Air Traffic Safety
ELECTRONICS
INTER N AT I O N A L
THE LEADING JOURNAL IN GLOBAL CNS/ATM COVERAGE
Aviation Operations in a Cyber-Centric World
On 17 October 2023, the European Space Agency (ESA) staged a hackathon, dubbed ‘Pwn The Rover 2023’ hacking contest, at its Mission Control Centre in Darmstadt Germany in collaboration with Fraunhofer SIT and ATHENE-Center. The hackathon was meant to serve as an eerie depiction of a year 2075 scene and the quest to save Martian rovers from a cyber- attack.
The overriding intent, of course, was to create an opportunity for the younger generations in the complex and labyrinthine corridors of cybersecurity. Eight teams slugged it out trying very hard to outdo one another in a wide variety of areas, including shielding their rovers’ systems from attacks from competing teams, attacking competing rovers, and unlocking as well as unravelling strings of codes that were secretly hidden in vulnerable websites or programs.
And at the end of the contest, the SPAAAAAACE team from Warsaw University of Technology and University of Potsdam topped the chart with 2000 points, while the ‘pwnthemOle’ team from Politecnico di Torino and the ENOFLAG team from Technische Universitat Berlin and Universitat Paderborn settled for the runners-up slots with 1950 points and 1800 points respectively.
Although the ESA hackathon had its focus on the space exploration cyberspace, the contest nevertheless could be described as a solemn rendition of the sobering reality of the present and future significance of cybersecurity in a world that is becoming increasingly cyber-centric.
To be sure, issues revolving around cyber risks and threats are becoming a permanent and recurring decimal in virtually every sphere of life. And there isn’t going to be a let-down as more and more innovative digital technologies become available and the cyberspace continues to hold onto its billing as a fertile ground for hackers and all manners of cyber criminals.
AVIATION AND CYBERSECURITY
‘Digital Lifelines’ – that’s what virtually all the entities in the world, including the aviation industry, are currently hanging on to. And talking about the cyberspace, the disruptions in terms of risks, threats and exposures are still unfolding, reverberating through aviation’s techno-operational realms and definitely showing no sign of abating. The increasing digitalization, automation, virtualization and interoperability of virtually all the elements of the global aviation ecosystem have also been laying bare a sobering reality regarding the susceptibility and vulnerability of aviation to harmful and unlawful activities within the cyberspace.
“Cyber security is a very big challenge that traverses all operations and which for sure we must address,” said Costas Christoforou, International Federation of Air Traffic Safety Electronics Associations (IFATSEA) Regional Director for Europe in an interview featured in our Volume 1 Number 2 (2023) edition. “This is a price we must pay, I would say, as we are moving with all these revolutionary technological changes in aviation.”
“One of the most pressing concerns is the potential for hackers to infiltrate aircraft systems, compromising their safety and functionality,” says Ivani Valente, Head of Cybersecurity at the Angolan ANSP (ENNA-EP) and Host of the Podcast Radio ANGOAVIACÃO. “With modern planes becoming increasingly reliant on digital technologies, the risk of cyber-attacks disrupting flight operations or even causing accidents is a sobering reality.”
“Moreover, airports and airlines store vast amounts of sensitive information, including passenger details, flight plans, and security protocols,” adds Valente. “A breach of this data not only poses a threat to individual privacy but also undermines trust in the aviation industry as a whole.”
“We must bear in mind that as the number of digital applications and data networks increases, the same goes for the risk of exploitation,” said Costas Christoforou. “And recently, we have had many examples.”
And to be sure, we have had several examples as quite a large number of breaches have taken place, with distributed denial-of-service (DDOS) attacks accounting for the greater chunk of recorded attacks. On 27 June, 2017, for example, the flight information systems at Boryspil Airport in Ukraine were taken down due to an attack by the NotPetya computer virus, resulting in flight delays as the airport resorted to manual information feed. Sometime in 2018, British Airways incurred a whopping ₤183 million fine due to a data breach resulting in the theft of about 500 thousand personal data of passengers through the activities of cyber criminals. The same year, a ransomware attack took down the electronic flight information screens at UK’s Bristol Airport, resulting in the use of manual whiteboard information while the problem lasted. Boeing also suffered a ransomware attack by the WannaCry computer virus the same year, although the attack did not significantly impact the aircraft manufacturer’s systems.
