Rising Curve: Cyberattacks on the Civil Aviation Sector

There are two distinct generations of cyberattacks targeting the civil aviation sector. The first generation involves basic breaches of aviation systems, resulting in minor losses such as flight delays. The second generation is more advanced, primarily targeting data and posing increasing risks to air navigation. This concern was highlighted in UN Security Council Resolution 2341, adopted in 2017, which focused on enhancing cybersecurity to protect critical infrastructure from terrorist attacks. The resolution drew international attention to the potential exploitation of vulnerabilities in the aviation sector by terrorist organizations or hostile states, leading to an increase in cyber threats.
Warning Voices
Numerous warnings and analyses have highlighted the massive economic losses suffered by the civil aviation sector due to the increasing number of cyber risks, threats, and attacks over recent years, and the likelihood of such threats intensifying in the future. Dr. Abdel Khalek Mohamed Lotfy, Head of Communications and Information Technology at Cairo Airport Company, estimated that the losses incurred by countries due to cyberattacks on national aviation companies and facilities could reach trillions of dollars, with projections suggesting these losses might amount to $23 trillion by 2027. KPMG reported that the civil aviation sector suffered a significant loss of $252 billion in 2020. Similarly, during the “Aviation Cybersecurity Forum,” Luis Felipe de Oliveira, Director General of the Airports Council International, emphasized the attractiveness of the aviation sector to both states and hackers due to the vast amount of data it holds, making it a target for phishing, malware, and other cyberattacks, which have indeed increased recently.
In March 2022, Salvatore Sciacchitano, President of the International Civil Aviation Organization (ICAO), confirmed the growing number of cyberattacks targeting the civil aviation sector, noting that 61% of the world’s airports had been affected. He warned during the same “Aviation Cybersecurity Forum” of the increasing severity and frequency of these attacks, as they lead to significant losses. In a related context, Sylvain Lefèvre, Deputy Director of Aviation Security and Facilitation at ICAO, stressed that all member states must adhere to specific standards. These include ensuring that operators and aviation facility management understand the sensitivity of the information, systems, and data used in civil aviation, building robust protection systems against external breaches, implementing strict evaluation programs, and limiting remote access to various systems. However, an ICAO audit of 54 countries revealed significant gaps, with 15% of the countries lacking the necessary infrastructure and risk identification measures, and 26% having no clear cybersecurity definitions.
According to data from the European Union Aviation Safety Agency (EASA), the number of cyberattacks on the civil aviation sector surged sharply during the COVID-19 pandemic, with the period between 2019 and 2020 witnessing a fivefold increase in such attacks. Commercial airlines became the target of nearly 61% of the detected cyberattacks on the aviation sector in 2020. Patricia Reverdy, Executive Secretary of the European Civil Aviation Conference, suggested that the reality could far exceed these numbers, especially given the confidential nature of many cyberattacks, which often go unreported by those affected.
Cases and Examples
Several countries have experienced cyberattacks targeting their civil aviation sectors, with varying degrees of impact. The following is a chronological overview of the most notable incidents:
Egypt: In November 2023, Cairo International Airport experienced a cyberattack targeting its website, although not its internal systems, as both are separate. The Egyptian Ministry of Civil Aviation confirmed that the breach was successfully countered by taking the website offline as a precaution until its readiness was ensured, with work continuing through alternative means. All services and data on the site, including passenger information, airline data, restaurant and café listings, duty-free shops, and lounges, were secured, with no disruption to services provided to passengers or between the airport and airlines. The hacking group “Anonymous” claimed responsibility for the attack, stating it had caused the Cairo Airport app to shut down and the website to be offline for 20 hours, also targeting the airport’s email service. Egyptian officials confirmed that the attack originated outside Egypt’s borders.
United States: On October 10, 2022, several U.S. airports, including LaGuardia Airport in New York, Hartsfield-Jackson Atlanta International Airport, Des Moines International Airport in Iowa, Los Angeles International Airport, and Chicago O’Hare International Airport, as well as the “Fly LAX” website, were hit by Russian cyberattacks. These attacks targeted systems unrelated to air traffic control, airline internal coordination, or transportation security, but they disrupted public access to web domains that report airport wait times and congestion. Despite efforts to restore systems at each airport, similar attacks affected multiple airports, leading some websites to operate in a backup and partial capacity without impacting air traffic control, communications, transportation security, or internal systems.
Iran: On November 21, 2021, Mahan Air, Iran’s leading private airline after state-owned Iran Air and a target of U.S. sanctions since 2011, experienced a cyberattack on its computer system. Despite the attack, the airline’s flight schedule remained unaffected. The airline acknowledged that it had been targeted by multiple cyberattacks in the past, attributing this to its significant role in the country’s aviation industry.
United Kingdom: In January 2020, British airline EasyJet suffered a breach that compromised the data of 9 million customers, although the company did not disclose the incident until May of the same year. Following the breach, multiple class-action lawsuits were filed by 10,000 customers from over 50 countries, seeking compensation of £18 billion, particularly as the company had hidden the breach for four months. During that time, hackers accessed passengers’ email addresses and some travel-related data, though not their passports. Additionally, British Airways experienced a cyberattack in 2018 on its JavaScript library, which involved malicious code known as Magecart. The attack compromised the data of over 400,000 customers and employees due to inadequate security measures during the processing of sensitive personal information, including payment card details, addresses, and names. The airline was subsequently fined £20 million for failing to protect customers’ financial and personal data.
