Disclaimer: The content presented in this article is based exclusively on publicly available, unclassified information and open-source research. It does not draw upon any classified or proprietary data. The analysis is intended solely as a technical thought exercise to explore potential cybersecurity considerations in the context of legacy aircraft systems and industrial control system analogies. This article also does not represent official policy, guidance or recommendations of any government or agency, nor is it intended to inform acquisition, security policy or national defense decision-making. All opinions expressed are those of the author in a personal capacity.
I recently attended an Industrial Control System (ICS) Cybersecurity conference, where we learned how to use information technology (IT) cybersecurity strategies and tools to address operational technology (OT) security. It dawned on me that the basic design of aircraft control systems is similar to the OT systems we just learned about.
Cybersecurity professionals are increasingly asked to secure systems never designed for modern threats. Inspired by news of the US government evaluating a foreign-donated Boeing 747-8 for use as Air Force One (AF1), I felt the retrofit of a legacy aircraft for national security use offers a unique lens into the IT/OT convergence problem, and why physical access and legacy protocols must now be treated as front-line risks.
Daniel Hoffman
Legacy aircraft, modern risk
While the 747-8 is a technological leap beyond its predecessor, the 747-400, it still retains legacy protocols and architectures that introduce risk, especially when repurposed for top-tier national security missions. Many of these aircraft systems resemble industrial control systems (ICS), such as those used in critical infrastructure. Like legacy supervisory control and data acquisition (SCADA) systems, aircraft avionics often assume trusted internal communication, a trust model no longer sufficient in today’s threat landscape.
In factory settings, these systems were often “air-gapped” — they were isolated from other networks as a line of defense and only employees were allowed physical access. The aircraft evolved similarly. One of the main lines of defense was burying the cabling and components in the fuselage where unauthorized personnel could not access them.
Since the plane we are accessing was retrofitted in a foreign country, we must assume that there is potential for implanted, dormant devices or tampering with common devices.
Key vulnerabilities exposed
Threat type Impact Activation method Detection method Hardware implants Engine/control sabotage RF trigger, preset logic X-ray, teardown Firmware backdoors Navigation/system override GPS/time-triggered code Reverse engineering Cold-state trackers Location exfiltration Altitude or temp-based Environmental simulation Radar-based exfiltration Covert data leaks Waveform modulation Anomaly/radar signal analysis SATCOM hijack Comms interception RF signal hijacking Spectrum monitoring, validation Toolchain exploits Persistent access Malicious diagnostic tools Source and firmware audits MitM on avionics buses Command injection, replay attacks Cable tapping/spoofing Signal integrity/timing analysis Cellular subsystems Audio or GPS leakage Dormant baseband payloads Spectrum forensics, teardown Condensed threat matrix
Legacy protocols create new attack surfaces
One of the banes of the OT world is the reliance on legacy technology that cannot easily be patched or upgraded without causing major disruptions. Similarly, the Boeing 747-8 employs a hybrid bus architecture. While it integrates modern flight management technologies like the Thales TopFlight Flight Management System (FMS), many subsystems still rely on ARINC 429 and MIL-STD-1553, protocols that lack authentication or encryption.
As mentioned in arXiv:1707.05032, this can leave vulnerabilities such as code injection and manipulation, data injection, data leakage and DoS. Even the newer Ethernet-based systems using AFDX (ARINC 664) lack cryptographic safeguards. As we just mentioned, traditionally, the 747 relies on physical controls such as restricted physical accessibility. In this case, that control has already been compromised.
These channels expose the aircraft to MitM, spoofing and replay attacks, particularly during retrofitting or maintenance cycles. Ukwandu et al. (2022) highlight the avionics industry’s slow adoption of secure protocols. In industrial control environments, encryption overlays can mitigate similar threats, but latency concerns make this approach difficult to apply to real-time flight systems, where latency could cause serious consequences due to delayed flight control response.
Daniel Hoffman
Implants hidden during retrofit
Physical access during retrofitting introduces other opportunities for adversaries: Embedding covert implants, often designed to activate under specific environmental triggers. Munro (2020) outlines scenarios where miniature computers (e.g., Raspberry Pi-class) are concealed inside avionics bays or power rails, undetectable without teardown, signal analysis or x-ray. These devices can be used for a variety of purposes.
Implants and embedded surveillance
Surveillance implants can be introduced during retrofit, as mentioned above. Devices such as passive RF microphones, compromised baseband transceivers or altered inflight entertainment systems may capture sensitive audio or telemetry. Habler, Bitton and Shabtai (2022) show how these systems resist conventional detection methods, making post-deployment audits extremely difficult. These implants evade standard EM sweeps and require teardown or x-ray inspection for detection.
