Cyber Security

Luke Hally

Aviation cybersecurity oversight strategy

September 15, 2023

Task

As we have previously discovered, cybersecurity in the aviation sector is an emerging field. In light of other countries introducing specific aviation cybersecurity regulation and the failed Transport Security Amendment (Critical Infrastructure) Bill 2022, Australia seems to be lagging in this area.

Although the Department of Home Affairs is responsible for cybersecurity, when it comes to the aviation sector there appears to be a gap in relevant standards and oversight of the sector. The Civil Aviation Safety Authority (CASA) has functions defined in legislation which align with filling these gaps, as evidenced in Part 172.155 of the Civil Aviation Safety Regulations (Civil Aviation Safety Regulations, 2022). Your task is to develop for CASA a new Cyber Strategy which will inform related policies for Australian civil aviation cyber security oversight (aviation cybersecurity).

1 Background

The civil aviation sector is expected to double in size by the mid-2030s (ICAO, 2019b). To enable this, the sector is modernising “from ground-based analog systems to space-based digital systems” (Elmarady & Rahouma, 2021, p. 143998), which is increasing the complexity of an ecosystem that includes aircraft, air traffic management (ATM) and airports (ICAO et al., 2020, p. 5). The sector’s cybersecurity challenges are also becoming increasingly complex, “making it difficult to holistically define and defend such an attack surface” (Cooper et al., 2019). These challenges include: emerging threats, such as emerging aviation technology and increasing connectivity; the increasing prevalence of attacks on aviation; the realisation that cybersecurity has aviation safety implications; and the regulatory environment itself.

Cyber-attacks against aviation are growing, increasing 530% year-on-year from 2019 to 2020 (Stephenson Harwood, 2022). This is a concern across the sector, with existing research revealing that emerging cybersecurity threats to the sector include: 

This increased connectivity is making the aviation ecosystem more vulnerable to cyber-threats (ICAO, 2022a, p. 1) and creating the potential for a vulnerability at one operator to become an attack vector that can “spread to other systems on the network” (Latifi, 2016, p. 205). 

2 Purpose

This strategy will enable CASA to effectively regulate the elements of cybersecurity which impact aviation safety (aviation cybersecurity). This aligns with CASA’s strategic priorities (CASA, 2023, p. 13). Key drivers for this strategy are:

  • The emerging threats outlined above
  • Aviation becoming a more attractive target for cyber attackers (Rosengren, 2017), with increasing external and insider threats (Reed, 2023)
  • The realisation that cyber-attacks “affect not only security but also safety of civil aviation” (ICAO, 2022a, p. 2)
    • Other NAAs are responding to this with regulation.
  • The regulatory landscape:
    • Internationally: Having ratified the Chicago Convention, Australia must comply with the SARPs set out in its annexes (CASA, 2021), and this applies to how CASA performs its functions (Civil Aviation Act 1988, 2021, s. 11). Read in the context of Annex 17, CASA’s functions of setting standards, conducting surveillance, reviewing safety risks and monitoring international developments (Civil Aviation Act 1988, 2021, s. 9(1)) give it scope for a role in aviation cybersecurity.
    • Proposed changes to the Aviation Transport Security Act (Transport Security Amendment (Critical Infrastructure) Bill 2022, 2022) provide insight into the government’s appetite to align with Annex 17.
    • Australia’s dispersed cybersecurity legislation does not cover aviation cybersecurity oversight.

3 Vision statement 

Our vision is for a safe, innovative civil aviation sector taking advantage of emerging technologies, while being cyber-secure and resilient against increasingly prevalent cyber threats.

4 Diagnosis

Considering the threats identified in the Organisational Profile together with the realisation that cyber-attacks “affect not only security but also safety of civil aviation” (ICAO, 2022a, p. 2) reveals that a single cyber-attack could have an impact on aviation safety across the sector. To enable a safe, connected aviation sector, “cyber security should be a priority for all parts of the sector, regardless of size or type of business” (Department for Transport, 2018, p. 7). This has been recognised by the International Civil Aviation Organization (ICAO), which has updated a number of its annexes and supporting documents regarding aviation cybersecurity. In response, National Aviation Authorities (NAAs) around the globe are creating regulations, as is the case with the UK CAA (Cyber Security Regulation, 2023). 

