Expert IDs Business Aviation Cybercrime Vulnerabilities

Source Domain: nbaa.org

Author:

Using an unordered list, summarize the following article with between 4 and 8 key points.

June 9, 2026
As cyber threats to aviation quickly evolve amid the rapid expansion of artificial intelligence (AI), Cyviation CEO Eliran Almog is helping to confront the challenge.
Beginning his career as a Black Hawk pilot in the Israeli Air Force, Almog is accustomed to risk — physical or cyber — but he is concerned that the business aviation industry is only beginning to expand its awareness to the cyber threats posed to aircraft.
He credits regulators with significantly driving a heightened industry awareness about this critical issue. The European Union Aviation Safety Agency (EASA) has released the first edition of its cybersecurity guidance, as well as bringing Part IS (Information Security) into effect in February 2026. The FAA has issued advisories including the Airport Cybersecurity Framework Profile to provide airports with a National Institute of Standards and Technology-compliant voluntary tool to assess their cybersecurity posture. It also developed a proposed advisory to provide guidance on showing compliance with proposed airworthiness standards for Aircraft Systems Information Security Protection (ASISP).
“We are talking with other bodies, other states, that are saying out loud that they are hiring people for cybersecurity, which again shows an understanding that there is an issue,” said Almog. “However, there is still a big gap with whatever relates to the aircraft, even within Part IS.”

“If you think about business jets, … They basically become a much better target and an easier target for ransomware.

”

ELIRAN ALMOG CEO, Cyviation

Potential Risks to Bizav

The risk posed to business aviation is no less pertinent than that faced by commercial airlines, he said. “If you think about business jets and who the passengers are, they fly business jets because of their privacy. They basically become a much better target and an easier target for ransomware.”
Almog provides an example of an “easy” backdoor into a cabin management system, his team discovered while researching vulnerabilities for a client.
“Think about a passenger in a cabin,” he explained. “Suddenly the lights go off and the screen has a ransomware message with a threat about controlling the aircraft or crashing the aircraft. What do you do then?
“These vulnerabilities are there, and the industry needs to step forward to identify them because this wasn’t identified until we did our research on that specific cabin management system software. And once identified, act on it.”

Sharing the Burden

Acting on identified cybersecurity threats is crucial to any mitigation strategy, but whose responsibility is it to do so? Almog said this is the main challenge Cyviation faces as a cybersecurity provider. He points to the “notion of shared risk” in aviation due to complexity of the supply chain.
“Even the OEMs, they’re integrators of many other systems. Even with that integration, they have control up to delivery. They don’t have control over what happens after delivery, because after delivery, each provider can decide whether they install connectivity from this provider or that provider,” he noted.
But no one is looking at the interconnection between all the separate pieces and how that impacts risk, said Almog.
EASA’s Part IS defines it very clearly: the responsibility is on the operator. “Now no one can say, ‘Hey, if I find this backdoor in a cabin management system, I can’t do anything about it.’ They can reduce the risk by having a process for authentication or knowing who gets access to the Wi-Fi,” he said. Part IS requires operators to report the vulnerability to the OEM to comply with the risk assessment and risk management requirements.

‘Maintenance Is a Big Issue’

There are also other vulnerabilities that can be reduced or eliminated through routines and processes. For example, instrument landing systems can be spoofed. “However, with the right awareness, pilots can do cross checking, and be more alert, more in control, and definitely avoid that,” said Almog. But to do this effectively means recognizing cybersecurity threats to be more than a simple phishing email, he said.
The two main threat vectors Cyviation has identified are maintenance processes which account for more than 60% of vulnerabilities, according to in-house research, and distraction and spoofing/jamming, which accounts for about 20%.
“Maintenance is a big issue. Why? The gap is in the design of these aircraft. Maintenance laptops, tablets that are used to load data and update software and avionics – these are very old. They don’t necessarily have the securities we have,” he explained.
The fundamental basis for any cybersecurity assessment and solution is to first understand your risk, he said. “So, what is that accepted risk level that your organization is willing to accept on your aircraft from a cybersecurity perspective? There is no tool today to do that. That’s why we focus our technology on first understanding. We are building digital twins of each tail number by data only,” said Almog.
Cyviation is collaborating with Boeing’s Aviation Business Solutions to support aircraft cyber risk assessments and compliance through its SkyRay platform.
“Part of the SkyRay platform is the digital twin,” said Almog. “That helps undertake the risk assessment and management. We have another pillar of that platform which is threat intelligence dedicated to devices on aircraft, to GNSS and GPS and to general vulnerabilities we believe are related to the industry.”

Finding Weak Spots

Conducting research in the lab, Cyviation discovered a vulnerability. “So we thought: ‘Where in aviation is this being used?’ We went to pilot headsets. We identified which models of pilot headset use that protocol with a known vulnerability,” said Almog. “That alerts the industry to a threat of voice spoofing of the pilot, for example.”
Properly tackling cybersecurity threats requires industry collaboration, he said. “We cannot wait for a catastrophe to happen before we act. … Resources are needed, but the small to medium aviation market doesn’t necessarily have the profitability to invest in these resources. I’m worried about the small operators that don’t have the systems and processes in place,” warned Almog. “That’s most of our flights today. We need an industry approach.”