Connectivity demands robust cybersecurity culture

While digitization has enhanced efficiency and capacity, accompanying cyberthreats have grown dramatically, making air transport an attractive target for malicious intent.

By Don Van Dyke
ATP/Helo/CFII, F28, Bell 222
Pro Pilot Canada Technical Editor

Aerospace cybersecurity seeks to maintain safe, secure, and reliable connectivity in the face of vulnerabilities and growing cyberthreats. At least 2 US government agencies provide oversight of cyberthreats to civil aviation – the FAA Threat Analysis Team (TAT) and the Department of Homeland Security Cybersecurity & Infrastructure Security Agency (CISA).

The digital transformation of aviation has accelerated systems evolution through rapid prototyping, development, and introduction to market.

However, accompanying connectivity enhancements come at a price – intensified dependence and potentially greater vulnerability to loss of security and reliability. Connected aircraft are recognized agents of change, and the value of this core attribute increases their attractiveness as targets of malicious opportunity.

Importantly, most individuals and companies miss the point of making people more aware. A retired FBI Supervisory Special Agent of the Cyber Division noted that the private sector does not realize the lack of sophistication required to do serious damage to an organization.

Cyberattacks seek to gain benefit by degrading the confidentiality, integrity, and/or availability of aircraft operations. A cyberattack can endanger aircraft safety and affect operational reliability, business continuity, and financial health. Aviation cybersecurity acts to protect civil aviation organizations, operations, and passengers from such attacks.

For many, dealing with cybersecurity remains a complex, cloudy realm. Important concerns include unknowns such as:

• Does increasing digitization of aviation increase cyber risk?

• Are cyberthreats real?

• Can encryption amply secure software?

• Could aircraft be compromised?

Cybersecurity recommendations are effectively applied in at least 4 stages of an aircraft life cycle – procurement, delivery, continuing airworthiness, and operations.

As technologies evolve with greater hardware and software, aviation becomes increasingly connected through system architecture and the Internet. Aviation is ever more dependent on data and information, increasing exposure to the risks and threats posed by cyberattacks.


A recent analysis of FAA oversight of cybersecurity issues found that advanced airplanes are equipped with networks and systems that share data with pilots, passengers, maintenance crews, other aircraft, and air control in ways not previously feasible. Unprotected systems may succumb to a variety of potential cyberattacks, and connections between aircraft and other systems, combined with the evolving cyberthreat landscape, may compromise future flight safety.


A Wi-Fi router allows crew and passengers to connect personal electronic devices (PEDs) with an Internet protocol (IP) address to the Internet. Realistically, any device with an IP address is vulnerable to cyberattacks, including the router on an aircraft providing Wi-Fi connectivity to passengers and crew.

It’s one reason flight departments should regularly change that router’s password. Although company-issued PEDs, such as smartphones, tablets, and laptops, are often locked down with anti-malware protection, the weakest link in the network turns out to be a lack of awareness on the part of the human carrying them.

A 2017 NBAA connectivity survey of large cabin aircraft (78.3%) reported that:

• The primary uses of inflight cabin connectivity are email, web browsing, and virtual private network (VPN) services.

• Most respondents (74%) rated themselves as knowledgeable about cabin connectivity.

• 13.3% reported that they do not train crew or passengers, or that training is ineffective.

• Roughly 28.3% of flight operations are international and the remainder domestic.


Types of cyberattacks

The variety of cyberattacks commonly used to compromise systems includes:

• Malware (viruses, trojans, worms, ransomware, and spyware).

• Phishing (fraudulent emails disguised as coming from reliable sources to unsuspecting users).

• Man in the middle attacks (interception of a 2-part transaction where hackers put themselves in the middle).

• Denial of service (flooding systems, servers, and/or networks with traffic to overload resources and bandwidth, thereby rendering the system unable to process and fulfill legitimate requests).

• Structured Query Language (SQL) injections (inserting malicious code into a server using SQL, forcing the server to deliver protected information).

• Password attacks (eg, a “brute force attack”).


In the majority of cybersecurity breaches, the human element is to blame. A 2023 study of self-identified technology professionals from more than 90 countries indicated that 64% of respondents were not able to identify best practices for reducing phishing attacks.

Despite their innocent appearance, 2 distinct types of insider threats can be surprisingly dangerous.

Intentional insider threats, in which individuals misuse their privileges with malicious intent. Their actions may include compromising, damaging, or harming an organization’s assets or involve stealing sensitive data, sabotaging systems, or conducting fraud.

Unintentional or innocent insider threats, in which individuals inadvertently cause security breaches by falling victim to phishing emails, unknowingly sharing sensitive information, or misplacing files containing critical data.

Another avenue for innocent insider threats is smart devices connected via Bluetooth (speakers, toys, etc) which are subsequently Wi-Fi network-enabled by a smartphone app.

Table 1 presents an overview of common challenges to cybersecurity.


Cybersecurity culture

Humans are a factor in more than 85% of data breaches, confirming that the actions of individuals impact cybersecurity risks significantly.

The International Civil Aviation Organization (ICAO) says that cybersecurity culture is commonly understood to be a set of assumptions, attitudes, beliefs, behaviours, norms, perceptions, and values inherent in the daily operation of an organization and reflected by the actions and behaviours of all entities and personnel in their interaction with digital assets.

The goal of cybersecurity culture is to foster an environment where each member of an organization embraces attitudes and beliefs that drive secure behaviors. While technology and training play crucial roles in safeguarding companies against cyberthreats, they are not sufficient on their own. Behavior change is needed in cybersecurity culture to ensure that organizational safety becomes an integral part of daily responsibilities.

Risk reduction is a cybersecurity culture benefit which helps protect company assets by creating a mindset that recognizes risk and helps employees make informed decisions to enhance security. To achieve this, organizations can:

• Inspire safe behavior by encouraging sharing cybersecurity stories, engaging participation through campaigns, and highlighting actions which reinforce secure practices.

• Embed cybersecurity in the organizational fabric by making it an integral part of the organization’s culture.

• Reward secure behavior by recognizing individuals and organizations who contribute to a safer digital environment.

Elements regarding cybersecurity policies, culture, and strategies of 3 major international standard setting organizations are summarized in Table 2, highlighting elements useful in formulating a cybersecurity culture.


Even seemingly innocent actions can have significant consequences in the realm of cybersecurity.

A positive cybersecurity culture (embracing awareness, training, vigilance, and education) aims to make cybersecurity considerations part of the organization’s habits, conduct, and processes by embedding them in daily operations as reflected by the actions and behaviors of all personnel.

Sustainable cybersecurity culture is deliberate, engaging, rewarding, and focused on improving security while eliminating or limiting vulnerabilities.

Don Van Dyke is professor of advanced aerospace topics at Chicoutimi College of Aviation – CQFA Montréal. He is an 18,000-hour TT pilot and instructor with extensive airline, business and charter experience on both airplanes and helicopters. A former IATA ops director, he has served on several ICAO panels. He is a Fellow of the Royal Aeronautical Society and is a flight operations expert on technical projects under UN administration.