Task
As we have previously discovered, cybersecurity in the aviation sector is an emerging field. In light of other countries introducing specific aviation cybersecurity regulation and the failed Transport Security Amendment (Critical Infrastructure) Bill 2022, Australia seems to be lagging in this area.
Although the Department of Home Affairs is responsible for cybersecurity, in the aviation sector there appears to be a gap in relevant standards and in oversight. The Civil Aviation Safety Authority (CASA) has functions defined in legislation that align with filling these gaps, as evidenced by Part 172.155 of the Civil Aviation Safety Regulations (Civil Aviation Safety Regulations, 2022). Your task is to develop for CASA a new Cyber Strategy that will inform related policies for Australian civil aviation cybersecurity oversight (aviation cybersecurity).
1 Background
The civil aviation sector is expected to double in size by the mid-2030s (ICAO, 2019b). To enable this growth, the sector is modernising “from ground-based analog systems to space-based digital systems” (Elmarady & Rahouma, 2021, p. 143998), which is increasing the complexity of an ecosystem that includes aircraft, air traffic management (ATM) and airports (ICAO et al., 2020, p. 5). The sector’s cybersecurity challenges are also becoming increasingly complex, “making it difficult to holistically define and defend such an attack surface” (Cooper et al., 2019). These challenges include emerging threats, such as new aviation technology and increasing connectivity; the increasing prevalence of attacks on aviation; the realisation that cybersecurity has aviation safety implications; and the regulatory environment itself.
Cyber-attacks against aviation are growing, increasing 530% year-on-year between 2019 and 2020 (Stephenson Harwood, 2022). This is a concern across the sector, and existing research reveals that emerging cybersecurity threats to the sector include:
- Aircraft innovation: Remotely Piloted Aircraft Systems (RPAS, or, drones), Advanced Air Mobility (AAM) (DITRDC, 2021) and modern aircraft (Cooper et al., 2019, p. 3)
- Increased connectivity:
- System Wide Information Management (SWIM), an “aviation intranet” (ICAO, 2016, p. 72), will connect all airspace users (Elmarady & Rahouma, 2021, p. 144013), making aviation more vulnerable to cyber-threats (ICAO, 2022a, p. 1)
- Uncrewed aircraft system Traffic Management (UTM), used for managing RPAS and AAM traffic. UTM is complex, often has weak security (Riahi Manesh & Kaabouch, 2019, p. 398) and can be both a target and a vector of attacks (Sampigethaya et al., 2018).
- Lagging regulation: without up-to-date regulation, regulators are powerless to enforce international standards.
This increased connectivity is making the aviation ecosystem more vulnerable to cyber-threats (ICAO, 2022a, p. 1) and creates the potential for a vulnerability at one operator to become the vector by which an attack can “spread to other systems on the network” (Latifi, 2016, p. 205).
2 Purpose
This strategy will enable CASA to effectively regulate those elements of cybersecurity that impact aviation safety (aviation cybersecurity). This aligns with CASA’s strategic priorities (CASA, 2023, p. 13). The key drivers for this strategy are:
- The emerging threats outlined above
- Aviation becoming a more attractive target to cyber attackers (Rosengren, 2017), with increasing external and insider threats (Reed, 2023)
- The realisation that cyber-attacks “affect not only security but also safety of civil aviation” (ICAO, 2022a, p. 2)
- Other National Aviation Authorities (NAAs) responding to this with regulation
- The regulatory landscape:
- Internationally: having ratified the Chicago Convention, Australia must comply with the Standards and Recommended Practices (SARPs) set out in its annexes (CASA, 2021), and this applies to how CASA performs its functions (Civil Aviation Act 1988, 2021, s. 11). In the context of Annex 17, those functions, which include standards, surveillance, reviewing safety risks and monitoring international developments (Civil Aviation Act 1988, 2021, s. 9(1)), give CASA scope for a role in aviation cybersecurity.
- The proposed changes to the Aviation Transport Security Act 2004 (Transport Security Amendment (Critical Infrastructure) Bill 2022, 2022) provide insight into the government’s appetite to align with Annex 17.
- Australia’s dispersed cybersecurity legislation does not cover aviation cybersecurity oversight.
3 Vision statement
Our vision is for a safe, innovative civil aviation sector taking advantage of emerging technologies, while being cyber-secure and resilient against increasingly prevalent cyber threats.
