Eurocontrol is calling on the industry to develop its defensive capability against cyber threats. The agency is urging all stakeholders to take a collaborative approach to building a federated, trusted cyber-resilience framework as the number of cyber-attacks on aviation rises. The intensity—the time and magnitude—of the breaches also has heightened. Reports of cyber-attacks on aviation have exceeded 30 in the first half of this year while most likely more occurred but went publicly unreported or even detected, the Brussels-based intergovernmental ATM organization noted in its “Think Paper” on cybersecurity in aviation. The data refers to cyber events on a global level and across the industry, not just ATM.
Though not always a threat to safety, the cyber-attacks sometimes disrupted the ability to deliver services. Belgian OEM Asco Industries, for instance, had to halt production at its sites in Belgium, Canada, the U.S., and Germany for several days and even weeks following a large-scale ransomware attack on June 7. On top of the serious business consequences, the attacks bear a financial cost, Eurocontrol pointed out. Estimates place the average cost of a cyberattack at $1 million, but some recent aviation cyber incidents cost much more; the UK’s data protection authority in July imposed a £183.4 million ($230 million) fine on British Airways over the theft of passenger data in 2018.
It identified three main categories of cyber threats on aviation: state-sponsored attacks; cyber-crime, which according to Eurocontrol is “an industry”; and “hacktivism,” a form of cyber-attack ostensibly motivated by environmental concerns that often target aviation for its perceived negative effect on climate change and its intense media exposure. “Those hacktivists are sharp and can rely on an extended network of skilled hackers. Their motivation is their strength,” Eurocontrol’s cyber-intelligence unit explained.
The number of aviation actors potentially affected by a cyber-attack will “inevitably increase,” Eurocontrol emphasized, because of the industry’s widespread introduction of digitalization thanks to new technologies and concepts using non-aviation specific means, such as Cloud, 5G, internet, satellite communications, and navigation. It said its comprehensive penetration tests and ethical hacking on many ATM systems revealed that most current ATM systems are vulnerable. “The challenge now lies in making aviation systems [and] services progressively more and more cyber-resilient while remaining safe and cost-effective,” Eurocontrol concluded.
It cautioned, however, against an isolationist approach, which it said could not work in aviation because stakeholders are connected to each other. “One-by-one we are an easy target. The goal is to build a federated trusted cyber resilience framework,” it stressed.