Considerations Related to ICAO Cyber Security Regulatory Drivers

Sofema Online (SOL) considers the major challenges related to the need to address Cyber Security.

Aviation Cyber Security Strategy Introduction

The civil aviation sector is increasingly reliant on the availability of information and communications technology systems, as well as on the integrity and confidentiality of data.

The threat posed by possible cyber incidents to civil aviation is continuously evolving, with threat actors focusing on malicious intent, disruption of business continuity and the theft of information for political, financial or other motivations.

Recognizing the multi-faceted and multi-disciplinary nature of Cyber Security, and noting that cyber-attacks can simultaneously affect a wide range of areas and spread rapidly, it is imperative to develop a common vision and define a global Cyber Security Strategy.

The Aviation Cyber Security Strategy underpins ICAO's Cyber Security vision for the global civil aviation sector to be resilient to cyber-attacks, safe and secure while continuing to innovate and grow.

The Strategy is a framework built on the following seven pillars:

>> International cooperation;
>> Governance;
>> Effective legislation and regulations;
>> Cyber Security policy;
>> Information sharing;
>> Incident management and emergency planning; and
>> Capacity building, training and Cyber Security culture.

ICAO’s Vision

>> The civil aviation sector is resilient to cyber-attacks and remains safe and trusted globally, whilst continuing to innovate and grow.

This can be achieved through:

>> Member States recognizing their obligations under the Convention on International Civil Aviation (Chicago Convention) to ensure the safety, security and continuity of civil aviation, taking into account Cyber Security;
>> Coordination of aviation Cyber Security among State authorities to ensure effective and efficient global management of Cyber Security risks; and
>> All civil aviation stakeholders committing to further develop cyber resilience, protecting against cyber-attacks that might impact the safety, security and continuity of the air transport system.

The Strategy aligns with other cyber-related ICAO initiatives and is coordinated with corresponding safety and security management provisions.

National and International Cooperation

Cyber Security and aviation are both borderless in nature. Both require cooperation at the national and international levels and call for mutual recognition of efforts to develop, maintain and improve Cyber Security with the aim of protecting the civil aviation sector from all cyber threats to safety and security.

>> Such efforts should be harmonized at the global, regional and national levels; and
>> They should promote global coherence and ensure full interoperability of protection measures and risk management systems.

All ICAO Member States are encouraged to support and build upon the ICAO Aviation Cyber Security Strategy, to ensure the safety, security and continuity of civil aviation in a world increasingly jeopardized by Cyber Security threats.

>> States are encouraged to develop clear national governance and accountability for civil aviation Cyber Security.
>> Civil Aviation authorities are encouraged to ensure coordination with their competent national authority for Cyber Security, recognizing that the overall Cyber Security authority for all sectors may reside outside the responsibility of the civil aviation authority. It is also essential that appropriate coordination channels among various State authorities and industry stakeholders be established.
>> Member States are encouraged to include Cyber Security in their national civil aviation safety and security programmes.

Effective Legislation and Regulation

ICAO is committed to creating, reviewing and amending, as appropriate, guidance material relating to the inclusion of Cyber Security aspects to security and safety.

>> Relevant international legal instruments should be analyzed to identify existing or missing key legal provisions in air law for the prevention, prosecution, and timely reaction to cyber-incidents in order to form the basis for consistent and coherent implementation of Cyber Security legislation and regulations throughout the global aviation sector.
>> In the meantime, States are encouraged to ratify ICAO instruments, including the Convention on the Suppression of Unlawful Acts Relating to International Civil Aviation (Beijing Convention) and Protocol Supplementary to the Convention for the Suppression of Unlawful Seizure of Aircraft (Beijing Protocol).
>> States are encouraged to consider whether their national legislation requires an update or the adoption of new national legislation to allow for the prosecution of terrorist-related cyber threats as well as cyber-attacks negatively impacting civil aviation.
>> In parallel, States are encouraged to set up appropriate mechanisms for cooperation with ‘good faith’ security research, which is research activity carried out in an environment designed to avoid affecting the safety, security and continuity of civil aviation.

Cyber Security Policy

Cyber Security is to be included within a State’s aviation security and safety oversight systems as part of a comprehensive risk management framework.

Recognizing there are different risk assessment methodologies, priority should be afforded to the amendment and possible development of guidance material related to Cyber Security threat and risk assessments, to achieve comparability of the outcomes of such assessments.

Across the civil aviation sector, Cyber Security policies may consider the complete life-cycle of the aviation system, and include elements such as Cyber Security culture, promotion of security by design, supply chain security for software and hardware, data integrity, appropriate access control, proactive vulnerability management, improving agility in security updates without compromising safety, as well as incorporating systems and processes to monitor Cyber Security relevant data.

Information Sharing

The civil aviation sector is a global, interdependent system with many common systems, and cyber-attacks can easily spread and have a global impact.

>> The objective of information sharing is to allow for prevention, early detection and mitigation of relevant Cyber Security events before they lead to wider effects on aviation safety or security.
>> A culture of information sharing will significantly reduce systemic cyber risk across the aviation sector, the value of which has already been proved across aviation safety and security.
>> The sharing of information on such aspects as vulnerabilities, threats, events and best practices, through established and trusted relations can reduce the impact of ongoing attacks. Appropriate information-sharing mechanisms must be recognized, in line with existing ICAO provisions.

Incident Management and Emergency Planning

Appropriate and scalable plans are needed to provide for the continuity of air transport during cyber incidents. It is recommended that States and the aviation sector make use of existing contingency plans that are already developed and amend these to include provisions for Cyber Security.

>> Cyber Security exercises are a useful tool to test existing cyber resilience and identify improvements and are therefore highly encouraged.
>> Such exercises can follow different formats (such as table-top exercises, simulations, or real-time exercises) and also vary in scale (international, national, organizational).

Capacity Building, Training and Cyber Security Culture

The human element is at the core of Cyber Security. It is critically important that the civil aviation sector takes tangible steps to increase the number of personnel who are qualified and knowledgeable in both aviation and Cyber Security.

>> This can be done by increasing awareness of Cyber Security, as well as education, recruitment and training. Curricula relevant to Cyber Security, and – where practical – aviation-specific Cyber Security at all levels should be included in the national educational framework as well as in relevant international training programmes.
>> Innovative ways to merge and crosslink traditional information technology and cyber career paths with aviation-relevant professionals should be pursued.

Next Steps

Sofema Aviation Services offers the following courses delivered as classroom or webinar: EASA Compliant Organizational Cyber Security Responsibilities – 1 Day

Please see or email [email protected]
