Cyber Security in Aviation
VerifiedAdded on 2023/04/17
|115
|33698
|384
AI Summary
This thesis explores the significance of cyber security in the aviation industry, focusing on the measures taken to protect against cyber threats. It covers the legal standpoint, pillars of aviation, and includes case studies to provide a comprehensive understanding of the topic.
Contribute Materials
Your contribution can guide someone’s learning journey. Share your
documents today.
Cyber Security in Aviation
Thesis
Hp
Thesis
Hp
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Cyber Security in Aviation
Table of Contents
Chapter 1: Introduction....................................................................................................................3
1.1. Introduction to Cyber Security..........................................................................................4
1.2. Introduction to Aviation....................................................................................................7
1.3. Introduction to Cyber Security in Aviation - Airlines, ATC and Airports.......................9
1.4. Research objectives, hypothesis and questions...............................................................13
1.4.1. Research objectives.................................................................................................13
1.4.2. Research hypothesis.................................................................................................14
1.4.3. Research questions...................................................................................................14
1.5. Research methodology....................................................................................................14
1.6. Research outline (chapterization)....................................................................................15
Chapter 2: Legal standpoint and bodies.........................................................................................18
2.1. International regulator: ICAO.........................................................................................18
2.2. Law and bodies in India: IT Act and applicability in Aviation......................................24
2.2.1. BCAS.......................................................................................................................24
2.2.2. Legislative history...................................................................................................26
2.2.3. IT Act, 2000.............................................................................................................30
2.2.4. The National Cyber Security Policy, 2013..............................................................33
2.2.5. XII Five Year Plan report on Cyber Security (2017– 2022)...................................34
2.2.6. NCIIPC Guidelines and CERT-In Rules.................................................................35
pg. 1
Table of Contents
Chapter 1: Introduction....................................................................................................................3
1.1. Introduction to Cyber Security..........................................................................................4
1.2. Introduction to Aviation....................................................................................................7
1.3. Introduction to Cyber Security in Aviation - Airlines, ATC and Airports.......................9
1.4. Research objectives, hypothesis and questions...............................................................13
1.4.1. Research objectives.................................................................................................13
1.4.2. Research hypothesis.................................................................................................14
1.4.3. Research questions...................................................................................................14
1.5. Research methodology....................................................................................................14
1.6. Research outline (chapterization)....................................................................................15
Chapter 2: Legal standpoint and bodies.........................................................................................18
2.1. International regulator: ICAO.........................................................................................18
2.2. Law and bodies in India: IT Act and applicability in Aviation......................................24
2.2.1. BCAS.......................................................................................................................24
2.2.2. Legislative history...................................................................................................26
2.2.3. IT Act, 2000.............................................................................................................30
2.2.4. The National Cyber Security Policy, 2013..............................................................33
2.2.5. XII Five Year Plan report on Cyber Security (2017– 2022)...................................34
2.2.6. NCIIPC Guidelines and CERT-In Rules.................................................................35
pg. 1
Cyber Security in Aviation
2.2.7. SARPs compliance..................................................................................................36
2.2.8. Other measures........................................................................................................38
2.3. International Scenario: Law and bodies in US and applicability in Aviation.................39
2.3. International Scenario: Law and bodies in Euro Control and applicability in Aviation....44
Chapter 3: Pillars of Aviation........................................................................................................50
3.1. Cybersecurity in ATC.........................................................................................................53
3.1.1. ATC and threats looming around it.........................................................................53
3.1.2. Major events in Air Traffic control.............................................................................60
3.2. Cybersecurity in Airlines....................................................................................................62
3.3. Cybersecurity in Airports/Aerodromes...............................................................................66
Chapter 4: Aerodromes/Airports...................................................................................................69
4.1. Case Study: Application of security measures at leading airport...................................80
4.2. Case Study: Hacking of websites....................................................................................85
4.3. Case Study: Unsecured data...........................................................................................86
4.4. Case Study: Hacking computer systems........................................................................87
4.5. Case Study: Indian perspective......................................................................................88
4.6. Case law: R v Daniel Devereux......................................................................................90
Chapter 5: Findings and Comparative Analysis............................................................................92
Chapter 6: Conclusion...................................................................................................................97
Chapter 7: Suggestions................................................................................................................102
Bibliography................................................................................................................................105
pg. 2
2.2.7. SARPs compliance..................................................................................................36
2.2.8. Other measures........................................................................................................38
2.3. International Scenario: Law and bodies in US and applicability in Aviation.................39
2.3. International Scenario: Law and bodies in Euro Control and applicability in Aviation....44
Chapter 3: Pillars of Aviation........................................................................................................50
3.1. Cybersecurity in ATC.........................................................................................................53
3.1.1. ATC and threats looming around it.........................................................................53
3.1.2. Major events in Air Traffic control.............................................................................60
3.2. Cybersecurity in Airlines....................................................................................................62
3.3. Cybersecurity in Airports/Aerodromes...............................................................................66
Chapter 4: Aerodromes/Airports...................................................................................................69
4.1. Case Study: Application of security measures at leading airport...................................80
4.2. Case Study: Hacking of websites....................................................................................85
4.3. Case Study: Unsecured data...........................................................................................86
4.4. Case Study: Hacking computer systems........................................................................87
4.5. Case Study: Indian perspective......................................................................................88
4.6. Case law: R v Daniel Devereux......................................................................................90
Chapter 5: Findings and Comparative Analysis............................................................................92
Chapter 6: Conclusion...................................................................................................................97
Chapter 7: Suggestions................................................................................................................102
Bibliography................................................................................................................................105
pg. 2
Cyber Security in Aviation
Chapter 1: Introduction
Every other day, there is headline-grabbing story related to online attacks and the
frequency of such publications point towards the rising number of online attacks. The last decade
or so has seen a range of data breaches, which have been spread across varied industries like
health insurance, online businesses, retail and banking, amongst the others. Just the financial
impact part is enough to draw concern. As per one of the reports, the estimated cost of data
breaches on global economy by end of 2019 will be $2 trillion1. As per Accenture, these
estimates are set to rise, with the cost of such crimes for companies reaching $5.2 trillion over
the course of coming five years2. With time, cyber treats have not only grown in number, but
also in their sophistication and cost. This is present in every industry, due to rampant reliance on
technology and internet devices like mobiles presenting an open invitation for the criminals to
undertake cyber-attacks.
