C Y B E R S E C U R I T Y
The European safety agency is developing a
cybersecurity framework for all aviation
domains, which should help everyone
involved have a better understanding
of the risks and how to mitigate
against them. However, there are
currently several relevant regulations already containing
cybersecurity provisions that have already been developed
by EASA and that the sector should be compliant with.
These include a special condition called “Information
“When a jet
owner buys a
system there’s no
real plan in place for
how it is updated”
BUSINESS AIRPOR T INTERNATIONAL J U L Y 2 0 1 9 | 43
Systems under attack
In recent years there have been several reports
of successful cyber attacks on the aviation
industry, exposing vulnerabilities in the industry.
A report by PA Consulting, titled Overcoming
the silent threat – building cyber resilience in
airports, highlights a number of ransomware
attacks against aviation companies that occurred
in 2017. This included Latam Airlines having data
encrypted and Ukraine’s Boryspil International
losing access to its systems due to malicious
software (malware).
It also reports an attack against Vietnam
Airlines in 2016 that left 400,000 passengers’
data available to hackers and an attack against
Lot Polish Airlines in 2015 that saw flights
delayed and cancelled at Warsaw’s Frederic
Chopin Airport.
These attacks were all against ground-based
systems, but one particular breach hit headlines
when a Boeing 757 was remotely hacked while
parked up at Atlantic City International Airport,
in New Jersey, USA in November 2017. Thankfully,
the hackers turned out to be a team from the US
Department of Homeland Security. The team was
testing to see if it would be possible to hack into
and remotely control an aircraft. Even they were
shocked by their results.
“They got a lot further than they expected!
They shared the results of their test at the
2017 CyberSat Summit, highlighting a dramatic
vulnerability in commercial aircraft,” says
Alex Cowan, CEI of cybersecurity software
provider RazorSecure.
“This is something very important for
business aviation to think about,” he says.
“Consider how much scrutiny Boeing and
Airbus are under and how vulnerabilities
were still found. It’s likely that business jet
builders may not be investing as much time or
money on security as the commercial airliner
manufacturers, but they still have a lot of the
same risks.”
Security Protection of Aircraft Systems and
Networks” issued by EASA in accordance
with point 21A.16B of Annex I (Part 21)
to Regulation (EU) No 748/2012, as
well as Regulations (EU) No 139/2014
and (EU) 2017/373. These cover
cybersecurity requirements for product
certification and for aerodrome, air
traffic management and air navigation
service providers.
A recent change in the aviation
regulatory world is the introduction
of the EU Network and Information
Systems (NIS) Directive. This directive
requires EU member states to establish
local legislation to improve cyber resilience
operators of essential services.
“Unlike GDPR, where there is a similar approach for all
countries, each nation is likely to introduce cyber resilience
differently which might produce implementation challenges
for operators who operate in multiple countries,” says Lowe.
“It seems likely that the scope of these regulations may
soon increase as additional operators are classified as
operators of essential services.”
How to enhance cybersecurity
Regulation undoubtedly helps establish
a culture of cybersecurity, but above and
beyond regulatory compliance there are
actions businesses can take to ensure
their systems, operations and customers
are well protected.
Cybersecurity on the ground and in
the air should become a part of everyday
discussion across all departments within
a business and integrated into day-to-day
procedures and processes.
“There are many standard tools and
measures that can be used. Most of these
involve getting the basics right – robust
managing of IT systems and ensuring that
they are correctly configured,” says Lowe.
“That includes strong passwords
with multifactor authentication where
appropriate. Access to information and
systems should be locked down so that
only the appropriately authorized users
can access them.
“Anti-malware solutions should
be deployed to prevent malware
infections and all operating systems and