Aviation Security Managers need to know about Airline Cyber attacks. It is within their remit, and it is also in their Security Manuals. AVSEC Managers might outsource Cybersecurity – but they will still retain full responsibility for it.
Which comes as a surprise to a lot of you.
Are you an Aviation Security manager? Managing Avsec for a regulated entity in accordance with the NCASP?
Or are you an IT Security Manager? Who works in the Aviation infrastructure sector, reporting activities covered in the NCASP to a Security Manager. You too need to bookmark this page.
Under the NCASP (National Civil Aviation Security Plan) Security Managers are legally responsible for their organization’s obligations. Let me repeat that – if you are a Security Manager then YOU ARE LEGALLY RESPONSIBLE should you fail to comply with the obligations of your company in matters of security.
Malicious actors and activities such as breaches, or attacks, or insider threats are yours to answer for. Should you fail in your efforts to protect against cyber criminals. A Cyber Attack on SAS caused havoc earlier in 2023.
The NCASP (National Civil Aviation Security Program) is derived from ICAO guidelines that have been adopted by your National Authority.
The NCASP is an actual document created by your national authority that directs regulated entities (Airports, Airlines, Ground Handling companies, FBO’s) and how they do their jobs as it relates to Aviation Security. It also tells you how you should background check, train, and certify all your staff.
A “Regulated Entity” is a company that’s involved in products or services that include access to aircraft or at the Airport. They are companies that operate at the Airport, or deliver products, or serve the airport/airline community. They are regulated because they provide services in the SRA (Security Restricted Area) and so are high-risk.
This includes Airlines, Airports, Handling Agents, Fuellers, Catering companies or anyone else that needs access to the ramp or the SRA to do their job. Simply put, anyone who might want to introduce a bomb or a weapon on board an aircraft would see these companies as opportunities.
And this regulatory framework – and the NCASP – includes Cybersecurity Strategy. Because it’s 2022. And we no longer need to physically get into these vulnerable areas to cause disruption. Or cause death or destruction. And strong passwords don’t cut it.
First off, Security is not Safety. They are separate and different. We have Safety protocols such as SMS (Safety Management Systems), Safety Training, and Quality Systems (QMS). But Security is separate and additional. Yes, it has identical nomenclature but deals specifically with Security and threats to security.
Each entity (company) operating under the NCASP must have a Security Manager. He, or She, or They must work with a Security Program that outlines all the steps they should take to stop attackers or threats in day-to-day operations. Including Cybersecurity strategies.
CHAPTERS in the NCASP deals with the regulations (read: Obligations) of each area. They detail how you might protect your company from attacks, how you train staff and how to do background checks on people who join your organization. It also addresses Cyber Attacks and Cyber Security Resources.
And so, the responsibility for Cyber activity is at the doorstep of the Security Manager. Not only that, but the technology and business continuity planning around Cyber defense must be included in the security program. We know a lot about the Avsec landscape, and we have been looking closely at this topic for a couple of years.
We’re sad to report that Aviation has not been quick to homogenize virtual security and cyber security. The Airlines lead the way, but that is mostly because their main interaction with their customers is digital. And threats like Ransomware attacks can shut them down and cause billions in damage.
Cybersecurity has been around for a while and malicious software has caused issues for Airlines. British Airways, for example, has had its trials and tribulations. So has American. Cyber attackers are constantly using ransomware to attack poorly defended, out of date devices. Or naïve staff.
The NCASP is good at practical stuff such as hiring staff or putting up fences. But we have been slow on the approach to Cybersecurity. Most worryingly, the Security Manager of the regulated entity is rarely a trained Cybersecurity whizz kid. And the physical and digital securities are managed by different domain experts. Mostly. But they are connected in the eyes of your government.
In a lot of cases Security Managers are just trying to run a business. Or trying to stop stuff from being tampered with or stolen. Most companies have IT software systems and IT cloud services that are run by the IT department, but these are disconnected from normal “Avsec” operations. And herein lies the problem.
In recent years, big airlines have started to see a need to create “pods” with cyber security professionals that handle cyber criminals to ensure the protection of assets. But these cybersecurity controls are the exception. The wider world still has open doors to their critical applications.