Surveillance threat vectors
- Passive RF microphones. These devices can harvest ambient audio and transmit it using harvested electromagnetic energy making them extremely hard to detect using traditional EM sweeps.
- Compromised baseband transceivers. These are found in satellite phones, LTE modems or embedded SIMs and can silently leak GPS coordinates, conversations or system data.
- Tampered inflight entertainment systems (IFE). IFEs may appear benign but often sit on segmented yet accessible network backplanes. If compromised, they can bridge passenger interfaces with avionics.
Non-traditional data exfiltration channels
When it comes to data exfiltration in a traditional IT/OT environment, we often rely on catching them on the way out by monitoring the transmission methods. That becomes much more complex on our 747. Radar emission modulation has been identified as a viable vector for stealth exfiltration. As outlined in NSA TEMPEST guidance (2023), such techniques mimic normal behavior and evade detection. Additional pathways include SATCOM hijacking, Bluetooth beacons or optical LED flicker, all under-monitored in legacy aircraft. Hardening this plane for use as AF1, we will need to consider these routes.
The supply chain as a soft target
The aviation supply chain continues to present a significant cybersecurity risk. Critical components such as firmware, diagnostic utilities and maintenance procedures may be altered or compromised during manufacturing or integration, especially when involving foreign vendors. The risk of malicious implants or latent, persistent vulnerabilities being introduced upstream is amplified by limited supplier visibility and insufficient cybersecurity controls across tiers (Aerospace Industries Association, 2023).
A widely cited example is the 2020 SolarWinds breach, in which attackers compromised the Orion software update system to distribute malware to more than 18,000 organizations, including US federal agencies and Fortune 500 companies. The incident revealed how deeply embedded vulnerabilities in trusted vendor pipelines can bypass perimeter defenses and persist for months
Interior compromise
Cabin interiors present significant risks, particularly in classified missions. Seats, partitions and power outlets may hide passive surveillance devices or logic circuits.
To align with SCIF and TEMPEST standards, best practices demand:
- Full teardown and rebuild of interior components
- X-ray and RF scanning of structural cavities
- Chain-of-custody validation for all replacements
- RF shielding and acoustic integrity testing
Standards like RTCA DO-355, DO-356A and CNSSAM TEMPEST/1-13 are essential to meeting executive transport and Continuity-of-Government mandates, Baker, Arlen & Parkinson, Paul. (2018).
Hardening retrofitted aircraft: actionable steps
- Apply RTCA and NIST best practices. Standards such as RTCA DO-355/356A and NIST SP 800-53 offer lifecycle risk frameworks, encryption recommendations and audit mechanisms. Though full-stack encryption may be infeasible, tailored implementations can reduce the attack surface without compromising performance.
- Validate every subsystem. Every avionics and support subsystem must undergo teardown, high-resolution imaging and verification against trusted baselines. Components failing this scrutiny should be replaced with certified domestic equivalents.
- Secure the toolchain. Vendors must meet DFARS cybersecurity requirements and ideally CMMC Level 2 or higher. Firmware developers and diagnostic engineers must operate within a verified secure development lifecycle (SDLC).
- Implement persistent telemetry and monitoring. Static scans are insufficient. Ongoing network behavior analysis, anomaly detection and forensic auditing are vital. This aligns with DoD recommendations in the 2023 Airborne Systems Cost Estimating Guide.
Cost and acquisition realities
While a donated airframe may seem economical, retrofitting costs can match or exceed new aircraft procurement. DoD and GAO benchmarks show that secure retrofits may cost hundreds of millions and still fall short of purpose-built assurances.
Domestic control still matters
Residual risk persists with foreign-origin systems, even after exhaustive review. This underlines the rationale behind VC-25B (Next AF1) procurement, a platform built domestically, under secure conditions. The project was slated for completion in 2024, Boeing now estimates 2027 – 2028. Which would still put delivery in line with, or ahead of a retrofit project, which could take 2-4 years according to Defense One and Aviation Source News.
For a look at what would go into trying to secure this plane, read a sample blue team playbook.
Conclusion: A playbook for IT/OT convergence
This scenario serves as a high-stakes case study in securing legacy, cyber-physical systems. Cybersecurity leaders will increasingly face unconventional challenges. Whether it’s a power plant, a legacy fleet or a retrofitted aircraft, those who can bridge IT and OT worlds will shape the future of security strategy.
This article is published as part of the Foundry Expert Contributor Network.
Want to join?