In 2019, a phishing attack targeting Air New Zealand Airpoints customers exposed the personal information of over 110,000 customers. The same year, Albany International Airport in the United States suffered a ransomware attack resulting in the encryption of the airport database and forcing the airport authority to pay a ransom to retrieve the decryption code. In 2020, the international transportation giant, Maersk, suffered an attack, resulting in the payment of $300 million in ransom. In October 2023, the notorious LockBit ransomware gang, masterminded by Dimitry Yuryevich Khoroshev, hacked into Boeing’s systems, stealing about 43GB of data, including the American aircraft manufacturer’s IT management software, monitoring logs and a host of other auditing tools in a yet another cyber heist. The gang demanded a $200 million ransom for the return of the stolen data but Boeing vehemently declined the demand, forcing the LockBit gang to follow through their threats by publishing the stolen data.
These occurrences, as monumental as they are, raise serious questions regarding the significance of cyber threats in today’s aviation working environments.
“In today’s aviation working environment, cyber threats pose a significant and evolving challenge, particularly concerning CNS equipment,” says Sam Mahlangu, IFATSEA Regional Director for Africa. “As aviation technology advances, CNS systems have become increasingly interconnected and reliant on digital infrastructure. This interconnectivity allows cyber attackers to exploit vulnerabilities and potentially compromise critical aviation systems.”
“Addressing cybersecurity threats in the aviation sector is crucial to ensure the safety and integrity of air transportation systems,” opined Dr. Sallami Chougdali, Head of Laboratories Management Unit at Moroccan Airports Authority’s Mohammed VI International Academy of Civil Aviation, Casablanca, in an interview featured in our Volume 2 Number 1 (2024) edition.
“Cybersecurity in aviation is not merely a matter of protecting data; it’s a critical component in ensuring the safety and integrity of air travel,” says Ivani Valente. “The interconnected nature of aviation systems makes them vulnerable to a wide array of cyber threats, ranging from ransomware attacks targeting airlines’ operational systems to malicious interference with air traffic control networks.”
CNS/ATM IN THE CYBERSPACE
The growing digitalization, automation, virtualization and interoperability of the communication, navigation, surveillance/air traffic management (CNS/ATM) working environment has come with a price. And this has nothing to do with the fact that the core determinant of vulnerabilities appears to be an exposure to the cyberspace. Rather it speaks to issues surrounding the susceptibility of CNS/ATM systems to cyber-attacks.
“The case of cybersecurity is related to the architecture of the CNS/ATM system and whether this is of distributed nature and information exchange over, for example, SWIM, “said Theodore Kiritsis, IFATSEA President in an interview featured in our Volume 1 Number 1 (2023) edition. “The key enabler to this approach must not be seen as an IT problem as attack vectors will not come only from the network but can also be introduced on the signal in space in a possible combined attack, for example spoofing.”
“The ANS and ATM systems introduces vulnerabilities that can be exploited by cyber attackers. Weaknesses in network security within these interconnected systems create opportunities for malicious actors to compromise critical aviation infrastructure,” says Sam Mahlangu. “The interconnected nature of ATM systems amplifies the potential impact of cyber-attacks. Vulnerabilities in one component can cascade across the entire network, leading to widespread disruptions in air traffic operations. Additionally, the gradual transition from legacy systems to modernized ATM technologies presents challenges in maintaining robust cybersecurity measures.”
