Over the decades, stakeholders within the field of aviation have been forced to pay more and more attention to potential cybersecurity threats. EUROCONTROL is one such party.
“When I joined EUROCONTROL 25 years ago, cybersecurity was not a concern,” Patrick Mana, Cybersecurity Program Manager at EUROCONTROL and European Air Traffic Management Computer Emergency Response Team (EATM-CERT) Manager, told AeroTime in an interview at World Aviation Festival 2023. “I started trying to introduce it in 2009, but there was no appetite for it.”
After several attacks and/or incidents, attitudes started to change. Part of that has been digitalization “that we are all facing,” Mana said, adding that cyber threats “are part of digitalization”, with cyber criminals also undergoing their digitization revolution too.
“The world has completely changed, the IT environment has completely changed,“ Mana noted.
One of the signs that the world has changed is the more frequent attacks against the European aviation system since Russia invaded Ukraine in February 2022. According to Mana, the frequency has increased “significantly” since that time, more specifically distributed denial-of-service (DDoS) attacks. He pointed out that those DDoS attacks have been mostly aimed at airports of countries that have supported Ukraine.
But the system’s resilience comes back to the proudest moment of his 25-year-long career at EUROCONTROL, namely the creation of the EATM-CERT. Supporting EUROCONTROL’s services that it provides to the air traffic control sector, EATM-CERT helps stakeholders “protect themselves against cyber threats that would impact the confidentiality, integrity, and availability of their operational IT assets and data”.
“It was something I pushed for at the beginning, we started from scratch, and we had to create everything,” Mana said, adding that the service is now helping stakeholders supporting the European aviation market and is being recognized for adding value.
“I am really happy about that,” Mana said.
Proactively countering threats
But there are ways to proactively counter cybersecurity threats, even within the realm of aviation.
By way of example, Mana pointed out that they were able to anticipate attacks on EUROCONTROL by finding threats from hacktivist groups on Telegram. Still, according to the EATM-CERT Manager, that does not mean that companies can come up with “miracles” and improve their systems’ resilience, “but at least people are ready”.
“From a human point of view and from a psychological point of view, it changes your mindset,” Mana continued, noting that knowing an attack is very likely coming can certainly change your mindset.
According to Mana, aviation, like any other sector, is prone to cyber attacks. Some attacks are aimed at the corporate level, with phishing activities, while others could impact the operational side of an organization.
“Air Navigation Services Providers [ANSP] are not the top targets,” Mana commented, adding that the reason is that they are “not commercially exposed”. The EUROCONTROL representative pointed out that the vast majority of cyber attacks are financially motivated, which is why attacks against ANSPs are hard to monetize.
“[ANSPs] do not hold, for example, passenger data, including credit card data,” he continued. While they are not immune from attacks, the greater proportion of the attacks can be compared to those affecting airspace users, airports, or aviation, including aircraft manufacturers.
Focusing on responding to cyber attacks
Still, cyber incidents within the domain of air traffic control have been rare, at least on the surface.
According to Mana, that is a good thing, because during a time of crisis, cybersecurity teams want to control the situation as much as possible. “We want to be the first to disclose information and to explain certain problems and there are cyber attacks that can take weeks or months to understand,” he said.
“The less you are in the media, the more you can work in a quiet way and focus on the cyber attack itself,” he added. Another reason Mana highlighted as to why some of those incidents might go under the radar, at least in terms of the general public, is that many people have no knowledge about the roles of ANSPs, even if they understand airlines and airports.
But for ANSPs and EUROCONTROL, the threats are similar to those that other industry service providers have continued to face.
“We are subject to attacks like phishing or malware because some cyber threat actors are randomly sending out emails, trying to enter a system, scanning, and they do not even know what kind of entity it is,” Mana explained. “But if they have a grip, they use it.”
However, the industry is also facing operational attacks, with hacktivists flooding systems with DDoS attacks, which is also seen due to the “geopolitical context” within Europe.
Regulations are also hard to navigate, Mana noted. “We have two sides of regulations, one from the International Civil Aviation Organization [ICAO] or from the European Union Aviation Safety Agency [EASA] and from the European Union [EU],” he noted.
“We have to reconcile the two and it is a challenge, not only from a compliance point of view but also from the reconciliation of the two, since [ICAO and/or EASA and the EU] can request nearly the same things in two slightly different ways,” Mana expressed.
This is especially true as, at the end of the day, EUROCONTROL as well as all aviation stakeholders have a single information security management system that they operate, which makes navigating regulatory hurdles a challenge.
At times another challenge could be the lack of data from aviation stakeholders of EUROCONTROL member states. While Mana noted that EATM-CERT has “a reasonable view of what is happening”, the more information the stakeholders share, the better. This would also help understand “variations across time and geographical areas” when aviation stakeholders are facing a cyber attack.
The landscape continues to change, too, not least with the dawn of the era of Artificial Intelligence (AI).
According to Mana, “the bad guys are using AI to generate more efficient attacks that are also less expensive, while also opening up the capability to conduct a cyber attack on a wider audience”.
“For us, that is an issue, because that will disrupt our understanding of who can attack and what motivated them to do so,” he said. “It is a change in the threat landscape, we maybe have new motivating factors and ways of executing cyber attacks that are generated by AI”.