Aviation Cybersecurity: Regulatory Approach in the European Union
Hardcover, English, 2019, 1st edition, 9789462369610
Summary
Key to the growth of aviation are the global, high levels of safety and security exercised by all stakeholders. However, as the aviation industry becomes more reliant on technology, which is increasingly becoming more interconnected, sophisticated and automated, the number of vulnerabilities is increasing, and this is impacting safety and security. This is because cyberattacks are becoming more prevalent, with the potential to cause accidents and incidents. Cybersecurity in aviation is becoming a serious issue that all aviation stakeholders must consider in order to protect contractual partners, third parties and themselves.
In order to increase cybersecurity, regulators at all levels are beginning to react to the threat of cyberattacks. This book addresses the question whether the current regulatory approach in the European Union is appropriate for international civil air transportation. Based on a critical analysis of EU aviation law, as well as related international law, with particular emphasis on cybersecurity as a transversal topic, it will be argued that the current legal status quo is not appropriate and needs to be changed.
This book is designed for anyone involved with aviation law and policy who wishes to gain more understanding of aviation cybersecurity, as well as anyone involved in cybersecurity more generally, or in other areas of transport, who wishes to gain a better understanding of the law in this area.
Keywords
cybersecurity, aviation security, European law, aviation, legislation, regulation, international law, risk management, compliance, safety, cyberattacks, European Union, ICT (Information and Communication Technology), digital security, transport, ICAO, EASA, information sharing, cooperation, treaties, policy
Table of Contents
Acknowledgements xvii
Introduction 1
I Key Observations in Aviation Cybersecurity 5
1 Growth of Aviation Cyberattacks 5
1.1 Introductory Remarks 5
1.2 Genesis of Aviation Cyberattacks 5
1.3 Catalogue of Aviation Cyberattacks 6
1.4 Reasons for the Growth in Aviation Cyberattacks 10
1.4.1 Increased Number of Computers 10
1.4.2 Increased Connectivity with the Internet 12
1.4.3 Increased Automation 13
1.4.4 Increased Motives 15
1.4.5 Increased Reliance on Cyberattacks 15
1.4.6 Putting It Together 15
2 Aviation Cyber-Based Attack Methods 16
2.1 Introductory Remarks 16
2.2 Electronic-Based Cyberattack Methods 16
2.2.1 Malware 16
2.2.2 Denial of Service and Disruptive Denial of Service 18
2.2.3 Jamming and Spoofing 18
2.2.4 Tapping and Eavesdropping 19
2.2.5 Phishing 20
2.3 Physical-Based Cyberattack Methods 20
2.3.1 Theft 20
2.3.2 Tampering 21
2.3.3 Forceful Control 21
2.3.4 In Situ 21
3 Aviation Cybersecurity Victims 22
3.1 Introductory Remarks 22
3.2 Airlines and Manufactures 22
3.3 Airlines and Ground Infrastructure 25
3.4 Airports and Public Entities 27
3.5 Unmanned Aircraft 29
3.6 Passengers 30
3.7 Other Stakeholders 30
3.8 Accidental v. Deliberate 31
4 Aviation Cyber Attackers 32
4.1 Introductory Remarks 32
4.2 Categories of Attackers 32
4.3 Nation State and State-Sponsored Actors 34
4.4 Hacktivists and Hacktivism 36
4.5 Journalists 37
4.6 Terrorists and Criminals 38
4.7 Insiders and Opportunists 39
4.8 Anyone and Script Kiddies 40
4.9 Attribution 41
II European Union Regulation of Aviation Cybersecurity 44
1 Introduction 44
1.1 European Union Cybersecurity Strategy 44
1.2 Digital Single Market Strategy for Europe 45
1.3 Resilience, Deterrence and Defence in the European Union 47
1.4 Endorsement of the Strategies: Tallinn Digital Summit 49
2 Role of the European Union in Air Transport 49
2.1 Legal Basis for Air Transport in the European Union 49
2.2 Regulating Aviation Safety in the European Union 51
2.2.1 Regulation 216/2008 and the European Aviation Safety Agency 51
2.2.2 Joint Aviation Authorities 52