Cybersecurity risk is of particular significance in the airlines industry. As per one of the
surveys undertaken by PwC, 85% of CEOs of airlines stated that they were concerned about
cybersecurity risks, as against 61% of other industry CEOs3. This 24% difference is contributed
to the complications of cyber-attack in airlines industry as compared to the other industries. This
is because such attacks in other industries are mostly related to company data or sensitive
customer information theft. However, for airlines, apart from these threats, the connectivity to
flight operations and air traffic systems increases the complications for the airlines industries.
Even though this advance integration and communication is required to improve operational and
financial performance, it does present a higher opportunity for exploiting such advancements4.
1 Zack Whittaker, Data breaches to cost global economy $2 trillion by 2019 (12 May 2015)
<https://www.zdnet.com/article/data-breaches-to-cost-2-trillion-by-2019/>
2 Alison Geib, Cybercrime Could Cost Companies US$5.2 Trillion Over Next Five Years, According to New
Research from Accenture (17 January 2019) <https://www.apnews.com/ac9bb114045c49c59089abae155045e4>
3 PwC, Getting clear of the clouds Will the upward trajectory continue? (2018)
<https://www.pwc.es/es/publicaciones/transporte/pwc_2015_global_airline_ceo_survey.pdf>
4 PwC, Tailwinds 2017 airline industry trends (2017) <https://www.pwc.fr/fr/assets/files/pdf/2017/12/2017-
tailwinds-airline-industry-trends-pwc.pdf>
pg. 3
Chapter 1: Introduction
Every other day, there is headline-grabbing story related to online attacks and the
frequency of such publications point towards the rising number of online attacks. The last decade
or so has seen a range of data breaches, which have been spread across varied industries like
health insurance, online businesses, retail and banking, amongst the others. Just the financial
impact part is enough to draw concern. As per one of the reports, the estimated cost of data
breaches on global economy by end of 2019 will be $2 trillion1. As per Accenture, these
estimates are set to rise, with the cost of such crimes for companies reaching $5.2 trillion over
the course of coming five years2. With time, cyber treats have not only grown in number, but
also in their sophistication and cost. This is present in every industry, due to rampant reliance on
technology and internet devices like mobiles presenting an open invitation for the criminals to
undertake cyber-attacks.
Cybersecurity risk is of particular significance in the airlines industry. As per one of the
surveys undertaken by PwC, 85% of CEOs of airlines stated that they were concerned about
cybersecurity risks, as against 61% of other industry CEOs3. This 24% difference is contributed
to the complications of cyber-attack in airlines industry as compared to the other industries. This
is because such attacks in other industries are mostly related to company data or sensitive
customer information theft. However, for airlines, apart from these threats, the connectivity to
flight operations and air traffic systems increases the complications for the airlines industries.
Even though this advance integration and communication is required to improve operational and
financial performance, it does present a higher opportunity for exploiting such advancements4.
1 Zack Whittaker, Data breaches to cost global economy $2 trillion by 2019 (12 May 2015)
<https://www.zdnet.com/article/data-breaches-to-cost-2-trillion-by-2019/>
2 Alison Geib, Cybercrime Could Cost Companies US$5.2 Trillion Over Next Five Years, According to New
Research from Accenture (17 January 2019) <https://www.apnews.com/ac9bb114045c49c59089abae155045e4>
3 PwC, Getting clear of the clouds Will the upward trajectory continue? (2018)
<https://www.pwc.es/es/publicaciones/transporte/pwc_2015_global_airline_ceo_survey.pdf>
4 PwC, Tailwinds 2017 airline industry trends (2017) <https://www.pwc.fr/fr/assets/files/pdf/2017/12/2017-
tailwinds-airline-industry-trends-pwc.pdf>
pg. 3
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Cyber Security in Aviation
This is the reason why this industry is constantly brining in technological advancements towards
protecting its assets and data. There is use of complicated software along with sophisticated
hardware to safeguard from instances of cyber-attacks.
