ICAO is preparing for the inaugural ICAO Cyber Summit and Exhibition, a joint aviation safety and security event, with the theme: Making sense of cyber – security, safety and resilience, that will be convened in Dubai, United Arab Emirates from 5 to 6 April 2017. The event, which is being hosted by the General Civil Aviation Authorities (GCAA), will bring together States, industry, partners and other key players to address challenges to aviation resulting from cyber threats for the first time in a high-level strategic forum to discuss current and future cybersecurity issues.
A workshop will be held the day prior to the Summit on 4 April 2017 and will provide participants an opportunity to interact with industry professionals to gain hands-on knowledge of cyber issues. Participants can pre-register for the free event here.
As organizations around the world and in all sectors are fast discovering, cyber attacks have become the “new normal.” It is no longer a question of if an organization will be attacked, it is a question of when. Luc Tytgat, Director of Strategy and Safety Management at the European Aviation Safety Agency (EASA), said recently that aviation systems were subject to an average of 1,000 attacks each month. In the US, Turkey, Sweden, Spain, and Poland, aviation systems infected with malware or security breaches have provoked delays, loss of information, and growing concern among public officials, regulators, aircraft operators, and passengers.
Critical infrastructure serves as the backbone of the economy, and is essential to the functioning of modern society. Protecting critical infrastructure such as power and water supplies, banking and financial services, and transportation systems from cyber attacks is a global issue that requires governments and industry to work together. The economic impact of a coordinated and sustained cyber attack on critical infrastructure is estimated to easily run into the tens of billions of dollars.
A University of Cambridge Centre for Risk Studies report released last year, pointed to one example where a cyber attack on the power distribution network in South-East England would see up to 13 million people hit by blackouts, alongside disruption to a million rail and more than 300,000 air passenger journeys each day.
The potential of large scale cyber attacks against the aviation system is very real. Global aviation has one of the most complex and integrated systems of information and communications technology (ICT). ICT is pervasive across the aviation ecosystem, from designing and manufacturing aircraft to flight operations, reservations and ticketing, maintenance, communications, navigation, surveillance, and air traffic management (CNS/ATM). As a growth sector, the global aviation system is also in a continual state of evolution through the rapid adoption of new technologies, and becoming increasingly interconnected through the integration of subsystems and the exchange of data.
The new generation of aircraft are IP-enabled, and by 2025 up to 70% of the global fleet will provide in-flight connectivity. Specific aircraft interfaces are being designed into the wider aviation ecosystem and easily interface with commercial-off-the-shelf (COTS) technologies. Connectivity enhances aircraft capabilities and passenger amenities, but it also increases the number of entry points into systems. The CNS/ATM system is also becoming more dependent on digital technology enablers. However, certain CNS/ATM technologies were not designed with the cyber threat in mind.
Automated Dependent Surveillance-Broadcast (ADS-B) – a cooperative surveillance technology and an integral component to the future air traffic system – is vulnerable to spoofing and jamming because it is unencrypted and unauthenticated, showing aircraft ID, altitude, latitude/longitude position, bearing, and speed. The same holds true for the Aircraft Communication and Reporting System (ACARS), and without encryption and authentication a malicious actor could inject false data or information into the system, causing havoc for air traffic control and flight operations.
Organizations that make up the aviation system must therefore develop and implement cybersecurity strategies to become more secure, vigilant, and resilient. This will involve more than just adopting good security policies and implementing technical fixes. It also requires that organizations collaborate more and acquire new intelligence about cyber threats through the sharing of information within and across industries. Governments have an important role to play to ensure the right conditions exist that will make this happen.
THE IMPORTANCE OF COLLABORATION AND INFORMATION SHARING
It is widely recognized that no one organization can have complete awareness of every security threat, vulnerability, and incident that it may face and the assets and processes that need to be protected. However, organizations in the same or similar business sectors that work in comparable environments often have the same security concerns, and sharing security information can help protect their individual organization and increase the effectiveness of the community’s collective response to security attacks. To combat cyber crime, businesses and governments must improve their strategy around cyber threat information-sharing and collaborative communication. The more information organizations have about cyber crime techniques, the better they will understand how cyber criminals operate and what behaviours to look for.
In 2013, the Obama Administration took the step of issuing a Presidential Policy Directive on Critical Infrastructure Security and Resilience that strengthened the partnership with industry and encouraging new information sharing programs such as the creation of the Information Sharing and Analysis Centers (ISACs).
In December 2014, the Civil Aviation Cybersecurity Action Plan was signed by Airports Council International (ACI), Civil Air Navigation Services Organisation (CANSO), International Air Transport Association (IATA), International Coordinating Council of Aerospace Industries Associations (ICCAIA), and ICAO. The Action Plan committed to information sharing and the development and promotion of best practices in combating cyber crime.
