Key Takeaways:
- Aviation cybersecurity strategy is now as critical as traditional flight safety measures.
- The FAA is introducing new cybersecurity requirements that elevate security to a core part of aircraft airworthiness.
- Legacy systems like the F-35 face challenges adapting to today’s cybersecurity landscape without costly overhauls.
- Solutions such as SBOMs, runtime code protection, and security certifiability are key to protecting aviation’s future.
For decades, aviation has operated under a simple but powerful principle: safety first. The industry’s rigorous certification standards have created some of the world’s most reliable systems, with aircraft designed to account for every conceivable mechanical failure, weather condition, and human error.
But that very mindset—safety above all—has created a blind spot. While the aviation industry perfected aviation flight safety, it overlooked an equally urgent priority: cybersecurity. Modern aircraft are hyper-connected flying computers, connected to ground networks, satellite systems, and the internet itself.
In their 2025 report, the Cyberspace Solarium Commission offered a warning. The aviation industry is facing escalating threats from ransomware attacks, GPS spoofing, and sophisticated cyber intrusions.
A new aviation cybersecurity strategy is now mission-critical for protecting passengers, operations, and national security.
Listen to the Audio Overview
Safety vs. Security: What DO-356 Tells Us
The aviation industry relies on DO-178C and similar safety standards, which focus on ensuring that flights land safely despite system failures, hardware malfunctions, or software bugs. These standards have been remarkably successful, as commercial aviation remains one of the safest forms of transportation.
However, these safety protocols were designed for an era when the primary threats were mechanical failures and human error, not malicious attacks. DO-178C accounts for everything that should be on an aircraft, but it doesn’t address threats from sources that shouldn’t be there, like hackers infiltrating flight systems through network connections.
As DO-356, the aviation industry’s newer security standard, explicitly states: “Safety and security are not the same thing; however, there is a strong overlap.” The document acknowledges what many industry professionals are only now realizing: a security breach can quickly become a safety issue. If flight systems are designed with safety in mind, but not security, they are not truly safe. A breach of security will cause a violation of safety.
Building a Modern Aviation Cybersecurity Strategy
Recognition of the problem is the first step toward solving it. The Federal Aviation Administration proposed new cybersecurity requirements in August 2024 that would make cyber protection a standard part of airworthiness for newly built airplanes and equipment.
Additionally, one of the recommendations stemming from the CSC report is that “The FAA and TSA should harmonize cybersecurity regulatory requirements for the aviation subsector.” This includes referencing existing NIST frameworks and adding guidelines for supply chain security unique to the needs of the aviation industry.
The Challenge of Legacy Aircraft and Flight Systems
Compliance with regulations, however, is far from simple and comes at a significant cost, particularly for legacy or long-lived systems. Take the F-35, for example. Its prototype and design work began in the 1990s, well before today’s cybersecurity threats had taken shape. While it incorporates cutting-edge technology, much of its foundational architecture was conceived in a pre-cyber era. These systems must now be retrofitted or augmented to meet security measures within the constraints of rigid defense budgets that often make comprehensive overhauls impossible.
Steps to Strengthen Aviation Flight Safety Through Cybersecurity
Where should the aviation industry invest its time and dollars? The first step is elevating software security to the same level of importance as flight safety. A July 2024 study by SecurityScorecard, a cybersecurity firm, found that the aviation industry overall scores a “B” on cybersecurity and that aviation-specific software and IT vendors scored the lowest in cybersecurity readiness across industries.
1. The Role of SBOMs and Embedded Software Security
Improving this score requires implementing Software Bills of Materials (SBOMs) to track every software component in aviation systems and prioritizing vulnerability management with the same rigor as mechanical maintenance.
2. Securing Legacy Aircraft with Runtime Protections
For older systems, runtime code protection technologies can strengthen cybersecurity without requiring full code rewrites, bridging the gap between legacy architecture and modern security standards.
3. Toward Safety-Certifiable Cybersecurity
Also on the horizon are security solutions that attain safety of flight certifiability, making security a much easier and obvious piece of highly-regulated aircraft.
From Blind Spot to Cybersecurity Strategy
Aviation’s cybersecurity blind spot didn’t develop overnight, and isn’t easily resolved. However, the industry’s legendary commitment to safety provides a strong foundation for building equivalent security standards. The same methodical, evidence-based approach that made flying safer than driving can be applied to making it more secure.
The industry that taught the world how to fly safely now has the opportunity to show how to fly securely as well.
Read more about how RunSafe supports an overall aviation cybersecurity strategy in our white paper: “RunSafe Security Safety of Flight Approach.”