The air traffic control has been drastically modernized and this brings with it many cyber
issues, one of which is NextGen. NextGen or the “Next Generation Air Transportation System”
presented by FAA (“Federal Aviation Administration”), is over 40 years old, relying on radars
and brings forth limited connectivity. It helps in improving the efficiency of network through the
use of Global Positioning System (GPS), which is software based, and internet connected. This
very connectivity brings high security threats5. The IATA (International Air Transport
Association) has maintained that the effective way of dealing with such risks is allocating and
prioritizing resources towards protection of most valuable assets of airlines. In addition to this,
there was a need for developing such global security systems, which could adopt “an end-to-end
risk-based approach6.” Effectively there is a need to prevent, detect and react to such threats, as a
way of protecting the aviation industry from such threats.
1.1. Introduction to Cyber Security
To go into the threats posted by cyber-attacks into aviation industry, there is a need to
understand what cybersecurity actually means. In the most basic sense, cybersecurity relates to
such processes, practices and technologies, which have been designed in a manner so as to
safeguard programs, data, devices and networks from any kind of unauthorized access, attack or
damage. In short, the safeguarding of the crucial assets related to technology, there is a need to
deploy proper measures, and these are in form of cybersecurity. Anything connected with
internet, presents with it a cyber-threat, which requires strict measures to be adopted, to avoid
these threats being converted into real life incidents and this is where the role of cybersecurity
comes in.
5 PwC, Aviation perspectives 2016 special report series: Cybersecurity and the airline industry (2016)
<https://www.pwc.com/us/en/industrial-products/publications/assets/pwc-airline-industry-perspectives-
cybersecurity.pdf>
6 IATA, Remarks of Tony Tyler at the IATA 22nd AVSEC World in Istanbul (05 November 2013)
<https://www.iata.org/pressroom/speeches/Pages/2013-11-05-01.aspx>
pg. 4
This is the reason why this industry is constantly brining in technological advancements towards
protecting its assets and data. There is use of complicated software along with sophisticated
hardware to safeguard from instances of cyber-attacks.
The air traffic control has been drastically modernized and this brings with it many cyber
issues, one of which is NextGen. NextGen or the “Next Generation Air Transportation System”
presented by FAA (“Federal Aviation Administration”), is over 40 years old, relying on radars
and brings forth limited connectivity. It helps in improving the efficiency of network through the
use of Global Positioning System (GPS), which is software based, and internet connected. This
very connectivity brings high security threats5. The IATA (International Air Transport
Association) has maintained that the effective way of dealing with such risks is allocating and
prioritizing resources towards protection of most valuable assets of airlines. In addition to this,
there was a need for developing such global security systems, which could adopt “an end-to-end
risk-based approach6.” Effectively there is a need to prevent, detect and react to such threats, as a
way of protecting the aviation industry from such threats.
1.1. Introduction to Cyber Security
To go into the threats posted by cyber-attacks into aviation industry, there is a need to
understand what cybersecurity actually means. In the most basic sense, cybersecurity relates to
such processes, practices and technologies, which have been designed in a manner so as to
safeguard programs, data, devices and networks from any kind of unauthorized access, attack or
damage. In short, the safeguarding of the crucial assets related to technology, there is a need to
deploy proper measures, and these are in form of cybersecurity. Anything connected with
internet, presents with it a cyber-threat, which requires strict measures to be adopted, to avoid
these threats being converted into real life incidents and this is where the role of cybersecurity
comes in.
5 PwC, Aviation perspectives 2016 special report series: Cybersecurity and the airline industry (2016)
<https://www.pwc.com/us/en/industrial-products/publications/assets/pwc-airline-industry-perspectives-
cybersecurity.pdf>
6 IATA, Remarks of Tony Tyler at the IATA 22nd AVSEC World in Istanbul (05 November 2013)
<https://www.iata.org/pressroom/speeches/Pages/2013-11-05-01.aspx>
pg. 4
Cyber Security in Aviation
The crux of the matter is that the term cyber security is used to refer to the information
technology’s security. The goal is to safeguard the “computers, networks, programs and data”
from unauthorized use and access. The data collected by different entities, be it governments,
hospitals or even military, is not transmitted on another device, without proper approvals. The
sensitive business information and personal information needs to be protected. Similarity, the
nation’s security is protected guarded from the modern day cyber-attacks. There are many types
of actions, which can be taken as a measure to safeguard against such attacks. These include
avoidance of spywares, protecting the passwords, keeping the firewalls turned on, preventing
identity theft, making use of anti-virus software, and taking proper back up of relevant data.
The term cyber security has been coined under the Indian laws as well. The Information
Technology Act, 20007 defines cybersecurity under section 2(1)(nb)8 as:
This very definition has been adopted under certain other legislative instruments as well,
including the CERT-In Guidelines covered under the Information Technology Act, 2000. There
are many facets of the cyber threats faced by the aviation industry. These take the form of
phishing attacks, jamming attacks, remote hijacking, distributed-denial-of-service attacks and
botnet attacks, along with the Wi-Fi based attacks9. This is majorly due to the hyper-connected
world of Internet of Things (IoT), which has resulted in all kinds of networks to be
interconnected; thereby resulting in higher chances of such instances of cyber-attacks taking
place10.
