Introduction
Aviation plays a pivotal role in the world today. It allows for transportation of a large number of individuals and significant amounts of cargo across the world at very high speed. Every day, millions of people rely on the services of air travel companies in order to get to their desired destination. However, both the peculiarities of air transport and the scale at which aviation works make it an appealing target for a variety of malefactors that may use an array of methods to attack airports or disrupt their operations (Benny 2013). In particular, one type of attack which may be of great danger to the aviation industry is the cyber attack (Javaid et al. 2012). Such attacks might render the electronic and data storage and processing systems in an airport useless, thus paralyzing the airport and depriving it of the capability to launch and receive flights, coordinate the flights in progress, and communicate with other airports (Price & Forrest 2016).
Even further, hacking the information systems in an airport might pose a danger to flights which are currently in progress, for flight dispatchers may be deprived of their capability to properly coordinate flights (Javaid et al. 2012). In addition, malefactors may gain access to personal data of aircraft passengers (which is collected by airports, e.g., for the purposes of identification) and use that data, for instance, to gain access to bank accounts (Price & Forrest 2016). Therefore, it is paramount to take measures aimed at ensuring that airports are properly safeguarded against cyber attacks (see Figure 1 below). However, given the nature of cyber threats and the capability of malefactors to target airports from virtually anywhere, opposing these threats requires the cooperation of multiple air companies, or even the whole aviation industry, to be effective (Tan 2015).
Thus, in December 2014, a number of international aviation organisations agreed to align their actions aimed at preventing cyber attacks (Abeyratne 2016). A document entitled “Civil Aviation Cybersecurity Action Plan” was signed so as to provide the basis for these aligned actions (ICAO 2014b). The current paper provides a discussion and a critical evaluation of the plans and measures which they developed in order to address the threat of cyber attacks on the aviation industry.
Critical Evaluation of the Measures Aimed at Addressing Cyber Threats
On the whole, the document entitled “Civil Aviation Cybersecurity Action Plan,” which was created and signed by such international aviation organisations as the Civil Air Navigation Services Organisation (CANSO), Airports Council International (ACI), International Civil Aviation Organisation (ICAO), the International Air Transport Association (IATA), and the International Coordinating Council of Aerospace Industry Associations (ICCAIA), was aimed at providing the basis for future cooperation between these organisations (ICAO 2014a). This is needed to address the growing cyber threat to the air industry (see Figure 2 below). For this purpose, 11 main avenues of collaborative action were identified, and a roadmap for implementing these actions was proposed (ICAO 2014b). These principles, the details of the manner of their implementation in the aviation security systems, and their implications are discussed below.
Developing a Shared Comprehension of Cyber Risks and Threats
The first step in improving the level of protection against cyber attacks in the aviation industry is related to developing a clear understanding of the potential threats that aviation is faced with and that originate from all types of cyber terrorists (ICAO 2014b; Korstanje 2017). In this respect, it should be noted that to be better able to resist a threat, it is paramount to first identify that threat (Benny 2013). Doing so allows for preparing the air travel industry and strengthening the potential avenues through which aviation might be attacked, as well as for developing certain specific countermeasures which may be deployed in the situation when a cyber attack does take place. Also, the analysis of potential threats could be handy in finding out what vulnerable spots an aviation organisation has so as to minimise these vulnerabilities and better prepare for a cyber attack (Gopalakrishnan et al. 2013). In addition, the identification of potential threats might also allow for developing certain mitigating countermeasures in order to deal with the adverse impact of a cyber attack once it has occurred. Therefore, identifying the potential threats is of paramount importance because it may permit preparing the aviation industry for potential cyber attacks, identifying the vulnerabilities of an air travel organisation, and developing countermeasures which would allow for minimising the adverse impact of a potential cyber attack (Javaid et al. 2012).
