A rising threat in aviation
According to the European Aviation Safety Agency (EASA), the aviation industry currently receives over 1,000 cyber-attacks per month. Aircraft infected with malware and security breaches have caused delays and loss of vital information. With the implementation of more advanced technology, such as that forming part of the Single European Sky ATM Research (SESAR) Programme, an increasing concern is that, one day, terrorists sitting at home will be able to cause an aircraft to crash or disappear from radar screens.
In response to this growing threat, the EASA has recently announced the implementation of the European Centre for Cyber Security in Aviation (ECCSA). The ECCSA forms part of a wider initiative aimed at protecting Europe’s aircraft and drones from cyber threats. The intention is to involve the whole aviation chain, from air traffic control to airports and maintenance organisations.
A bigger issue?
Despite a focus on airlines, it is not just aircraft and drones that may be targeted but the aviation industry as a whole. Cyber-attacks are becoming both more frequent and more sophisticated. Incidents vary from the inconvenience of a malware attack, to the loss of millions of pounds/dollars where payment has inadvertently been made to hackers instead of the supplier. In these cases, hackers socially engineer their way into your network, patiently watch your activities and then strike at the right moment to obtain payment into a bank account that has been compromised.
As well as unauthorised payments, a cyber-attack may result in a network being taken offline, business interruption, reputational damage and contractual breach, incurring financial penalties and cancellation of contracts.
Changes in the legislation
In May 2018, parts of the aviation industry will become subject to the Network and Information Systems Directive (NISD). The aim of the directive is to set common standards for network and information security across the EU. It places obligations on operators of essential services, such as air carriers, airports and air traffic control services, to take appropriate security measures and to notify national authorities of serious incidents.
Shortly after the NISD comes into force, we will also become subject to the new General Data Protection Regulation (GDPR), which will have an impact on businesses’ obligations to protect personal data.
What steps should you take?
Ultimately, the aim is to protect your systems, infrastructure and information from external attacks, internal user weaknesses and system/software defects. As with all exercises in risk management, you must identify what critical assets and data are at risk to ensure that your security strategy is robust. This should include assets that are controlled by network computers, as hackers often exploit weaknesses in third-party vendors used by organisations to gain access.
To ensure you are protected and legally compliant:
- Update virus software and patches, including prompt installation of critical patches and documentation of such actions.
- Intrusion detection software should be considered as it provides timely detection and reporting of security incidents.
- Conduct regular security reviews of systems to identify weaknesses/risks and take steps to mitigate them.
- Training staff in cyber security is crucial to managing the risks.
- Have policies and protocols in place to protect your networks – regularly test and monitor these.
- Disaster recovery and business continuity policies must address cyber risk, as well as physical risks.
- Insurance is an important risk management tool to recover losses and damage caused by a cyber-attack.
How can we help?
We can assist you in managing a cyber-attack or data breach. We advise on:
- risk mitigation measures including cyber security assessments
- policies and protocols (including response plans) to protect your network
- the immediate response to a cyber breach or incident
- assisting with the notification of customers and suppliers
- regulatory investigations
- handling customer complaints
- statutory liabilities arising from the breach.
For more information on aviation law or related enquiries, contact Alina Nosek, Head of Aviation.
Published: 2 May 2017