Recent years have heralded myriad technological advancements including developments in machine-learning techniques, telecommunications (5G), the internet of things and more. The benefits to industries like aviation are clear. Technological advancements support growth and development, including the integration of new airspace users, the development of advanced aircraft systems and applications, automation and integration in data applications and decision-making systems in airports and airlines, and the interconnection between previously isolated systems through data-sharing across the aviation value chain.
But with new technology comes new threats, which have grown in number and scale as malicious actors use the digital world to make financial gains, cause harm, and/or create instability and chaos.
Today, the aviation sector plays a vital role transporting not only people and traditional freight, but also vaccines – representing the largest single transport challenge in its history. It is highly likely that aviation networks and other sectors associated with the vaccine distribution supply chain will be subject to a significant volume of targeted, adversarial cyber activities during this period.
At the World Economic Forum’s ‘Pathways to a Cyber Resilient Aviation Ecosystem’ virtual event on April 14, the International Civil Aviation Organization (ICAO) Secretary General Dr. Fang Liu explored the key cyber resilience priorities for aviation now being addressed by ICAO, noting that as the air transport sector continues to modernize and digitize, cyber risks still threaten the data, systems, and technological infrastructure of airports, airlines, and air navigation service providers, as well as many other service suppliers.
“This digital penetration will only increase with time,” she explained, “especially considering the continuous innovation being seen in communications and applications, and the advent of new airspace users such as drones and Remotely Piloted Aircraft Systems.”
ICAO’s Aviation Cybersecurity Strategy and a related ICAO Assembly Resolution assist countries in working together to counter aviation cyber threats while working towards rapid national adoption of the Beijing Convention and Protocol of 2010, under which member countries agree to criminalize certain terrorist actions against civil aviation.
ICAO is pursuing its “living” action plan to support government progress with the Aviation Cybersecurity Strategy and related objectives, and Dr. Liu noted that the UN agency is expanding its scope and reviewing and refining the accountability, transparency, and efficiency with which it now addresses cybersecurity topics through its panels and expert groups:
ICAO’s Secretariat Study Group on Cybersecurity (SSGC) serves as the focal point for all ICAO cybersecurity work. It promotes cybersecurity awareness throughout the aviation community and encourages government/industry partnerships and mechanisms, nationally and internationally, for the systematic sharing of information on cyber threats, incidents, trends and mitigation efforts.
The Research Sub-Group on Legal Aspects (RSGLEG) was established to review the adequacy of the existing international legal framework to address cyber threats against civil aviation and to review the draft Cybersecurity Strategy. The group continues its work and has extended its scope to categorize or analyze the cyber threats and vulnerabilities to civil aviation and associated risks. It also works to establish a common understanding and terminology of the cybersecurity language. RSGLEG reviews and analyzes the adequacy of the current international legal framework and assesses the need to reinterpret or amend the existing international air law instruments dealing with cyber threats, or to adopt new instruments. In line with this, the group analyzes cybersecurity-related international instruments developed in other international transportation and communications domains, such as maritime, railway or telecommunications, in order to determine whether certain provisions could serve as an analogy or a reference for the aviation international legal framework.
The Working Group on Airlines and Aerodromes (WG-AAD), part of the ICAO SSGC, addresses cybersecurity matters related to airport and airline operations not related to air navigation systems or airworthiness. The group focuses on cyberspace related to facilitation, infrastructure protection, passengers and airline systems (check-in, baggage and cargo handling), and other systems not related to air navigation with a direct impact on operations.
WG-AAD advises the SSGC on cybersecurity matters related to airport and airline operations at aerodromes and coordinates the development and/or updates of relevant Standards and Recommended Practices and Guidance Materials through the respective ICAO Panels and Study Groups. It also determines all relevant cybersecurity areas affecting airport and airline operations on the ground that are not related to air navigation systems, and prioritizes them accordingly for action.
Meanwhile, the Working Group on Air Navigation Systems was created to address cyber safety, security, and cyber resilience aspects of current and existing airport, air navigation and information management systems. The group focuses on, among other areas: airport interactions with air navigation systems; initial ATM system design considerations (i.e. secure-by-design); system-wide information management (SWIM) global interoperability; and air-ground, air-air and ground-ground links through all appropriate connection means.
And the Working Group on Cybersecurity for Flight Safety was created to address cyber safety, security, and cyber resilience aspects of airworthiness. This group focuses on three primary areas of airworthiness: initial design considerations (i.e. secure-by-design); modifications to in-service aircraft; and aircraft maintenance (with a specific focus on field-loadable software). Remotely Piloted Aircraft Systems are also considered within the scope of work, including the command-and-control link between the remote pilot station and the aircraft.
The first edition of ICAO’s Cybersecurity Action Plan was published in November 2020. It is a living document that aims at supporting states and stakeholders in implementing the Cybersecurity Strategy. The Action Plan identified 29 Priority Actions, which are further broken down into 54 time-bound Measures and Tasks, providing the foundation for ICAO, states and stakeholders to cooperate and work together to better address cybersecurity and resilience in civil aviation.
At the virtual event, Dr. Liu noted that further improvements must still be pursued with respect to government information sharing, capacity building, and the realization of robust cybersecurity culture across the sector and its supply chains.
The World Economic Forum, host of the event, has collaborated with Deloitte on a report that aims to advance cyber resilience in the aviation sector and help identify, measure and shape approaches to mitigate cyber risks that are endemic to technology adoption in critical infrastructure.
The report says aviation organizations should consider cyber risks in the broader context of corporate and ecosystem resilience, looking at both the cyber and physical elements of operational risks to their business as they become increasingly dependent on the internet and digital channels. In addition, it says organizations need to adopt a resilience mindset to govern how they would respond to and recover from any major cyber event, as an extension of their robust emergency response practices for safety and physical security incidents.
ICAO designated 2020 as the Year of Security Culture (YOSC), and with the COVID-19 pandemic severely impacting aviation last year, this has been extended through 2021. As part of these efforts, ICAO has been intensifying collaboration with countries and industry in supporting efforts to promote security culture in the greater aviation community. This includes offering training, assistance and issuing guidance across all security concerns, including cyber.
2021 will of course also commemorate the 20th Anniversary of 9/11 and the worst acts of unlawful interference in the history of aviation. The importance of understanding the threat to aviation and promoting best practices in security throughout all aviation operations is therefore imperative. And the shadow of the SolarWinds hack illustrates only too clearly that protecting against unseen threats is just as vital as physical security at airports.