Airlines are flying blind on third-party risks

The aviation industry has traditionally focused on physical security threats, but recent revelations about risks on Boeing‘s supply chain have spotlighted the critical need to measure and mitigate supply chain risk, according to SecurityScorecard.

The report comes as regulatory bodies worldwide ramp up cybersecurity requirements for the aviation sector. The US Transportation Security Administration introduced new mandates in March 2023, and the EU’s Implementing Regulation 2023/203 will take effect in 2026, setting a new standard for aviation information security risk management. As the aviation industry grapples with supply chain cyber threats, understanding these risks’ entire scope and impact is crucial for developing effective mitigation strategies.

The aviation industry scores a “B” on cybersecurity

The aviation industry scores a “B” on average. While this isn’t a failing grade, significant disparities exist. Organizations with a B rating are 2.9x more likely to be victims of data breaches than those with an A rating.

Notably, aviation-specific software and IT vendors score the lowest, with a mean score of 83, posing substantial third-party risks for their airline customers. By the same token, customers can also pose third-party risks for their vendors. For example, this research yielded three recent examples of breaches at airlines exposing information on their aerospace and aviation vendors. Software and other IT products and services in general enable as much as 75% of third-party breaches across all industries.

7% of companies in the sample publicly reported breaches in the past year; 17% had evidence of at least one compromised machine in the past year. In addition, airlines had 4% more breaches than the industry benchmark due to vulnerabilities in lower-scoring vendors raising their third-party risks.

Advanced economies like Western Europe and Australia achieve better cybersecurity outcomes, with scores significantly higher than emerging markets. Aggressive nation-state threats from countries like China indicate major turbulence ahead.

Airlines with the best performance rankings from aviation and travel industry analysts and consumer publications have above-average security ratings. Average scores for budget airlines are nearly the same as those of full-service airlines.

Ransomware is a top threat

Application security is the most common area in which aviation organizations score lowest. The most common application security issues that have the worst impact on scores are HTTP usage in redirect chains and the lack of two key attributes in session cookies.

The lack of “secure” attributes enables cookie transmission via HTTP connections, running the risk of interception by attackers, who can use them to gain access. The lack of “HTTPOnly” attributes allows client-side scripts like JavaScript to access them, increasing the risk of cross-site scripting and other attacks with which attackers can hijack sessions.

Ransomware is the dominant theme in public reporting of attacks on this industry. Ransomware operators actively targeting the aviation industry have included BlackCat, LockBit, BianLian, and Dunghill Leak.

The technology for physical security systems is another sensitive target for this industry, given the extensive physical security restrictions around airlines’ ground operations and the sensitivity of aviation hardware. For example, French aerospace manufacturer and aviation services provider Thales, along with several other organizations, experienced a third-party data breach in June 2023 via its physical access control systems vendor, Belgium-based Automatic Systems.

Top-performing airlines, as ranked by industry and consumer standards, have above-average security scores, indicating a link between operational excellence in general and cybersecurity performance in particular.

“The aviation industry operates on a complex web of partnerships, but a company’s security is only as strong as its weakest link. Our research shows airlines are flying blind on third-party risks. It’s time for the industry to take control and prioritize robust security measures across their entire ecosystem before turbulence turns into a disaster,” said Ryan Sherstobitoff, SVP of Threat Research and Intelligence.