EASA Cybersecurity 2017 - International Civil Aviation ... Day 1... · Cybersecurity in Aviation...

Cybersecurity in Aviation – EASA Perspective

Rachel Daeschler, Head of Safety Intelligence and Performance

ICAO Cyber Summit, Dubai, 5th April 2017

TE.GEN.00409-001

EASA Mission Statement

To provide the EU citizens safe air travel in Europe and worldwide.

EASA in facts and figures

Partnership with EU Member States

Member states

Implementing EU Legislation

Oversight of national organisations:

Production

Maintenance

Ops/Licensing

Training

ATM

Aerodromes

Implementing rules

Oversight of Member States

Aircraft and products certification

Safety of non-EU operations

Approval of non-EU organisations:

Production

Maintenance

Training

ATM

Attacks on Aviation are happening

On June 21st 2015, operations were disrupted at Warsaw Airport by what LOT Polish Airlines said was a cyberattack on flight-planning computers.

10 LOT flights were canceled and 15 others were grounded for several hours, affecting 1,400 passengers.

Examples

Availability

On July 8th 2015, United Airlines issued a statement saying it suffered from “a network connectivity issue”.

About 4,900 flights were impacted by the problem worldwide.

Aviation Cybersecurity Landscape

[Figure: aviation cybersecurity landscape. Labels: EFB; ATM; WWW; Pax Entert. Services; Software; Hardware; Health and Usage Data; Flight Plans; Weight & Balance; Manufacturer; MRO; Airline; Suppliers]

Software tampering

Denial of SW crates distribution

ICA modification

Maintenance data (e.g. lifing) corruption

Tampering of GSE and EFB

Asset diversion

SW tampering during shop maintenance

Denial of Service Attack

Trojan, Virus and Malware infection

CNS Data spoofing

CNS Data corruption

What is EASA concerned about?

Conditions resulting from exploitation of vulnerabilities having an adverse safety effect on the Aircraft and/or its occupants

for example…

[Diagram labels: EFB, Flight Plan]

The Vulnerability

The FMS software crashes if a malformed flight plan is engaged.

The Attacker Exploitation

An attacker loads a maliciously formatted flight plan onto the FMS

The Safety Effect

The pilot engages the malformed flight plan on the FMS… that crashes, becoming unavailable!

Comparing Safety and Security

SAFETY vs SECURITY

FORTUITY vs INTENT

The notion of INTENT

EASA involvement in Cybersecurity

EASA elaborated a plan and initiated a number of actions

Conference in Brussels, May 25th 2015: EASA tasked to develop an Action Plan

Conference in Bucharest, Nov. 8th - 9th 2016: EASA to facilitate a Strategic European Coordination Platform

Regulations and Standards

Promotion and Awareness

Information Exchange

Collaboration

Review of Safety Rules

Reporting schemes

Standards

Developing the European Centre for Cyber Security in Aviation (ECCSA)

Presenting Cybersecurity in Conferences and Seminars

ECAC, ICAO, ARAC ASISP*, Member States, Industry, Other Aviation Authorities

* Aircraft System Information Security/Protection

What is next?

Two main initiatives foreseen in 2017

EASA tasked to facilitate a Strategic European Coordination Platform including representatives of key Industry stakeholders, Member States, and EU institutions

High Level Meeting

CYBERSECURITY IN CIVIL AVIATION

Core Members and Partners engagement in the ECCSA foundations activities to define governance and sharing rules

Pilot Phase

Thank you