Digitalisation and automation, together with the deployment of more cyber technologies, come as an opportunity but also risk facilitating the fast-evolving threat to the critical operations of air transport. Careful design and cautious systems integration are vital if airports are to become more resilient to cyberthreats. Jérôme Morandière reports.
There is an old saying, “To err is human, to forgive is divine”, that has in recent years been revised by the onslaught of ever-present technology. Luddites and cynics prefer the new version: “To err is human, but to really mess things up, you need to be on a computer”. This could arguably be the first humorous reference to cybersecurity, but the subject is no laughing matter. Not so long ago, it might have seemed unlikely that some seemingly harmless computer code could be weaponised and used to disarm and disrupt so much of society. But that is precisely where we are now.
As the world comes to terms with the implications of cyberattacks, cyberbots and fake online information campaigns on the democratic process in various countries, the need for every industry to sharpen its cybersecurity strategy becomes more urgent by the month.
On the one hand, data-driven operations within an integrated global air transport network present an unprecedented opportunity. Even if the past decade has seen rising uptake of airport collaborative decision-making in Europe, airports, airlines and air navigation services providers (ANSPs) are still looking for fresh gains in operational efficiency. Systems are becoming faster, more convenient, more efficient and better integrated, but on the other hand, the potential for cyber-vulnerabilities has become more acute as well. Here are some of the ways cyberthreats can hit airports:
Unintentional malfunctions, power cuts and hardware failures account for a significant part of known cyber-events and have already made their presence felt in several aviation-related activities.
- On 28 September 2017 the UK Telegraph newspaper website reported that air passengers were suffering major disruption at airports around the world after computer check-in systems crashed.
- In February 2017 a major computer malfunction caused by faulty hardware affected one of Europe’s largest transportation hubs for hours, causing delays or cancellations of more than 100 flights.
All Information and Communication Technologies (ICT) rely on a power supply and, depending on the function provided, on wider internet access. Major power failures affecting air transport have been reported in the past year, with consequences for airport, airline and air traffic control operations in Europe.
Intentional disruptions also represent a growing risk for organisations that are “ICT reliant” (e.g. growth of ransomware, attacks involving phishing techniques, information theft or data corruption etc.). Significant incidents have been reported in aviation over the last ten years:
- In July 2008, e-ticketing kiosks at Toronto Airport, using credit card authentication, were tampered with in order to steal passengers’ credit card details.
- In February 2009, the Federal Aviation Administration’s (FAA) air traffic networks were breached by attackers who obtained access to personal information.
- In 2013, a phishing scam seeking to breach US commercial aviation networks targeted no fewer than 75 US airports.
- The civil aircraft manufacturer Airbus Group is reportedly subject to up to 12 cyber-attacks per year, mostly in the form of ransomware and hostile actions.
- In July 2016, hackers successfully attacked Vietnam’s two largest airports and the nation’s flag carrier, Vietnam Airlines.
Luckily enough, none of these events put lives directly or indirectly at risk, but with the escalation of these incidents, how are airports and other aviation stakeholders preparing themselves?
Room for improvement
According to SITA’s latest 2017 Air Transport IT Trends Insights, cybersecurity now tops the CIO agenda, with 95% of airlines and 96% of airports planning to invest in major cybersecurity programmes over the next three years. But there is still room for improvement, with only one third of boards at airlines, and a fifth at airports, having fully integrated cybersecurity into their business plans. ACI EUROPE can confirm these trends following its own surveys carried out in 2017. The respondent sample, airport operators of a wide range of sizes together representing 25% of the annual traffic in and out of the EU, confirmed that a large majority recognised the risks at board level and are planning accordingly. But the policies and programmes developed have yet to be fully enforced, which is also explained by the difficult challenge of the resources and expertise this requires. It is worth noting that airports are increasingly joining forces, and ACI EUROPE has recently set up a cybersecurity task force to facilitate information exchange, sharing of experiences and understanding, and to foster the development of best practices.
There is growing awareness among national and supra-national entities worldwide of the need for organisations and governments to work together on this. In December 2014, the major international civil aviation stakeholders including ICAO, ACI, IATA, CANSO, ICCAIA co-signed and initiated cooperation with the “Cybersecurity Civil Aviation Action”.