ORGANIZATIONAL STRATEGIES
The growing cybersecurity concerns in the global aviation landscape have, expectedly, been greeted with a flurry of responses by national, regional and international aviation entities notwithstanding the variabilities revealed by the International Telecommunication Union’s (ITU) Global Cybersecurity Index 2020 in terms of scores and ranks across countries and regions. For example, in 2019, the International Civil Aviation Organization (ICAO) came up with a Global Aviation Cybersecurity Strategy anchored on seven pillars: International cooperation; Governance; Effective legislation and regulations; Cybersecurity policy; Information sharing; Incident management and emergency planning; and Capacity building, training and cybersecurity culture.
This strategy was adopted by the ICAO General Assembly vide Resolutions A40-10, which is anchored on addressing cybersecurity in civil aviation. The International Air Transport Association (IATA) has also – within the framework of the ICAO-initiated Global Aviation Security Plan – identified five strategic objectives, one of which pertains to the development of an industry-led cyber/digital security strategy. The International Federation of Air Traffic Safety Electronics Associations (IFATSEA) is also not left behind in this race. According to Theodore Kiritsis, “IFATSEA has provided an architectural solution for cyber-secure SMC for ANSPs, which was submitted to the ICAO Assembly in 2016. The same concept has been submitted to SESAR and EASA in Europe and also presented in several international meetings.”
Aside from ICAO initiatives, there are also national initiatives. Montenegro in Europe is one instance.
“Yes, the Montenegro aviation industry has a framework in place for addressing cybersecurity issues. All aviation entities in Montenegro closely collaborate on this matter,” says Nikola Cojic, a Montenegrin air traffic safety electronics professional and IFATSEA Treasurer/Executive Board member. “What is even more significant is that the state of Montenegro has started to systematically address this issue. It began with the preparation of a Law on Information Technologies harmonized with the NIS2 European standard. The establishment of a Cybersecurity Agency is underway, as well as the formation of a government CIRT with a SOC (Security Operation Center) function aimed at incident prevention. The CIRT team operates 24/7 and is equipped with a set of security tools, creating a cybersecurity ecosystem where all aviation entities will find their place and role. It is important to note that Montenegro will soon have a regional cyber security center, which is also a recognition of the quality work in this area.”
Angola is also on the radar. According to Ivani Valente, the Angolan CAA “… is in the process of drafting the Angolan Civil Aviation Cybersecurity Strategy (ACACS) to address the evolving cyber threat landscape whose frameworks and strategies are in accordance with the ICAO Annex 17 (its relevant provisions), the Cybersecurity Culture in Civil Aviation, Cybersecurity Strategy, Cybersecurity Policy Guidance and the Cybersecurity Action Plan documents.”
The Kingdom of Morocco also comes into focus. Says Dr. Sallami Chougdali: “The cybersecurity field and the associated threats have attracted the attention of our ANSP since 2010 and to deal with these threats, the Moroccan ANSP has created an operational entity specializing in cybersecurity, and carried out audits to analyze and identify cyber risks and threats.”
“The ANSP has, in addition, conducted not only awareness campaigns for all employees but also scheduled training sessions on the subject,” Dr. Chougdali added.
And there are also regional initiatives. In Europe, for example, the European Centre for Cybersecurity in Aviation (ECCSA) – part of EASA – administers aviation cybersecurity issues in Europe.
BREACHES IN CLOUD COMPUTING
That said, questions need to be asked regarding organisations that have become highly reliant on IP connectivity and cloud computing technologies. And talking about cloud computing, some experts like Engr. Mohammed Sadiq Bandiya, an OCI Foundation Architect/MultiCloud Associate and Technical Assistant to the Director of Safety Electronics and Engineering Services at the Nigerian Airspace Management Agency (NAMA), would rather argue that the risks are a function of a number of elements including data ownership and data privacy.
“As aviation operations become more reliant on cloud services, they may face enhanced risks related to data privacy, system integrity, regulatory compliance, and the ownership of data. It’s a matter of who owns the data or has control over your data when on cloud,” says Engr. Bandiya. “Obviously, big American cloud corporations have control over the data, thus, one may argue that they own the data. Thus, reliance on third-party cloud providers adds another layer of risk, necessitating stringent security measures. Having said that, the use of cloud infrastructure provides more robust security measures more than what could be provided by the on-premise infrastructures.”