4 Diagnosis
Considering the threats identified in the Organisational Profile together with the realisation that cyber-attacks “affect not only security but also safety of civil aviation” (ICAO, 2022a, p. 2) reveals that a single cyber-attack could affect aviation safety across the sector. To enable a safe, connected aviation sector, “cyber security should be a priority for all parts of the sector, regardless of size or type of business” (Department for Transport, 2018, p. 7). The International Civil Aviation Organization (ICAO) has recognised this and updated a number of conventions and documents regarding aviation cybersecurity. In response, National Aviation Authorities (NAAs) around the globe are creating regulations, as the UK CAA has done (Cyber Security Regulation, 2023).
Australia has a variety of legislation relating to cybersecurity, such as the Privacy Act 1988, the Criminal Code Act 1995, the Australian Information Commissioner Act 2010 and the Telecommunications Act 1997. When it comes to cybersecurity and aviation, however, this is limited to the Security of Critical Infrastructure Act 2018 (SOCI Act), which requires only a limited segment of the industry to report cyber incidents (CISC, 2023). Reporting an incident after it has occurred may be too late in the attack lifecycle to prevent a cyber-attack from impacting aviation safety.
The challenge is to ensure that Australia’s civil aviation industry remains safe, through being secure and resilient against increasingly prevalent cyber threats so that it can continue to grow and take advantage of emerging technologies.
The main purpose of this strategy is to:
- Ensure the cybersecurity and resilience of systems critical to aviation safety (Critical Systems)
- Drive a cybersecurity uplift within CASA
- Drive a cybersecurity uplift of the aviation industry through education, awareness and standards
5 Principles
As a regulator, CASA’s functions are defined in legislation, being outlined in Section 9 of the Civil Aviation Act 1988. Section 11 of the Civil Aviation Act 1988 goes on to declare that these functions must be undertaken in accordance with applicable international agreements.
The applicable international agreements are those concluded under ICAO, and aviation cybersecurity is addressed in a number of them, particularly the Chicago Convention, the Beijing Convention and the Beijing Protocol. Annex 17 to the Chicago Convention contains Standard 4.9.1, which requires the identification of, and a plan to protect, critical ICT systems and data used for civil aviation, and Recommended Practice 4.9.2, which outlines measures for implementation (ICAO et al., 2020). The Beijing Convention establishes an offence of destroying, damaging or interfering with the operation of air navigation facilities where the act is likely to endanger the safety of aircraft in flight, and it defines air navigation facilities in Article 2(c) to include “signals, data, information or systems” (ICAO, 2010b). Articles 1–3 of the Beijing Protocol establish an offence of threatening, attempting or executing a cyber-attack against aircraft (ICAO, 2010a). To aid in the implementation of these, ICAO has also published supporting documentation including its Cybersecurity Strategy (ICAO, 2019a), Cyber Action Plan (ICAO, 2022a) and Cybersecurity Policy Guidance (ICAO, 2022b).
The actions needed to achieve the vision statement are shaped by these functions and obligations and guided by the following principles:
- Alignment of CASA functions with Australia’s international obligations using ICAO’s Cybersecurity Policy Guidance as a reference
- Consider the domestic cybersecurity legislative landscape, aware that some cybersecurity responsibilities may sit with other departments or agencies
- Develop this strategy into a policy to inform aviation cybersecurity oversight.
6 Actions
The actions required to achieve this strategy include, but are not limited to, the following.
6.1 Review international obligations and guidance
In accordance with CASA’s function 9(1)(h) “conducting regular and timely assessment of international safety developments” (Civil Aviation Act 1988, 2021), CASA will assess applicable international agreements. This will inform other actions required to achieve our vision.
6.2 Clarify applicable functions
Due to the interdependent nature of aviation cybersecurity, the first task is to clarify CASA’s boundaries of responsibility and which of its functions are applicable to aviation cybersecurity. This will require consultation with external departments such as Home Affairs.
6.3 Standards
In accordance with CASA’s function 9(1)(c) “developing and promulgating appropriate, clear and concise aviation safety standards” (Civil Aviation Act 1988, 2021), CASA will define or develop appropriate standards in relation to Critical Systems.
ICAO’s Cybersecurity Policy Guidance (ICAO, 2022b), which recommends standards in the following areas, will serve as the starting point:
- Data security
- Supply chain cybersecurity
- Access management to Critical Systems
- Documentation of plans for incident response and recovery of Critical Systems.
