By Ajay Kapur
New Delhi. 22 January 2019. Have you ever imagined a chaos where the passengers queuing on the check in counters of the ever busy Indira Gandhi Airport where the booking number is yours but the name is unknown? A software glitch and we feel frustrated at the time loss but is this a normal error? In times of heavy dependency on the internet, intranet and online activities could a sabotage be ruled out? As all other facets of the modern working styles and paperless offices where the threat on the cyber world looms large , the civil aviation industry is not to be left untouched by this writing in the wall.
Hazards which jeopardize the safety of civil aviation are unlawful seizure of aircraft, destruction of an aircraft in service, hostage-taking on board aircraft or on aerodromes, forcible intrusion on board an aircraft, at an airport or on the premises of an aeronautical facility, introduction on board an aircraft or at an airport of a weapon or hazardous device or material intended for criminal purposes, use of an aircraft in service for the purpose of causing death, serious bodily injury, or serious damage to property or the environment, data network crashes, denial-of-service (network unavailable to its intended users), precision navigation and timing disruption (e.g. jamming, spoofing).
The above threats can be addressed only with an effective organization cyber security strategy that encompasses right set of security controls and by implementing the right governance framework around those implemented security controls for their continuous monitoring and measurement of effectiveness for any gaps.
For an educated lay man cyber security is the buzz word and is formally the collection of technologies, policies, security controls, processes and best practices designed to protect networks, computers, cyber environment, programs, data and organization from attack, damage or unauthorized access. The focus of this highly technical threat is not limited to above but has a larger aim to preserve confidentiality, integrity and availability of information in the Cyberspace based on organization and domain security requirements & compliances. And the biggest disaster that can happen with this is the crashing of computers is his analogy. But threats are much more grave than can be anticipated.
With a constantly growing aviation sector cyber security is a major concern for the authorities and industry in the sector keeping in mind the increasing dependence on electronic systems and technology not limited to iSMAC (IoT, Software, Mobility, Analytics & Cloud) for their business critical operations & including safety. Cybersecurity encompasses the protection of electronic systems from malicious electronic attack (unlawful interference) and the means of dealing with the consequences of such attacks in pro-active manner to mitigate any unforeseen situation that triggers threats to CIA- Confidentiality, Integrity and Availability of data.
To acknowledge the importance of protecting civil aviation’s critical infrastructure, information and communication technology systems from cyber threats, the 39th Session of the ICAO- International Civil Aviation Organization Assembly was called for a coordinated approach to cyber security to bring uniformity in cyber security counter measures and to protect the critical infrastructure. As per ICAO Unified Approach its Resolution A39-19 addresses cybersecurity in civil aviation, sets out the actions to be undertaken by States and other stakeholders to counter cyber threats to civil aviation through a cross-cutting, horizontal and collaborative approach.
To meet these objectives, ICAO established the Secretariat Study Group on Cybersecurity (SSGC) and several related Working Groups, composed of subject matter experts from Member States and industry.
Few of the key area of focus for SSGC is to serve as the focal point for all ICAO cyber security work, to define relevant areas to be considered and to consolidate existing Standards and Recommended Practices (SARPs) related to cyber security and to promote cyber security awareness throughout the aviation community.
A39-19 –ICAO while addressing challenges posed by cyber threats in the sector keeps in mind the increasing reliance on the availability of information and communications technology systems for business continuity, integrity and confidentiality of data based on sector requirements, the application of safety management systems and risk management. In addition it also identifies the threats and risks from possible cyber incidents on civil aviation operations and critical systems, and their serious consequences that can arise from such incidents and the responsibilities of national agencies and industry stakeholders with regard to cyber security in civil aviation.
As its role of an umbrella organisation ICAO encourages the development of a common understanding among member states of cyber threats and risks, and of common criteria to determine the criticality of the assets and systems that need to be protected. It also encourages government/industry coordination with regard to aviation cyber security strategies, policies, and plans, as well as sharing of information to help identify critical vulnerabilities that need to be addressed. Systematic sharing of information on cyber threats, incidents, trends and mitigation efforts is another area of stress by ICAO for its member nations.
ICAO Annex 17 Section 4.9 refers to measures relating to cyber threats. Recommendations have been given under sub section 4.9.1 and 4.9.2.
4.9.1 Recommendation.— Each Contracting State should, in accordance with the risk assessment carried out by its relevant national authorities, ensure that appropriate measures are developed in order to protect the confidentiality, integrity and availability of critical information and communications technology systems and data used for civil aviation purposes from interference that may jeopardize the safety of civil aviation.
4.9.2 Recommendation.— Each Contracting State should encourage entities involved with or responsible for the implementation of various aspects of the national civil aviation security programme to identify their critical information and communications technology systems and data, including threats and vulnerabilities thereto, and to develop and implement protective measures to include, inter alia, security by design, supply chain security, network separation, and remote access control, as appropriate.
The threat is new but not unknown and cannot definitely be ignored. Cyber crimes are making inroads into all facets of life and cannot be much behind when it comes the fully automated and digital civil aviation sector, if not already having made inroads. The international agencies in the arena and regulatory bodies need to wake up to the looming black clouds of the cyber threats hovering over them.