The 39th Assembly of the International Civil Aviation Organisation (ICAO) recently took place in Montreal. Given that cyber-security is one of the most relevant issues in civil aviation today, it is no surprise that multiple stakeholders, including South Africa, addressed the Executive Committee on the development of a global framework for cyber-security and a cyber security defense strategy in civil aviation.
Cyber security in aviation
Cyber-security is driven by threat evolution which in turn is fuelled by technological advances. The civil aviation industry is particularly vulnerable to cyber threats as expansion of the civil aviation industry leads towards a greater dependency on information communication and technology. Whilst this increased risk may make for great cinema there could be dire economic and social consequences should it materialise. Cybercrime is no longer a fiction; anything from an in-flight entertainment system to an electronic check-in system creates vulnerabilities in the aircraft security system. There is a pressing need to cultivate a greater appreciation of cyber-threats within aviation security culture and ways to avoid risks.
ICAO has recognised the serious challenges posed by cyber security threats. In October 2012 at the 12th ICAO Air Navigation Conference, cyber security was discussed and recognised as a major concern and a cyber security task force was formed to evaluate the extent of the problem and develop the global cyber security architecture. Since 2013 ICAO Annex 17 now deals with cyber threats and provides that each contracting state must develop measures to protect information and communication technology systems used for civil aviation purposes from interference that may jeopardise safety. In March 2014 the ICAO Aviation Security Panel (AVSEC) deliberated a number of issues concerning cyber threats including encouraging states to develop security plans which incorporate incident management and business continuity.
At a regional level the United States, Europe, and the International Air Transport Association (IATA) have begun initiatives to address this issue. For example IATA developed a cyber-security tool kit for airlines. Despite these proactive steps there are a multitude of issues which are yet to be addressed and which could be guided by the advent of a global framework. The global framework which is being canvassed would be based on existing best practices in information security and developed in consultation with aviation safety and security experts. The ICAO Member States have set out their proposal in a working paper which supports the need for a horizontal approach which will ensure coordinated, proportionate, and effective implementation.
Cyber security defense strategy
The Civil Air Navigation Services Organisation (CANSO) is also presenting a working paper directed at a cyber security defense strategy. CANSO’s proposals include:
- ICAO should issue guidance material aimed at harmonization of existing initiatives;
- Member States must focus their attention on vulnerabilities in systems and networks rather than on threats;
- the establishment of a forum for aviation firms to share best practices in a secure and trusted environment so that effective tools and techniques that enhance security can be shared; and
- Member States should review recent initiatives presented at AVSEC panel, in order to upgrade the current Recommended Practice in Annex 17.
A global framework could provide necessary guidance on standard requirements regarding cyber security protection and mitigation measures; how to evaluate compliance with Annex 17; and may lead to a much needed cyber security policy and plan within ICAO The recommendations that were put forward at the 39th Assembly represent a crucial step towards greater recognition, awareness and action.
Inside Africa would like to thank Shanae Pillay, Candidate Attorney, for her contribution to this blog post.