Investing early in cyber resilience will avoid major disruptions in the longer term

Digitalisation is a package and part of it is the cybersecurity dimension. There is still a disconnect between promoting digitalisation and implementing it and we see some digitalisation practices being implemented without having the right cyber policies and practices in place.

So we are advocating for security by design, configuration and very important by default, for it to be in place as soon as the systems and services are deployed. This is not just a technology issue it’s a people issue with education at the heart of it.

I prefer the term “cyber resilience” to “cyber security” as “cyber security” can give you the impression that the system is 100% secure, which is not possible. We are pushing to have cloud services made secure by default. Today, when you purchase cloud services, the level of security can be quite minimal. There are some options to go to a higher level, but 95% of the companies have challenges moving to this level. Together with colleagues from other industries we are pushing the big three – Microsoft, Google and Amazon – to offer a service which is secure by default, so if there are security features that you don't want, then you deselect them.

We will always have to manage the problem of integrating new systems, with a good level of security, with those from the past, with either obsolete or no security at all. There will always be systems that will evolve with some parts having better levels of security than others. That's why we need to have this culture of cyber resilience where we anticipate, rather than react to, potential vulnerabilities.

No aviation stakeholder can work on this alone. We are all interdependent. We all share the risk. It's important that we know how we interact with others, that we understand the risks that we are vulnerable to.

There are many standards available to us from nonaviation specific industries, like ISO27K or NIST Cyber Security Framework. Others are more aviation specific, such as EUROCAE ED-20X. And ICAO is also developing some guidance material.

But how to measure the effectiveness? That's very difficult.

I organised two conferences on developing cyber security frameworks and cyber metrics, not just with aviation colleagues but more widely with representatives from transport, energy, telecoms, finance and international organisations. We have all concluded that it is difficult to measure security in terms of key performance indicators, qualitative and quantitative measures. That's where we need to improve.

Our EATM-CERT team publishes an annual report on the cyber-attacks we have detected, and those which other stakeholders have shared with us, which have impacted the aviation industry. In our most recent report we have identified 6,320 events and categorised these into different aviation stakeholder groups – airports, air navigation service providers, airspace users, authorities and the supply chain, for example – along with the motivation behind these attacks.

Financial gain is the main motivation. Fraudulent websites, phishing, hacking, malware, distributed denial of services (DDoS), ransomware. We also provide more specific cyber security incident reports and risks, such as ransomware attacks on aviation systems.

The good news is that, until now, we have never had any cyber-attack compromising flight safety. The bad news is that these attacks have cost aviation industry billions of euros (worldwide).

Two-thirds of ransomware attacks are aimed at the supply chain, and these attacks can take weeks and months to resolve.

We had a surge in DDoS attacks where in many cases aviation is used to amplify the message of the hacktivists. If something impacts the aviation industry we are immediately in the media.

And this threat landscape is evolving over time. For example, there were very few DDoS attacks before February 2022, but recently these have been evolving quickly. In 2022 there were around 320 of these types and in  2023 there were more than 500.

Investment in cyber resilience is much more effective before a cyber-attack than after one.

EUROCONTROL manages the European Aviation Crisis Coordination Cell (EACCC) and each year we conduct a major exercise to simulate an event that would trigger the activation of the EACCC. Last year, this exercise was a cyberattack on NewPENS, which is the intranet for the European Air Traffic Management Network. Two days of outages of NewPENS was estimated as having a financial impact of €1.5 billion; so investing €30 million in cyber resilience over 50 years would be a great investment, even though it would not generate revenue.

And we need to distinguish between the threats and the risks. Threats may increase, but our job is to mitigate those threats so that the risk remains acceptable. How can we mitigate the threats? First, by securing the design and thinking about the people, processes and technology that will be needed to manage the threat. Second, by providing a better capability to respond, mitigate and recover, so the risk remains acceptable.

The biggest threat will come from deploying new technologies without the right level of education. Many products are not mature enough, and vendors want to go on the market rapidly without having the assurance that the systems are at the right level of cyber security. In our tenders we should insist that vendors sell us equipment which is cyber-assured. We are working in the NDTECH/CYBERG (Cyber Group) on developing these kinds of requirements.

The introduction of more digital technologies should increase cyber resilience as long as the supply chain is playing the game – which is why sometimes regulation is needed. But in aviation we will also have to work with companies providing services to a wide range of customers, not just to aviation. Which means that contracting e.g. cloud services not specific to aviation will involve a cyber resilience challenge.

The bad guys are super creative and evolving faster than us, we are always working hard to catch up.

We have many roles. The EATM-CERT team, for example, provides both proactive and reactive services. We support the community by identifying the main cyber-attacks against aviation and where the system vulnerabilities lie.

If we first identify where the threats are coming from, we can prioritise mitigation and detection methods. That's the way to be more effective. We also provide services to enhance the level of awareness and culture. Our NDTECH/CYBERG, Cyber Group of stakeholders, from airlines, airports, manufacturers and ANSPs, meets three times a year to share lessons learned from cyber incidents and ways of helping each other.

We also provide services such as penetration tests which identify the vulnerabilities in aviation systems and share the lessons from this. For example, we can test the resilience of an organisation to a DDoS attack. We are putting in place a European Aviation Public Key Infrastructure (PKI) service to allow aviation stakeholders to have a validated digital identity, a digital passport which gives confidence that you are connected to the intended party.

I'm a member of ICAO’s Cybersecurity Panel of the Aviation Security Commission Committee and the Air Navigation Commission’s Trust Framework panel. In Europe, we have developed, thanks to the European Union Aviation Safety Agency (EASA) and its European Strategic Coordination Platform (ESCP), the appropriate regulatory framework and we are promoting it to ICAO while making sure Europe is aligned with what is being done globally.

We also deliver many cyber security training courses and workshops to our Member States via our Luxembourg Aviation Learning Centre, to help raise awareness. The new EASA regulation 2023/203 (Part IS Regulation) will require aviation stakeholders, including suppliers, to have an information security management system in parallel to a safety management system, and we are supporting the community to become compliant with this.

Our new Network Manager iNM system will connect to other stakeholders globally so we have also taken some measures to ensure access to these services will be cyber secure and cyber resilient.

Cyber-attacks can be seriously disruptive. A company can be subject to a cyber-attack because someone has clicked on an attachment or a URL in the accounting department – so the training has to be across the organisation.

Planning ahead is vital. We need to have a vision for the future. And today, unfortunately, I see that there is a lot more focus on the business side than on the cyber resilience side.