For inaction on cyber
1,713 – that's the number of new incidents involving malware that reported on EUROCONTROL's Malware Information Sharing (MISP) Platform in Q3 2019. The following quarter it was 2,507, an increase of over 40% in just three months.
Before the downturn in aviation traffic due to COVID-19, it was already a challenge to defend operational systems against ever evolving threats. "Air gaps" continued to be bridged by the demands of efficiency and interconnectedness. Striking the right balance between security and capability was like walking a tightrope.
2020 has brought a significantly changed landscape, with remote working in ways and in numbers that nobody had ever projected. Operational needs changed, and innovative approaches to system installation, maintenance and operation have changed with them.
At the same time, the attackers have not stood still. COVID-19 presented a unique opportunity to them, and one they fully embraced. By April 2020, volumes of COVID-19 related spam and phishing emails had skyrocketed, pushing an ever more diverse range of malware. The threat didn't reduce when the world shut down – it increased instead.
For aviation specifically, the threat is spread across the whole industry. Airlines and airports are often the first target, but more advanced threats often seek widespread disruption by targeting air navigation service providers and original equipment manufacturers too. With much of aviation's infrastructure evolving over decades, it is inevitable that legacy or unpatched equipment will be exposed somewhere. It's not a question of "if" the attackers succeed, but "when" and "how effectively".
The most dynamic security defences are human awareness, training, and simple "good" behaviours. Now is the time to form good security habits, effective security cultures, and "challenge mindsets". Now is the time to stop using the same three passwords both at home and at work, and to call and double check when that suspicious email arrives claiming to be from a colleague!
Within Europe, the NIS Directive sets a baseline expectation for security approaches in critical industries, and states have found various approaches to apply this. In the UK, the CAA addresses this through their Cybersecurity Oversight Process (CAP1753), which uses a baseline known as the Cyber Assessment Framework (or "CAF") to provide indicators of good practice as a benchmark.
For UK aviation, the Cybersecurity Oversight Process involves the use of an ASSURE accredited auditor to validate the assessments against the CAF, giving a third-party opinion on the effectiveness of security protections.
Many of the planned timescales for security improvements will of course be adjusted as the industry rebuilds after 2020, but inaction is not an option. Getting the basics right is key to recovery – it's not going to be easy, but there's an opportunity here to build a solid foundation. One where cyber-attacks and malicious actors are not some rare exception to be handled, but a fundamental reality of life; where the effects that they can cause are anticipated, planned for and effectively mitigated through disciplined business processes.
Building this solid foundation sometimes needs some outside help, and for the UK aviation market, Helios is working with other experts in a group called the ASSURE Support Team to help connect the Cybersecurity Oversight Process with wider cybersecurity practices, and to build long term effective protections for aviation.
Find out more about the ASSURE Support team in this short video.