Why securing the next generation of flight is an ecosystem problem, not just an aircraft one.
A modern airliner crossing the Northern Atlantic at thirty-five thousand feet is not flying alone. It is in continuous conversation. Position reports leave the aircraft over satellite links. Controller clearances arrive through datalink rather than voice. Weather updates, route revisions, and traffic information flow in from ground systems on two continents. The flight management computer is acting on navigation data loaded before pushback, supplied by a third-party vendor, and pushed to the aircraft through an electronic distribution system the airline does not own. In a maintenance control centre, a continuing airworthiness organisation is monitoring the engines in near real time through a telemetry feed routed via the manufacturer’s cloud. None of this is exotic; it is a routine flight in the modern age (see Figure 1).
Every one of those interactions depends on data integrity. The flight crew has to trust that the navigation database is the one the regulator certified, that the clearance came from the controller who issued it, that the weight-and-balance figures uploaded to the electronic flight bag are the ones the dispatcher signed off, and that the software component installed during last night’s maintenance turn is the one the manufacturer authorized. When integrity fails in aviation, safety fails. There is no second chance at thirty-five thousand feet.
This is the problem the cybersecurity community needs to understand: aviation safety is now a function of data integrity across a sprawling ecosystem of interconnected actors, and the regulatory architecture protecting that ecosystem has not yet caught up to the threat surface created.
WHAT THE REGULATORS HAVE DONE, AND WHAT THEY HAVE NOT
The picture is not bleak. Real progress has been made. In August 2024, the FAA issued a Notice of Proposed Rulemaking that would formalize cybersecurity requirements for transport category aircraft, engines, and propellers under Title 14 of the Code of Federal Regulations. The proposal introduces Intentional Unauthorized Electronic Interaction (IUEI) into the certification basis itself. On the European side, EASA has implemented Part-IS, a regulatory framework requiring the implementation and operation of Information Security Management Systems across design and production organizations from October 2025, and across the wider operational side of the aviation industry from February 2026, with the goal of managing information security risks with a potential impact on aviation safety. Industry standards bodies, including RTCA and EUROCAE, have produced substantial guidance such as DO-326A / ED-202A on airworthiness security and DO-355 / ED-204 on continuing airworthiness.
Read in sequence, that is a coherent story. Read against the actual operational picture, a gap appears. Each instrument governs a regulated party, such as the design approval holder, the production organization, the operator, the maintenance facility, or the air navigation provider, and each is anchored in the regulatory domain that party already inhabits. What no instrument cleanly governs is the interconnections between them:
- The cryptographic contract between the manufacturer who signs a navigation database and the airline whose aircraft consumes it.
- The trust boundary between the air traffic control system that issues clearance and the avionics that accepts it.
- The integrity assurance on the maintenance laptop that connects to an aircraft data bus and writes a software part into a certified configuration.
Every party secures its own perimeter. The space between perimeters belongs to everyone, which in practice means no one.
That is the problem worth naming clearly. The aircraft is not the front line. The front line is the set of interfaces between the aircraft and the ecosystem that keeps it flying.
WHY THE ECOSYSTEM HAS BEEN THE HARDEST PLACE TO DEFEND
Three things explain how the industry arrived here, and they are worth understanding because they constrain what the solution can look like.
The first is heritage. Civil aviation safety regulation grew up around the airframe. Certification, airworthiness, type design, operational approval — every regulatory instinct in the system radiates outward from the aircraft as the central object of attention. When cybersecurity arrived as a concern, regulators reached for the tools they had. The ecosystem around the aircraft was regulated separately, by domain, with cybersecurity bolted on later rather than designed in from the start. EASA’s Part-IS is the most serious attempt yet to fix this, but it works by extending the existing organizational approval regime, not necessarily by governing the interconnections themselves.
The second is the safety record. Commercial aviation has built one of the most extraordinary safety records in industrial history. Hull-loss accidents in the developed world are now so rare that the public treats flight as the default mode of long-distance travel. Within the industry, that record is a source of legitimate pride and a quiet source of risk. When a sector is this safe, the absence of recent catastrophe is read as evidence that the existing controls are adequate. Cyber incidents that have already occurred, including ground system outages, datalink anomalies, navigation disruptions, and scheduling failures, have rarely escalated into serious safety events, and that fact is repeatedly used to argue that the current architecture is working. The cybersecurity profession learned long ago that the absence of a breach does not imply the presence of security. Aviation is still learning it.
