Cyber Security

Luke Hally

Aviation cybersecurity oversight presentation

October 9, 2023

Task

In this assessment you will consider the policy implications of your new Cyber Strategy, highlighting and explaining two policy statements which support the strategy. These implications will be communicated through a presentation (5-minute recorded video presentation), and an executive brief document (1-page written summary). The presentation and brief will be aimed at the executives of your profiled organisation.

Presentation

Transcript

Executive brief


Title: Industry cybersecurity strategy overview.

Purpose: For information. Policy changes required to achieve our cybersecurity oversight strategy goals.

Points to note:

  • The aviation sector is growing, expected to double by the 2030s, as are its emerging technology and connectivity
  • Cyber-attacks on aviation are growing at 530% year on year
  • The combination of aviation sector growth, increasing complexity and increasing connectivity is raising our cyber-risk
  • The effect of cyber-attacks on aviation safety is recognised by ICAO, EASA, the UK CAA and the FAA
  • The executive have already endorsed an industry cybersecurity oversight strategy. Policy will be required for this to succeed. Two key policy changes are 5.1.1 Secure business processes and 5.2 Verify CASA’s cyber functions:
    • 5.1.1 Secure business processes: Will embed cybersecurity into our ways-of-working to secure data and systems at each stage and transition of business processes, even in a breach. Business owners will be responsible for the security of their processes. Standards and guidelines will be developed to support this change.
    • 5.2 Verify CASA’s cyber functions: Will clarify our role in industry cybersecurity oversight by identifying our international cybersecurity obligations and then mapping our functions to them. This will be undertaken by a responsible business unit. Having the executive appoint the responsible business unit provides flexibility to accommodate organisational changes without the need to update policy. Standards and procedures, along with existing legislation and international agreements, will enable this policy statement.
  • Cybersecurity is not just another risk to go on the register. It is an enabler to emerging technology, connectivity and growth of the aviation sector, as well as foundational to protect our sector from growing cyber-risk, now and into the future.

Recommendation: Endorse the policy changes and development of associated documentation.

Contact Officer: Luke Hally


Transcript

Intro

In March this year, Sabena Engineering, a European certified maintenance provider, was the victim of a ransomware attack.

So it’s not a stretch to imagine a cyber-attack which modifies the maintenance records of an Independent Maintainer and leads to falsified Authorised Release Certificates.

I’d like you to consider for a few seconds, with a thought experiment of your own, how this scenario could impact aviation safety.

Hello, I’m Luke Hally. Today I’m going to provide an overview of our new industry cyber oversight strategy and present some key policy changes, so we can avoid a scenario like this in Australia.

Aviation sector overview

The aviation sector is growing, expected to double by the 2030s.

It’s also experiencing unprecedented growth in emerging technology and interconnectivity, examples being drones, Advanced Air Mobility and an aviation intranet which will connect all airspace users. While bringing exciting opportunities, these factors are increasing the vulnerability of our sector in the face of cyber-attacks, which are growing 530% year on year.

In short, cyber-risk is increasing.

Cyber impact on aviation

CASA is responsible for aviation safety, so why am I talking about cybersecurity? Because, as you would have concluded from our thought experiment, cyber-attacks can “affect not only security but also safety of civil aviation”, a view shared by ICAO, EASA, the UK CAA and the FAA.

So if we consider this link between cyber-attacks and aviation safety, together with increasing cyber-risk, we can see why I’m here today: cybersecurity mitigates those risks, weakening the link between cyber-attacks and aviation safety.

To enable this, a strategy has been developed and circulated. To summarise: we are going to clarify our role in industry cybersecurity oversight and work out what this means for how we perform our functions, so as to maintain aviation safety.

Slide 4: Policy impact

Our strategy is going to change the way we do things. This will need policy support to be successful. Today we will be looking in more detail at two items: the CASA cyber uplift policy and CASA’s cyber oversight policy.

Slide 5: CASA cyber uplift policy

Our first policy statement, “business process design”, is part of the CASA cyber uplift policy.

5.5.1 Business process design

Business process owners:

  1. Must ensure processes adhere to the business process design procedure 
  2. Are responsible for identifying:
    1. business objectives
    2. security objectives
    3. associated assets
  3. Must adhere to the data lifecycle standard
  4. Are responsible for data assets being classified.

This policy will ensure that business processes are always in an authorised state – in other words, systems and data are secure at each stage and transition of the process, even in the event of a breach. This will add teeth to the awareness and training aspects of our uplift, as it means that everyone is living and breathing cyber-awareness just by following the secure processes.

This policy statement will see business owners taking responsibility for the security of the processes they own and ensuring that each process is secure-by-design, as recommended by ICAO and Home Affairs. By making business owners responsible, we ensure that secure-by-design is pushed throughout the organisation and uplifts our ways-of-working.

We will develop a range of documentation, including standards, which will be used throughout the policy.

Slide 6: CASA’s cyber oversight policy

Our second policy statement is Verify CASA’s cyber functions, part of the CASA cyber oversight policy.

5.1.1 Verify CASA’s cyber functions

  1. The executive: 
    1. Must appoint a responsible business unit for 5.1.1 b
    2. Must review the appropriateness of the responsible business unit annually
    3. May direct the responsible business unit to undertake its responsibilities at any time
  2. The responsible business unit:
    1. Is responsible for reviewing our cybersecurity obligations, annually or as directed by the executive
    2. Is responsible for identifying CASA’s functions relevant to its cybersecurity obligations
    3. Must adhere to the CASA assess cybersecurity obligations procedure

The purpose of this policy statement is to identify our international obligations with regard to aviation cybersecurity, for example Standard 4.9.1 and Recommended Practice 4.9.2 of Annex 17 of the Chicago Convention, and then to align these with our functions as defined in the Civil Aviation Act. The desired outcome of this policy statement is to understand which of our functions align with cybersecurity obligations.

This will be undertaken by the responsible business unit, which will be appointed and reviewed by the executive. Executive involvement will provide flexibility to accommodate organisational changes without the need to update policy. The executive may also direct the responsible business unit to undertake its responsibilities at any time, enabling a response to new information or environmental changes.

Documentation:

  • Procedure: CASA assess cybersecurity obligations
  • Guideline: ICAO cybersecurity policy guidance

Slide 7: Endorsement

I want to underline how important this is. There’s a perception that cybersecurity is just another risk to go into the register. It’s much more than that, so I want to dispel that perception right now. Cybersecurity is foundational to overcoming the challenges that we face in our sector, today and into the future. With a foundation of good cybersecurity we are preparing our sector for inevitable attacks, so we can maintain aviation safety.

Making these proposed policy changes is critical to implementing our strategy in the desired manner so we can mitigate the impact of cyber-attacks on aviation safety. I’m seeking your endorsement to proceed with these changes and update our policies.

Slide 8: Thoughts / Questions (26)

Thank you for taking the time to consider this important strategy. I’m looking forward to progressing this and am happy to hear any thoughts or questions you may have.