7 Information Technology Act, 2000
8 Information Technology Act 2000, s2(1)(nb)
9 Dan Virgillito, Cyber Threat Analysis for the Aviation Industry (26 February 2015)
<https://resources.infosecinstitute.com/cyber-threat-analysis-aviation-industry/#gref>
10 Jon Stanford, Air Traffic Control and Industrial Control Systems in the Age of Cybersecurity Threats (15 July
2016) <https://www.hstoday.us/channels/federal-state-local/air-traffic-control-and-industrial-control-systems-in-the-
age-of-cybersecurity-threats/>
pg. 5
The crux of the matter is that the term cyber security is used to refer to the information
technology’s security. The goal is to safeguard the “computers, networks, programs and data”
from unauthorized use and access. The data collected by different entities, be it governments,
hospitals or even military, is not transmitted on another device, without proper approvals. The
sensitive business information and personal information needs to be protected. Similarity, the
nation’s security is protected guarded from the modern day cyber-attacks. There are many types
of actions, which can be taken as a measure to safeguard against such attacks. These include
avoidance of spywares, protecting the passwords, keeping the firewalls turned on, preventing
identity theft, making use of anti-virus software, and taking proper back up of relevant data.
The term cyber security has been coined under the Indian laws as well. The Information
Technology Act, 20007 defines cybersecurity under section 2(1)(nb)8 as:
This very definition has been adopted under certain other legislative instruments as well,
including the CERT-In Guidelines covered under the Information Technology Act, 2000. There
are many facets of the cyber threats faced by the aviation industry. These take the form of
phishing attacks, jamming attacks, remote hijacking, distributed-denial-of-service attacks and
botnet attacks, along with the Wi-Fi based attacks9. This is majorly due to the hyper-connected
world of Internet of Things (IoT), which has resulted in all kinds of networks to be
interconnected; thereby resulting in higher chances of such instances of cyber-attacks taking
place10.
7 Information Technology Act, 2000
8 Information Technology Act 2000, s2(1)(nb)
9 Dan Virgillito, Cyber Threat Analysis for the Aviation Industry (26 February 2015)
<https://resources.infosecinstitute.com/cyber-threat-analysis-aviation-industry/#gref>
10 Jon Stanford, Air Traffic Control and Industrial Control Systems in the Age of Cybersecurity Threats (15 July
2016) <https://www.hstoday.us/channels/federal-state-local/air-traffic-control-and-industrial-control-systems-in-the-
age-of-cybersecurity-threats/>
pg. 5
Cyber Security in Aviation
The aviation industry is highly reliant on computer system for its flight and ground
operations. The airlines system security has a direct impact over the efficiency and operational
safety of this industry; along with indirectly affecting its reputation and service11. Thus,
cybersecurity of this industry takes centre stage. This significance was garnered through the very
first airplane hijacking, resulting in huge sum being incurred yearly towards enhancing
the .cybersecurity measures. Even before the occurrence of such incidents, the aspects of
cybersecurity were present and known to this industry, but no significant contributions were
taken towards ensuring cybersecurity. With speculations rising, that disappearance of certain
plane was a result of cyber-attacks, despite the denials from aircraft manufacturers, the focus on
cybersecurity took a bullet train. Such instances, and rumours, coupled with the accelerated
information technologies’ adoption in aviation industry have seen the growth of cybersecurity
sophistication in this industry12.
The very possibility of the vital airplane functions being taken over and the control of
such airplanes being taken over by a third parties, is a key concern, and could result in instances
of hacking the plane. A plane, which has been hacked, can be made to fly at the behest of a third
party, as against the ones responsible for flying such aircraft safely and putting the safety of
crew, passengers and other parties at risk13. The biggest example of this is the September 11
attacks14. This attack resulted in death of 2,996 individuals, where 2,977 victims and 19
hijackers15. Even though this attack was carried on manually, there have been instances where
the breach of cybersecurity measures, have resulted in attacks as well. These will be covered in
the later part of this research.
