Cyber Security in the European Digital Strategy: upcoming changes?
The uptake of digital technologies has grown exponentially in the last months since the beginning of the COVID19 pandemic. Since it is one of the key priorities in the European Digital Strategy by the European Commission, Business aviation is also gradually being immersed into digitalisation and needs to build cyber-resilience.
Becoming cyber-resilient can be done through solid information security management systems and an appropriate approach to cybersecurity. Considering our industry provides a service with safety of life risks, cyber-resilience is a critical first concern for facilitating business continuity, as well as upholding the highest level of safety.
Aviation is a system of systems
It relies on globally interdependent, and interconnected processes, which can lead to potential cyberattacks on various actors at national, regional and international level, and so, a consecutive increasing number of security vulnerabilities to detect, test and tackle. Information sharing, clear global vision and international cooperation are key tools to enable the necessary resilience to cyberattacks and cyberthreats.
Aviation decision-makers at global level as well as national level are taking steps to deal with the need to protect aviation’s critical infrastructure, information and communication technology systems and data against cyber threats. The EU already set up horizontal legislation addressing cybersecurity challenges, covering critical infrastructure sectors, including large aviation stakeholders.
On top of this, the Aviation Security regulatory frameworkwas also reviewed to transpose ICAO’s requirements for cybersecurity. EASA is also preparing rules to tackle the safety aspects of information security risks. And so, even though European cybersecurity legislation has been in place for some time, (some) aviation stakeholders are not fully familiar with it.
EBAA is enthusiastic to educate, raise awareness and is developing an informational note to summarise the European policy landscape which is and will apply to our sector. It will be available soon.
Sharing information is important
Information sharing is an essential building block of proper cybersecurity resilience. To serve this purpose, several voluntary information-sharing platforms co-exist at the European level.
EUROCONTROL created the European Air Traffic Management Computer Emergency Response Team (EATM-CERT). It provides support to stakeholders to enable a proper protection ‘against cyber threats that would impact the confidentiality, integrity and availability of their operational IT assets and data’. EBAA has called several times on Eurocontrol’s assistance to detect and deal with fraudulent websites and has always been able to count on extremely quick and efficient replies from EATM-CERT.
Where to start?
Setting up a proper company cybersecurity policy may be an added-value from a customer point of view and also provides clarity within a business as to what protocols to follow in case of a threat to cybersecurity. Business aviation is at the forefront of innovation. This is a key asset to successfully engage – and cope – with travel expectations of the hyper-connected and highly-tech-focused new generation. It is composed of potential future clients who have the tools and the knowledge to compare and analyse all means of transportation.
Business aviation should build on this innovative image in the long term. New costumers will care about data protection. They will only use the services offered by Business aviation with full confidence if it can demonstrate a high degree of cybersecurity resilience and data protection.
The safe transfer of personal data from one organisation to another and between jurisdictions is a requirement upon European Regulation on general data protection. Business aviation stakeholders are required to comply with the regulation and gaving a proper company cybersecurity policy is a good place to start.
Business aviation is in the scope of the (current and future) European cybersecurity rules. It certainly leads to some adaptations in the company’s management systems. While the return on cybersecurity investment is difficult to assess, a cyber-attack may however cost a fortune, potential judicial problems in case of a breach in data protection and significant disruptions in the functioning of the company business.
Want to know more about this topic? We are working on an informational note going into more depth which will be published here soon! In the meantime, please don’t hesitate to contact us if you have any questions.