Advanced Air Mobility (AAM) is poised to revolutionize how we move—expanding access to transportation, enabling faster emergency response, and opening new markets for air services. But behind every eVTOL flight, vertiport landing, or automated route decision lies a cyber-physical ecosystem that must be secured end to end. AAM systems are deeply interconnected, blending cloud software, autonomy algorithms, aircraft hardware, and ground infrastructure, making them vulnerable at every node. To ensure safe, scalable operations, cybersecurity must be treated not as an afterthought, but as a foundational layer from design through deployment.
As a cyber-physical system—a complex, dynamic system-of-systems—the AAM ecosystem must be protected from all entry points. This includes eVTOL aircraft, autonomy software, 5G/C-band links, cloud- and ground-based Third-Party Service Providers (TSPs), and all the people and processes that keep everything running. Cybersecurity starts with early design, treating every connection as untrusted, and demanding continuous improvement after entry into service.
When autonomy and safety intersect in dense urban environments, cyber failures quickly become safety-of-life events. In city corridors, an eVTOL has no place to glide if a command link drops. A compromised scheduler in the cloud could ground an entire fleet. A spoofed GPS signal could steer an aircraft into protected airspace. These risks aren’t isolated; security lapses in one part of the ecosystem ripple across the rest. Every stakeholder has a role to play. By adopting comprehensive cybersecurity measures across TSPs, ground systems, and digital networks, the AAM industry can ensure the safety and resilience of its future.
Risks with Cloud-Based Systems
Threats like GNSS spoofing and jamming already disrupt traditional aviation systems, and uncrewed flight will require even more precise navigation. The introduction of autonomy widens the attack surface since machine learning models and sensor fusion introduce code that is not covered by classical avionics standards. With high-tempo operations and increased reliance on distributed cloud-based systems, one misconfiguration can affect fleet telemetry.
Autonomy replaces the routine filtering that humans perform with code, data, and machine learning models, creating new entry points for cyber attackers. If training data for machine learning models is poisoned, aircraft can misidentify obstacles and corridors. If a sensor is spoofed, the fusion algorithm may output a believable but wrong picture of the surrounding environment. Remote updates are essential for model refreshes, but they also become high-value targets for supply-chain attacks.
The aviation industry tends to categorize incidents and failures by their impact on safety. Traditionally, cybersecurity attacks may not have posed a threat to human lives, but in this new landscape, these attacks can ground aircraft, steal data, and put lives at risk.
Securing a New Kind of Ecosystem
A shift away from traditional aviation entails transferring responsibilities from onboard the aircraft to the cloud. This presents a unique challenge as it merges safety-critical aviation systems (like detect-and-avoid sensors), always-connected operational technology infrastructure (think 5G, LTE, satellites), and cloud-native API-driven software. These three domains are not typically integrated, which increases the systems’ vulnerability to threats.
TSPs serve as the backbone for data management and connectivity, making them attractive targets for cyber threats. A zero-trust approach should be taken, meaning every user, device, and service must be verified and meet strict security checks every time data needs to be accessed. Access should be granted with the least privilege needed and should be continuously monitored.
In dense urban flight corridors, a cybersecurity fault is a safety fault, which makes cybersecurity an airworthiness attribute. Interoperability hinges on zero-trust architecture, as every interaction between aircraft, vertiports, and cloud services can expose vulnerable components. A leaked cloud credential or misconfigured API gateway can ground a fleet, misroute an aircraft, and risk lives.
AAM security is still siloed. There is currently no path to certification and approval, so aircraft are certified under DO-178 and DO-356 rules, TSPs rely on ISO 27001 audits, and ground networks use methods from telecom playbooks. While certification is a necessary step, it does not equate to security. As systems grow more interconnected and more dependent on digital infrastructure, security becomes an ongoing, changing effort that requires constant adjustment.
Collective Effort to Prioritize AAM Security
Securing the AAM ecosystem means focusing on four key areas: creating cyber resiliency through design, drawing on diversity, segmentation, and graceful degradation practices so that systems can fight through cybersecurity attacks; managing risks associated with systems-of-systems across all components, not just the aircraft; ensuring low-latency communications protect data at rest and in motion; and reinforcing supply-chain assurance.
Original Equipment Manufacturers (OEMs) must embed “secure-by-design” principles, prove cybersecurity resilience at the system level, and provide ongoing vulnerability disclosures. TSPs should operate on zero-trust principles, abide by the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 Detect & Respond outcomes, and publish secure versioned APIs and service-level security objectives to OEMs and operators. Regulators need to define harmonized cyber safety rules that merge aviation airworthiness with ISO 27001 governance and NIST technical depth, require risk-based continuous monitoring instead of one-off certifications, and facilitate data-sharing and incident-reporting frameworks across borders.
Adhering to Best Practices
Establishing security practices moving forward will enable AAM stakeholders to demonstrate that the system is safe from the outset and allow time for trust in these new systems to develop. The AAM ecosystem should align with the NIST Cybersecurity Framework, which offers a comprehensive and adaptable structure focused on flexibility, risk management, and best practices appropriate for high-risk industries through five core functions: Identify, Protect, Detect, Respond, and Recover. Read our white paper, Closing the Gap: Addressing the Need for Comprehensive Cybersecurity in Advanced Air Mobility, to learn more about securing the AAM ecosystem and the NIST Cybersecurity Framework.
Securing Advanced Air Mobility isn’t optional—it’s foundational. By designing cybersecurity in from day one, treating every connection as untrusted, and maintaining continuous vigilance, we can build trust, resilience, and safety into the urban skies of tomorrow. The time to act is now, before the first fleet takes off.