So, what exactly does the NCASP cover? In the regulations it is the critical systems used by the airlines and Air Traffic Controllers.
The core Cybersecurity regulations cover what we deem CRITICAL INFRASTRUCTURAL SYSTEMS.
These are.
Aircraft
ATC (Air Traffic Control)
Data Protection (Passengers, Staff, Cargo)
Networks (Communications)
As you can see these are the core elements of Aviation. Where critical software executes an enormous amount of data, and any cybersecurity incident could be extremely dangerous.
As you can imagine the IT security around Aircraft communications systems, Air Traffic Control systems, and Airport data centers are well protected. They have (or should have) cyber security professionals on constant guard.
Layers of cyber security, as well as multiple backup systems, keep serious threats at bay. But as the world becomes increasingly digitized – and the devices we use to share data and that have APIs that make the passenger journey sleeker and more fluid – we open the door further for those who wish to do us harm.
“Known and Unknown threats” to use a popular phrase. Here are the primary threats to Civil Aviation
Religious Fanatics
Criminals
Political activists
Mental Health sufferers and substance abusers
There are also “Insider Threats”. Where staff can abuse their position (or attain it purposefully) to commit an act. Like steal an aircraft to take it for a joy ride.
Because staff offer the most opportunities for clever attackers. That’s right. The easiest and most effective way to beat Cybersecurity is to just gain access via the operational technology. Such as an employee using their login credentials or using direct hard access. Such as popping in a USB key to a server.
The most professional and diligent Cyber Security software team can be beaten by a low-level employee who walks into a server room and sticks a USB stick into a slot. Similarly, a check-in desk employee who leaves her post for a few minutes could allow someone access a system with millions of people’s flight and personal information.
A phishing email or a trojan virus, targeted at the right person, can allow access to operational technology or even critical systems that can threaten flights. And lives.
Security Controls 101 – Hire the right people.
Since 2019, the background checking parameters have changed dramatically. In days of yore, we would call up 1 or 2 previous employers and ask if Fred was a good worker. And you were good to go. Now, thankfully, it’s a different ball game.
Criminal histories are checked via local law enforcement (and higher), and social media and other online postings are reviewed. They also check regional and sometimes global intelligence data sources depending on your role. And they will do this for the last 5 years and in all the countries you have lived to that point.
If you’ve been too political on social media, then you can expect this to be flagged. Especially if you apply for an Airport ID or apply to be a security manager at a regulated entity. But this shouldn’t come as a surprise.
If you are planning to visit the United States sometime in the future, this is part of the checking process in security controls. There’s a rule that we stick by here at WT towers – don’t say anything on social media that you wouldn’t mind being posted on the front page of tomorrow’s Wall Street Journal. If you do, expect it to be read by someone who may have control over your future.
Other than that, your company should really be doing a lot of training of staff. All staff that have access to digital systems could be threatened by Cybercrime. This training should include (as a minimum) how to deal with suspicious emails, social media hacks, phone or text hacks, and phishing simulators. And what you want to focus on is REPORTING.
Staff need to report anything they deem unusual to you immediately. The faster you spot something, the easier the remedy. You will not stop all attacks, but if staff report all of them – you will do a lot better over time.
As an Avsec Manager, you need to be aware of the IT Cyber Strategy and all security controls. Whether you like it or not, it’s going to be part of your domain. Security is security whether the breaches are through a fence, or a door or via a password hack. Why? Because the target is the same.
Passengers, baggage, infrastructure, or Aircraft are always the target. Those guys trying to hack your IT system are not after some other thing that doesn’t affect you. They are after the very same valuable stuff that you have, except they can do it from a great distance and anonymously.
And they will use your staff (knowingly or unknowingly) to do it for them. And if that sounds far-fetched then we can point to many examples of how vulnerable people can be tricked into doing unbelievable things, if the perpetrator is willing to invest time and effort and is persistent.
As a Security Manager, we advise leaving the One’s and Zero’s to the IT experts. But make sure you are compliant, and the Cyber Security systems are suitable for your operation. After that – hire and support staff so they are best equipped for these Cyber-attacks.
And get them to REPORT anything suspicious. People love to be suspicious and to question others. That’s a great trait to have in Avsec.