Australia has a variety of legislation relating to cybersecurity, such as the Privacy Act 1988, the Criminal Code Act 1995, the Australian Information Commissioner Act 2010 and the Telecommunications Act 1997. When it comes to cybersecurity and aviation, however, coverage is limited to the Security of Critical Infrastructure Act (SOCI Act), which requires a limited segment of the industry to report cyber incidents (CISC, 2023). Reporting after the fact may be too late in the attack lifecycle to prevent a cyber-attack from impacting aviation safety. 

The challenge is to ensure that Australia’s civil aviation industry remains safe, through being secure and resilient against increasingly prevalent cyber threats so that it can continue to grow and take advantage of emerging technologies.

The main purpose of this strategy is to:

  • Ensure the cybersecurity and resilience of systems critical to aviation safety (Critical Systems)
  • Drive a cybersecurity uplift within CASA
  • Drive a cybersecurity uplift of the aviation industry through education, awareness and standards

5 Principles

As a regulator, CASA’s functions are defined in legislation, being outlined in Section 9 of the Civil Aviation Act 1988. Section 11 of the Civil Aviation Act 1988 goes on to declare that these functions must be undertaken in accordance with applicable international agreements.

Applicable international agreements have been issued by ICAO, and aviation cybersecurity is included in a number of these, particularly the Chicago Convention, the Beijing Convention and the Beijing Protocol. Annex 17 of the Chicago Convention contains Standard 4.9.1, which requires identification of, and a plan to protect, critical ICT systems and data used for civil aviation, and Recommended Practice 4.9.2, which outlines measures for implementation (ICAO et al., 2020). Article 2(c) of the Beijing Convention establishes an offence to destroy, damage or interfere with air navigation facilities, where air navigation facilities include “signals, data, information or systems” (ICAO, 2010b). Articles 1-3 of the Beijing Protocol establish an offence to threaten, attempt or execute a cyber-attack against aircraft (ICAO, 2010a). To aid in the implementation of these, ICAO has also published supporting documentation including its Cybersecurity Strategy (ICAO, 2019a), Cyber Action Plan (ICAO, 2022a) and Cybersecurity Policy Guidance (ICAO, 2022b). 

These functions and obligations will inform the actions taken to achieve the vision statement, guided by the following principles:

  • Alignment of CASA functions with Australia’s international obligations using ICAO’s Cybersecurity Policy Guidance as a reference
  • Consider the domestic cybersecurity legislative landscape, aware that some cybersecurity responsibilities may sit with other departments or agencies 
  • Develop this strategy into a policy to inform aviation cybersecurity oversight.

6 Actions 

Actions required to achieve this strategy will include, but not be limited to the following.

6.1 Review international obligations and guidance

In accordance with CASA’s function 9(1)(h) “conducting regular and timely assessment of international safety developments” (Civil Aviation Act 1988, 2021), CASA will assess applicable international agreements. This will inform other actions required to achieve our vision.

6.2 Clarify applicable functions

Due to the interdependent nature of aviation cybersecurity, the first task is to clarify CASA’s boundaries of responsibility and which of its functions are applicable to aviation cybersecurity. This will require consultation with external departments such as Home Affairs. 

6.3 Standards

In accordance with CASA’s function 9(1)(c) “developing and promulgating appropriate, clear and concise aviation safety standards” (Civil Aviation Act 1988, 2021), CASA will define or develop appropriate standards in relation to Critical Systems. 

ICAO’s Cybersecurity Policy Guidance (ICAO, 2022b) will serve as a starting point; it recommends standards for:

  • Data security
  • Supply chain cybersecurity
  • Access management to Critical Systems
  • Documentation of plans for incident response and recovery of Critical Systems.

6.4 Surveillance and enforcement

To ensure compliance with these standards, an appropriate surveillance and enforcement plan will be developed and implemented. This will align with CASA’s functions:

  • 9(1)(d) “developing effective enforcement strategies to secure compliance with aviation safety standards” (Civil Aviation Act 1988, 2021)
  • 9(1)(f) “conducting comprehensive aviation industry surveillance, including assessment of safety‑related decisions taken by industry management at all levels for their impact on aviation safety” (Civil Aviation Act 1988, 2021).

