Cyber threats to the aviation sector are rapidly becoming a major issue for airlines, aircraft manufacturers and authorities. But Europe faces both legacy problems and new challenges in addressing cyber risks to its air transportation systems.
Sources consulted by EURACTIV.com describe a fragmented landscape, with a poor understanding of the threat by officials, and substantial differences within the industry when it comes to the involvement of the EU.
“For the time being, it is extremely difficult to exchange information,” said Pascal Andrei, who has been responsible for aircraft security at Airbus for fifteen years.
After years of being neglected as a major issue, cyber security is now becoming a priority in Europe. Inspired by US efforts, the EU is trying to catch up.
However, officials and the private sector are still trying to calibrate the right level of cooperation, as the industry considers that EU authorities, mostly the Commission, are “far from reality” on this matter. “There is too much bla bla bla,” an industry source said.
“Cybersecurity and cyber attacks are a rapidly developing issue,” said Dirk Polloczek, president of the European Cockpit Association. “We need to invest more on what could be done, but the question is also who is responsible and who is leading,” he added.
Late and duplicated
The US created an Aviation Information Sharing and Analysis Center (A-ISAC) in September 2014.
Its goal is to exchange sensitive information about incidents and vulnerabilities in a “secure trust network”, the A-ISAC website says.
The group includes airlines, Boeing and intelligence agencies such as the National Security Agency, the FBI and the CIA.
Airbus and Lufthansa are the only European voices in the association, according to one of the members.
While in the US all efforts to tackle cyber attacks have been channelled through the A-ISAC, in Europe, government and industry are developing different initiatives.
Last February, the European Aviation Safety Agency (EASA) set up a European Centre for Cyber Security in Aviation (ECCSA).
EASA invited aircraft manufacturers, airlines and other stakeholders to become members of ECCSA (free of charge) in order to benefit from intelligence sharing on cyber attacks.
The EU agency also offered operational means to face these threats.
“It is not so easy to connect all these actors because they tend to work in isolation most of the time”, said Davide Martini, aviation cybersecurity officer at EASA and responsible for the implementation of ECCSA.
“We saw in the past not really efficient dynamics in information exchange relevant to cybersecurity,” he commented.
But companies remain wary of the EU’s role in dealing with cyber risks.
Some players decided not to wait for the EASA’s initiative and, in November, set up a European Strategic Coordination Platform.
The platform will include key industry stakeholders, but also member states and EU institutions. A first meeting is scheduled for 2017.
The new platform will replace an existing informal group including Airbus, airlines and other actors.
Not with you
But the participation of the EU institutions could impact on the free flow of sensitive information, some industry sources feared.
The largest aircraft manufacturers also hold different views on the EU authorities’ involvement.
“We support Boeing’s approach of having a closed-door system to exchange sensitive information, but in order to face a threat which is organised and worldwide, you need to talk to other people. So it should work both ways,” said Airbus’s Andrei.
“Boeing is among the members of the aviation industry actively participating with government agencies and industry partners in efforts to make commercial aviation, already the safest form of transportation, even safer,” according to Boeing’s Vice President for Safety, Security & Compliance, Elizabeth A. Pasztor.
“Developing and agreeing upon cybersecurity standards for airliners and advancing information sharing both across industry and governments are some of those efforts,” she replied in a statement.
Andrei argued that EU institutions should play a role as a “music director” in order to harmonise specifications and requirements for manufacturers, airlines, airports, suppliers and air traffic management systems.
“Today, most EASA regulations are for aircraft manufacturers. However, security is a chain. You need to harmonise the specifications and requirements and address all stakeholders.”
He hoped that stakeholders would still exchange a lot of information once the EU institutions are part of the new industry-led platform.
But he stressed that officials also needed closer contact with experts who have operational knowledge when drafting operational directives, in order to bolster their proposals.
Other industry voices bluntly commented that, to guarantee that companies continue sharing sensitive information once the Commission and EASA are involved, these institutions should have the appropriate skills and competences, which is not the case today for the executive.
“Probably we will be more exposed to cyber-security information than we are today,” EASA’s Martini said.
“That will mean that EASA will be successful because this is exactly the purpose of the enterprise but not only for us, for every [ECCSA] member.”
The Commission did not respond to EURACTIV’s request for a comment.
EASA believes that the EU institutions’ approach (‘top-down’) and the industry-led effort (‘bottom-up’) are “complementary initiatives” and are both needed, a spokesperson said.
Mistrust exists not only between the EU and the aviation industry but also between member states.
This hampered the exchange of sensitive information in the past because countries “don’t share the US mindset when it comes to the security culture”, Andrei explained.
Working with the A-ISAC may be easier not only because all the intelligence agencies belong to a single country, but also thanks to the stakeholders’ “patriotic” stance that inspires them to address common threats, the Airbus official said.