2.2.3 Objective and Scope of the European Aviation Safety Agency 52
2.2.4 Regulation 216/2008 and Cybersecurity 54
3 Early Steps Taken by the European Aviation Safety Agency 56
4 European Aviation Cyber Strategy – Bucharest Declaration 57
4.1 Coordination 58
4.2 Sharing of Information and Reporting 59
4.3 Regulations 62
4.4 Risk Assessments 63
4.5 Cybersecurity Promotion, Awareness and Preparedness 63
4.6 Knowledge and Foresight 64
4.7 Commitment and Resources 64
4.8 Next Steps 65
4.9 Bucharest Conference in Context 65
4.10 Transport Cybersecurity Conference 66
5 Information Sharing Activities Post Bucharest 67
6 European Aviation Cyber Strategy – Krakow Declaration 69
6.1 High Level Conference on Cybersecurity 69
6.2 Role of the European Aviation Safety Agency 69
6.3 Role of Other Stakeholders 70
6.4 Non-Regulatory Solutions 74
6.5 European Strategic Coordination Platform 75
7 European Aviation Safety Agency Rulemaking Programme 76
7.1 Rulemaking Competencies of European Aviation Safety Agency 76
7.2 Rulemaking Programme and Cybersecurity 77
7.2.1 RMT.0648 – Amendments to Certification Specifications 78
7.2.2 SPT.071 – Cybersecurity Road Map 84
7.2.3 SPT.072 – Aviation Computer Emergency Response Team 84
7.2.4 RMT.0720 – Cybersecurity Risks 85
7.2.5 SPT.071 – Strategy for Cybersecurity in Aviation 87
7.2.6 RES.012 – Common Aeronautical Vulnerabilities Database 88
8 Information Sharing and Cooperation in the European Union 88
8.1 Foundations of the European Centre for Cybersecurity in Aviation 88
8.2 Computer Emergency Response Team – European Union 89
8.3 Membership of the European Centre for Cybersecurity in Aviation 90
8.4 Network and Information Systems Directive 91
8.5 ‘Large-Scale’ Cybersecurity Incidents and Crises 94
8.6 Responsible Disclosure 95
9 New Aviation Safety Regulation 96
9.1 European Union Aviation Strategy 96
9.2 Objective and Scope of the European Aviation Safety Agency 96
9.3 Recital to Regulation 2018/1139 99
9.3.1 Recital 12 99
9.3.2 Recital 59 100
9.3.3 Use of the Terms ‘Security’ and ‘Safety’ 100
9.3.4 Context: Regulation 2018/1139 105
9.4 Principles for Measures Under This Regulation 105
9.5 Interdependencies Between Civil Aviation Safety and Security 106
9.5.1 Article 88(1) 106
9.5.2 Article 88(2) 107
9.5.3 Article 88(3) 108
9.6 Essential Requirements to Regulation 2018/1139 110
9.7 Implementing Rules 113
10 Aviation Security in the European Union 115
10.1 Introduction to the Aviation Safety Regulation 115
10.2 European Civil Aviation Conference 116
10.3 Objectives of Regulation 300/2008 117
10.3.1 Protect Against 118
10.3.2 Unlawful Interference 118
10.3.3 Must Jeopardise the Security of Civil Aviation 120
10.4 Scope of Regulation 300/2008 120
10.5 Common Basic Standards 121
10.5.1 Restricted Areas 123
10.5.2 Prohibited Articles 123
10.5.3 Training 125
10.5.4 Third Countries 126
10.6 Additional Common Basic Standards 127
10.7 More Stringent Measures and Derogations 127
10.8 Implementation and Oversight 129
III International Regulation of Aviation Cybersecurity 131
1 Introduction 131
2 Setting the Scene: Declaration on Cybersecurity in Civil Aviation 132
3 Convention on International Civil Aviation of 1944 134
3.1 Applicability of the Chicago Convention 134
3.1.1 International 134
3.1.2 Aviation 136
3.1.3 Civil 138
3.1.4 War and Emergency Conditions 138
3.1.5 Cybersecurity 139
3.2 Shooting Down of Civilian Aircraft 140
3.2.1 Setting the Scene 140
3.2.2 Background to Article 3 bis 143
3.2.3 Definition in International Law 144
3.2.4 Definition in ‘Cyber Law’ 146
3.2.5 Closer to a Definition? 146
3.3 Misuse of Civil Aviation 147
3.4 Scheduled and Non-scheduled Air Services 149
3.4.1 Introductory Remarks 149
3.4.2 Non-Scheduled Air Services 149
3.4.3 Scheduled Air Services 150
3.4.4 Case Study: United States – European Union Air Transport Agreement 151
3.5 Other Articles of the Chicago Convention 156
4 Annexes to the Chicago Convention 157
4.1 Introductory Remarks 157