The third constraint is the one that resonates most with anyone who has tried to push a change through an aviation program. Aviation products are certified. The configuration on the aircraft is the configuration the regulator approved, and changes travel through formal change processes that are slow by design, for good safety reasons. When a vulnerability is identified in a certified system, the operator cannot simply patch it the way a corporate IT team would patch a server. The fix has to be designed, tested, validated, certified, and rolled out across the fleet. Threats move at the speed of the attacker. Certified products move at the speed of safety assurance. The mismatch is structural, and it means the certified aircraft should not be the primary line of cyber defense. It has to be one layer among several across the entire aviation ecosystem.
A DIFFERENT ARCHITECTURE
The solution is not to invent a new regulatory regime from scratch. It is to take the instruments that already exist or are in flight and stitch them together around a different organizing idea. The aircraft is one defensive layer. The ecosystem of interconnections is another. Each is governed by the discipline appropriate to it, while also factoring in the interdependence between them.
Concretely, four pieces have to come together.
Regulators across the globe need to extend the cybersecurity rulemaking already in motion to cover the interfaces between the aircraft and the ecosystem, not just the aircraft and the organizations in isolation. That means treating every external interface on a certified aircraft, such as datalink, satellite communications, gatelink, electronic flight bag synchronization, maintenance data exchange, software part distribution, and navigation database loading, as a trust boundary with named security properties. It means requiring the regulated party on the other side of that boundary, whether an air navigation service provider or a maintenance organization or a navigation data vendor, to meet a reciprocal obligation enforced through its own regulatory regime. EASA Part-IS already provides much of that hook on the European side. The FAA’s Civil Aviation Cybersecurity Aviation Rulemaking Committee, established under the 2024 FAA Reauthorization Act, is the natural forum for the American counterpart.
Standards bodies need to translate regulatory objectives into engineering profiles that aircraft and ecosystem interfaces can actually be built and certified against. RTCA, EUROCAE, ARINC, and SAE would be well placed to develop harmonized interconnection security profiles for aviation, covering areas such as cryptographic primitives, key management, integrity verification, audit logging, and incident-handling expectations. This would make regulatory requirements more testable and interoperable across organizations, even though today the aviation cybersecurity standards landscape remains more fragmented than the networking and software-assurance models it seeks to emulate.
Manufacturers need to treat each external interface as a certified security function with the same rigour applied to its assurance as to its safety analysis. The architectural shift that matters most is cryptographic agility — designing the aircraft so that algorithms, keys, and trust anchors can be rotated across the certified life of the product without a full re-certification cycle. The certified airframe gets to remain slow-moving and conservative. The cryptographic layer running on top of it gets to move at the speed the threat landscape demands.
And operators, continuing airworthiness organizations, maintenance providers, and air navigation service providers need to run all of this in their daily operations. That is the layer Part-IS already governs and the layer the FAA rulemaking should reach. Key custody, monitoring of interconnection integrity, incident response that limits operational and safety impact before it pursues root cause, and supply-chain assurance across every third-party vendor on the data path. The Information Security Management System sits inside existing safety management, not beside it.
WHERE THIS LANDS
Taken together, the four layers give the ecosystem something it does not currently have: a coherent end-to-end architecture in which the certified aircraft is one defensive layer, deliberately slow, surrounded by ecosystem layers that are deliberately fast, with the obligations of each party defined by the interfaces it owns and the contracts it has with the parties on the other side.
For cybersecurity leaders watching this from outside aviation, the lesson worth taking is this: the hardest problems in critical infrastructure security are no longer about hardening individual assets. They are about governing the interconnections between assets owned by different parties, regulated by different authorities, and operating at different speeds. Aviation is the most visible example because the safety stakes are so unambiguous.
The next generation of flight will be more digital, more interconnected, and more software-defined than anything that came before it. The aircraft will not get safer by trying to make the aircraft carry the cyber defense alone. It will get safer by treating the whole ecosystem as the system to be secured — and by doing it before the absence of a major incident is mistaken, one more time, for the presence of security.
Luka Pace Bonello