Cyber threats to the aviation sector are rapidly becoming a major issue for airlines, aircraft manufacturers and authorities. But Europe faces legacy problems and new challenges in addressing cyber risks to its air transportation systems.
Sources consulted by euractiv.com describe a fragmented landscape, with a poor understanding of the threat by officials, and substantial differences within the industry when it comes to the involvement of the EU.
“For the time being, it is extremely difficult to exchange information,” said Pascal Andrei, who has been responsible for aircraft security at Airbus for fifteen years.
After years of being neglected as a major issue, cyber security is now becoming a priority in Europe. Inspired by US efforts, the EU is trying to catch up.
However, officials and the private sector are still trying to calibrate the right level of cooperation, as the industry considers that EU authorities, mostly the Commission, are “far from reality” on this matter. “There is too much bla bla bla,” an industry source said.
“Cybersecurity and cyber attacks are a rapidly developing issue,” said Dirk Polloczek, president of the European Cockpit Association. “We need to invest more on what could be done, but the question is also who is responsible and who is leading,” he added.
Late and duplicated
The US created an Aviation Information Sharing and Analysis Center (A-ISAC) in September 2014.
Its goal is to exchange sensitive information about incidents and vulnerabilities in a “secure trust network”, the A-ISAC website says.
The group includes airlines, Boeing and intelligence agencies such as the National Security Agency, the FBI and the CIA.
Airbus and Lufthansa are the only European voices in the association, according to one of the members.
While in the US all the efforts to tackle cyber attacks have been channelled through the A-ISAC, in Europe government and industry are developing different initiatives.
Last February, the European Aviation Safety Agency (EASA) set up a European Centre for Cyber Security in Aviation (ECCSA).
EASA invited aircraft manufacturers, airlines and other stakeholders to become members of ECCSA (free of charge) in order to benefit from intelligence sharing on cyber attacks.
The EU agency also offered operational means to face these threats.
“It is not so easy to connect all these actors because they tend to work in isolation most of the time”, said Davide Martini, aviation cybersecurity officer at EASA and responsible for the implementation of ECCSA.
“We saw in the past not really efficient dynamics in information exchange relevant to cybersecurity,” he commented.
But companies remain wary of the EU’s role in dealing with cyber risks.
Some players decided not to wait for EASA’s initiative and, in November, set up a European Strategic Coordination Platform.
The platform will include key industry stakeholders, but also member states and EU institutions. A first meeting is scheduled for 2017.
The new platform will replace an existing informal group including Airbus, airlines and other actors.
Not with you
But the participation of the EU institutions could affect the free flow of sensitive information, some industry sources feared.
The largest aircraft manufacturers also hold different views on the EU authorities’ involvement.
“We support Boeing’s approach of having a closed-door system to exchange sensitive information, but in order to face a threat which is organised and worldwide, you need to talk to other people. So it should work both ways,” said Airbus’s Andrei.
“Boeing is among the members of the aviation industry actively participating with government agencies and industry partners in efforts to make commercial aviation, already the safest form of transportation, even safer,” according to Boeing’s Vice President for Safety, Security & Compliance, Elizabeth A. Pasztor.
“Developing and agreeing upon cybersecurity standards for airliners and advancing information sharing both across industry and governments are some of those efforts,” she replied in a statement.
Andrei argued that EU institutions should play a role as a “music director” in order to harmonise specifications and requirements for manufacturers, airlines, airports, suppliers and air traffic management systems.
“Today, most EASA regulations are for aircraft manufacturers. However, security is a chain. You need to harmonise the specifications and requirements and address all stakeholders.”
He hoped that stakeholders would exchange a lot of information even once the EU institutions are part of the new industry-led platform.
But he stressed that officials also needed to be more in contact with experts with operational knowledge to draft operational directives in order to bolster their proposals.
Other industry voices bluntly commented that, in order to guarantee that companies continue sharing sensitive information once the Commission and EASA are involved, these bodies should have the appropriate skills and competences, which is not the case today for the executive.
“Probably we will be more exposed to cyber-security information than we are today,” EASA’s Martini said.
“That will mean that EASA will be successful because this is exactly the purpose of the enterprise but not only for us, for every [ECCSA] member.”
The Commission did not respond to EURACTIV’s request for a comment.
EASA believes that the EU institutions’ ‘top-down’ approach and the ‘bottom-up’ industry-led effort are “complementary initiatives” and are both needed, a spokesperson said.
Mistrust exists not only between the EU and the aviation industry but also between member states.
This hampered the exchange of sensitive information in the past because countries “don’t share the US mindset when it comes to the security culture”, Andrei explained.
Working with the A-ISAC may be easier not only because all the intelligence agencies belong to a single country, but also thanks to the stakeholders’ “patriotic” stance that inspires them to address common threats, the Airbus official said.
He commented that, once the new industry-led platform is set up, it would “not compete with but rather complete” what the US group is doing.
Andrei recalled the “high level of cooperation” between Boeing and Airbus when it comes to physical and cyber-security and safety.
The US-based Boeing and Europe’s Airbus control most of the aircraft manufacturing market. The tough competition between the two companies has led to mutual accusations of illegal state subsidies.
“Since 11-S, we exchanged a lot of sensitive info. We are not in competitive mode with Boeing” on these issues, Andrei concluded.
(with Catherine Stupp)
Analysts agree that the main vulnerabilities in aviation lie in on-the-ground networks connected to planes, which upload or download flight-related information.
EASA points out that these systems are less secure than those installed on aircraft.
Nowadays, hardware used by passengers during flights, such as the Wi-Fi connection or entertainment consoles, is physically separated from critical onboard safety systems.
In June 2015, an attack grounded around 1,400 passengers when the flight plan system of 10 planes went down for around five hours at Warsaw’s Chopin airport.
The International Air Transport Association (IATA) has developed a three-pillar strategy to understand, define and assess the threats and risk of cyber attacks, the basis for appropriate regulation and the mechanisms for increased cooperation throughout the industry, with the support of governments.