A matter of collaboration, not compartmentalisation
The Covid-19 pandemic has impacted all industries and businesses like never before, with the aviation industry being one of the worst affected (90% traffic reduction during the crisis, and only 50% at the end of August 2020[i]). Just as in the 2009 financial crisis, this pandemic has exposed aviation’s economic and operational weaknesses, and most importantly, its lack of a holistic collaborative approach to security.
Historically speaking, aviation has been successful in building strong partnerships between its stakeholders (ie airports, airlines, ANPs, organisations and States) and working towards a common goal. But when it comes to security, the topic is treated as separate and compartmentalised. With the 530% rise in cyber-attacks reported to or identified by EUROCONTROL’s EATM-CERT between 2019 and 2020[ii], and stakeholders’ inability to properly react to those attacks, the fundamental question that lies ahead is this: how can we start treating cybersecurity as a collective issue rather than an individual one?
At a recent webinar on Cybersecurity in Aerospace, a panel of experts considered the question “How secure is Aviation in relation to Infrastructure, Avionics, Connectivity, CNS and Data?”
Timo Blunck (ATM-CNS Security Expert – EUROCONTROL) talked about the importance of understanding the interdependencies between all systems (both civilian and military) involved in the aviation network, including ATM, ATC, navigation, surveillance and satellite. Without a proper understanding of each system’s risks and vulnerabilities, and a proactive, collaborative approach by all system users towards the defence of those systems, aviation will never be capable of enhancing its cybersecurity capabilities. The industry also needs to realise the importance of information sharing, especially about cybersecurity incidents. In today’s environment, organisations and States react to a cybersecurity incident with shame and embarrassment, instead of seeing it as a way to learn and improve, both individually as an organisation and holistically as a member of the industry. Timo emphasised the importance of building a better security culture across aviation, where organisations and States can work together on the definition of industry-based guidance on security by design, system development, threat mitigation, information sharing and awareness.
Aharon David (Chief WHO (White Hat Officer) & Manager, AFuzion-InfoSec Cyber-Security) took a closer look at the current state of cybersecurity regulation, specifically the ED-202/DO-326 set of standards. Although regulation is not the only answer to enhancing cybersecurity in aviation, it is a building block for achieving consistency across the industry. Despite the efforts of security experts internationally to deliver a fully coordinated, cross-regional set of standards, implementation is still fragmented between domains (aircraft, ground systems, airports) and countries. It is the rise of cyber-attacks and security research initiatives in the past few years that has helped the industry become proactive about the development of common standardisation.
Thanks to a huge effort from EUROCAE and others, we are now in a position where we see multiple standards being developed. Whether we focus solely on ED-202A, which addresses the question of “what” with regard to the Airworthiness Security Process Specification; continue with other in-service standards such as ED-201 (Aeronautical Information System Security Framework Guidance), ED-203A (Airworthiness), ED-204A (Continuing Airworthiness), ED-205 (ATM/ANS Ground Systems) and ED-206 (Security Event Management, with ED-206A); or end with the upcoming ED-201A (expanding upon ED-201), ED-205A (expanding upon ED-205) and ED-206 (allocated to ED-ISEM, covering Security Event Management), we recognise that the industry is one step closer to closing the security gap worldwide.
Florent Rizzo (Founder and CEO, CyberInflight) agreed with Timo Blunck on the importance of information sharing with regard to cyber incidents, and noted that there is no better time to start talking about cybersecurity in aviation than now, after reaching the culminating point of the global pandemic. Based on their data from 2020, CyberInflight saw a substantial increase in attacks that was disproportionate to the normal annual rate of increase, with airlines accounting for 61% of all detected aviation-related cyber-attacks. Looking at the attack vectors for incidents that occurred in 2020 and 2021, the supply chain became the weakest entry point, with increased activity by criminals targeting Tier 1/Tier 2 subcontractors of suppliers. While the supply chain became a common weak point during attacks, there has been increased interest in cybersecurity onboard (ie embedded systems), specifically in technological research, testing and the adoption of best practices in aircraft cybersecurity, which represents a step forward for threat mitigation in the product supply chain environment.
Unfortunately, the industry still sees a growing tendency amongst organisations to share a minimum amount of information about incidents externally and thus “protect” the organisation from further disclosure of internal control weaknesses. Victims of an attack typically share only a minimum amount of information, partly due to fears of liability, but also due to fear of giving attackers additional information and increasing the risk of becoming a victim a second time. While this seems like a natural reaction, the industry needs to remember that threat mitigation in any area of critical infrastructure is more about working together and less about blaming each other. As far as the attackers are concerned, aviation is a single, coherent target. Only by working together as one can we mount a suitable defence against the types of attack in use.
At the end of the panel discussion, the panellists were asked to consider the question: “Is now the right time for us to address the disconnects between IT/OT, ground/air, and regulations?” While each answered with a different emphasis, the overall consensus was that the global pandemic definitely helped put cybersecurity higher on the organisational agenda. At a time when it is much easier to attack infrastructure remotely than physically, we as an industry need to apply a holistic effort towards security through a combination of awareness, regulation, better use of existing resources, and security by design. Most importantly, we should learn from other aviation communities, such as safety, that openly share information with each other, whereas in security we continue to treat such information as a closely guarded secret.
Bridging the silence gap (ie the tendency to introspect after an attack) between organisations and raising awareness of cybersecurity are challenges the aviation industry needs to address quickly. The panellists acknowledged that the development and implementation of the EUROCAE standards are vital for cooperation between industry organisations and regions. Egis has contributed to these standards over many years, and we believe their adoption is only the first step on a longer journey. No organisation or industry can truly apply the processes set out in a document unless its senior leadership understands and recognises the overall value in it, treats it as a priority rather than a “to-do” item on the list, and embraces a cyber-risk-aware culture in the organisation.
It is never too late to assess an organisation’s current state of cybersecurity and define areas for enhancement, whether this is done internally or with the help of trusted independent advisors. Here at Egis, we support organisations in building cybersecurity awareness through training, standards implementation, and the development of an effective cybersecurity roadmap. Which approach will your organisation take?
[i] Take advantage of the crisis to reinvent European air traffic control – Mark Baumgartner
[ii] Aviation under attack: Faced with a rising tide of cybercrime, is our industry resilient enough to cope? EUROCONTROL EATM-CERT Services Think Paper #12 – 5 July 2021