
Cyber Threats to Aviation: ATC Systems, Airlines & Airport Infrastructure

Last updated: April 2026

  • Incidents (2020-2025): 30+
  • Primary vector: Ransomware
  • Regulatory: ICAO Annex 17
  • ADS-B auth: None

The Aviation Cyber Landscape

Aviation's digital transformation — from electronic flight bags and connected aircraft to system-wide information management (SWIM) — has expanded the attack surface available to malicious actors. ICAO's Cybersecurity Strategy, adopted in 2020 and updated in 2023, identifies aviation cybersecurity as a strategic priority, noting that "the increasing connectivity and digitalization of aviation systems creates vulnerabilities that did not exist in previous generations of air transport infrastructure."

According to EUROCONTROL's Aviation ISAC (Information Sharing and Analysis Centre), the number of publicly reported cyber incidents affecting aviation entities has increased steadily, with over 30 significant incidents documented between 2020 and 2025. These range from ransomware attacks on airline IT systems to attempted intrusions against air navigation service providers.

Air Traffic Control System Vulnerabilities

ATC systems have historically operated on isolated networks, but the transition to SWIM (System Wide Information Management) — ICAO's framework for aviation data sharing — introduces IP-based connectivity between previously segregated systems. EUROCONTROL analysis notes that while SWIM enables more efficient data exchange, it creates new network pathways that require rigorous security architecture.

FAA data shows that the US NextGen modernization program has incorporated cybersecurity requirements into its architecture, but legacy systems — some dating to the 1970s and 1980s — remain in operational use alongside modern components. The GAO (Government Accountability Office) has repeatedly identified the cybersecurity of FAA systems as a "high-risk" area, most recently in 2024.

EASA's NIS2 compliance framework, which applies to air navigation service providers across Europe, mandates specific cybersecurity measures including network segmentation, intrusion detection, and incident response capabilities. Implementation timelines vary by member state.

ADS-B: The Unauthenticated Broadcast Problem

Automatic Dependent Surveillance-Broadcast (ADS-B) is the backbone of modern air traffic surveillance. Every ADS-B-equipped aircraft continuously broadcasts its GPS-derived position, altitude, speed, and identity on 1090 MHz. The fundamental security limitation is that these broadcasts are unauthenticated and unencrypted.

According to academic research published by multiple universities and cited by ICAO, it is technically feasible to inject false ADS-B messages using commercially available software-defined radios. A malicious actor could create "ghost aircraft" on ATC displays, modify the apparent position of real aircraft, or delete aircraft from surveillance. EUROCONTROL's 2023 threat assessment categorized ADS-B injection as a "demonstrated capability" at the research level.

No authentication layer was included in the ADS-B standard (DO-260B). Retrofit is complex because the protocol was designed for simplicity and low bandwidth. ICAO and RTCA (the standards body) have acknowledged the gap, but no certified solution for ADS-B authentication exists as of 2026. The primary mitigation is multi-sensor fusion — cross-referencing ADS-B data with primary radar and multilateration to detect inconsistencies.
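
A minimal sketch of the multi-sensor cross-check described above, added here as an illustration and not taken from ICAO, EUROCONTROL or any fielded surveillance tracker. The record fields, the 1 NM gate, the 8-second age limit and all sample plots are constructed assumptions.

```python
import math

def dist_m(a, b):
    """Great-circle distance in metres between two plots (haversine)."""
    p1, p2 = math.radians(a["lat"]), math.radians(b["lat"])
    dl = math.radians(b["lon"] - a["lon"])
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6_371_000 * math.asin(math.sqrt(h))

def cross_check(adsb, mlat, radar, gate_m=1852.0, max_age_s=8.0):
    """Compare ADS-B self-reports with independently measured positions.
    adsb/mlat: lists of {"icao", "t", "lat", "lon"}; radar: {"t", "lat", "lon"}
    (primary radar carries no identity). Thresholds are illustrative assumptions.
    Returns (status per ICAO address, radar plots with no ADS-B report nearby).
    """
    def fresh(x, y):
        return abs(x["t"] - y["t"]) <= max_age_s
    status, matched = {}, set()
    for rep in adsb:
        near_radar = [i for i, p in enumerate(radar) if fresh(rep, p) and dist_m(rep, p) <= gate_m]
        matched.update(near_radar)
        fixes = [m for m in mlat if m["icao"] == rep["icao"] and fresh(rep, m)]
        if fixes and min(dist_m(rep, m) for m in fixes) > gate_m:
            status[rep["icao"]] = "POSITION_MISMATCH"  # claimed position disagrees with MLAT
        elif fixes or near_radar:
            status[rep["icao"]] = "CONSISTENT"
        else:
            status[rep["icao"]] = "UNCORROBORATED"     # no independent sensor sees it
    unreported = [p for i, p in enumerate(radar) if i not in matched]
    return status, unreported

# Constructed sample data (not real traffic): one time slice around t=100 s.
ADSB = [
    {"icao": "4CA001", "t": 100.0, "lat": 50.0000, "lon": 8.0000},  # genuine
    {"icao": "4CA002", "t": 100.5, "lat": 50.5000, "lon": 8.5000},  # position altered
    {"icao": "ABCDEF", "t": 101.0, "lat": 49.2000, "lon": 7.1000},  # nothing behind it
]
MLAT = [
    {"icao": "4CA001", "t": 99.0, "lat": 50.0010, "lon": 8.0010},
    {"icao": "4CA002", "t": 100.0, "lat": 50.3000, "lon": 8.5000},
]
RADAR = [
    {"t": 98.0, "lat": 50.0005, "lon": 8.0005},   # matches 4CA001
    {"t": 99.5, "lat": 50.3002, "lon": 8.4998},   # measured position of 4CA002
    {"t": 100.0, "lat": 51.0000, "lon": 9.0000},  # target with no ADS-B report
]

if __name__ == "__main__":
    print(cross_check(ADSB, MLAT, RADAR))
```

The second return value contains both radar targets that broadcast nothing and the measured position of an aircraft whose ADS-B report was placed elsewhere, so it is worth correlating with any POSITION_MISMATCH finding.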

Ransomware and IT-Side Attacks

The most frequent cyber incidents affecting aviation have been ransomware attacks against airline IT systems and airport operational technology. According to EUROCONTROL's Aviation ISAC data:

  • Airport systems: The August 2024 attack on Seattle-Tacoma International Airport affected check-in systems, flight information displays, and baggage handling for over a week. Port of Seattle officials confirmed that operational technology networks were compromised.
  • Airline operations: Multiple airlines have experienced attacks affecting booking systems, crew management, and ground operations. While flight safety systems (avionics, flight management) remain air-gapped from IT networks, disruption to ground operations can cause widespread cancellations and delays.
  • Air navigation service providers: Several European ANSPs have been targeted by DDoS and intrusion attempts. EUROCONTROL itself experienced a cyberattack in 2023 that briefly affected some administrative systems, though operational air traffic services were not impacted.

Regulatory Framework

ICAO Annex 17 (Security) was amended in 2020 to include cybersecurity as a component of aviation security, requiring states to "identify and protect critical information and communications technology systems and data used for civil aviation purposes from cyber threats." The corresponding ICAO Cybersecurity Strategy provides implementation guidance.

EASA's Part-IS (Information Security) regulation, effective from 2025, requires aviation organizations — airlines, airports, ATC providers, and manufacturers — to implement information security management systems (ISMS) with specific requirements for risk assessment, incident reporting, and supply chain security. FAA's parallel efforts are coordinated through the Aviation Rulemaking Committee on Cybersecurity.


This page provides publicly available information for informational purposes only. It does not constitute a risk assessment, operational advice, or safety evaluation. Always consult official sources (ICAO, EASA, FAA) for operational decisions.