Reflecting growing international concern, cybersecurity was on the agenda of the ICAO Assembly in September. ICAO urged Member States to align cybersecurity responsibilities within respective governments and adopt a flexible, outcome-focused approach to deal with new kinds of risks.
In EASA’s new cybersecurity centre, an Aviation Computer Emergency Response Team will help understand the nature of the threats, collect evidence of previous cyber attacks, identify security flaws and vulnerabilities, analyze and develop responses to cyber incidents or vulnerabilities. These efforts mirror recommendations by a 2015 US Federal Aviation Administration (FAA) advisory committee.
Nonetheless, many organizations in the aviation sector have not moved much past discussion and good intentions. Information is not adequately being shared for a variety of reasons, with organizations citing legal reasons or business concerns as the main factors. The reality is that businesses are apprehensive about sharing critical cyber information, even on a voluntary basis. This may be due to law, regulation, or contract, which can create obligations of secrecy and expose a company to legal liability risk if information is shared.
There are also concerns over reputational risk, as a company that discloses its vulnerabilities may cause concern for its customers and shareholders. Disclosed vulnerabilities may even encourage further attacks.
To overcome the reluctance to share information, businesses need to better understand how they can share information safely and effectively and how they can realize the benefits from information sharing. Fundamentally, information sharing is a matter of trust, and governments can help create this trust by clarifying the rights and obligations of those who share and receive information as well as the protections that are offered when the arrangements on information disclosure and use are respected.
INFORMATION-SHARING COMMUNITIES AND TECHNOLOGY ENABLERS
Developing an effective information-sharing community requires careful consideration of the oversight and governance arrangements so that members can trust that their rights and obligations are clearly governed and that security measures are in place to prevent the sharing of unauthorized data.
Consideration must be given to the information to be shared, its timing, and the audience: anonymization, redaction, obfuscation, and delay in the release of the information must all be considered in order to minimise individual or collective vulnerability yet still inform recipients. Building effective information-sharing communities can be further enabled through the employment of digital engagement tools and techniques.
Having agreements in place for cross sector sharing will allow the community to learn from other industries’ experiences and lessons learned from cyber attacks that may not yet have manifested in the aviation system. The creation of such information sharing communities could in turn help develop the collaborative relationships with government agencies to provide and be provided with cybersecurity threat information that will help all organizations – public or private – to prevent, detect, and respond to threats in a more timely and effective manner.
SOME GOOD PRACTICE EXAMPLES OF VOLUNTARY ONLINE AND SECURE INFORMATION
Starting small and not initially setting too high ambitions for information sharing communities will help build trust and the type of industry/government collaborative relationships that are needed to prevent, detect, and respond to cyber attacks. This can be covered by the terms of use of an information-sharing platform, which will need to be actively enforced.
Community membership criteria and a clearly defined member application sharing communities already exist. The Gloucestershire Safer Cyber Forum (GSCF) – http://www.safercybergloucestershire.uk– was launched by the Gloucestershire’s Police Constabulary as a means to step up the fight against cyber crime. And, the CSO Alliance – http://www.csoalliance.com– was launched to tackle organized maritime crime, active in over 60 countries, through real-time intelligence-sharing and to promote a coordinated approach to maritime security, from piracy to smuggling, illegal boarding, theft, and corruption, as well as cyber crime.
The valuable human interactions that are facilitated through such secure online members-only platforms help to enhance “security through community,” process are equally important to ensuring members are vetted and duly authorised by their organizations to participate.
The benefits from participating in a digital information sharing community will also need to be realised quickly. The functionality of the technology platform should provide members with the ability to engage, share, and learn of best practices and insights. Value-added content such as statistics, trend analyses, and intelligence reports and this same philosophy and approach needs to be explored and encouraged for the aviation sector.
While there is always a risk that shared information will be misused by a recipient, the experience has been that the benefits of sharing security information within closed communities far outweigh the risks, especially when the digital engagement technology and process environment supports the relevant levels of functionality, security, and privacy that are needed by the community. Strength comes from working together, smartly and securely, utilizing the digital engagement technology that exists today.
ABOUT THE CONTRIBUTOR
Eugene Hoeven is the President and Founding Partner of EH&A Aviation Management Consulting, Montréal, Canada. Previously he was Director ICAO Affairs with the Civil Air Navigation Services Organisation (CANSO) and Director, Risk Management and Insurance at the International Air Transport Association (IATA).
Eugene Hoeven is the President and Founding Partner of