Just to give an idea of catastrophes surrounding IT failures, the recent instances of flights
being grounded can be looked into. Such recent incidents have shown the cascading losses due to
11 IATA, Aviation Cyber Security Toolkit (2019) <https://www.iata.org/publications/store/Pages/aviation-cyber-
security-toolkit.aspx>
12 Adrie Stander and Jacques Ophoff, ‘Cyber security in civil aviation’ (2016)Imam Journal of Applied Sciences
<http://www.e-ijas.org/temp/ImamJApplSci1123-1857601_050936.pdf>
13 IEEE, Airline CyberSecurity (2019) <http://sites.ieee.org/ocs-cssig/?page_id=875>
14 David Dunbar and Brad Reagan, Debunking 9/11 Myths: Why Conspiracy Theories Can't Stand Up to the Facts :
Includes New Findings on World Trade Center Building 7 (Hearst Books, 2011)
15 Arthur Berm, When Reality Hits: From WW II to the New World Order (FriesenPress, 2014)
pg. 6
The aviation industry is highly reliant on computer system for its flight and ground
operations. The airlines system security has a direct impact over the efficiency and operational
safety of this industry; along with indirectly affecting its reputation and service11. Thus,
cybersecurity of this industry takes centre stage. This significance was garnered through the very
first airplane hijacking, resulting in huge sum being incurred yearly towards enhancing
the .cybersecurity measures. Even before the occurrence of such incidents, the aspects of
cybersecurity were present and known to this industry, but no significant contributions were
taken towards ensuring cybersecurity. With speculations rising, that disappearance of certain
plane was a result of cyber-attacks, despite the denials from aircraft manufacturers, the focus on
cybersecurity took a bullet train. Such instances, and rumours, coupled with the accelerated
information technologies’ adoption in aviation industry have seen the growth of cybersecurity
sophistication in this industry12.
The very possibility of the vital airplane functions being taken over and the control of
such airplanes being taken over by a third parties, is a key concern, and could result in instances
of hacking the plane. A plane, which has been hacked, can be made to fly at the behest of a third
party, as against the ones responsible for flying such aircraft safely and putting the safety of
crew, passengers and other parties at risk13. The biggest example of this is the September 11
attacks14. This attack resulted in death of 2,996 individuals, where 2,977 victims and 19
hijackers15. Even though this attack was carried on manually, there have been instances where
the breach of cybersecurity measures, have resulted in attacks as well. These will be covered in
the later part of this research.
Just to give an idea of catastrophes surrounding IT failures, the recent instances of flights
being grounded can be looked into. Such recent incidents have shown the cascading losses due to
11 IATA, Aviation Cyber Security Toolkit (2019) <https://www.iata.org/publications/store/Pages/aviation-cyber-
security-toolkit.aspx>
12 Adrie Stander and Jacques Ophoff, ‘Cyber security in civil aviation’ (2016)Imam Journal of Applied Sciences
<http://www.e-ijas.org/temp/ImamJApplSci1123-1857601_050936.pdf>
13 IEEE, Airline CyberSecurity (2019) <http://sites.ieee.org/ocs-cssig/?page_id=875>
14 David Dunbar and Brad Reagan, Debunking 9/11 Myths: Why Conspiracy Theories Can't Stand Up to the Facts :
Includes New Findings on World Trade Center Building 7 (Hearst Books, 2011)
15 Arthur Berm, When Reality Hits: From WW II to the New World Order (FriesenPress, 2014)
pg. 6
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Cyber Security in Aviation
IT system failures. The cancellation of two US airlines in 2016 caused major disruptions in
booking programmes and even saw the cancellations of various flights. Even though these
instances where not as a result of malware or hacking issues, still they provide insights on the
costs and level of disruption associated with such failures. Even though the actual losses from
these two cancellations were not made common knowledge, the experts have put in the estimates
between US$ 80 million and 150 million each. A basic human error resulted in nearly seventy
five thousand passengers being stranded in May 2017, that too on a busy public holiday
weekend, resulting in the British flag carrier bearing losses of nearly £80 million. This amount
does not include the cost of reputation damage16.
1.2. Introduction to Aviation
Air transport, or aviation, in the most basic sense refers to such activities, which are
present in the aircraft industry and are related to mechanical flight. Its history can be traced back
to the age of hot air balloons, to moving on to Wright brothers’ invention of airplanes, and to the
modern day aircrafts and jets17. Aviation is what connects the present communities, across the
globe, as it helps individuals in moving to places in a fast manner. The present decade is
experiencing a sharp rise in the unmanned and manned aircrafts and their systems, where there is
constant focus on bringing in new features, along with creating unprecedented applications. The
role of information technology, software and computer networks, i.e. cyber technology is
fundamental and crucial for advancement of aviation. The reason for it is that these cyber
technologies help in fulfilling the needs of ecosystem of aviation, including that of pilots,
aircraft, passengers, society, personnel and stakeholders18.
There is a growing use of aviation cyber technology in varied aspects of air travel,
including booking of tickets, airline counter checking in, clearing airport security, in-flight
entertainment and connecting to Wi-Fi in aircraft cabins. However, majority of the advancements
take place back space, including the air traffic control, airports (including the ones in space, on
16 Helga Munger, Cyber threats in aviation The sky’s the limit? (17 September 2018)
<https://www.munichre.com/topics-online/en/digitalisation/cyber/cyber-threats-in-aviation.html>
17 Dawna L. Rhoades, Evolution of International Aviation: Phoenix Rising (Routledge, 2016)
18 Jon C. Haass, Krishna Sampigethaya, and Vincent Capezzuto, ‘Aviation and Cybersecurity: Opportunities for
Applied Research’ (2016) TR News (304) <http://commons.erau.edu/publication/299>
pg. 7
IT system failures. The cancellation of two US airlines in 2016 caused major disruptions in
booking programmes and even saw the cancellations of various flights. Even though these
instances where not as a result of malware or hacking issues, still they provide insights on the
costs and level of disruption associated with such failures. Even though the actual losses from
these two cancellations were not made common knowledge, the experts have put in the estimates
between US$ 80 million and 150 million each. A basic human error resulted in nearly seventy
five thousand passengers being stranded in May 2017, that too on a busy public holiday
weekend, resulting in the British flag carrier bearing losses of nearly £80 million. This amount
does not include the cost of reputation damage16.
