Air transport gets up to speed on cybersecurity
Thales is a tier-one supplier to major players in the air transport sector, including aircraft manufacturers, airlines, airport operators and air navigation services, and already has extensive experience of delivering network security solutions. The recently launched Cybersecured in Thales initiative is a broad-based programme aimed at helping customers step up to the cybersecurity challenges facing the air transport sector today.
More collaborative and more exposed to cyberthreats
Air traffic modernisation, built around the SESAR programme at European level, is based on the deployment of a battery of digital technologies — routers, software, onboard systems, antennas, etc. — on the ground (in control centres and weather stations), in the air (on board airliners) and in space (via satellites). All of these elements are connected to a vast network that enables information to be shared between all of the players concerned (known by the acronym SWIM in Europe). The connected aircraft is at the heart of this structure, acting as a node in the overall system and capable of exchanging data across the entire network environment as well as proposing new services to passengers via in-flight entertainment (IFE) systems.
Compared to a two-way communications model with exchanges between aircraft and control tower, airport and airline, etc., this new collaborative approach delivers gains in efficiency and competitiveness at all levels (less congestion around airports, optimised flight paths ensuring reduced fuel consumption, smoother airport operations based on real-time information updates, enhanced passenger information, etc.). On the downside, however, it increases vulnerability to cyberthreats.
With massive cyberattacks getting even bigger and becoming increasingly prevalent (the WannaCry ransomware attack in May 2017, for example, hit more than 200,000 victims in 150 countries), it is an urgent priority for players in the air transport sector to be aware of the risks involved and the solutions available to mitigate the threats. From the theft of passenger information to denial-of-service or ransomware attacks or even the destruction of air transport infrastructure, cyberattacks can be targeted at any or all of the links in the chain, and can have a major impact on operations.
Despite the many industry-wide initiatives aimed at improving cybersecurity at all levels within the air transport system, IT security capabilities across the sector still display widely varying degrees of maturity. To raise awareness, Thales has developed various programmes targeted at different stakeholders in the air transport sector.
Boosting awareness, convincing industry players
The major challenge facing airlines is how to manage the risks associated with increased aircraft connectivity and the advent of latest-generation “e-enabled” aircraft like the A380, A350, B787 and others. The connected IT architectures of these new aircraft leverage the power of digital information and communications systems to help flight crews operate more efficiently, optimise maintenance operations and boost airline revenues.
With the aircraft itself acting as a node in the information system, cybersecurity has to be taken into account at every level. It needs to be factored into incident response plans and there have to be ways to detect cyberattacks during a flight. Onboard WiFi systems need to be secure, and passengers’ personal data needs to be protected.
According to a recent PWC survey, 85% of airline CEOs say they are concerned about cybersecurity, compared with 61% of CEOs in other industries.
Thales’s awareness programmes are starting to deliver results: the company is working with one airline, for example, to help manage the cyber risks associated with the entry into service of its A350 fleet. In conducting the cybersecurity risk assessment for this customer, Thales combined its knowledge of the processes involved in airline operations with the specialised know-how of its cybersecurity teams.
Another key challenge is organisational. Airlines have offices at every airport and use their IT systems for a wide range of operational tasks. So a coordinated approach to risk management and cybersecurity is critical.
Air Navigation Service Providers (ANSPs), meanwhile, are starting to be considered as critical infrastructure providers in terms of cybersecurity. This means that they will be legally required to implement special security measures to protect against cyberattacks.
This is a complex task, particularly because levels of maturity and the different legal and regulatory requirements vary so widely from country to country. Thales is currently holding workshops with ANSPs to explain the key issues and challenges, and present ways to improve cybersecurity.
Although some in the sector remain to be convinced, cybersecurity is seen as a growing concern by ANSPs, and two major air traffic management operators have already called upon Thales to carry out cybersecurity evaluations.
