Aviation cybersecurity lagging behind “big-time”: Cyviation CEO

Noah Bovenizer speaks with Cyviation CEO Avi Tenenbaum who outlines his view of the cybersecurity landscape in the aviation industry and the progress that needs to be made.

Avi Tenenbaum, CEO, Cyviation

With the ever-growing threat of cyber attacks to the world’s vital infrastructure and the increased connectivity offered on board our planes, it is surprising that the aviation industry appears to be falling behind on cybersecurity for the aircraft at the centre of operations. 

In recent years, organisations like IATA and the ICAO have introduced aviation cybersecurity strategies and frameworks hoping to push for greater cyber regulations in the industry, but some maintain that aircraft are not being built to be secure against cyber threats. 

One company hoping to make its mark as an early developer of aviation cybersecurity products is Israel-based Cyviation, which was founded in 2021 and is offering and developing a range of products to protect commercial and private aircraft from cyber attacks. 

Cyviation CEO Avi Tenenbaum outlines his view of aviation cybersecurity, including what happens when planes are compromised and what airlines can do to address the serious issue.

Noah Bovenizer: How did you get involved in the aviation cybersecurity sector?

Avi Tenenbaum: This is not the first start-up or venture into new technology that I have helped co-found. I had my first, called Pineapple, many years ago and then I was involved in a couple of others, in the Medical Technology field. Then, through my network, I was invited by Israeli Aerospace Industries (IAI), to take an idea and convert it into a business that could make flight more secure, and this is how we started Cyviation.

The company is a derivative of some work that was done by IAI, with the idea to develop a set of tools and capabilities for “cyber securing” commercial aviation and business jets. There is a lot of cybersecurity around defence and military transportation but, surprisingly enough, not enough cybersecurity goes into commercial airlines or the aircraft itself, so this was the mission that we started.

Currently, it is two years and six months since we launched and we have a couple of solutions that we’ve developed for which we’ve managed to gain a couple of patents. There’s been lots of traction and interest because we’re hitting a point that really needs to be mitigated.

Noah Bovenizer: Is the issue of aircraft cybersecurity something that the industry is lagging behind on?

Avi Tenenbaum: In our view, yes. The aviation industry is lagging behind big-time, especially if you compare it to enterprise, normal businesses, or banks, where there are usually budgets for cybersecurity, designated personnel with roles and responsibilities, and processes to mitigate the issue. All of this is, to some extent, lacking when we’re talking about aircraft and a fleet. 

There are a couple of reasons for this, one of them is that most of the aircraft that are flying today were designed 15 or 20 years ago when the word cyber was not in our vocabulary, so they were not cyber secure by design. Also, it’s not simple to step into an aircraft and make it cyber secure, because if you do things like penetration tests to try and figure out [a plane’s] vulnerabilities, the aircraft will lose its airworthiness and need to go back to the manufacturer, so nobody is actually doing it.

We have the regulation at one end, the state of the industry at the other end.

Even as we speak today, very popular aircraft, those that you’d probably go on vacation on, might be running some of their components on Windows XP, Windows 7, and all kinds of very old platforms that are prone to attackers. 

The second reason is the regulations. Aviation regulation regarding cybersecurity is a topic that only really began in 2016. It was only last year that we saw some of the regional regulators put a timestamp and say ‘If you want to land in Europe you’ll need to comply with a specific list of cyber regulations.’ Right now they’re talking about October 2025 so we are slightly less than two years from when commercial airlines landing in Europe will need to comply with much tighter cyber regulation. 

So, we have the regulation at one end, the state of the industry at the other end, and then the fact that we’re having more and more cyber attacks creates a need that needs to be addressed, and we took it as our mission to make flights more secure.

Noah Bovenizer: Could you outline some of the issues that could arise if aircraft cybersecurity is compromised?

Avi Tenenbaum: Here we don’t have to talk about hypothetical situations, but things that have happened recently, such as an El Al flight from Phuket, Thailand to Israel in recent weeks.

Along the route, they started getting readings and guidance from the ground to change course and take different coordinates for altitude and directions. Luckily, the pilots understood that something didn’t make sense. They called back to El Al headquarters to figure out what was going on and were instructed to disregard that information and try to take other measures to get back home safely. 

Aircraft from commercial airlines and others are relying on external communications from the ground, from air traffic control, to navigate and keep themselves safe but the problem is it’s very vulnerable, very easy to hack, and very easy to emulate. Pilots and aircrew need to understand that the information coming from the ground, may it be ACARS or GPS, can be spoofed and is actually being spoofed as we speak in many places around the world. 

So, the problems are definitely there, and we have a long list of different categories of events that either happen or can happen. I think airlines need to take it very seriously.

Noah Bovenizer: Is cybersecurity as much of an issue for business jets?

Avi Tenenbaum: The answer is 100% yes, but the motivation is very different. When you think about the hacking of commercial airlines, I would classify the hackers into two groups: One is actually ‘normal’ hackers looking for ransomware, identity theft, and data theft, which is a very common issue in other industries. While this may not take the aircraft down to the ground, it would definitely cause a lot of financial damage through brand reputation.

