Here's how the aviation sector is stopping cyberattacks from getting off the ground
By Rashad Karaky, Aviation Cybersecurity Officer, International Civil Aviation Organization (ICAO)
Saulo Da Silva, Chief Global Interoperable Systems Section, International Civil Aviation Organization (ICAO)
Sylvain Lefoyer, Deputy Director, Aviation Security and Facilitation, International Civil Aviation Organization (ICAO)
Recent years have witnessed a giant leap in technological advancements and their application in business, including developments in machine-learning techniques, telecommunications (5G), the internet of things and more.
The aviation sector, as with all other industries, endeavoured to benefit from those advancements to support its development, including the integration of new airspace users, the development of advanced aircraft systems and applications, automation and integration in data applications and decision-making systems in airports and airlines, and the interconnection between previously isolated systems through data-sharing across the aviation value chain.
Those developments in the air transport sector enhanced efficiency and capacity, allowing the sector to sustain the fast growth rates it has witnessed over the past two decades. They also resulted in positive spillovers on safety, security and the environmental footprint of international civil aviation. However, these developments brought cyberthreats with them. These threats have grown exponentially during the past decade as the cyber domain became an attractive field for malicious actors to make financial gains, cause harm, and/or instill chaos in the global economic system.
Accordingly, ensuring the cybersecurity and resilience of the civil aviation sector became a high priority, and indeed a prerequisite for the sustainability of this sector and its ability to grow in a safe and secure manner.
The International Civil Aviation Organization (ICAO) has long been aware of the cybersecurity challenges facing the international civil aviation sector, and has been, and still is, the natural forum for the global international air-transport community to discuss and address those threats in a consistent, harmonized and cross-cutting manner across the different air-transport domains. As international cooperation is key to addressing cybersecurity and resilience in civil aviation, ICAO engages with relevant international fora to support global discussion of the topic. The collaboration between ICAO and the World Economic Forum is one example of successful public-private collaboration among stakeholders to exchange views and share experience and best practices in support of a cyber-resilient international civil aviation system.
ICAO’s work on cybersecurity and resilience began with the publication of the Global ATM Operational Concept in 2005. As the civil aviation sector’s reliance on information and communication systems increased over time, ICAO initiatives and discussions over cybersecurity evolved to cover the whole air transport sector, such as addressing cyberthreats in ICAO Standards and Recommended Practices (SARPs), Procedures for Air Navigation Services (PANS), and guidance material.
Those discussions further led to the adoption of two ICAO assembly resolutions: Resolution A39-19 in 2016, superseded in 2019 by Resolution A40-10 – Addressing Cybersecurity in Civil Aviation, which urges states to adopt and implement the Beijing Convention and Protocol of 2010 as a means for dealing with cyberattacks against civil aviation, and calls upon states and stakeholders to take actions to counter cyberthreats to civil aviation.
The 40th Assembly also adopted the Aviation Cybersecurity Strategy, a translation of ICAO’s cybersecurity vision for the global civil aviation sector to be resilient to cyberattacks, safe and trusted globally, while continuing to innovate and grow.
The strategy is a framework built on seven pillars, which include the following main principles:
• Cybersecurity and aviation are both borderless in nature. Both require cooperation and harmonization at the national, regional and international level.
• States are encouraged to develop clear national governance and accountability for civil aviation cybersecurity and to include cybersecurity in their national civil aviation safety and security programmes.
Effective legislation and regulations
• States must ensure that appropriate legislation and regulations are formulated and applied prior to implementing a national cybersecurity policy for civil aviation.
• States are encouraged to consider whether their national legislation requires an update or the adoption of new national legislation to allow for the prosecution of cyberattacks against civil aviation.
• States are encouraged to set up appropriate mechanisms for cooperation with “good faith” security research.
• Cybersecurity is to be included within a state’s aviation security and safety oversight systems as part of a comprehensive risk-management framework.
• A culture of information-sharing will significantly reduce systemic cyber-risk across the aviation sector, the value of which has already been proved across aviation safety and security.
Incident management and emergency planning
• There is a need to have appropriate and scalable plans that provide for the continuity of air transport during cyber incidents.
• States and stakeholders are encouraged to make use of existing contingency plans that are already developed and amend these to include provisions for cybersecurity.
• Cybersecurity exercises are a useful tool to test existing cyber-resilience and identify improvements, and are therefore highly encouraged.
Capacity-building, training and cybersecurity culture
• It is critically important that the civil aviation sector takes tangible steps to increase the number of personnel that are qualified and knowledgeable in both aviation and cybersecurity.
• The civil aviation sector has established an enviable safety record that is founded upon a proactive safety culture seen as everybody’s responsibility. The principles of this safety culture are to be applied to develop and maintain a cybersecurity culture across the aviation sector.
The Cybersecurity Action Plan
The first edition of the Cybersecurity Action Plan was published in November 2020. It is a living document that aims at supporting states and stakeholders in implementing the Cybersecurity Strategy. The Action Plan identified 29 Priority Actions, which are further broken down into 54 time-bound Measures and Tasks, providing the foundation for ICAO, states and stakeholders to cooperate and work together to better address cybersecurity and resilience in civil aviation.
Cybersecurity Capacity Building
ICAO recognizes the importance of capacity-building and the top-down approach required to address cybersecurity and resilience in civil aviation. As such, a training portfolio is under development, starting with two courses that are currently being finalized: Foundations of Aviation Cybersecurity Leadership and Technical Management; and Managing Security in ATM.
The International Aviation Trust Framework
In 2019, ICAO initiated a project that aims at ensuring that the air navigation system is secure and resilient to cyberattacks, and that the storage, processing and exchange of data and information meet the requirements of confidentiality, integrity and availability. The ongoing work includes the development of a concept of operations and governance options for an International Aviation Trust Framework, the development of a certificate policy for digital identity management, and the development of guidance material, requirements and procedures for technical and organizational trust. On the network side, the work continues to define performance-based requirements for processing, exchange and storage of information in network applications, including the development of technical requirements needed to cover current and future aviation needs, as well as work on the necessary protocols to allow logical isolation of aviation communication data from the public internet.
In conclusion, ICAO continues to address cybersecurity and resilience in civil aviation as a matter of high priority, and is committed to supporting the sector in developing the guidance and tools needed to manage these emerging threats in order to ensure its safe, secure and sustainable development.