Moving towards cyber resilience in aviation

Complying with cybersecurity regulations is not enough.

More than 60 cyber-attacks on aviation have been publicly reported since January 2019. Furthermore, statistics show that when it comes to cybersecurity, the risk of attacks is rapidly increasing.

At a time when the average cost of a cyber-attack is estimated at USD 1 million, the objective of "just" complying with various new cybersecurity regulations has been overtaken by events. Senior management, technical staff and system designers all need to move away from the illusion that their systems or services could manage a cyber-attack, simply because nothing has happened in the past. In the current climate, they need to face up to the genuine risk that a cyber-attack could target them or the partners to whom they are linked, and that this could have very serious business or financial consequences.

A new challenge

The aviation ecosystem was designed to put safety first, not to counter emerging threats such as those addressed by cybersecurity. Aviation remains a patchwork of more or less loosely coupled systems, some more protected than others. Penetration tests on ground systems show that the level of isolation and independence is not always as high as assumed. Consequently, we are living with holes and vulnerabilities in most of our systems, mostly unknown to us but attractive to hackers.

“The challenge now is to make aviation systems and services progressively more and more cyber resilient while remaining safe and cost-effective”, says Patrick Mana, EATM-CERT Manager at EUROCONTROL.

The only valid strategy consists in anticipating the occurrence of cyber-attacks. Aviation actors need to increase their preparations for such events in such a way as to reduce the magnitude and the duration of any negative impact on services, systems and operations.

“One by one, we need to make sure we are not seen as easy targets. The goal is to build a federated, trusted cyber resilience framework,” stresses our expert.

This is the key to being more cybersecure. An isolationist approach cannot work in aviation, because stakeholders are so closely connected to each other by data streams. The attack may come through a stakeholder and not be directly on one’s infrastructure and systems. Attacks which can affect an organisation can also affect others. Attacks may also target common suppliers outside aviation, such as telecommunications or energy service providers.

“Cyber resilience will not make any business 100% cyber-proof but will give it assurance, and no one can do it alone,” Patrick Mana reminds us.

Making aviation more resilient

Cyber attacks pose a serious risk to the aviation sector, but we all know that no business will ever be 'cyber-proof'. So what can we do about it?
At EUROCONTROL, we work closely with our partners to build on existing initiatives to create a cyber resilience framework and make it available to all stakeholders across Europe.

Promoting cybersecurity and cyber resilience

At EUROCONTROL, we believe that while no-one can ever declare that they are fully cybersecure, it is nevertheless a realistic goal to become much more cyber resilient together.

The Agency is seeking to support the establishment of a pan-European cyber resilience framework to promote cybersecurity and cyber resilience, building on existing and ongoing initiatives at global (ICAO) and European (European Commission, EASA, ECAC, EUROCAE, etc.) level, to which EUROCONTROL is contributing very actively.

We work with our partners to ensure that greater interconnectivity can be delivered in a secure, resilient and trustworthy manner. Our European Air Traffic Management Computer Emergency Response Team (EATM-CERT) helps stakeholders develop proactive and reactive capabilities against cyber threats.

We carry out security threat and risk assessments, while supporting the implementation of a harmonised security approach. We collect, generate and distribute cyber intelligence. We are starting to coordinate pan-European responses to air traffic management (ATM) cybersecurity alerts and incidents. We provide cyber services of common interest for the benefit of the aviation community. As an inter-governmental organisation, we support national cybersecurity centres by providing them with independent combined ATM/cyber expertise.

We assist our Member States and stakeholders in enhancing their capabilities to keep aviation safe, and we promote risk awareness and preparedness. Furthermore, we contribute our technical know-how to the development of standards such as those of EUROCAE (e.g. ED-205). We also support the aviation community in organising workshops (e.g. MITRE ATT&CK in May 2019 and Cybersecurity frameworks, mappings and metrics in January 2020).

Last but not least, we deliver training courses about cybersecurity in aviation at our training institute in Luxembourg (IANS). We support stakeholders through on-site workshops, gathering together local aviation actors and the national cybersecurity entity in order to explain the regulatory framework and provide guidance on how to address cybersecurity, including the development of coordinated responses to cybersecurity threats, and in general help them work together.

Cybersecurity month at EUROCONTROL

October marks the kick-off of the European cybersecurity month (ECSM), coordinated by the European Union Agency for Cybersecurity (ENISA) and the European Commission, and supported by the Member States. This campaign focuses on increasing awareness of cybersecurity among citizens across Europe. At EUROCONTROL, we are backing it via multiple initiatives on our channels and digital platforms.