1.2. Introduction to Aviation
Air transport, or aviation, in the most basic sense refers to such activities, which are
present in the aircraft industry and are related to mechanical flight. Its history can be traced back
to the age of hot air balloons, to moving on to Wright brothers’ invention of airplanes, and to the
modern day aircrafts and jets17. Aviation is what connects the present communities, across the
globe, as it helps individuals in moving to places in a fast manner. The present decade is
experiencing a sharp rise in the unmanned and manned aircrafts and their systems, where there is
constant focus on bringing in new features, along with creating unprecedented applications. The
role of information technology, software and computer networks, i.e. cyber technology is
fundamental and crucial for advancement of aviation. The reason for it is that these cyber
technologies help in fulfilling the needs of ecosystem of aviation, including that of pilots,
aircraft, passengers, society, personnel and stakeholders18.
There is a growing use of aviation cyber technology in varied aspects of air travel,
including booking of tickets, airline counter checking in, clearing airport security, in-flight
entertainment and connecting to Wi-Fi in aircraft cabins. However, majority of the advancements
take place back space, including the air traffic control, airports (including the ones in space, on
16 Helga Munger, Cyber threats in aviation The sky’s the limit? (17 September 2018)
<https://www.munichre.com/topics-online/en/digitalisation/cyber/cyber-threats-in-aviation.html>
17 Dawna L. Rhoades, Evolution of International Aviation: Phoenix Rising (Routledge, 2016)
18 Jon C. Haass, Krishna Sampigethaya, and Vincent Capezzuto, ‘Aviation and Cybersecurity: Opportunities for
Applied Research’ (2016) TR News (304) <http://commons.erau.edu/publication/299>
pg. 7
Cyber Security in Aviation
the ground and airborne), infrastructure in avionics and airlines. There is a deep integration of
cyber tech in time critical fabric, which assures and controls the performance, operations and
safety of aviation19.
Even with the high profits, which are expected and earned, the reliance on cyber
technology exposes aviation industry to costly and dangerous world of threats. There have been
many threats made in this industry, resulting in the industry maturing its operations towards such
threats; this is in addition to the physical difficulties faced by aviation from humankind and
nature. It is also crucial to state here that saving of a single flight, or apprehending two or three
events are not enough to ensure that the threats and risks on performance and safety of aviation
industry, are managed. The cybersecurity threats are a major concern and the unpredictable
nature of such attacks make the comprehension of such risks, a difficult task. Apart from this, the
opportunities are ever rising, with the growth and development of systems and new services20.
The reason why so much emphasis is given on the aviation industry is because it acts as
the key foundation towards investments, international trade and tourism, along with being
significant towards the development of global economy. 3.5% of the GRP (Gross Domestic
Product) or 2.7 trillion dollars ride on the back of air transport industry, along with provided 9.9
million direct jobs to individuals across the globe. It has been forecasted that by the end of 2034,
the airfreight and the air passenger traffic is set to be the double of 2016 figures. It is projected
that airfreight will see a growth of 4.2% on annual basis, and would reach 466 billion FTKs
(Freight Tonne-Kilometres). It has also been estimated that the passenger traffic would see a
growth of 4.5% on annual basis, and would reach 14 trillion RPKs (Revenue Passengeer-
Kilometres)21.
Thus, the size of this industry puts forth the need for paying heed to the cyber threats
brought with the increase digitalization. Even though digitalization has increased interoperability
and intelligence on one hand, this has on the other hand brought major risks with it. There is a
19 Ibid
20 Ibid
21 Georgia Lykou, George Iakovakis, and Dimitris Gritzalis, ‘Aviation Cybersecurity and Cyber-Resilience:
Assessing Risk in Air Traffic Management’ (2019) Critical Infrastructure Security and Resilience <http://sci-
hub.tw/10.1007/978-3-030-00024-0_13>
pg. 8
the ground and airborne), infrastructure in avionics and airlines. There is a deep integration of
cyber tech in time critical fabric, which assures and controls the performance, operations and
safety of aviation19.
Even with the high profits, which are expected and earned, the reliance on cyber
technology exposes aviation industry to costly and dangerous world of threats. There have been
many threats made in this industry, resulting in the industry maturing its operations towards such
threats; this is in addition to the physical difficulties faced by aviation from humankind and
nature. It is also crucial to state here that saving of a single flight, or apprehending two or three
events are not enough to ensure that the threats and risks on performance and safety of aviation
industry, are managed. The cybersecurity threats are a major concern and the unpredictable
nature of such attacks make the comprehension of such risks, a difficult task. Apart from this, the
opportunities are ever rising, with the growth and development of systems and new services20.
