Many trade organizations are working hard to ensure the safety and security of the aviation industry. They include the following:
IATA IT Service Director and Chief Information Officer Pascal Buchner told e-tech, at the 7th High-Tech Bridge Geneva Information Security Day (GISD), that collaboration and information sharing were essential. Buchner explained that a sector-specific Information Sharing and Analysis Centre (ISAC) that brings together airlines, suppliers and other contributors had been set up for this purpose. Its members “exchange a wide range of information, including on best practice; the aim is to expand this ISAC to include service providers, airports, traffic management, etc. In cyber security one has to manage the whole chain.”
“As regards air freight,” Buchner added, “there is also a multimodal aspect as it may include maritime, rail and road transport operators, so it is important to oversee the whole chain.”
Air freight may also present liability problems, in particular related to the disclosure of cyber breaches; it is a complex issue that may involve several actors, Buchner said.
All these trade organizations stress the importance of international standards for protecting the aviation industry from cyber attacks. For this they refer constantly to ISO/IEC 27001:2013, but also to other standards from the ISO/IEC 27000 family developed by the IEC and ISO joint technical committee for information technology. Additionally, the IEC 62443 series of standards, developed for industrial-process measurement, control and automation, defines procedures for implementing electronically secure Industrial Automation and Control Systems (IACS), and is also mentioned as being essential for protection from cyber threats.
Aviation industry stakeholders also list the US National Institute of Standards and Technology (NIST) Cyber Security Framework for Improving Critical Infrastructure as being vital for cyber security. The framework gives guidance to “identify, protect, detect, respond and recover” from cyber threats in order “to provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk”. For this, the ‘Framework Core’ refers specifically to ISO/IEC 27001 and to standards from the IEC 62443 series.
In addition to standards for managing and protecting against cyber threats, IEC has developed many international standards which are critical for airport security: for example, standards for cards and personal identification, for machine-readable passports, machine-readable visas and official travel documents, and for biometrics. ISO/IEC 24713-2:2008 is an international standard covering “biometric profiles for interoperability and data interchange” specific to “physical access control for employees at airports”. It covers the basic biometric functions of enrolment, verification and identification and includes a database interface.
A holistic, industry-wide risk management approach to all safety and security aspects (including physical and cyber security) is essential for the aviation industry. This approach requires close cooperation, communication and exchange of information between all stakeholders and operators, implementation of existing standards and the future adoption of those under development. Ideally, and wherever possible, airports should be secure by design, with physical and cyber security measures incorporated from the design phase, not added later.