In 2017, the European Centre for Cybersecurity in Aviation (ECCSA) was established to counter cyberattacks on aviation. Supported by the European Union Aviation Safety Agency (EASA), it is a voluntary, cooperative partnership within the aviation community to provide collective support in dealing with cybersecurity incidents, weaknesses and unauthorised interactions that could potentially affect the industry’s resilience and safety. Report by Gerry Ngu, Davide Martini and Ansgar Sickert.
The total cost of cybercrime for 2019 is expected to exceed US$2 trillion (€1.8trn) – a quadrupling information exchange on cyber risks and best practices on how to address them. Only close cooperation between all stakeholders based on mutual trust and agility can make the industry resilient to the rising cyber threats.
This initiative has led to the set-up of the European Centre for Cybersecurity in Aviation (ECCSA), a knowledge centre and information-sharing network that launched its “open membership” registration to eligible European-based organisations from the aviation sector in July this year. During a nearly two-year pilot phase, completed in March 2019, the 12 founding members representing the entire value chain of the aviation industry in Europe developed membership criteria and a governance code outlining the purpose and workings of ECCSA.
The founding members – Airbus, Air France/KLM, Brussels Airport, the Civil Aviation Authority of the Republic of Poland, EASA, ENAV S.p.A., EUROCONTROL, Finnair, Fraport AG, Leonardo S.p.A., Lufthansa Group, NAV Portugal and Thales Group – are now represented in ECCSA’s Steering Committee, which will guide the fledgling forum in its strategy, policy and activities. The Brussels-based Computer Emergency Response Team (CERT-EU) assisted with technical infrastructure and expertise as well as with the development of information products such as advisories, newsletters and threat landscape reports related to aviation.
ECCSA is carrying out, or envisages, essential cooperation and partnerships with the following:
- EASA – European Union Aviation Safety Agency (acting for the moment as main supporter),
- CERT-EU – Computer Emergency Response Team for the EU institutions, agencies and bodies,
- EATAM-CERT – European Air Traffic Management Computer Emergency Response Team (supported by EUROCONTROL),
- ENISA – European Union Agency for Cybersecurity,
- US A-ISAC – Aviation Information Sharing and Analysis Center for the majority US industry and
- EA-ISAC – Aviation Information Sharing and Analysis Center for the majority EU industry.
The key purpose of ECCSA and main benefit for its members will be information sharing on potential and real cyber threats. ECCSA will dedicate its activities to the identification of potential risks, recommending pre-emptive protection measures to reduce vulnerabilities, as well as to the detection of and response to actual cyber events when they happen. To be effective, this has to happen in an atmosphere of mutual trust and openness but also with the necessary discretion, taking account of the operating and very real legal constraints some members may be facing.
ECCSA membership provides access to the various fora for information exchange and best practices as well as to ad hoc activities. In addition, it offers feeds of relevant daily news for the aviation community and the general public. It also offers support to individuals who want to report vulnerabilities uncovered in good-faith research activities (for more information: https://www.easa.europa.eu/eccsa/eccsa-request-assistance-vulnerability-disclosure).
Membership is open to all aviation-related organisations that have their principal base of business in Europe and are firmly committed to the high principles of industry cooperation aiming to strengthen information security, safety and security resilience of organisations and travellers. Organisations can receive more information about ECCSA and the process to join as a member by completing a short online “Expression of Interest” form (available at https://www.easa.europa.eu/eccsa/eccsa-membership-expression-interest).
Concerning rulemaking activities, an important milestone has been achieved by EASA through the release of the following materials:
- NPA 2019-01 (Aircraft Cybersecurity) was published on 22 February 2019, with the objective of mitigating the potential effects of cybersecurity threats on safety. Its intent is to amend CS-23, CS-25, CS-27, CS-29, CS-E, CS-ETSO, CS-P and, as applicable, their related acceptable means of compliance (AMC)/guidance material (GM), together with AMC-20. The amendments would introduce cybersecurity provisions into the relevant certification specifications (CSs), taking into account the existing special conditions (SCs) and the recommendations of the Aviation Rulemaking Advisory Committee (ARAC) regarding aircraft systems information security/protection (ASISP). They should also improve harmonisation with the Federal Aviation Administration (FAA) regulations.
- NPA 2019-07 (Management of Information Security Risks) was published on 27 May 2019, with the objective of proposing the introduction of provisions for the management of information security risks related to those information systems used in civil aviation. These provisions shall apply to competent authorities and organisations in all aviation domains (i.e. design, production, management of continuing airworthiness, maintenance, air operations, aircrew, air traffic management/air navigation services (ATM/ANS), and aerodromes), include high-level, performance-based requirements, and shall be supported by acceptable means of compliance (AMC), guidance material (GM), and industry standards.
- The public consultation for NPA 2019-07 is open for comments until 27 September 2019 (available at https://www.easa.europa.eu/document-library/notices-of-proposed-amendment/npa-2019-07) and is expected to draw significant interest from Member States and the industry, including ACI EUROPE, which has been consolidating comments from its members and submitting them on their behalf.
The regulation is foreseen to apply to all aviation stakeholders and is a first worldwide in its systematic and wide-ranging regional approach.
ECCSA is a clear example of how the aviation industry is working hand in hand to mitigate cybersecurity threats in Europe. Thomas Leonhardt, Fraport SB Member, commented: “Today, cyber threats, whether they come from individuals, organised crime or state-sponsored parties, have become a fact of life for every company and organisation. The nature of cyber threats is such that it is no longer possible to face them alone. With that in mind, I’m very happy that the aviation community is joining forces under the umbrella of ECCSA to strengthen cybersecurity and build resilience across the aviation value chain.”
Gerry Ngu is Senior Technical Coordinator at EASA/CERT-EU.
Davide Martini is Senior Expert – Cybersecurity in Aviation at EASA.
Ansgar Sickert is ACI EUROPE Liaison Officer to EASA.