In Europe, national and supra-national regulators have begun coordinating their efforts: the “first ever cybersecurity law” in the EU, the Network and Information Security (NIS) Directive 1148/2016, will be enforced at the latest as of May 2018. But the EU NIS Directive leaves open the risk of unharmonised implementation of measures and oversight requirements. Indeed, the security measures and the definition criteria for Operators of Essential Services (OES) are left to every State to decide. The EU NIS Directive allows for sector-specific rules. This means that it does not prevent a sector-specific approach where necessary, for example one that can address concerns specific to civil aviation safety. In this instance, ACI EUROPE strongly recommends, as a matter of utmost importance, that the safety-critical elements of aviation flow in a consistent and coordinated way with the existing EU NIS Directive baseline requirements, recognising that aviation is only one aspect of an “airport city” activity.
In 2015, the European Commission tasked the European Aviation Safety Agency (EASA) with establishing an aviation-specific cybersecurity roadmap. This EASA-led plan resulted in the recent establishment of a European Strategic Coordination Platform (ESCP) that involves all the key aviation actors from EU authorities and industry, including ACI EUROPE. The work started in July 2017 and the aim is to shape European aviation cybersecurity rules and requirements for tomorrow’s safety challenges (2020 being foreseen as the horizon for the first safety rules package). The new EASA Basic Regulation 216 (currently under review at EU political level) will define a new EASA legal base and mandate for such a European rulemaking task.
The default assumption is that every organisation is exposed. However, recognising that not all systems and services used or delivered at airports are critical helps determine the areas for prioritisation. Before establishing the aviation safety regulated perimeter, the criticality of each function, operation or service, and the degree to which any system and process contributes to these functions, operations or services, will have to be defined and carefully assessed.
Furthermore, there are several other challenges that EU regulators will have to recognise and will have to overcome, such as:
- The definition criteria for OES under the terms of the NIS Directive may vary in each EU country. Aviation stakeholders should support full harmonisation with the OES requirements arising from the transposition of the EU NIS Directive, and support national and EU supra-national authorities in coordinating among themselves in this respect. Empowering EASA to coordinate with the EU NIS Cooperation Group and with the EU Member States’ authorities also prevents the risk of duplication and, conversely, the risk of mitigation gaps.
- Like the industry, the authorities in charge will also be affected by the new aviation cybersecurity regime. When it comes to oversight and compliance control activities, a stakeholder-centric approach rather than a system-centric approach is preferable since it would be more efficient.
- When it comes to aviation cybersecurity inter-organisational needs, every airport platform has a unique structure of services. And critical stakeholders in the EU (ATC, airlines, airports etc.) have already established a common and fruitful taskforce to share efforts and solve the abundant challenges more efficiently by standardising among themselves as much as possible. These efforts are on-going. In this respect, ACI EUROPE welcomes and supports EASA’s call on industry to come up with standards that may be recognised by regulators as acceptable means of compliance.
- Traditionally, aviation safety certification (e.g. airworthiness) is a lengthy process, which may be in conflict with the need for rapid implementation of mitigation measures due to the nature of cyber risks. There is an evident need to address cyber risks specific to aviation safety, so aviation stakeholders will have to collectively find a compliance mechanism that does not hinder the effectiveness of, and need for, rapid deployment of solutions (and which may not be a “certification mechanism” at the end of the day). A different or new approach may be necessary in this respect. In addition, regulators should recognise that airport aviation safety is only one of the cyber risks that an airport has to cope with (e.g. some airports operate hospitals, metro or train stations, power plants etc.). Therefore the implementation of any new cybersecurity measures for aviation safety should not weaken the effectiveness of other key services or functions at the airport.
Addressing and ensuring an appropriate cybersecurity and resilience level in aviation is first and foremost a collective responsibility, and both a political and a technical challenge. Let’s be clear, crafting laws and regulations in an area of rapid technological change and lightning-fast hackers is not an easy task, quite the opposite. To advance successfully, the industry must work together, most likely in a form of bottom-up approach based on industry best practices either in development or already in existence. Counterbalancing the necessary flexibility and adaptability with an ambitious and rigorous approach will be vital. The devil is in the details.