Aviation cyber-security: are we under attack yet?

Written by: Matt Shreeve
Back to insights

Cyber-security was one of the subjects at our 'hot topics' seminar during Farnborough Airshow and deservedly so. The number of talks and articles on cyber-security in the last year has exploded - it was pretty much on a par with remote towers and RPAS at WAC earlier in the year. Cyber-security presents new challenges for an industry that has always been both safety-conscious and keenly aware of the physical threats to a highly symbolic industry. We must overcome these challenges if we are to benefit from the new technologies, connectedness and automation that the industry needs to progress.

Coincidentally at the beginning of the Airshow week, EASA, in announcing their new aviation cyber-security centre, had reported that aviation systems were subject to an average of 1,000 cyber-attacks each month. This sort of data collection and sharing is important if we are to understand the reality of the threats we face, an inter-connected industry means interdependent risks. Most directly, this means that the likelihood of an attack on your systems is dependent on the likelihood of attack on your neighbouring systems, as each interface you have is a potential entry point for attackers

Of course better and more data is needed than a single '1000 attacks' data point. Sharing more (but certainly not everything) about common threats and vulnerabilities is crucial, since if one stakeholder is targeted, you may be next. Indeed, one 'hot topics' seminar attendee confided that their organisation had recently been targeted by a particularly irresistible spear-phishing attack – combining simultaneous email and telephone requests to a member of staff. Sharing attack details, to forewarn others isn't easy, but does strengthen our collective protection and resilience.

In my seminar presentation, I summarised industry developments, pointing out the proliferation of initiatives and groups as the industry continues to work out how to respond. In one timely development, the Directive on the Security of Network and Information Systems (the 'NIS Directive') was eventually adopted by the European Parliament on 6 July 2016, and will enter into force in August 2016. Aviation organisations identified by Member States as 'operators of essential services' (expected to include airports and air service navigation providers) will have to comply. Two of the main requirements are better reporting and cooperation.

Planning ahead in this ever-changing environment is difficult, and risks both duplicated effort, and key activities 'falling between the gaps'. I concluded that a well-coordinated 'gate-to-gate' approach is necessary. Subsequent discussion picked up on this theme – with a good point made that the aviation sector is already complex, but with the NIS Directive coming outside of the aviation domain, then we must find opportunities for streamlining reporting requirements. The next few years will be immensely challenging but the vision is clear – a safe, secure and modern aviation sector that end-users deservedly trust.


Call us to discuss your next project: +44 1252 451 651

Contact us