Thwarting cyber attacks in aviation

Collaboration is required from many organizations to make the flying experience safe and secure on the ground and in the air

Cyber attacks are carried out by a range of perpetrators. They include individuals, organized criminals and state-sponsored entities. Sometimes their malicious goals are distinct or overlapping and may include one or more of the following: extortion, fraud, business or reputational damage and disruption interfering with (or taking down) the infrastructures of companies or states. Actors, like goals, often span several areas, making identification and attribution difficult.

Air traffic controllers
Air traffic controllers at work in the area control centre (Photo: Skyguide)

Collaboration and information exchange between stakeholders

Many trade organizations are working hard to ensure the safety and security of the aviation industry. They include the following:

  • The International Air Transport Association (IATA), created in 1945, is a worldwide trade association of airlines. It has released a cyber security toolkit, now in its second version.
  • The International Civil Aviation Organization (ICAO) is a specialized United Nations (UN) agency set up in 1944, whose members agreed on a Civil Aviation Cybersecurity Action Plan in December 2014. ICAO members also reached a number of cyber-related resolutions. ICAO organised its “Second high-level conference on aviation security“ in Montreal in November 2018.
  • The Société Internationale de Télécommunications Aéronautiques (SITA) is an air transport IT and communications provider established in 1949. It has some 400 members that include airlines, airports, aerospace companies, air traffic management organizations, air freight businesses, governments and international organizations and more. SITA offers cyber security solutions.
  • The Airports Council International (ACI), created in 1991, is the global trade body representing all airport authorities. ACI develops standards, policies and recommended practices for airports; these include work on cyber security issues. ACI works with ICAO and governments and presented a joint contribution (together with IATA) on ‘Vision for aviation security at airports’ at the ICAO November 2018 “Second high-level conference on aviation security”.
  • In February 2017,  the European Aviation Safety Agency (EASA) signed a memorandum of mutual cooperation (MoC) with the European Union Computer Emergency Response Team (CERT-EU) for the implementation of a European Centre for Cyber Security in Aviation (ECCSA), aimed at increasing collaboration and information sharing in cyber security amongst aviation stakeholders.

IATA IT Service Director and Chief Information Officer Pascal Buchner, told e-tech, at the 7th High-Tech Bridge Geneva Information Security Day (GISD), that collaboration and information sharing were essential. Buchner explained that a sector-specific Information Sharing and Analysis Centre (ISAC) that brings together airlines, suppliers and other contributors had been set up for this purpose. Its members “exchange a wide range of information, including on best practice; the aim is to expand this ISAC to include service providers, airports, traffic management, etc. In cyber security one has to manage the whole chain.”

“As regards air freight,” Buchner added. “there is also a multimodal aspect as it may include maritime, rail and road transport operators, so it is important to oversee the whole chain.”

Air freight may also present liability problems, in particular related to the disclosure of cyber breaches, it is a complex issue that may involve several actors, Buchner said.

International standards are central to aviation security

All these trade organizations stress the importance of international standards for protecting the aviation industry from cyber attacks. For this they refer constantly to ISO/IEC 27001:2013, but also to other standards from the ISO/IEC 27000 family developed by the IEC and ISO joint technical committee for information technology. Additionally, the IEC 62443 series of standards developed for industrial-process measurement, control and automation, defines procedures for implementing electronically-secure Industrial Automation and Control Systems (IACS), and is also mentioned as being essential for the protection from cyber threats.

Aviation industry stakeholders also list the US National Institute of Standards and Technology (NIST) Cyber Security Framework for Improving Critical Infrastructure, as being vital for cyber security. The framework gives guidance to “identify, protect, detect, respond and recover” from cyber threats in order “to provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk”. For this, the ‘Framework Core’ refers specifically to ISO/IEC 27001 and to standards from the IEC 62443 series.

In addition to managing and protecting from cyber threats, IEC has developed many international standards which are critical for airport security. For example, for cards and personal identification, for machine-readable passports, machine-readable visas and official travel documents, and standards for biometrics. ISO/IEC 24713-2:2008 is an international standard covering “biometric profiles for interoperability and data interchange” specific to “physical access control for employees at airports”. It covers the basic biometric functions of enrolment, verification and identification and includes a database interface.

A holistic industry-wide risk management approach to all safety and security aspects, (including physical and cyber security), is essential for the aviation industry. This approach requires close cooperation, communication and exchange of information between all stakeholders and operators, implementation of existing standards and the future adoption of those under development. When possible, and ideally, airports should be secure by design, with physical and cyber security measures incorporated from the design phase, not added later.