Sharing the Estimates of Threats and Risks With One Another
Another pivotal step that is aimed at improving the level of cyber security in the air transport industry is related to the need to share the assessments of threats and risks among different aviation organisations and companies so as to permit them to be better protected against these threats, as well as to enable more effectual collaboration when it comes to cyber security (ICAO 2014b). More specifically, it is proposed to conduct a comparison of various assessment processes that are utilised by different stakeholders, which might allow for identifying the strengths and weaknesses of each of these processes and selecting the ones that have the largest number of advantages, simultaneously mitigating their drawbacks. Furthermore, it is proposed to identify a platform or mechanism which is later to be employed for constant sharing of information pertaining to cyber security, and to engage in such sharing. This can become the next step in successful collaboration of numerous air transport companies, if a convenient and effectual system for communicating the risk assessments is created (Vacca 2014). On the whole, the communication of airports and organisations related to air travel with the purpose of sharing risk assessments is critical, for it may allow for collaboratively developing measures aimed at dealing with the currently existing risks of cyber attacks, as well as for creating methods which might permit addressing the currently existing vulnerabilities within an existing air transport system (Price & Forrest 2016).
Agreeing Upon Common Notions and Language to Be Used in Relation to Cyber Security Issues
Another step that was planned to be taken in order to align the actions of various air travel organisations so as to address the cyber security risks was related to creating a common language which was to be used to describe various problems related to cyber security (ICAO 2014b). Developing a common language is crucial if the communication between a wide array of stakeholders is to be effectual. This is due to the fact that information technology is developing rapidly nowadays, which opens additional avenues that might enable malefactors to launch cyber attacks on air companies (Korstanje 2017). These avenues and threats often might require a considerable amount of technical knowledge and expertise to be adequately described, and if the communication about them is to be clear and effective, it is essential that all the participants of discussions are capable of quickly and univocally understanding one another (Vacca 2014). The creation of a common language and shared terminology requires that the existing standards and frameworks are reviewed so as to identify and define the terms which are needed to adequately describe the cyber threat posed by potential malefactors. These terms are then to be compiled into a single compendium, a glossary of terms, and then to be utilised by aviation companies and organisations (ICAO 2014b).
Formulating Collective Positions and Recommendations
In order to appropriately address the risks pertaining to cyber security of air companies, it is pivotal for these companies to take a common stand which would allow for developing a collective position with respect to cyber threats. Creating such a position is paramount if any effectual collective actions are to be taken with the purpose of addressing such threats and mitigating the currently existing risks and vulnerabilities in the aviation industry (Price & Forrest 2016). To carry out this step, it was proposed to identify the main spheres in which regulation is required and develop joint recommendations and positions which would permit proper regulation of various aspects of functioning of the system aimed at addressing aviation cyber security risks (ICAO 2014b). This was to be done in the short term (up to 6 months); in the longer term (6-12 months), it was decided to prepare a joint paper which would elaborate the main problems pertaining to regulation of measures aimed at addressing aviation cyber security issues. Another task was to identify the main areas in which regulations were only at the stage of emergence, and develop joint recommendations for regulating these areas. Finally, in the term of 1-1.5 years, it was planned to supply a certain amount of input so as to guide the further process of creation of regulations such as recommendations, guides, and standards, in order to more effectively address the cyber security risks faced by air travel companies today (ICAO 2014b).
Presenting a Joint Approach to Dealing With Cyber Risks and Threats in the Aviation Industry
According to this element of the roadmap for the Civil Aviation Cybersecurity Action Plan, it is necessary to formulate a consistent and coherent approach which would allow for identifying the risks and threats that the air travel industry is faced with, and for deploying highly effective measures aimed at minimising these risks and threats or neutralising them to negate the potential damage which they may cause to aviation companies (ICAO 2014b; Quigley & Roy 2012). For this purpose, it is paramount to make an agreement pertaining to the general format of communication not only among different agents who work or are otherwise engaged in the aviation industry, but also between these agents and the general public, for the latter may often be involved in situations when a cyber threat to aviation companies has been realised (Price & Forrest 2016). Such an agreement might be handy in a situation when there is a need to promptly address a breach in cyber security, for it will allow for executing a coordinated set of actions aimed at neutralising the threat. Refining and updating the agreement on communication should provide the opportunity to make the amendments which become necessary due to various changes, such as the development of the information technology industry and the resulting emergence of new threats.
