SecurityScorecard today released new cybersecurity research on 250 leading global aerospace & aviation companies, including 100 top commercial passenger airlines. In The Cyber Risk Landscape of the Global Aviation Industry, 2024 report, security researchers provide a detailed examination of cybersecurity vulnerabilities across the airline industry and its various supply chains.
Novel insights into aviation cybersecurity
The report comes as regulatory bodies worldwide ramp up cybersecurity requirements for the aviation sector. The U.S. Transportation Security Administration introduced new mandates in March 2023, and the E.U.'s Implementing Regulation 2023/203 will take effect in 2026, setting a new standard for aviation information security risk management.
The aviation industry has traditionally focused on physical security threats, but recent revelations about risks on Boeing's supply chain have spotlighted the critical need to measure and mitigate supply chain risk. SecurityScorecard's latest research aims to elevate the discourse on supply chain cyber risk in particular, emphasizing the need and best practices for comprehensive cybersecurity monitoring across the aviation sector.
Key findings
- The aviation industry scores a "B” on cybersecurity: The aviation industry scores a "B" on average. While this isn't a failing grade, significant disparities exist. Organizations with a B rating are 2.9x more likely to be victims of data breaches than those with an A rating.
- Vulnerability of IT vendors and airlines: Notably, aviation-specific software and IT vendors score the lowest, with a mean score of 83, posing substantial third-party risks for their airline customers. By the same token, customers can also pose third-party risks for their vendors. For example, this research yielded three recent examples of breaches at airlines exposing information on their aerospace & aviation vendors.
- Impact of third-party breaches: 7% of companies in the sample publicly reported breaches in the past year; 17% had evidence of at least one compromised machine in the past year. In addition, airlines had 4% more breaches than the industry benchmark due to vulnerabilities in lower-scoring vendors raising their third-party risks.
- Global disparities at the nexus of cyber and geopolitical threats: Advanced economies like Western Europe and Australia achieve better cybersecurity outcomes, with scores significantly higher than emerging markets. Aggressive nation-state threats from countries like China indicate major turbulence ahead.
- Ransomware is a top threat: Ransomware is the dominant theme in public reporting of attacks on this industry. Ransomware operators actively targeting the aviation industry have included BlackCat, LockBit, BianLian, and Dunghill Leak..
- Correlation with performance: Top-performing airlines, as ranked by industry and consumer standards, have above-average security scores, indicating a link between operational excellence in general and cybersecurity performance in particular.
Cybersecurity recommendations for the aviation industry
Based on this analysis, SecurityScorecard threat researchers also offer actionable insights for enhancing cybersecurity in aviation:
- Prioritize software & IT vendors: Focus on mitigating risks from software and IT vendors, which pose the highest third-party risks.
- Expand third-party risk management: Include customers and other partners in third-party risk management programs to cover the full spectrum of potential threats.
- Enhance protection of key data: Implement robust defenses around aerospace intellectual property and passenger data, which are high-value targets for cybercriminals and state-sponsored actors.
- Avoid paying ransoms: Refrain from paying ransoms to prevent further incentivizing attacks and comply with legal restrictions.
Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence, said:
“The aviation industry operates on a complex web of partnerships, but a company's security is only as strong as its weakest link. Our research shows airlines are flying blind on third-party risks. It's time for the industry to take control and prioritize robust security measures across their entire ecosystem before turbulence turns into a disaster."