“If the concern is about the sophisticated data breaches and attacks, I would rather go for cloud, but if the concern is about who owns the data, I will go for on-premise,” adds Engr. Bandiya. “The other option that many European countries are considering is the use of Edge Computing, which allows them to process and store the sensitive data at edge level and non-sensitive data in the cloud.”
ATSEP PERSPECTIVES
Understanding and defining the role of air traffic safety electronics personnel (ATSEP) is crucial to institutionalizing sustainable approaches to tackling cybersecurity issues in the CNS/ATM terrains.
“The ATSEP responsible for the CNS/ATM systems will make the decision on how to mitigate the cyber-event to ensure continuity of service even at a degraded mod without compromising safety,” said Theodore Kiritsis.
“ATSEPs play a pivotal role in ensuring the integrity and security of CNS equipment. Traditionally, ATSEPs have been trained primarily in electrical or electronic systems, with limited exposure to cybersecurity concepts,” says Sam Mahlangu. “However, as the aviation industry becomes increasingly digitalised, there is a growing imperative for ATSEPs to upskill themselves and become more IT-conscious. ATSEPs need to undergo comprehensive training in cybersecurity to effectively identify and respond to cyber threats targeting CNS equipment. This includes understanding the various types of cyber-attacks, such as malware injections, denial-of-service attacks, and insider threats. Additionally, ATSEPs must familiarise themselves with network protocols, encryption methods, and cybersecurity best practices to detect and mitigate cyber intrusions effectively.”
“Moreover, ATSEPs should be equipped with the necessary tools and resources to monitor and analyse network traffic for signs of abnormal behaviour or unauthorised access. Implementing intrusion detection systems and security incident response procedures can help ATSEPs promptly identify and mitigate cyber threats before they escalate into full-blown security incidents,” Mahlangu adds. “By enhancing their IT awareness and cybersecurity proficiency, ATSEPs can play a proactive role in safeguarding CNS equipment against cyber threats, thereby ensuring the continued safety and efficiency of aviation operations.”
MITIGATING THE RISKS
Managing the risks and threats associated with cyber incidents, experts have often said, requires a multi-pronged approach, which should necessarily involve the understanding that not all the associated risks can be identified or fully managed as well as an understanding of the role of continuity and enhancement of system resilience.
“Cyber protection is a concept that needs continuity. It is important to have a line of communication between generations that are dealing with these challenges now and the generations that will come in the future,” opines Nikola Cojic. “It is important for people to know what exactly is being defended and how it can be defended. Only then will they be aware of any changes in the functional system and exposure to threats. This is particularly important for ATSEP personnel, who can be first responders in the case of a cyber-attack on air traffic control systems.”
Sam Mahlangu supports the prioritization of cybersecurity within the ANS/ATM infrastructure by aviation authorities and industry stakeholders as a veritable means of mitigating cyber risks. According to Mahlangu: “This includes implementing comprehensive security protocols, conducting regular cybersecurity assessments, and fostering collaboration between cybersecurity experts and aviation professionals. Enhancing the resilience of ANS/ATM systems against cyber threats is paramount to ensuring the safety and integrity of air traffic operations. This requires a proactive approach to identifying and addressing vulnerabilities, as well as ongoing investment in cybersecurity measures to adapt to evolving threats in the digital landscape.”
Dr. Sallami Chougdali offers some pieces of advice for the aviation sector to effectively confront cyber threats. “Risk assessment and vulnerability analysis, the implementation of robust cybersecurity policies and continuous monitoring and incident response are key to confronting cyber threats in aviation,” Dr. Chougdali suggests.
“In addition, there is a need for secure network architecture involving the design and maintenance of a secure network architecture, segregating critical systems from less critical ones to minimize the potential impact of a breach, implementing firewalls, intrusion detection systems, and encryption protocols,” Dr. Chougdali adds. ◙