6.4 Surveillance and enforcement
To ensure compliance with these standards, an appropriate surveillance and enforcement plan will be developed and implemented, aligned with CASA’s functions:
- 9(1)(d) “developing effective enforcement strategies to secure compliance with aviation safety standards” (Civil Aviation Act 1988, 2021)
- 9(1)(f) “conducting comprehensive aviation industry surveillance, including assessment of safety‑related decisions taken by industry management at all levels for their impact on aviation safety” (Civil Aviation Act 1988, 2021).
6.5 CASA Cybersecurity uplift
To lead industry, CASA must first undertake an internal cybersecurity uplift to strengthen its own cyber posture, with the goals of implementing a zero-trust architecture and embedding secure-by-design and defence-in-depth practices. This may include:
- Education and awareness
- Process redesign, implementing secure-by-design business processes
- Implementation of a zero-trust architecture across technological and non-technical assets, which may identify opportunities for internal retooling
- An updated corporate cybersecurity strategy, associated suite of documentation and enforcement mechanisms.
This uplift will need to align with CASA’s corporate plan and strategic goals to aid in acceptance and adoption of the changes involved.
6.6 Aviation sector Cybersecurity uplift
CASA will support the aviation industry in implementing the new standards and in an industry-wide cybersecurity culture uplift. The industry uplift should mirror CASA’s own uplift (6.5) where appropriate. This aligns with its functions:
- 9(2)(a)(iii) “fostering an awareness in industry management, and within the community generally, of the importance of aviation safety and compliance with relevant legislation” (Civil Aviation Act 1988, 2021)
- 9(3)(e) “promoting the development of Australia’s civil aviation safety capabilities, skills and services, for the benefit of the Australian community” (Civil Aviation Act 1988, 2021).
7 Roadmap
Our roadmap is ambitious but, with adequate will and resourcing, achievable.
References
Amjad, A., Nicholson, M., Stevenson, C., & Douglas, A. (2016). From security monitoring to cyber risk monitoring. Deloitte Review, 19. https://www2.deloitte.com/content/dam/insights/us/articles/future-of-cybersecurity-operations-management/DR19_FromSecurityMonitoringToCyberRiskMonitoring.pdf
Aviation Transport Security Act 2004, (2012).
CASA. (2021). Overview of CASA rule making principles and obligations. Civil Aviation Safety Authority. https://www.casa.gov.au/rules/changing-rules/overview-casa-rule-making-principles-and-obligations#Internationalagreementsandcommitments
CASA. (2023). Civil Aviation Safety Authority Corporate Plan 2023-2024. https://www.casa.gov.au/sites/default/files/2023-07/casa-corporate-plan-2023-24.pdf
CISC. (2023). Cyber and Infrastructure Security Centre website. Cyber and Infrastructure Security Centre Website. https://www.cisc.gov.au/compliance-and-reporting/overview
Civil Aviation Act 1988, (2021). https://www.legislation.gov.au/Details/C2021C00060
Civil Aviation Safety Regulations, (2022). https://www.legislation.gov.au/F1998B00220/latest/text/4
Cooper, P., Handler, S., & Shahwan, S. (2019, December 11). Aviation cybersecurity: Scoping the challenge. Atlantic Council. https://www.atlanticcouncil.org/in-depth-research-reports/report/aviation-cybersecurity-scoping-the-challenge-report/
Cyber security regulation. (2023). Civil Aviation Authority. https://www.caa.co.uk/commercial-industry/cyber-security/cyber-security-regulation/
Department for Transport. (2018). Aviation cyber security strategy. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/917529/aviation-cyber-security-strategy-document.pdf
Department of Foreign Affairs and Trade. (2021). Australia’s international cyber and critical tech engagement strategy. Australia’s International Cyber and Critical Tech Engagement. https://www.internationalcybertech.gov.au/strategy
Department of Home Affairs. (2020). Australia’s cyber security strategy 2020. https://www.homeaffairs.gov.au/cyber-security-subsite/files/cyber-security-strategy-2020.pdf
Department of Home Affairs. (2023). CISC Fact Sheet – SOCI Act obligations for critical aviation assets. https://www.cisc.gov.au/critical-infrastructure-centre-subsite/Files/cisc-factsheet-soci-act-obligations-critical-aviation-assets.pdf
Department of Industry. (2021a). The Australian Aviation State Safety Programme 2021 State Safety Programme.