Hong Kong: In 2018, Cathay Pacific Airways was hit by a cyberattack that continued intensely until May 2020, compromising the data of 9.4 million customers. The stolen data included credit card information, passport details, phone numbers, and more. The primary cause of the breach was the airline’s inadequate password protection, backup file security, and the outdated operating system in use. In September 2018, the airline introduced multi-factor authentication (MFA) across its user base to prevent future attacks.
Canada: In 2018, Air Canada experienced a data breach affecting approximately 20,000 customers through its mobile app. Analysts suggested that the compromised information included phone numbers, email addresses, passport details, customer addresses, nationalities, frequent flyer information, and more. However, the airline denied that any financial information related to payment methods was stolen. Following the breach, Air Canada closed the accounts of all customers who had changed their passwords and sent emails assuring them that their passwords were not at risk and that the airline was working with experts to improve security measures.
Saudi Arabia: In December 2016, the Saudi General Authority of Civil Aviation announced that six Saudi facilities, including the General Authority of Civil Aviation itself, had been targeted by a series of cyberattacks. While none of its navigation systems, airports, main networks, human resources, financial systems, security permits, operating systems, or websites were affected, some airport servers and devices were disabled, leading to disruptions in the services provided. The attacks attempted to seize data from computer systems and install malware. Some employee desktop computers were also affected until the infected devices were isolated from the network and data was safely restored, while unaffected devices were provided to employees to resume their work. Subsequently, service to the affected systems was restored after a precautionary shutdown and monitoring.
Explanatory Factors
The above cases, diverse in nature and varying in the severity of the damage caused, can potentially be explained by the following factors:
Attractiveness of the Aviation Sector: Air transport is a vital industry that significantly contributes to economic development and national income, playing an important role in trade, transportation, infrastructure, and more. As such, the aviation industry is an attractive target for states, hackers, and amateurs due to the sensitive data it holds, such as passenger names, identity numbers, passport details, residences, photos, biometric fingerprints, travel destinations, and more. Hackers and amateurs can extract high-value credit card payment data from such information and use it in various online fraud schemes, or employ ransomware or distributed denial-of-service (DDoS) attacks to extort airlines.
Global Digitization of the Aviation Sector: The aviation sector is undoubtedly equipped with a wide range of advanced technological systems. As airports continue to embrace technological advancements to keep pace with the evolution of aircraft operations and data management, the digitization of air traffic management and its networked nature, coupled with the global interconnection of aircraft information systems for security and route determination, are expected to increase the risks and challenges facing civil aviation. This is particularly true with the integration of advanced technologies such as artificial intelligence (AI) in cyberattacks targeting the sector. Even a limited cyberattack on any operating system can cause rapid global damage and expose the data within those systems to corruption, increasing the number of exploitable vulnerabilities.
Multiplicity of Aviation Systems Requiring Protection: Over the past decade, aircraft have evolved into what could be termed a “flying data center,” necessitating the protection and fortification of multiple systems against cyberattacks. These include aircraft communication and takeoff systems, online and mobile travel booking systems, payment and ticketing systems, cargo data systems, internal websites of aviation companies, personal customer information, and more.
Exploitation of the Pandemic: The global outbreak of COVID-19 in 2020 highlighted the dangers and risks of cyberattacks, which targeted airlines as well as a wide range of other sectors. Most aviation companies were severely impacted by the pandemic, with many airlines being unable to repay loans and settle financial commitments due to cash shortages, leading to bankruptcies and liquidation. However, the increase in cyberattacks on the sector from 2019 to 2020 was primarily due to the increase in remote work and the digitization of the sector’s infrastructure, which allowed attackers to exploit the rising demand for information by conducting phishing attacks and spreading ransomware.
Technological Shortcomings: Despite the widespread digitization of the aviation sector, it is often neglected by governments, leaving airlines vulnerable to cyberattacks. For instance, some airlines continue to use outdated operating systems that are no longer supported by manufacturers, making them more susceptible to attacks. Similarly, some airlines fail to implement multi-factor authentication (MFA) in their internal systems, resulting in data breaches and unauthorized access to employees’ personal information. Therefore, cyberattacks on aviation companies are considered one of the greatest threats to the airline industry in the future.
Conclusion
In conclusion, the rapid evolution of civil aviation, whether through the widespread use of technology in this vital sector, reliance on digital infrastructure, or significant gaps in the technical capabilities of the sector, has led to an increase in cyberattacks on various airports and national airlines. This has sparked widespread debate among industry experts regarding the future of aviation in light of these attacks. Experts have even suggested that we may one day witness cyber hijackings, as today’s attackers are not limited to breaching individual airport systems, and most cyberattacks target advanced airport systems that could pose significant challenges to the aviation industry in the future.