The other group, still in commercial aviation, becomes a major risk when we’re talking about terrorist, or government-initiated terror attacks, which can take a plane off course.

When considering business jets, we’re usually looking at the owner, who is probably a wealthy person who either owns the jet or is using it. This person would likely like to preserve the data that they are communicating, if they are working or talking, to be as secure as possible. The other potential risks of identity theft, diverting a business jet flight, hijacking, [also impact] high net worth individuals.

The considerations are slightly different, but I would assume that a business jet owner flying a brand-new Gulfstream or Bombardier aircraft, who has spent $50m or more, would be expecting the aircraft to be much more secure than it is today. Addressing these two markets brings slightly different initiatives but, at the end of the day, both of them need cybersecurity.

Noah Bovenizer: So how does Cyviation address these aviation cybersecurity concerns?

Avi Tenenbaum: Today, we have a platform that means you can pick and choose [solutions], as we assume that airlines and our potential customers may have different priorities. Starting with SkyRay, which is a vulnerability assessment or risk assessment for the aircraft or fleet. We called it SkyRay because it’s similar to going to the doctor and getting sent for an X-ray. The key advantage is that we do isn’t intrusive, we don’t even touch the aircraft, and therefore we maintain airworthiness.

Instead, we build all kinds of digital twins and analyse different sources, but the basic idea is to understand the vulnerabilities and offer mitigations. Some of those can be done by the airline, some through training, and some need to go through the OEM. This is the first platform that can maintain this certain [kind of] management by monitoring any time there is a change with the aircraft, as our platform will identify it and update risk factors. 

The second product came from, surprisingly enough, when we looked into the market and asked how we could improve safety. We learned that pilots and aircrew have practically zero cybersecurity training related to their aircraft.

We said, why don’t we share the knowledge that we have about different cyber-attacks? Then, we came up with training that we call SkyWiz, where we look at training [programmes] both for ground schooling and for flight simulators. In short, we have the capability to insert events into a simulator to simulate a cyberattack, and therefore develop a pilot’s capabilities around them and allow pilots to be ready. 

The third element is one that we are developing, called SkySIEM, which stands for ‘security information event management’. Here, we are looking into a platform that will help manage a cyber event, something you have in many other industries, but don’t have today in aviation. 

The last thing that we are developing is something called SkyBeep, which can identify intrusion into an aircraft in real-time, which we already have patents for.

Noah Bovenizer: Cyviation was founded in Israel but is expanding into the US and has an eye on Europe, why not expand more into the Middle East and Israel’s neighbouring countries?

Avi Tenenbaum: For us, it’s not about neighbours and not neighbours, we want to be as close as possible to the customers because what we’ve seen so far is uncharted territory. Airlines, even those that are interested in learning more or taking the initial steps into cybersecurity, need handholding in many ways. 

I think the North American carriers, at least to some extent, are in an advanced mode in terms of understanding the need for cyber security and, while we have an excellent talent source in Israel for cyber researchers, we wanted to have an entity in the US as some of our potential customers require us to be there. We’re definitely working in parallel in Europe, and we are also very friendly with some of our Middle East operators. We will grow as customers will accept us.

Noah Bovenizer: Looking ahead, what plans are in the works for Cyviation?

Avi Tenenbaum: I think the first thing is to get airlines entrenched into cybersecurity procedures because once we get in we can identify the threat and suggest mitigation. But there is a deployment process for an airline to even figure out that there is a cyber issue and that they need to take care of it. It’s beyond a project, it’s a mindset, and I would like to see some major airlines adopting it. 

This industry is usually a follower. When one major airline adopts something then others will as well. I can already see major aviation organisations, such as IATA and the ICAO, ramping up their capabilities around cyber knowledge. So we are definitely at a demarcation point in the industry where people understand the need for cybersecurity, which is a major difference from two years ago when we started.

We had a problem finding who to talk to at an airline because, while IT guys were dealing with IT when we asked about IT on the aircraft they would say “Go to flight operations, this is their responsibility”.  

I want to make sure that every aircraft has a sticker saying ‘Cyviation certified’.

We now see chief information security officers approaching us to talk about cyber, and understanding what they need and what to look for, so I see good progress. Hopefully, it will be the airlines and the MRO companies that will see the need to uplift their services, and eventually the OEMs.

A friend of mine at the FAA said that the OEMs will need to do development with cyber-by-design because it’s very difficult to try and secure a platform where all the devices did not have cyber in mind when they were planned. Cyber-by-design is one of the key elements for the future when we are talking about connected aviation, or fly-by-wire, which is part of all of the new aircraft coming out to factories today. 

I want to make sure that every aircraft has a sticker saying ‘Cyviation certified’, then I will know that I left my fingerprint on the industry.

Noah Bovenizer: How many airlines are using Cyviation’s aviation cybersecurity products already?

Avi Tenenbaum: Not many yet, this industry is working rather slowly. We were established only two and a half years ago, and we got to the commercial stage about six to nine months ago. Since then, we have been heavily engaged with many airlines and operators, but nothing that I can share right now. Not until those relationships become more mature, and airlines are willing to open up and share that information around.