Department of Industry. (2021b). The Australian National Aviation Safety Plan. https://www.infrastructure.gov.au/sites/default/files/documents/national-aviation-safety-plan-2021.pdf
DITRDC. (2021). National Emerging Aviation Technologies. https://www.infrastructure.gov.au/sites/default/files/documents/national-emerging-aviation-technologies-policy-statement.pdf
EASA. (2017). Cybersecurity. EASA. https://www.easa.europa.eu/en/the-agency/faqs/cybersecurity
Elmarady, A. A., & Rahouma, K. (2021). Studying cybersecurity in civil aviation, including developing and applying aviation cybersecurity risk assessment. IEEE Access, 9, 143997–144016. https://doi.org/10.1109/access.2021.3121230
ICAO. (2010a). Supplementary to the convention for the suppression of unlawful seizure of aircraft. https://www.icao.int/secretariat/legal/Docs/beijing_protocol_multi.pdf
ICAO. (2010b). Suppression of Unlawful Acts Relating to International Civil Aviation. https://www.icao.int/secretariat/legal/Docs/beijing_convention_multi.pdf
ICAO. (2016). 2016–2030 Global Air Navigation Plan. In International Civil Aviation Organization. https://www.icao.int/publications/Documents/9750_5ed_en.pdf
ICAO. (2018). Convention on the suppression of unlawful acts relating to international civil aviation done at Beijing on 10 September 2010.
ICAO. (2019a). Aviation Cybersecurity Strategy. https://www.icao.int/aviationcybersecurity/Documents/AVIATION%20CYBERSECURITY%20STRATEGY.EN.pdf
ICAO. (2019b). Future of aviation. https://www.icao.int/Meetings/FutureOfAviation/Pages/default.aspx
ICAO. (2022a). Cyber Action Plan. https://www.icao.int/aviationcybersecurity/Documents/CYBERSECURITY%20ACTION%20PLAN%20-%20Second%20edition.EN.pdf
ICAO. (2022b). Cybersecurity Policy Guidance. ICAO. https://www.icao.int/aviationcybersecurity/Documents/Cybersecurity%20Policy%20Guidance.EN.pdf
ICAO. (2023). Unmanned Aircraft Systems Traffic Management (UTM) – A Common Framework with Core Principles for Global Harmonization. https://www.icao.int/safety/UA/Documents/UTM%20Framework%20Edition%203.pdf
ICAO, CANSO, & Airbus. (2020). Cybersecurity in Annex 17. https://www.icao.int/NACC/Documents/Meetings/2020/ACI/P02-CybersecurityAnnex17-ENG.pdf
Latifi, S. (Ed.). (2016). Information technology: New generations: 13th International Conference on Information Technology (1st ed., Vol. 448). Springer.
Reed, J. (2023, June 14). Increasing insider cyber threats pose risks to aviation. Avionics International. https://www.aviationtoday.com/2023/06/14/increasing-insider-cyber-threats-pose-risks-to-aviation/
Riahi Manesh, M., & Kaabouch, N. (2019). Cyber-attacks on unmanned aerial system networks: Detection, countermeasure, and future research directions. Computers & Security, 85, 386–401. https://doi.org/10.1016/j.cose.2019.05.003
Rosengren, S. (2017). Working together: Mitigating cyber security risks in aviation. https://www.icao.int/Meetings/CYBER2017/Presentations/Summit%20Day%201%20-%205%20April%202017/Session%203%20-%20P03%20-%20Working%20together-Mitigating%20cyber%20security%20risks%20in%20aviation%20-%20AUSTRALIAN%20GOVT%20-%20S.%20ROSENGREN.pdf
Sampigethaya, K., Kopardekar, P., & Davis, J. (2018, April). Cyber security of unmanned aircraft system traffic management (UTM). 2018 Integrated Communications, Navigation, Surveillance Conference (ICNS). http://dx.doi.org/10.1109/icnsurv.2018.8384912
Stephenson Harwood. (2022). Aviation is facing a rising wave of cyber-attacks in the wake of COVID. https://www.shlegal.com/insights/aviation-is-facing-a-rising-wave-of-cyber-attacks-in-the-wake-of-covid