6.5 CASA Cybersecurity uplift

In order to lead industry, CASA must first undertake an internal cybersecurity uplift to strengthen its cyber posture, with the goal of implementing zero-trust architecture and embedding secure-by-design and security-in-depth practices. This may include: 

  • Education and awareness
  • Process redesign, implementing secure-by-design business processes
  • Implementation of zero-trust architecture, on technological and non-technical assets – this may result in identifying opportunities for internal retooling
  • An updated corporate cybersecurity strategy, associated suite of documentation and enforcement mechanisms.

This uplift will need to align with CASA’s corporate plan and strategic goals to aid in acceptance and adoption of the changes involved.

6.6 Aviation sector Cybersecurity uplift

CASA will support the aviation industry in implementing the new standards as well as an industry cybersecurity culture uplift. The industry uplift should reflect CASA’s own cybersecurity uplift at 6.5 where appropriate. This is aligned with its functions:

  • 9(2)(a)(iii) “fostering an awareness in industry management, and within the community generally, of the importance of aviation safety and compliance with relevant legislation” (Civil Aviation Act 1988, 2021)
  • 9(3)(e) “promoting the development of Australia’s civil aviation safety capabilities, skills and services, for the benefit of the Australian community” (Civil Aviation Act 1988, 2021).

7 Roadmap

Our roadmap is ambitious, but with adequate resourcing is achievable.

References

Amjad, A., Nicholson, M., Stevenson, C., & Douglas, A. (2016). From security monitoring to cyber risk monitoring. Deloitte Review, 19. https://www2.deloitte.com/content/dam/insights/us/articles/future-of-cybersecurity-operations-management/DR19_FromSecurityMonitoringToCyberRiskMonitoring.pdf

Aviation Transport Security Act 2004, (2012).

CASA. (2021). Overview of CASA rule making principles and obligations. Civil Aviation Safety Authority. https://www.casa.gov.au/rules/changing-rules/overview-casa-rule-making-principles-and-obligations#Internationalagreementsandcommitments

CASA. (2023). Civil Aviation Safety Authority Corporate Plan 2023-2024. https://www.casa.gov.au/sites/default/files/2023-07/casa-corporate-plan-2023-24.pdf

CISC. (2023). Cyber and Infrastructure Security Centre website. Cyber and Infrastructure Security Centre Website. https://www.cisc.gov.au/compliance-and-reporting/overview

Civil Aviation Act 1988, (2021). https://www.legislation.gov.au/Details/C2021C00060

Civil Aviation Safety Regulations, (2022). https://www.legislation.gov.au/F1998B00220/latest/text/4

Cooper, P., Handler, S., & Shahwan, S. (2019, December 11). Aviation cybersecurity: Scoping the challenge. Atlantic Council. https://www.atlanticcouncil.org/in-depth-research-reports/report/aviation-cybersecurity-scoping-the-challenge-report/

Cyber security regulation. (2023). Civil Aviation Authority. https://www.caa.co.uk/commercial-industry/cyber-security/cyber-security-regulation/

Department for Transport. (2018). Aviation cyber security strategy. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/917529/aviation-cyber-security-strategy-document.pdf

Department of Foreign Affairs and Trade. (2021). Australia’s international cyber and critical tech engagement strategy. Australia’s International Cyber and Critical Tech Engagement. https://www.internationalcybertech.gov.au/strategy

Department of Home Affairs. (2020). Australia’s cyber security strategy 2020. https://www.homeaffairs.gov.au/cyber-security-subsite/files/cyber-security-strategy-2020.pdf

Department of Home Affairs. (2023). CISC Fact Sheet – SOCI Act obligations for critical aviation assets. https://www.cisc.gov.au/critical-infrastructure-centre-subsite/Files/cisc-factsheet-soci-act-obligations-critical-aviation-assets.pdf

Department of Industry. (2021a). The Australian Aviation State Safety Programme 2021.

