Article

EUROCONTROL is building more cost-effective, wide-ranging cyber resilience capabilities

16 November 2020

This covers

As the air traffic management industry embraces a more digital future, the Agency is developing new programmes and assets to ensure all aviation stakeholders will have access to more capable and affordable cyber security services, explains Patrick Mana, EUROCONTROL's Cyber-Security Programme Manager.

Cyber-attacks on Europe’s air traffic management (ATM) system will become more numerous and complex. As aviation businesses of all types increase their digital working practices in the wake of the COVID-19 pandemic, accelerating long-term ATM towards replacing legacy humancentric systems with more digital systems, EUROCONTROL is scaling up its support programmes to deliver cost-effective cyber-security services to a wide range of stakeholders.

There are, broadly, three levels of cyber threat: Statesponsored groups conducting cyber-attacks mostly for political reasons; cyber-crime organisations for financial reasons by for example stealing and reselling information, ransomware, impersonating aviation stakeholders to extract money from legitimate organisations through deception or blackmail, and “hacktivists”, activists wanting to disrupt the aviation industry for motivational reasons.

While state-sponsored actors are responsible for around 23% of overall cyber-attacks they so far did not tend to target ATM organisations which are recognised as essential safetyof-life services – according to the current shared records of incidents. Will this remain? But cyber criminals are another matter. Their methods are becoming more complex and difficult to detect. They have begun adapting their operations from directly stealing money to stealing data and finding multiple ways of exploiting its value. These range from bombarding contacts with emails and only stopping when a ransom has been paid to encrypting part of a network and threatening to keep it locked – or expose it – unless money is handed over.

“Around 39% of all cyber-attacks are launched by cybercrime organisations and their motivation is financial,” says EUROCONTROL Cyber-Security Programme Manager Patrick Mana. “This is achieved by stealing money via fraudulent websites – impersonating airlines for example and selling fake tickets, or via frequent flyer programmes, where they sell miles from accounts to which they have access. But it can also be a scam impersonating EUROCONTROL.”

“Around 39% of all cyber-attacks are launched by cyber-crime organisations and their motivation is financial.”

In general, the COVID-19 pandemic has seen a significant increase in phishing especially using COVID-19 attractive themes (fraudulent attempts to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in an electronic communication) and malware (software designed to cause damage to a computer, server, client or computer network) attacks. These have become particularly harmful as the increase in remote working has given criminals a greater opportunity to access digital information. With so many people working in new ways it is more difficult to detect intruders when new working practices are being introduced. Many organisations are focused on survival, rather than expanding cyber security, and this has made the criminals’ job even easier.

“More digitalisation means a larger cyber threat,” says Mana, “and we are now working with a wide number of stakeholders – including air navigation service providers (ANSPs), airport operators, airspace users and other aviation stakeholders – providing services such as vulnerability scanning and Indicator of Compromise (IOC) scanning not just to support them but to support them in a cost-effective way.

"More digitalisation means a larger cyber threat."

"Cost-effectiveness is becoming an increasingly important component of the Agency’s cyber security operations – which means acquiring core skills and programmes which can then be distributed across a range of aviation stakeholder groups. “We are purchasing services that we provide free to our customers because they fund us,” says Mana. “Buying one licensed service that we can provide freely to a range of customers can be 12 to 15 times more cost-effective than if each organisation were to purchase a single licence.

EATM-CERT

European Air Traffic Management Computer Emergency Response Team

More info

“For example, we can provide a list of IOC scanners whereby stakeholders install the software free-of-charge and use our list of IOCs. But stakeholders can check their own data to see whether there are any files which have been compromised. We can also conduct penetration tests of organisations, where deidentified generic lessons can be learned and then shared with the community. When we identify incidents we can help stakeholders correlate that with what is happening in other places.”

Most of this work takes place via the EATM-CERT, which works both proactively and reactively to prevent security breaches and then manage and recover from incidents when they do occur. But more long-term programmes are also being developed.

One strategically important programme is the development of a trust framework for public key infrastructure (PKI) programmes such as system-wide information management (SWIM), which provides users with a digital certificate guaranteeing the validity of source material and originators, a kind of digital passport for SWIM as well as other aviation data providers and users. This Connecting Europe Facility (CEF) co-funded project under SESAR Deployment Manager portfolio is led and coordinated by EUROCONTROL. Thirty stakeholders (air navigation service providers, airspace users, airports and the military) contribute to it.

“This solution will provide and develop the means to ensure interoperability while securing the exchange of information,” says Mana. “It will ensure that information is shared using a network which accepts data from trusted parties. We are working initially on SWIM services but eventually this solution will be provided for other aviation information purposes. For example, it could be used to ensure that each radar sensor is identified and authenticated.

SWIM

System-wide information management

More info

SWIM common PKI and policies and procedures for establishing a Trust Framework

More info

The objective is to provide all users a level of assurance – from a security point of view – that network stakeholders are able to perform at a minimum level and this level can change depending on the nature of the data. It is a complex challenge because it means assessing what minimum level of data security is required for each aspect of data provision and then ensure via an audit that the stakeholder is performing to the required level of data security and, if not, develop a system which automatically rejects the inputs.

“We are working to determine what are the criteria needed to become a member and what are the criteria which should be used to periodically audit and potentially reject a member,” says Mana. “We are aiming for interoperability first within Europe then interoperability beyond, so we can have an operating solution in place by 2022/2023.”

Another strategic programme is the work to enhance the EUROCONTROL Network Manage (NM) infrastructure cyber security. In February 2020 NM launched a tender for the integrated Network Management (iNM) programme, designed to move NM’s legacy systems towards digital products based on an open digital platform.

iNM

integrated Network Management

More info

This will deliver innovative capabilities that harness artificial intelligence, robotic process automation, data analytics, and so on. Enhanced cyber security will be an integrated asset.

“We want to make sure the new system is developed in accordance with the best practices and that the life cycle of the system includes the security for the iNM,” says Mana.

Another strategic programme is OPTICS2, a research project connected to the European Commission and the European Union Aviation Safety Agency (EASA) which looks at the wide picture of future security and cyber security threats to the European aviation industry as more digitisation and artificial intelligence (AI) technologies are introduced. AI offers a number of challenges– and potential benefits – which will need to be fully understood.

“We have recently started a new project to assess how we can use AI in cyber-security,” says Mana. “For example, we are searching the dark web for relevant information and finding ways to extract it. Using humans for this work is time-consuming and costly, especially to the mental health of people who have to spend time in this very nasty environment. So we are using AI to analyse all the data that we have found and focus on what we think is probably most relevant. That project started at the beginning of June.”

"We have recently started a new project to assess how we can use AI in cyber-security."

AI-based technology, like all forms of digital systems, can provide multiple benefits and security challenges.

“If some guys want to corrupt the response by inserting fake data that will obviously influence the way the AI/machine learning system will behave,” says Mana. “The other challenge is how can you certify these kinds of systems? Because we are very much used to a functional approach where we can conduct a test which clearly shows what output will occur from any given input. AI/ machine learning operates in a different way. The response to a certain set of data today could be quite different in a year’s time, because the system will have learnt to react in a more optimal way. And that’s very difficult to certify.”