At airports, the sheer number of stakeholders (airport operators, subcontractors, police and security personnel, etc.) and the variety of different systems involved (Airport Operational Databases, SCADA, passenger information, baggage handling, access control, etc.) make cybersecurity a critical factor in effective information sharing and coordination of airport operations and the key to the success of the digital transformation.
Industry-wide cybersecurity initiatives
The players in the air transport sector are highly interdependent, and today they are becoming increasingly interconnected. As a result, the sector needs to adapt its cybersecurity posture and adopt a coordinated approach at all levels, just as it has done with flight safety.
Leading industry organisations have understood this, and are actively communicating around the topic. The International Air Transport Association (IATA), for example, has issued an “aviation cybersecurity toolkit” to its members, and the initiative is bearing fruit: as of 2016, as many as 91% of airlines were planning to invest more in cybersecurity over the coming three years, compared with less than half (47%) three years earlier.
Thales is actively involved in ongoing industry initiatives. At European level, for example, the Aerospace and Defence Industries Association of Europe (ASD) has set up a Civil Aviation Cybersecurity task force, which I chair. The task force is involved in drawing up the cybersecurity roadmap of the European Aviation Safety Agency (EASA), with the aim of establishing regulations that can be implemented from the first quarter of 2019 onwards. At global level, the International Civil Aviation Organization (ICAO) adopted a resolution on cybersecurity in civil aviation in October 2016 — the organisation’s first resolution dedicated entirely to cybersecurity. It gives the ICAO a clear mandate to move more quickly on cybersecurity issues and will ultimately require each individual member state to propose a cybersecurity action plan.
As an active member of various industry working groups, Thales is pushing for action on a number of fronts, including integration of cybersecurity into communications standards (Asterix, ADS-B, ACARS, CPDLC, etc.), cybersecurity evaluation and certification of systems, products, components and services, and management of vulnerabilities in terms of disclosure and awareness.
A comprehensive value proposition
Underpinning the Cybersecured in Thales initiative is a unique combination of specialised aerospace know-how and cybersecurity capabilities. This allows the Group to offer a comprehensive cybersecurity value proposition specifically for the air transport sector, with cutting-edge solutions and services including multi-level protection (from perimeter security to the protection of core system components); tailored solutions for specific domains such as communications, radar, air traffic management, IFE, avionics, etc.; preventive maintenance; security supervision incorporating specific threat intelligence; and rapid response teams in case of an attack.
With its unique positioning in the aerospace sector and a comprehensive vision of the air transport industry and the cybersecurity challenges it faces, Thales has an increasingly important role to play in defining cybersecurity solutions and standards to support air transport in its digital transformation.
Thales, a key player in cybersecurity
No.1 in banking transaction security, managing 80% of the world’s bank transactions
Cybersecurity for 9 out of the top 10 Internet giants
5,000 IT and security engineers, including 2,000 cybersecurity specialists supporting security operations in over 50 countries
3 Cybersecurity Operations Centres (CSOC) (France, UK, Netherlands)
5 high-security data centres
Only player in the industry to operate its own ITSEF/CERT (Information Technology Security Evaluation Facilities/Computer Emergency Response Team)
(1) The SESAR (Single European Sky ATM Research) programme aims to provide Europe with high-performance air traffic management systems. Its ambitious objectives include cutting air traffic control costs by half, reducing the environmental impact of flights by 10%, improving safety by a factor of ten, and enabling a three-fold increase in airspace capacity. The US equivalent of SESAR is the NextGen programme.
Thales is the leading industry partner in SESAR, and the only one working across all of the programme’s different segments (ground infrastructure; communication, navigation and surveillance (CNS); flight management systems (FMS); and satellite systems). Thanks to its comprehensive vision, Thales is also a key contributor to the programme’s cybersecurity roadmap.
(2) SWIM: System Wide Information Management. Find out more at: www.eurocontrol.int/swim
(3) Supervisory Control and Data Acquisition systems, used for remote control of technical systems and facilities
(4) Source: SITA annual Airline IT Trends survey