Department of Industry. (2021b). The Australian National Aviation Safety Plan. https://www.infrastructure.gov.au/sites/default/files/documents/national-aviation-safety-plan-2021.pdf

DITRDC. (2021). National Emerging Aviation Technologies. https://www.infrastructure.gov.au/sites/default/files/documents/national-emerging-aviation-technologies-policy-statement.pdf

EASA. (2017). Cybersecurity. EASA. https://www.easa.europa.eu/en/the-agency/faqs/cybersecurity

Elmarady & Rahouma, K. (2021). Studying cybersecurity in civil aviation, including developing and applying aviation cybersecurity risk assessment. IEEE Access, 9, 143997–144016. https://doi.org/10.1109/access.2021.3121230

ICAO. (2010a). Supplementary to the convention for the suppression of unlawful seizure of aircraft. https://www.icao.int/secretariat/legal/Docs/beijing_protocol_multi.pdf

ICAO. (2010b). Suppression of Unlawful Acts Relating to International Civil Aviation. https://www.icao.int/secretariat/legal/Docs/beijing_convention_multi.pdf

ICAO. (2016). 2016–2030 Global Air Navigation Plan. International Civil Aviation Organization. https://www.icao.int/publications/Documents/9750_5ed_en.pdf

ICAO. (2018). Convention on the Suppression of Unlawful Acts Relating to International Civil Aviation, done at Beijing on 10 September 2010.

ICAO. (2019a). Aviation Cybersecurity Strategy. https://www.icao.int/aviationcybersecurity/Documents/AVIATION%20CYBERSECURITY%20STRATEGY.EN.pdf

ICAO. (2019b). Future of aviation. https://www.icao.int/Meetings/FutureOfAviation/Pages/default.aspx

ICAO. (2022a). Cyber Action Plan. https://www.icao.int/aviationcybersecurity/Documents/CYBERSECURITY%20ACTION%20PLAN%20-%20Second%20edition.EN.pdf

ICAO. (2022b). Cybersecurity Policy Guidance. ICAO. https://www.icao.int/aviationcybersecurity/Documents/Cybersecurity%20Policy%20Guidance.EN.pdf

ICAO. (2023). Unmanned Aircraft Systems Traffic Management (UTM) – A Common Framework with Core Principles for Global Harmonization. https://www.icao.int/safety/UA/Documents/UTM%20Framework%20Edition%203.pdf

ICAO, CANSO, & AirBus. (2020). Cybersecurity in Annex 17. https://www.icao.int/NACC/Documents/Meetings/2020/ACI/P02-CybersecurityAnnex17-ENG.pdf

Latifi, S. (Ed.). (2016). Information technology: New generations: 13th International Conference on Information Technology (1st ed., Vol. 448). Springer.

Reed, J. (2023, June 14). Increasing insider cyber threats pose risks to aviation. Avionics International. https://www.aviationtoday.com/2023/06/14/increasing-insider-cyber-threats-pose-risks-to-aviation/

Riahi Manesh, M., & Kaabouch, N. (2019). Cyber-attacks on unmanned aerial system networks: Detection, countermeasure, and future research directions. Computers & Security, 85, 386–401. https://doi.org/10.1016/j.cose.2019.05.003

Rosengren, S. (2017). Working together: Mitigating  cyber security risks in aviation. https://www.icao.int/Meetings/CYBER2017/Presentations/Summit%20Day%201%20-%205%20April%202017/Session%203%20-%20P03%20-%20Working%20together-Mitigating%20cyber%20security%20risks%20in%20aviation%20-%20AUSTRALIAN%20GOVT%20-%20S.%20ROSENGREN.pdf

Sampigethaya, K., Kopardekar, P., & Davis, J. (2018, April). Cyber security of unmanned aircraft system traffic management (UTM). 2018 Integrated Communications, Navigation, Surveillance Conference (ICNS). https://doi.org/10.1109/icnsurv.2018.8384912

Stephenson Harwood. (2022). Aviation is facing a rising wave of cyber-attacks in the wake of COVID. https://www.shlegal.com/insights/aviation-is-facing-a-rising-wave-of-cyber-attacks-in-the-wake-of-covid
