybersecurity’s resources and incentives lag the threat environment.
KSG saw these issues surface as we recently completed a strategic cyber risk and capability assessment for a major airline. As part of this engagement, KSG:
Developed and validated a strategic threat model that linked current and emerging risks to the corporate value chain and cyber capability requirements;
Reviewed and re-aligned their technical and security stack to achieve efficiencies while enhancing capability; and
Laid out a capability roadmap for corporate and cybersecurity leadership to jointly drive enhanced cyber risk governance and enterprise-wide engagement.
It is apparent to us that airlines are operating in an environment of rising cybersecurity and technology threats and are on the front lines of emerging geopolitical risk. At the same time, live operational demands, tactical incident response, and ever-growing compliance requirements make it difficult for security leaders to step back, reassess their posture against strategic risks, and communicate their needs to business executives.
Even when the risks are clear and the gaps manifest, tight budgets and other business priorities can get in the way of building an effective security organization. This requires high-level, executive engagement across the enterprise to help leadership understand how these risks impact operational reliability, customer relations, corporate liability, shareholder value, passenger safety, and even national security.
Success here can mean the difference between an industry-standard “bad day” and a “business existential event.”
For more information or assistance on these issues, please reach out to firstname.lastname@example.org.
India Relishes Rising Status as G20 Chair: As the world’s now most populous nation, with an economy set to grow by 7 percent this year, and a recently successful lunar landing, Delhi seeks to rebrand itself and burnish its position as a global power.
Xi Reportedly Confronted by Party Leaders over China’s Trajectory: While the sourcing is thin, a group of retired Communist Party leaders were said to have been worried by dire economic indicators, social unrest, and internecine turmoil among the military and diplomatic corps. President Xi later announced he would not appear at the G20 summit in India.
Gulf Monarchies Ascendant in Regional Projects, Global Finance: As Western private equity, venture capital and real-estate funds are hampered by interest rates, high energy prices have created a “gold rush” for infrastructure and investment in oil-rich Gulf states, increasingly acting as geopolitical free-agents.
Apple Advises Rapid Patches for Two New Zero-Day Exploits: Emergency updates are required to fix vulnerabilities in iPhone and Mac devices. Privacy watchdog Citizen Lab claimed the zero-click exploits had been used by NSO Group's Pegasus commercial spyware.
Google Warns of North Korean Campaign against Security Researchers: For nearly two years, vulnerability researchers have been targeted, most recently using an as-yet undisclosed zero-day in a popular software package. The vendor has been notified and is working on a fix, while Google urges vigilance among those in the field.
Microsoft Details Major Cloud Services Breach: The company found that a series of cascading security failures resulted in a consumer account signing key ending up in the hands of apparent Chinese hackers. The key was contained in a crash dump from an April 2021 system failure that was erroneously moved from the isolated production environment to the Internet-connected corporate network, where an engineer's compromised account gave the attackers access to it.
Strategic and Emerging Technology
UK’s Frontier AI Taskforce Issues First Progress Report: In the run-up to an AI Safety Summit in November, the group has recruited leading technologists and ethicists to advise the government on risks at the leading edge of development, at speed.
World’s Largest Wind Turbine Sets Power Generation Record: Just offshore of China’s Fujian Province, the 252-meter diameter mammoth turbine produced enough electricity on 1 September to power 170,000 homes, surpassing the August record set by Denmark.
US Energy Department Uses AI to Identify Non-Rare-Earth Magnets: Researchers used machine learning to identify abundant compounds that would react at the proper temperatures to produce a magnetic charge – key to new data storage and battery tech.
UK Lawmakers Step Back from Clash with Tech Firms on Encryption: The government now concedes that no technology currently exists to scan the content of encrypted messages (so-called “client-side scanning”) without undermining the privacy of those applications, and says the draft Online Safety Bill's scanning powers will be used only where technically feasible. Critics note, however, that the wording still leaves the door open to unprecedented future surveillance.
California Inches Closer to Data-Broker Clampdown: Widely viewed as a bellwether for other state and federal initiatives, the draft California Delete Act would enable users to block brokers from collecting, maintaining and selling their information.
Verizon Fined for Lack of Cybersecurity Controls: The company violated rules for federal contractors requiring standard encryption and Internet security protocols. The $4.1 million settlement with the Justice Department reflected the company’s proactive disclosure, cooperation with investigators, and remediation measures.
Atlantic Council: How China Weaponizes Software Vulnerability Reporting (From KSG’s own Dakota Cary!)
Carnegie Endowment: The US Can Flip the Script on China in Green Tech