IJWMT Vol. 15, No. 6, 8 Dec. 2025
Keywords: Aviation Cybersecurity, Philippines, Risk Assessment, Policy Analysis, NIST Framework
The digitalization of aviation has heightened exposure to cyber risk, yet Philippine aviation governance and practice remain fragmented. This study evaluates sectoral vulnerabilities and feasible mitigations using a multi-method design: (i) document analysis of CAAP circulars, DICT’s National Cybersecurity Plan 2022, and international guidance (ICAO, IATA, NIST, ISO/IEC 27001); (ii) case studies (Cathay Pacific breach; London Heathrow USB mishandling) chosen for analytic transferability to Philippine operations; and (iii) risk modeling via a likelihood–impact matrix with a transparent 1–5 rubric adapted from ICAO SMM, NIST SP 800-30, and DICT, scored independently by two researchers with consensus reconciliation. I integrate results through a SWOT–TOWS synthesis and propose an AI/ML feasibility roadmap tailored to on-prem/air-gapped constraints. Findings reveal high-priority risks, including unauthorized ATC access, reservation-system data breaches, and airport-network ransomware (risk score = 20), driven by monitoring gaps, legacy systems, and uneven policy enforcement. Moderately ranked threats (weak framework implementation; phishing) and under-analyzed insider risk reflect systemic and human-factor weaknesses, compounded by underreporting and limited inter-agency coordination. The study’s novel contribution is a localization map that operationalizes global frameworks for Philippine conditions: phased NIST CSF adoption, tiered ISO/IEC 27001 pathways, and ICAO-aligned CAAP–DICT coordination with centralized incident reporting; plus a staged, low-cost AI/ML roadmap with KPI tracking (MTTD/MTTR, precision/recall). Limitations include the absence of primary stakeholder data and local incident/cost series; I outline a quantitative extension using operator surveys and Expected Annual Loss modeling to strengthen future empirical grounding. The results inform regulators, airlines, and airports on risk-based prioritization and practical governance upgrades to enhance national aviation cyber resilience.
Arthur Dela Peña, "Cybersecurity in Philippine Aviation: A Multi-Method Evaluation of Vulnerabilities and Mitigation Strategies Through Document Analysis, Case Study, and Risk Modeling", International Journal of Wireless and Microwave Technologies (IJWMT), Vol.15, No.6, pp. 41-53, 2025. DOI:10.5815/ijwmt.2025.06.04