The reason why so much emphasis is given on the aviation industry is because it acts as
the key foundation towards investments, international trade and tourism, along with being
significant towards the development of global economy. 3.5% of the GRP (Gross Domestic
Product) or 2.7 trillion dollars ride on the back of air transport industry, along with provided 9.9
million direct jobs to individuals across the globe. It has been forecasted that by the end of 2034,
the airfreight and the air passenger traffic is set to be the double of 2016 figures. It is projected
that airfreight will see a growth of 4.2% on annual basis, and would reach 466 billion FTKs
(Freight Tonne-Kilometres). It has also been estimated that the passenger traffic would see a
growth of 4.5% on annual basis, and would reach 14 trillion RPKs (Revenue Passengeer-
Kilometres)21.
Thus, the size of this industry puts forth the need for paying heed to the cyber threats
brought with the increase digitalization. Even though digitalization has increased interoperability
and intelligence on one hand, this has on the other hand brought major risks with it. There is a
19 Ibid
20 Ibid
21 Georgia Lykou, George Iakovakis, and Dimitris Gritzalis, ‘Aviation Cybersecurity and Cyber-Resilience:
Assessing Risk in Air Traffic Management’ (2019) Critical Infrastructure Security and Resilience <http://sci-
hub.tw/10.1007/978-3-030-00024-0_13>
pg. 8
Cyber Security in Aviation
need to have a high level of awareness and attention of the potential cyber threat’s future
development. The goal here needs to be to bring down the vulnerability of cyber related risks,
along with strengthening of “the air transportation systems’ resilience” in contradiction of such
cyber threats22. Thus is crucial to make certain that the industry continues to be safe, and is able
to continue contributing to economy, as was highlighted through the figures presented earlier.
1.3. Introduction to Cyber Security in Aviation - Airlines, ATC and Airports
There are three key pillars of aviation industry, i.e. the airlines, the ATC (Air Traffic
Control), and the airports. The airlines are the flights and are the medium of air travel; the
airports are where the airlines are made available; and the ATC is the service that the ground
based air traffic controllers provide for directing the flights. ATC covers the communications
with the aircraft for assisting in maintaining separation. This ensures that the aircraft is far
enough (be it vertically or horizontally), to pose no risk of collision. A depiction of ATC,
covering how wireless technology is used in ATC between satellites, aircraft and ground station,
is covered below. Each of the arrows shows the communication direction for every protocol.
22 Ibid
pg. 9
need to have a high level of awareness and attention of the potential cyber threat’s future
development. The goal here needs to be to bring down the vulnerability of cyber related risks,
along with strengthening of “the air transportation systems’ resilience” in contradiction of such
cyber threats22. Thus is crucial to make certain that the industry continues to be safe, and is able
to continue contributing to economy, as was highlighted through the figures presented earlier.
1.3. Introduction to Cyber Security in Aviation - Airlines, ATC and Airports
There are three key pillars of aviation industry, i.e. the airlines, the ATC (Air Traffic
Control), and the airports. The airlines are the flights and are the medium of air travel; the
airports are where the airlines are made available; and the ATC is the service that the ground
based air traffic controllers provide for directing the flights. ATC covers the communications
with the aircraft for assisting in maintaining separation. This ensures that the aircraft is far
enough (be it vertically or horizontally), to pose no risk of collision. A depiction of ATC,
covering how wireless technology is used in ATC between satellites, aircraft and ground station,
is covered below. Each of the arrows shows the communication direction for every protocol.
22 Ibid
pg. 9
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Cyber Security in Aviation
(Source: Strohmeier, 201623)
These three combined are the backbone of aviation; and as these are the backbone, cyber
threats pose a great challenge on aviation through their unauthorized access/ use. The reason for
this is very clear. If an airline is hacked, incident like 9/11 can take place. If ATC is taken over,
the flight can be made to go rogue and fly of course, even resulting in collisions and casualties.
Lastly, if the airports are taken over, or if the security in these is manipulated, both aircrafts and
ATC can be put in jeopardy, and the world can be left at the mercy of criminals.
One of the earliest cyber-attacks was the one undertaken by Worcester (Massachusetts)
teenager back in 1997. This teenager exploited a loophole in the telecommunications service
infrastructure of the local airport. There was a “denial of service attack”, which highlighted the
shortfall of the system, along with displaying the unfailing availability of an infrastructure. The
recent remote hacking incidents where the ATC systems, airports and airlines have been
23 Martin Strohmeier, Security in Next Generation Air Traffic Communication Networks (2016)
<https://www.bcs.org/upload/pdf/security-air-traffic.pdf>
pg. 10
(Source: Strohmeier, 201623)
These three combined are the backbone of aviation; and as these are the backbone, cyber
threats pose a great challenge on aviation through their unauthorized access/ use. The reason for
this is very clear. If an airline is hacked, incident like 9/11 can take place. If ATC is taken over,
the flight can be made to go rogue and fly of course, even resulting in collisions and casualties.
Lastly, if the airports are taken over, or if the security in these is manipulated, both aircrafts and
ATC can be put in jeopardy, and the world can be left at the mercy of criminals.
