The aviation industry has continually evolved, driven by technology and innovation in ways the Wright brothers may never have imagined. The aviation industry is not just about fancy airports and aeroplanes; it is a complex web of critical infrastructure and ecosystems – airlines, aircraft manufacturers, airports, industry-specific IT service providers, Maintenance, Repair, and Overhaul (MRO), Air Traffic Control (ATC), regulatory agencies, amongst others. For these different elements to operate and function cohesively, a million things – often under the hood – must play out correctly. One of these is the underlying infrastructure’s information and cybersecurity posture.
While information technology is the foundation of modern aviation, information and cybersecurity are the foundation of contemporary aviation safety and reliability. How so? Airports and aircraft rely heavily on digital technologies for critical operations, including navigation, communication, and flight management. Can you imagine the chaos we would have today if these systems were not relatively secure?
Drawing a parallel with the financial services sector, one that has also continually evolved, with technology at its core, we see that information and cybersecurity are critical success factors to the growth, spread, and adoption of financial technology platforms, including associated products and services. If these offerings were not secure – imagine that 8 out of every 10 transactions fail and breaches of personal and confidential data happen every hour – we would not see the level of use and acceptance we see today because, while we all want convenience, we also need trust, and trust is what security brings to the table. Hence, information and cybersecurity are the foundations of modern financial stability, growth, and adoption.
The progress of the industry in matters of cybersecurity is noteworthy – SecurityScorecard’s Cyber Risk Landscape of the Global Aviation Industry 2024 Report scores the sector a “B”, overall, on a scale of A–F, where A represents a security score of 90 and above and F is less than 60. However, global reports of cybersecurity risks materialising and their subsequent operational-crippling and confidentiality-compromising impacts have left much to be desired, emphasising the need for more intentional improvement, factoring in lessons learned from past incidents and trends foretelling what the future risk landscape could look like.
This article will highlight two of the top five aviation security and safety challenges spotlighted by the International Air Transport Association (IATA). We will break down what they are, share cautionary tales, and show how industry players can stay ahead in the “cat and mouse” game of cybersecurity.
Emerging Security Risks in Nigeria’s Aviation Sector: Cybersecurity and Supply Chain Vulnerabilities
As Nigeria’s aviation sector embraces digital transformation and deeper integration with global systems, it faces growing exposure to complex security threats. Cyberattacks and supply chain vulnerabilities now pose serious risks to operational stability, passenger safety, and national economic resilience. Addressing these risks is essential to safeguarding the integrity of Nigeria’s aviation infrastructure and maintaining public confidence in the sector.
Cybersecurity Threats
We cannot discuss cybersecurity without focusing on the threats we are fighting and protecting our assets against. As mentioned, the aviation industry is a key part of our global critical infrastructure, making the industry, along with players within it, an attractive target for threat actors – the bad guys. These threat actors, ranging from script kiddies to state-sponsored actors, leverage different attack vectors to cause harm and bring disrepute to the industry. Two threats keep aviation executives up at night – ransomware and data breaches.
Ransomware is a top threat in the industry, and while it represents only 2.8% of all cyber incidents, it accounts for 84% of financial losses, according to the Cyentia Institute. Even more concerning is the use of ransomware as a ‘double-edged sword’ in double extortion attacks – attackers don’t just encrypt data, they also steal it. This forces organisations to pay for decryption keys and cough up additional money to stop the attackers from leaking the data to the world.
In January 2024, Kenya Airways suffered the aftermath of a targeted cyberattack that exposed sensitive information, including login credentials and passenger personal information, posing significant challenges to its operations and reputation. In December 2024, the ransomware group FunkSec claimed to have breached EgyptAir’s digital infrastructure – they gained access to administrative portals and webmail systems, and while no specific ransom demand was publicly disclosed, a listing appeared on the dark web offering access to EgyptAir’s resources for $5,000.00 – $10,000.00. In 2023, Boeing confirmed that it was subject to a $200m ransomware extortion attempt, and while they did not pay the ransom, 43GB of company data was leaked online.
Nigeria’s aviation sector, like many globally, is becoming more digital, making it a more attractive target for cyber attackers. Airlines, ground operations, and even ticketing platforms have seen growing cyber threats ranging from phishing scams and insider attacks to ransomware.
While major incidents within Nigerian aviation have not mirrored the high-profile cases of Boeing or EgyptAir, there is increasing concern over vulnerabilities. In 2021, reports emerged of attempted cyber intrusions targeting flight booking platforms and third-party payment systems used by local carriers. In 2023, the Nigerian Communications Commission (NCC) and the Office of the National Security Adviser (ONSA) flagged the aviation sector as one of the key critical infrastructure categories at high risk of cyberattack, underscoring the need for pre-emptive action.
