Digitalisation is already a major enabler for transport systems globally and its importance is bound to increase exponentially in the future. Aviation, like other critical sectors, relies hugely on information and communication technologies to further improve its efficiency and connectivity. This also means that such transport systems are becoming increasingly vulnerable to malicious attacks. Since transport moves people and goods, any malicious interference might have serious social and economic consequences including the risk of loss of lives.
Cyber-attack techniques develop constantly, and are not limited to one specific field. The nature of the attack, the modus-operandi, can originate from a completely unrelated area, exploiting universal vulnerabilities linked to mass produced software or to infrastructure of general use. Protection and mitigating measures need to be adapted constantly.
That is why cybersecurity in aviation cannot be dealt with in isolation: the cyber protection of civil aviation requires the design and interaction of mechanisms that benefit from the input and experience of other interconnected domains and sectors. Already at the 39th ICAO Assembly, Executive Committee expressed unanimous support for a cybersecurity resolution that pinpointed the need to develop a holistic approach involving all domains and for sharing information/ best practices. The responsibility to shape the way to tackle cybersecurity cannot be limited to one specific field: there are implications for safety, security, ATM, etc. that may be different and require different solutions. This is particularly important for the identification of vulnerabilities.
Aviation is clearly a long-standing target for terrorists; it is highly possible that they would seek to target the aviation sector using cyber-techniques. But increasingly, the collateral impact of less aggressive types of cyber-attacks, for example causing economic disruption or simply to achieve “bragging rights” within the hackers’ community, should be considered. The potential consequences of a successful act of unlawful interference perpetrated against aircraft operations through ATM systems, flight-safety essential aircraft systems or core security airport systems may result in risks to the life of passengers, airlines crew, and to people on the ground.
The vulnerability of aviation systems will significantly increase with the implementation of new technologies, use of commercial software, e-enabled technologies and increasingly interconnected transport and ATM systems.
Assessing the vulnerability of different aviation systems to cyberattack is the most difficult part of any risk assessment, and also potentially the most important, since it points to areas where further mitigation measures may be needed.
What do we do at EU level and beyond to address cybersecurity?
Cybersecurity is high on the EU agenda. The 2017 Cybersecurity initiative, which is a follow-up to the 2013 EU Cyber security strategy, proposes the creation of a European Cybersecurity Agency. The initiative also contains a draft proposal for a security certification framework – an EU certification voluntary system with mandatory requirements to create a cyber-resilient eco-system.
The Directive on the Security of Network and Information Systems (“NIS Directive”) represents the first EU-wide rules on cybersecurity.
Its adoption in July 2016 was a key step towards building cybersecurity resilience.
An EU Roadmap on Cybersecurity in aviation has been prepared by EASA in close co-operation with the European Commission. One of its milestones is a creation of a European Centre for Cybersecurity in Aviation which shall primarily serve as a cyber threat and incident information management platform. Cybersecurity is also an integral part of the new edition of the EU ATM Master Plan and the SESAR 2020 work programme.
Recently, we were pleased to see the upgrade of ICAO Annex 17 recommendations under Article 4.9 on “measures relating to cyber” into standards. This is an important move. We are currently seeking how to reflect it in our legislative and non-legislative efforts.
It is important to invest in developing technical knowledge amongst staff who manage cyber threats.
There are many cyber-related activities carried out by different groups. We put considerable efforts into coordinating the works to remove gaps, loopholes and to avoid overlaps but also on the training of skills.
It is important to invest in developing technical knowledge amongst staff who manage cyber threats. One of the initiatives we are looking at is the development of a cybersecurity toolbox of advice and support that can be provided to key staff who work in mitigating cyber threats across all transport modes.
In November 2017, the Directorate-General for Mobility and Transport organised Digital Transport Days in Tallinn, where a range of public and private partners from all transport sectors met to discuss the digitalisation. The main conclusions were that transport must adapt to evolving challenges such as cyber-attacks which threaten lives and businesses, by inter alia raising awareness, collaborating and exchanging information. Working in isolation, in silos, is the best way to expose our systems to an ever evolving and mutating threat. We have to embrace the need for a holistic approach on cybersecurity and for sharing information/best practices at Member States/multi-stakeholders level.
We have to step-up our support for a strong, consistent, and coherent global strategy to address cybersecurity.
We work closely with the Regulatory Committee for Civil Aviation Security in addressing the evolving threats to civil aviation. We also work closely with the Stakeholders Advisory Group on Aviation Security, which is a formally constituted consultation body. We value our cooperation with the EU Member States, ICAO, ECAC, and like-minded countries.
The role of ICAO
The ICAO Cybersecurity Resolution (A-39-19) was a good first global step forward to tackle cyber threats across the globe. We welcome the establishment of the Cyber Study Group to reinforce the impact of the Resolution.
These initiatives empower us to promote cyber in our capacity-building programmes. We have to step-up our support for a strong, consistent, and coherent global strategy to address cybersecurity.
I believe that ICAO should continue to play the essential leadership role as the highest and broadest international forum providing guidance to all its States. The complexity of cyber threats in aviation is so important that only a strong organisation like ICAO can assist global aviation in defining the best way forward.
Per Haugaard , Director at the European Commission’s Directorate-General for Mobility and Transport, is responsible for policy coordination and secu rity. He worked at the European Commission’s Secretariat-General and was Member of the Cabinet of several European Commissioners. He has law degrees from University of Copenhagen and College of Europe in Bruges.
This article was originally written for the ICAO EUR/NAT Office’s Newsletter (Issue 3) on May 2018. A full list of their newsletters can be found here.