Stimulating Collaboration Among Governmental Authorities and the Aviation Industry to Create Coordinated Cyber Security Plans and Strategies
A crucial step in enhancing the levels of protection of civil aviation against the potential security threats and risks is related to stimulating collaboration and coordinated action of various state and governmental agents with the companies which exist within the aviation industry (ICAO 2014b). Such cooperation is pivotal due to the fact that usually governmental organisations have a monopoly on the utilisation of physical force, so in case a threat to safety is imminent and requires such force, effective action on the part of the government is paramount (Gopalakrishnan et al. 2013; Kelly 2012). Of course, it might be possible to state that in the case of a cyber security breach, the direct use of force is rarely required immediately; however, there still might be situations when, for instance, cyber attacks precede other types of attacks with the purpose of making an air company more vulnerable (Kelly 2012). In any case, for the execution of the current step of the roadmap, it was required to determine the mechanisms which could be employed with the purpose of coordinating the actions of governmental authorities and the representatives of the aviation industry; to launch joint workshops for further developing and testing such mechanisms; and to create a plan of coordinated action in the case of a cyber security threat (ICAO 2014b).
Stimulating the Development of Organisational Cultures Characterised by High-quality Cyber Security Readiness
Organisational culture plays a key role in the manner in which a company functions, and, to a considerable degree, determines the way in which it responds to a wide array of situations (Abeyratne 2017). Consequently, it is pivotal that civil aviation companies promote organisational cultures which are characterised by a high level of awareness of the potential cyber security risks and threats, and within which the employees have full access to high-quality guides elaborating the ways of enhancing the level of cyber safety on a daily basis (ICAO 2014b). The existence and prevalence of such organisational cultures in companies that represent the aviation industry might allow for achieving a significantly greater level of cyber safety within these companies, which means that these cultures should be promoted (Abeyratne 2017). The roadmap to the Civil Aviation Cybersecurity Action Plan provides that an awareness program should be launched to stimulate the development of such cultures, and to supply the necessary guides for organisations which require them (ICAO 2014b). It was planned that within 12-18 months, nearly 80% of all the organisations within the aviation industry would have successfully promoted a high-quality cyber security organisational culture (ICAO 2014b, p. 4).
Promoting the Utilisation of the Currently Existing Design Principles and Standards for Achieving High Levels of Cyber Security, and Developing New Ones When Needed
This step of the roadmap suggests that the standards and best practices pertaining to information security and cyber protection should be promoted and shared among the various organisations which are parts of the aviation industry (ICAO 2014b). Doing so ought to be a highly effective method of raising the levels of cyber security in the aviation companies due to the fact that such an exchange should allow for selecting the most efficacious practices out of the available ones, and implementing them in order to minimise the risks and vulnerabilities currently existing within a company while simultaneously implementing methods aimed at providing a prompt response to a cyber threat should it emerge (Price & Forrest 2016). In fact, implementing this step will allow for sharing the experience of various companies so as to let them use the achievements of their “peers” while also retaining their own unique methods which are suited specifically for them.
Creating Means for Communication and Sharing Information on Threats, Incidents, and Current Defences
This step is aimed at providing the opportunity for aviation companies and organisations to communicate and share with each other the information about the existing and identified threats, the incidents which occurred recently, and the innovative developments and implementations in the sphere of defence (ICAO 2014b). Whereas such information is usually confidential, the proposed agreement ought to allow for creating means of sharing such data with the purpose of alerting the aviation companies to the potential threats so as to prevent the emergence of an actual cyber security breach and to avert the adverse consequences that might result from such a breach (Vacca 2014). It is noteworthy that with the purpose of creating such means, it is necessary to assess the existing requirements for information-sharing in order to identify the potential solutions and mechanisms which might allow for safe and effective exchange of data so as to avert or deflect a possible cyber attack.
Communicating the Information Pertaining to the Identified Cyber Threats
The current step is aimed at creating a common way of comprehending certain problems and issues which might arise in the process of organising a response to a potential cyber security threat (ICAO 2014b). The execution of this step should allow for establishing an effectual communication between the agents of the civil aviation industry so as to be able to promptly engage in collaborative actions aimed at analysing these threats and quickly developing an adequate response to them with the purpose of neutralising them so as to avert the potential harm to the aviation organisations (Price & Forrest 2016; Vacca 2014). On the whole, it should be stressed that an effective exchange of information is a necessary condition for being able to deliver an adequate response to an identified threat and to minimise or neutralise the risk that it poses to the aviation company, passengers, organisations, and other stakeholders involved in the use or provision of air transportation services.
