Earlier this year, in August, IOActive, a global leader in cybersecurity consultation services, engaged in what they label ‘responsible disclosure’ with EASA regarding SatCom systems that provide in-flight internet connectivity to passengers, in order to guard against vulnerabilities being capitalised upon. This information has since been passed to operators and authorities to coordinate action to overcome this vulnerability. Other areas where the aerospace sector is increasingly reliant on IT systems include EFBs (Electronic Flight Bags for pilots), e-ticketing and wireless connectivity. The potential operational impact of cyber-attacks in aviation is clear, and is now a major priority for the industry and EU policy-makers alike.
The aforementioned cooperation between IOActive and EASA is just one demonstration of how industry is aiming to support improvements in cybersecurity. But to ensure industry stays ahead of the cybersecurity curve in a way that continually mitigates cyber threats, digitalised systems must be securely implemented, with decisive management considering all future risks in order to future-proof systems. However, as noted by KLM’s Vice-President in an interview with IATA, “Cybersecurity is not a boardroom topic in general…It is mentioned but without sufficient knowledge. And the fact is that every day brings a new challenge.”
What, therefore, are policy-makers doing to support industry initiatives in relation to threats to both IT systems and, of course, aviation operations?
Back in 2016, in partnership with the European Cyber Security Organisation (ECSO), the European Commission set up the Cybersecurity Public-Private Partnership (cPPP), created ‘to foster cooperation between public and private actors at early stages of the research and innovation process in order to allow people in Europe to access innovative and trustworthy European solutions (ICT products, services and software).’
More recently, in order to drive improvements in cybersecurity across the aerospace industry, a revision of the EASA Basic Regulation was completed (July 2018), which recognised the interdependencies between safety and the many other technical domains of aviation in which digitalisation has become ever-present. However, this legislation only begins to scratch the surface of this sizable and complex topic, which will be a major feature of aviation and other major industries for the foreseeable future. This complexity and the need for expertise are perhaps the main drivers for the European Commission’s Proposal for a Regulation on self-certification for ICT Cybersecurity, which followed the first round of inter-institutional negotiations on the topic.
To support awareness and effective implementation of secure IT systems across key industries, the European Commission is also keen to develop skills within the industry and build capacity. In support of this, the recently agreed EU budget proposes to invest €2bn in the area of ‘Cybersecurity and Trust’, which will have a greater focus on supporting industry for innovation and other forms of capacity building.
The role of industry-led groups will be key in the interaction with policy-makers when targeting an increase in cyber resilience in the near future. Correspondingly, EU policy-makers and Standards Development Organisations will give essential support to this process by providing the necessary level of oversight to ensure it continues at an effective rate.
Generally, all cybersecurity stakeholders should continue to prioritise this area when moving forward so that industry and policy-makers ensure digitalised operations in the aviation sector are protected.