According to the NCC, Nigeria loses about $500 million annually to cybercrime. The reality is that Nigeria is not immune. With Lagos, Abuja, and Port Harcourt airports handling millions of passengers annually, even a temporary system failure due to a cyberattack could lead to widespread disruptions, affecting flights, compromising passenger data, and shaking public confidence.
Supply Chain Risks
Airlines had 4% more breaches than the industry benchmark due to vulnerabilities in lower-scoring vendors raising their third-party risks – SecurityScorecard, 2024
“You are as strong as your weakest link” is a saying that rings especially true for the aviation industry’s enormously complex and globally connected supply chain. The scope and magnitude of the industry’s supply chain create an immense attack surface with countless opportunities for compromise. Supply chain attacks in aviation can impact everything: the services passengers rely on, the sensitive data stored behind the scenes, the physical infrastructure that keeps planes flying, and the software and firmware embedded in complex electronic hardware (CEH).
Unsurprisingly, these risks grow exponentially when vendors “drop the ball” on security, becoming the weak link the bad guys love exploiting. Compounding the problem is the aviation industry’s dependence on ageing technology and legacy systems, often managed by third parties. These old, sometimes overlooked pieces of tech become easy targets for exploitation, leaving the entire ecosystem vulnerable.
An example that clearly shows the impact of supply chain compromises is the 2021 SITA hack. SITA, a global IT provider for hundreds of airlines, suffered a breach that compromised the personal data of millions of passengers. Airlines affected included Lufthansa, Singapore Airlines, Air New Zealand, and South African Airways, to name just a few. The incident showed how quickly attackers can exploit a weak link to access sensitive data across an entire industry – a grim reminder of how interconnected aviation supply chains are and how a lapse in one part can ripple out and affect countless others.
In Nigeria, the absence of mandatory cybersecurity standards for aviation vendors compounds the risk. Many smaller service providers in the country are not subject to the same scrutiny as the airlines or airport authorities they serve. Legacy systems and inconsistent patch management further open the door to exploitation.
Defying Gravity and Cyber Risks: Soaring Above
Ultimately, the aviation industry’s complex ecosystem isn’t going away, and neither are the threats. The risks are real and constantly evolving, from ransomware and data breaches to supply chain vulnerabilities. Staying ahead of the curve isn’t a luxury anymore; it’s crucial for navigating, surviving, and thriving in this complex ecosystem.
To tackle these challenges, aviation players must commit to cybersecurity as a top priority, starting at the highest levels of leadership. Leadership’s role goes beyond setting policy; it’s about shaping a culture where security is seen as a strategic enabler, not just a cost centre. This means weaving cybersecurity goals into broader business objectives and understanding that investments in security are investments in resilience and reputation.
Aviation organisations must deploy the proper technical controls to mitigate ransomware and data breaches at the tactical and operational levels. Endpoint detection and response (EDR) to spot suspicious activity, continuous infrastructure monitoring, network segmentation, multi-factor authentication (MFA), and secure, immutable backups are critical. Regular vulnerability assessments and patching keep known weaknesses closed, mature incident response initiatives enable early detection and response, and security awareness training empowers staff as the first line of defence.
Equally crucial is how we approach supply chain security. It’s not enough to demand good security practices from vendors. Organisations must gain real visibility into those third, fourth, and nth-party relationships – leveraging automated assessments, continuous monitoring, and threat intelligence sharing to catch weaknesses early. Lastly, modernising legacy systems wherever possible will help eliminate those ageing gaps that attackers love to exploit.
Combined, these steps will help aviation organisations turn these challenges into opportunities to build resilience and trust for the long haul.
Conclusion
The future of aviation depends on how well the industry secures its digital backbone. Security must become a core business priority as cyber threats and supply chain risks escalate. This is not just about protecting systems but also about preserving trust, safety, and continuity. Aviation leaders must act now to build resilience or risk being grounded by tomorrow’s threats.
As a trusted consulting partner, pcl. supports aviation stakeholders in strengthening their cybersecurity posture through tailored services spanning strategy development, risk assessment, and regulatory compliance. We help identify and mitigate threats like ransomware and supply chain vulnerabilities by modernising legacy systems, enhancing third-party risk management, and embedding cybersecurity into enterprise governance. With expertise in policy advisory, incident readiness, and staff capability building, pcl. empowers airlines, airports, and regulators to build resilient, secure, and future-ready aviation operations.
Written by:
Ikenna Ndukwe
Consultant