Perfecting the Best Practices and Basic Principles on Which Defence Systems Operate
The last step of the roadmap for the Civil Aviation Cybersecurity Action Plan reflects the need to not only implement best practices and operational principles within the aviation security sphere, but also to continuously perfect these practices and principles in order to make them adequate to the constantly developing sphere of information technology, whose development also results in the ongoing refinement of the mechanisms and ways by which a cyber attack on an aviation organisation could be launched (ICAO 2014b; Jaffe 2016). The execution of this step requires continuous reviewing and improvement of various guidance materials for the agents of the air transport industry, as well as the implementation of the recommendations supplied within these materials by the aviation companies (ICAO 2014b). For more effectual implementation of best practices, principles, and recommendations by the agents of the civil aviation industry, high-quality communication between these agents is pivotal so as to permit efficacious and rapid coordination of these agents with the purpose of sharing and further refining the principles in question (Jaffe 2016). On the whole, effectual implementation of best practices and principles is paramount because it might allow for considerably decreasing the cyber risks and threats faced by a wide array of stakeholders involved in the process of provision or utilisation of the services of the civil aviation industry (Price & Forrest 2016).
Conclusion
All in all, it should be stressed that in the modern world, the threat to cyber safety in the sphere of aviation is constantly increasing, and cyber terrorists are gaining more and more ways to launch attacks on air travel companies. This necessitates taking actions aimed at providing cyber security in the sphere of aviation. For this purpose, collaboration of various aviation organisations is paramount. Therefore, in December 2014, several international aviation organisations such as CANSO, ACI, ICAO, IATA, and ICCAIA proposed a Civil Aviation Cybersecurity Action Plan aimed at developing measures to take collaborative action against cyber security threats. This plan includes a roadmap which provides a list of steps that were to be taken to enhance cyber security. It can be concluded that the plan proposes an array of measures that may allow for effective collaboration within the industry, thus effectually increasing the levels of cyber security of companies and organisations within the aviation industry.
Reference List
Abeyratne, R 2016, Rulemaking in air transport: a deconstructive analysis, Springer, Cham.
Abeyratne, R 2017, Megatrends and air transport: legal, ethical and economic issues, Springer, Cham.
Benny, DJ 2013, General aviation security: aircraft, hangars, fixed-base operations, flight schools, and airports, CRC Press, Boca Raton, FL.
Gopalakrishnan, K, Govindarasu, M, Jacobson, DW & Phares, BM 2013, ‘Cyber security for airports’, International Journal for Traffic and Transport Engineering, vol. 3, no. 4, pp. 365-376.
ICAO 2014a, Aviation unites on cyber threat, Web.
ICAO 2014b, Civil aviation cybersecurity action plan, Web.
Jaffe, SD 2016, Airspace closure and civil aviation: a strategic resource for airline managers, Routledge, New York, NY.
Javaid, AY, Sun, W, Devabhaktuni, VK & Alam, M 2012, ‘Cyber security threat analysis and modeling of an unmanned aerial vehicle system’, in 2012 IEEE Conference on Technologies for Homeland Security (HST), Piscataway, NJ, pp. 585-590.
Kelly, BB 2012, ‘Investing in a centralized cybersecurity infrastructure: why hacktivism can and should influence cybersecurity reform’, Boston University Law Review, vol. 92, pp. 1663-1711.
Korstanje, ME 2017, Threat mitigation and detection of cyber warfare and terrorism activities, IGI Global, Hershey, PA.
Military & Aerospace Electronics 2016, 2017 DOD budget calls for 15 percent increase in military cyber security spending, Web.
Price, JC & Forrest, JS 2016, Practical aviation security: predicting and preventing future threats, 3rd edn, Elsevier, Cambridge, MA.
Quigley, K & Roy, J 2012, ‘Cyber-security and risk management in an interoperable world: an examination of governmental action in North America’, Social Science Computer Review, vol. 30, no. 1, pp. 83-94.
Tan, EEG 2015, Cybersecurity in civil aviation: need for industry-wide approach, Web.
Umer, T 2017, Use of computer in aviation industry, Web.
Vacca, JR 2014, Cyber security and IT infrastructure protection, Syngress, Waltham, MA.