Why Are Airlines a Prime Target for Cyberattacks?

Recent high-profile cyberattacks on American Airlines and Japan Airlines have highlighted the vulnerabilities within the aviation sector and underscored the need for robust cybersecurity measures. 

On the morning of December 26, 2024, Japan Airlines (JAL) began experiencing system malfunctions. Ultimately, the airline discovered that these malfunctioning systems were the result of a cyberattack. Although no data was leaked, the attack led to massive delays and halted ticket sales, which caused the airline to lose business and eroded trust with its customers.

The holiday season cyberattack on JAL came just months after hackers gained access to customer data from American Airlines. The United States–based airline reported that the attack, which they discovered in July 2024, may have compromised a small group of customers’ birth dates, driver’s license and passport numbers, and medical information.

These cyberthreat incidents are stark reminders of the risks posed by sophisticated threat actors who continuously evolve their tactics to exploit weaknesses in airline systems. As the aviation industry continues to adopt technologies such as artificial intelligence (AI), cloud computing, and the Internet of Things (IoT), the attack surface for cybercriminals expands, making it imperative for airlines to stay one step ahead in their cybersecurity efforts.

There are a few key reasons why airlines are frequent targets for cybercriminals, including:

• Operational complexity
• High value of data
• Operational disruption
• Geopolitical motives
• Trust exploitation

Airline operations are inherently complex because of the aviation industry’s stringent regulatory requirements and airlines’ reliance on extensive, interdependent systems. To fulfill its many specialized needs, an airline's supply chain typically includes a global network of diverse providers and suppliers, which requires its operational systems to be interconnected and accessible to others. Any loss of connectivity will have a significant operational impact including flight delays and cancellations.

Passenger data, including travel patterns and preferences, is highly lucrative for cybercriminals. If this type of personal data is part of a data breach, it can be monetized directly or used for targeted phishing campaigns.

Airlines depend on seamless operations. Cybercriminals and hackers exploit this dependency to launch cyberattacks and ransomware attacks, knowing that airlines are likely to pay hefty ransoms to restore operations quickly or to ensure data remains safe.

Airlines are often targeted for geopolitical reasons, with state-sponsored attackers seeking to gather intelligence or disrupt national infrastructure.

Airlines are trusted entities and any operational disruptions or data breaches can tarnish their reputations and erode passenger trust, providing attackers with leverage over the victim organization.

To counter the growing threat of cyberattacks, airlines should look to adopt a multilayered cybersecurity strategy. A few actions that airlines can take to improve their security posture include:

• Moving to a Zero Trust security architecture
• Using network segmentation to limit the impact of cyberattacks
• Enhancing employee training and awareness
• Upgrading outdated systems
• Creating an incident response plan
• Collaborating with other airlines, regulatory bodies, and cybersecurity organizations

In a Zero Trust network, no user or device is automatically trusted, even if it is already part of the network or has been authenticated before. Implementing a Zero Trust approach ensures that every device and every user (from employees to partners and contractors) is authenticated and authorized before system access is granted. This minimizes the risk of unauthorized access to sensitive data by cybercriminals who are posing as legitimate users. 

In the United States, the Transportation Security Administration (TSA) has released specific guidance on cybersecurity requirements for airport and aircraft operators. This guidance mandates that airlines create access control measures to secure and prevent unauthorized access to critical systems. One sound approach is to eliminate the use of VPNs for application and system access and replace those with a Zero Trust Network Access (ZTNA) solution.

Many cybersecurity incidents and ransomware attacks begin with an attacker exploiting a known system vulnerability or using phishing to gain an initial foothold into an airline’s network. Once that initial access is gained, attackers tend to move laterally, seeking access to additional assets and finding other systems to exploit or lock with ransomware.

Luckily, there’s a way to prevent attackers from moving deeper and causing additional damage once they’ve gained initial access to a network: segmentation. The TSA states that airlines should develop network segmentation policies and controls to ensure that operational technology systems can continue to operate safely in the event that an information technology system has been compromised, and vice versa.

Airlines should look to deploy microsegmentation solutions that can prevent lateral movement and limit the blast radius impact of a cyberattack or ransomware incident.

Even if just one employee falls victim to a phishing attack, it can have devastating consequences. To help employees recognize phishing attempts and other social engineering tactics, airlines should provide regular training sessions. They should also regularly train employees on how to handle sensitive data and share best practices for securing their devices. 

Replacing outdated systems with a modern, secure infrastructure is a critical step in fortifying the resilience of any organization, particularly in industries like aviation in which safety and efficiency are paramount. Legacy systems often contain inherent vulnerabilities due to outdated technology, lack of support, and limited compatibility with contemporary security measures.

Upgrading to advanced systems enhances operational reliability, scalability, and cybersecurity by incorporating features such as real-time monitoring, automated threat detection, and robust encryption protocols.

In the event of a cyberattack, a robust incident response plan ensures quick containment and recovery while minimizing damage. The plan should outline roles, procedures, and communication strategies and should be tested regularly.

Sharing threat intelligence across the aviation industry can play a crucial role in enhancing the industry's collective resilience against emerging cyberthreats and reduce the impact of cyberattacks. By fostering partnerships among airlines, airports, regulatory bodies, and cybersecurity organizations, the aviation sector can build a unified defense strategy. 

Collaborative efforts enable the timely exchange of critical information about vulnerabilities, attack methods, and mitigation strategies, which may help stakeholders stay ahead of adversaries.

As the aviation industry continues to embrace digital transformation, the threat landscape will evolve, increasing the attack surface and exposing new vulnerabilities. Airlines must prioritize cybersecurity as a core component of their operations to protect passengers, maintain trust, and ensure uninterrupted service. 

The recent attacks on American Airlines and Japan Airlines serve as a wake-up call, emphasizing the urgent need for proactive cybersecurity measures to safeguard the skies.