Filter By:

ERA attends high-level cybersecurity meeting

Cyber attacks against civil aviation could potentially be catastrophic with significant casualties, disruption to services and/or damage to critical infrastructure. The meeting, organised jointly by the French DGAC and EASA, brought together approximately 100 key industry stakeholders to raise awareness of the threats, as well as discuss and develop practical and sustainable policies.

The High-Level Meeting held on 14-15 November at the National School of Meteorology, Toulouse, focussed on the progress achieved to date of the European Strategic Coordination Platform (ESCP) and included three discussion panels. The areas of progress include institutional setup, legislation advancement, risk assessment methodology, cybersecurity promotion, research activities, commitments and resources devoted to cybersecurity to ensure a secure environment for aviation.

The meeting commenced with a welcome address by Patrick Gandil, Director General French DGAC. This was followed by various keynotes on the political dimension of cybersecurity in aviation in Europe. Luc Tytgat, EASA Strategy & Safety Management Director, outlined the concept of the ESCP and why it was created in response to the need for developing a co-ordinated defence against the threat of cyber attack. Tytgat explained that to be consistent, there must be cooperation between all the states to bridge the gap between safety and security. However, the process should not be rushed and it is therefore important to get things done right instead of expeditiously. With this in mind, the signing of the ESCP Strategy on Cybersecurity, which so far has received a high volume of support, was delayed until there is a more co-ordinated approach between all the stakeholders.

Philip Merlo, Director Eurocontrol, warned that a cyber attack on Eurocontrol may not necessarily have direct safety implications, but could still be catastrophic from an ATM perspective. Cybersecurity services are effective only if all stakeholders adopt them, not just some. Therefore, the appropriate funding and resources must be made available to all the stakeholders to enable implementation of the necessary measures to protect themselves from cyber attack.

The first discussion panel focussed on the European Strategy for Cybersecurity in Aviation. The panel addressed the strategic dimension of cybersecurity in aviation and its implications on the various operational actors. The overall aim is for the future aviation system to be a trustworthy and dependable environment, so that aviation stakeholders will be able to rely on services and information provided by others for the accomplishment of their operational objectives. The many references made during day one to the need for a co-ordinated effort was encouraging. All agreed that awareness is key with communicating and the sharing of information paramount and the ESCP is thus on track to achieve a harmonised EU approach between all stakeholders.

Day two of the meeting commenced with the second panel session discussion which covered the regulatory process. Juan Anton, EASA Cybersecurity in Aviation & Emerging Risks Section Manager, set the scene by providing a detailed overview of the ongoing Regulatory Processes Work Stream. Juan outlined the current work of the EASA Rulemaking Task (RmT) on cybersecurity, advising that a Notice of Proposed Amendment (NPA) will be published before the end of 2018. Additionally, a further EASA RmT covering the Requirements for the Management of Cybersecurity for all organisations will result in a further NPA, expected during the first half 2019.

The second panel then discussed the current activities carried out at EASA, in co-ordination with the ESCP, in order to introduce a strong and flexible cybersecurity regulatory system for all aviation domains. The panel outlined the various challenges created by the need to ensure consistency between these activities, the implementation of the NIS Directive (EU) 2016/1148 by the member states and the ongoing amendments being discussed to align the aviation security Regulation (EU) 2015/1998 with the latest amendments of Annex 17 to the Chicago Convention. The panel agreed how it is important for member states to clearly define who will be the competent authority for the cybersecurity elements applicable to aviation organisations, thus ensuring appropriate co-ordination at national level between the authorities responsible for safety and security.

The third and final panel session focussed on the importance of shared trans-organisation risk management and moderated by Stéphane Plichon, EASA Cybersecurity in Aviation Officer. The panel, made up of representatives from various regulatory bodies, including ICAO, DGAC France and Eurocontrol, explored the challenges to be faced by the aviation community in the near future with regards to cybersecurity and how they are appealing for a renewed approach for risk management. The panel discussed the benefits of shared trans-organisational risk management as well as the obstacles to overcome from the perspective of the different stakeholders in the aviation sector.

To conclude, the meeting was very well attended and there was excellent debate both during the panel sessions and the networking breaks. As explained previously, the consensus of opinion is there should not be a rush regarding the concept of introducing mitigating measures to combat the threat of cyber, as the issue is too important to get wrong. Therefore, information exchange and deliberation will continue in order to achieve the ultimate goal of a co-ordinated approach between all stakeholders that will make the aviation industry both safer and secure.

For further information regarding cybersecurity and the work of the ESCP, please contact Christopher Mason, Manager Policy & Technical via email christopher.mason@eraa.org