4.2 Annex 17 on Security 159
4.2.1 ‘Cyber Threats’ 159
4.2.2 Aviation Security Manual 162
4.2.3 Aviation Security Policy Section 163
4.3 Unlawful Interference 163
4.4 Electromagnetic Interference 168
4.5 Filling the Gaps 169
4.6 Limited Scope of Annexes 170
5 International Civil Aviation Organization 172
5.1 Introductory Remarks 172
5.2 General Assembly Resolutions 173
5.2.1 First Ever Cybersecurity Resolution 173
5.2.2 Working Papers 176
5.3 Global Aviation Security Plan 180
5.4 European Aviation Security Training Institute 181
5.5 External Support 182
5.6 Secretariat Study Group on Cybersecurity 184
6 Industry High Level Group 185
6.1 Introductory Remarks 185
6.2 Airports Council International – World 187
6.3 Civil Air Navigation Services Organization 187
6.4 Eurocontrol 188
6.4.1 Background 188
6.4.2 System Wide Information Management 188
6.4.3 CS6-7 Operations and Coordination of Network Security 188
6.4.4 White Hack Hackathon 190
6.4.5 Training 190
6.5 International Air Transport Association 191
6.5.1 Background 191
6.5.2 Three-Pillar Strategy 191
6.5.3 Regulatory Efforts 192
6.5.4 Cybersecurity Toolkit 192
6.5.5 Operations Work Groups 193
6.6 International Coordinating Council of Aerospace Industries Associations 194
6.7 International Federation of Air Line Pilots 194
6.7.1 Background 194
6.7.2 Position Paper 195
6.7.3 Security Briefing Leaflet 195
7 International Criminal Aviation Law Treaties 195
7.1 Introductory Remarks 195
7.2 Cybersecurity Offences 196
7.2.1 Tokyo Convention 1969 196
7.2.2 The Hague Convention 1970 198
7.2.3 Montreal Convention 1971 200
7.2.4 Montreal Protocol 1988 205
7.2.5 Beijing Convention 2010 206
7.2.6 Beijing Protocol 2010 207
7.2.7 Montreal Protocol 2014 208
7.3 General Issues 208
7.4 Liability Conventions 210
7.5 Cybersecurity Treaties (Budapest Convention 2001) 211
7.5.1 Introduction 211
7.5.2 Cybersecurity Offences 211
7.5.3 Procedural Elements 213
7.5.4 Jurisdiction for Aircraft 213
7.5.5 Remain Points 214
Conclusions 215
1 Summary: Is the Current Regulatory Approach in the European Union Appropriate for International Civil Air Transportation? 215
2 Next Steps 219
3 Cybersecurity Considerations for Aviation Regulation 220
3.1 Introductory Remarks 220
3.2 Control Types 220
3.2.1 Physical Controls 220
3.2.2 Technical Controls 221
3.2.3 Procedural Controls 221
3.2.4 Legal Controls 222
3.2.5 Putting It Together 222
3.3 Control Modes 222
3.3.1 Preventative 222
3.3.2 Detective 223
3.3.3 Corrective 223
3.3.4 Putting It Together 223
3.4 Life Cycle of a Cyberattack 223
3.4.1 Initial Reconnaissance 223
3.4.2 Penetration and Gaining a Foothold 224
3.4.3 Following Access 225
3.4.4 Exfiltration 225
3.4.5 Putting It Together 226
3.5 Digital Defence Points 226
3.6 Common Goals 227
3.6.1 Confidentiality 227
3.6.2 Integrity 227
3.6.3 Availability 227
3.6.4 Putting It Together 228
4 Aviation Considerations for Cybersecurity Regulation 228
4.1 Introductory Remarks 228
4.2 Regulations 228
4.3 Development of Industry Standards 229
4.4 Information Sharing and Reporting 230
4.5 Risk Assessments 230
4.6 Training 230
4.7 Commitment of Resources 230
4.8 Awareness Promotion 231
5 Six Basic Assertions 231
5.1 Cybersecurity Will Grow in Importance for Civil Aviation 231
5.2 Cybersecurity Is Not One Homogenised Topic, But Is an Overarching Title That Encompasses Numerous Acts, Different Actors, Varying Victims and a Plethora of Consequences 233
5.3 Regulation Should Not Be the Only Tool in Promoting Cybersecurity 233
5.4 Role of the European Union in Aviation Cybersecurity Will Increase 234
5.5 Regulators Must Work More Closely with Stakeholders from All Domains and Not Just Aviation Stakeholders or Member States 235
5.6 Convention on International Civil Aviation and Its 19 Annexes Have Not Gone Far Enough to Effectively and Efficiently Regulate Aviation Cybersecurity 236
6 Overall Conclusion 236
About the Author 237
List of Tables and Figure 239
Index 241