The Russian invasion of Ukraine has defined a new era for cyber warfare and hacktivism. It is a whole new game in which the potential of cyberattacks is unlocked and brought onto the physical war front: to disrupt critical infrastructures, to establish pre-positioning activities, and to engage in cyber influence operations, disinformation and propaganda, to mention but a few.
In this new era it is paramount to understand that without cybersecurity there will be no trust, and without trust we will not be able to fully reap the benefits of a digital economy and society in Europe. If we don't invest in those benefits and technologies, we won't be in a position to strengthen our digital autonomy. So what measures can we take to increase the resilience of critical, safety-of-life infrastructures such as ATM?
The European Union has developed, and is still developing, a number of legislative measures in order to implement its EU Cybersecurity Strategy. Major policies developed so far include the Directive on measures for a high common level of cybersecurity across the Union (known as NIS2), the Cyber Resilience Act (CRA), and the Digital Operational Resilience Act for the financial sector.
The latest developments in legislation show a tendency to focus on and address the needs of specific sectors. The EU has therefore pioneered a set of interlinked legislative initiatives which are unprecedented worldwide.
As for the aviation sector in particular, Opinion No 03/2021 proposes "the introduction of an information security management system (ISMS) for the competent authorities and for organisations in all aviation domains and requires them to report incidents and vulnerabilities related to information security" (Horizontal Rule Part-IS).
The Horizontal Rule Part-IS text has been developed in consultation with the European Strategic Coordination Platform (ESCP). ENISA is a member of the ESCP and has contributed to the consultation process by participating in two expert working groups.
In addition, under the recently adopted NIS2, ENISA has established a service-oriented sectorial strategy, under which ENISA's "service catalogue" is delivered in the format of a package (tailored to a sector's specificities) that aims to boost capability and overall resilience. Aviation is one of the sectors targeted by the service package.
But our work does not end here. Given that attackers are sector-agnostic, when it comes to critical infrastructure – as is the case for the aviation industry – targeted cooperation among sectorial bodies and agencies, and between the public and private sectors, can help fill gaps in the digital autonomy of strategic sectors, foster and promote initiatives, and ensure common responses to common threats.
ENISA has collaborated closely with EUROCONTROL over the past years, sharing relevant information and analysis through the ENISA threat landscape reports and the EUROCONTROL/EATM-CERT reports respectively, thus boosting overall threat knowledge and situational awareness. In addition, EUROCONTROL experts are part of the ENISA ad hoc working group on cyber threat landscapes, and they regularly exchange know-how with ENISA on aviation threats.
ENISA also actively participates in the Aviation Cybersecurity Working Group and liaises with the European Union Aviation Safety Agency (EASA) on multiple initiatives, acting as a catalyst for collaboration and exchange in the aviation sector. These include, but are not limited to, information sharing (e.g. threats and incidents), disseminating good practices (e.g. incident reporting, taxonomies), and working with stakeholders to achieve EU-wide harmonisation.
In conclusion, first we need to gear up collaboration and make full use of the tools in our hands in an effort to strengthen resilience and trust.
Secondly, we need research, innovation, foresight and a close look at emerging technologies (e.g. passwordless authentication, AI-based security operations, decentralised identity, cloud native application protection platforms, etc.) as the key to getting ahead in the cybersecurity game. But we also have to make sure that the technologies of tomorrow are deployed to make our internal market more cyber secure, not less so.
Thirdly, we need responsibility. The newly adopted directive now introduces accountability for top management for non-compliance with cybersecurity risk management measures. This accountability is an important tool, as it is designed to direct the attention of operators of critical infrastructures to strategic investments in the necessary cybersecurity and risk-based solutions and approaches.
The pandemic has made it clear just how much our critical infrastructures and economy depend on open and secure access to the internet. As a community, we need to come together to cooperate and prepare to respond to a future large-scale cyber incident.