One of the earliest cyber-attacks was the one undertaken by Worcester (Massachusetts)
teenager back in 1997. This teenager exploited a loophole in the telecommunications service
infrastructure of the local airport. There was a “denial of service attack”, which highlighted the
shortfall of the system, along with displaying the unfailing availability of an infrastructure. The
recent remote hacking incidents where the ATC systems, airports and airlines have been
23 Martin Strohmeier, Security in Next Generation Air Traffic Communication Networks (2016)
<https://www.bcs.org/upload/pdf/security-air-traffic.pdf>
pg. 10
Cyber Security in Aviation
targeted, highlight that the cyber risks are constantly evolving, where the crew, baggage control
systems, airport passport control and airlines passengers are targeted frequently24.
Over seventy-five airports in US reports phishing emails in 2013, where the goal was
defrauding users, so that their financial information was revealed. The very same year saw over
twenty thousand-hack attempts on daily basis on Miami International Airport. There were around
2.9 million hacking attempts and over sixty thousand internet misuse attempts blocked by Los
Angeles World airports. A Tunisian hacking team targeted computer and communication
systems of US airport in 2014. LOT Polish Airlines saw the flights being grounded in summer of
2015 at Warsaw airport as a result of hackers disabling the flight plans meant for the outbound
aircraft. There have been some cyber advances that have helped in operations of this industry,
including the use of commercial technologies (like internet protocols, virtualization, cloud
computing, GPS and Wi-Fi). These have contributed to the faster, interoperable and cheaper
aviation systems across the globe; but their inherent vulnerabilities are often take advantage of
by the cyber adversaries25.
The powerful, open sourced and cheap tools allow for such vulnerabilities to be exploited
with ease, making the occurrence of cyber-attacks far less complicated. A leading example of
this is the White Sands Missile Range test exercise, which clearly highlighted the possibility of
accessing drones and unmanned aircrafts through use of GPS signals. These can be used to
access these devices remotely and to guide such devices into erroneous paths. There has also
been a reiteration of feasibility of attacking ATC systems through use of cheap equipment, at the
hacker conferences’ simulation studies. A cyber-attack could be undertaken in a way where the
ATC controllers and pilots see a bogus aircraft on their screens, resulting in unwarranted
performance losses and unsafe actions being undertaken. Apart from this, one of the recent
instances where a suicide pilot (as per allegations) crashed the Germanwings flight, showing the
possibility of insider threats. This further emphasizes on the need for bringing improvement in
people management, particularly when entrusted with authorized access to ATC systems26.
24 At 18 (Jon C. Haass)
25 Ibid
26 Ibid
pg. 11
targeted, highlight that the cyber risks are constantly evolving, where the crew, baggage control
systems, airport passport control and airlines passengers are targeted frequently24.
Over seventy-five airports in US reports phishing emails in 2013, where the goal was
defrauding users, so that their financial information was revealed. The very same year saw over
twenty thousand-hack attempts on daily basis on Miami International Airport. There were around
2.9 million hacking attempts and over sixty thousand internet misuse attempts blocked by Los
Angeles World airports. A Tunisian hacking team targeted computer and communication
systems of US airport in 2014. LOT Polish Airlines saw the flights being grounded in summer of
2015 at Warsaw airport as a result of hackers disabling the flight plans meant for the outbound
aircraft. There have been some cyber advances that have helped in operations of this industry,
including the use of commercial technologies (like internet protocols, virtualization, cloud
computing, GPS and Wi-Fi). These have contributed to the faster, interoperable and cheaper
aviation systems across the globe; but their inherent vulnerabilities are often take advantage of
by the cyber adversaries25.
The powerful, open sourced and cheap tools allow for such vulnerabilities to be exploited
with ease, making the occurrence of cyber-attacks far less complicated. A leading example of
this is the White Sands Missile Range test exercise, which clearly highlighted the possibility of
accessing drones and unmanned aircrafts through use of GPS signals. These can be used to
access these devices remotely and to guide such devices into erroneous paths. There has also
been a reiteration of feasibility of attacking ATC systems through use of cheap equipment, at the
hacker conferences’ simulation studies. A cyber-attack could be undertaken in a way where the
ATC controllers and pilots see a bogus aircraft on their screens, resulting in unwarranted
performance losses and unsafe actions being undertaken. Apart from this, one of the recent
instances where a suicide pilot (as per allegations) crashed the Germanwings flight, showing the
possibility of insider threats. This further emphasizes on the need for bringing improvement in
people management, particularly when entrusted with authorized access to ATC systems26.
24 At 18 (Jon C. Haass)
25 Ibid
26 Ibid
pg. 11
Cyber Security in Aviation
The scale and visibility of aviation industry makes it a lucrative target for such malicious
intent. Even when an isolated and single disruption of aviation is undertaken, say for example
through a sole computer failure, natural disaster within the locality of airport or weather affected
sector, can result in losses across system, and have an impact over the economy of that region for
days, if not months. A number of individuals could be stranded, resulting in global
inconvenience and financial losses as stated earlier. This makes aggressively addressing aviation
cybersecurity a critical task27.
Even though aviation industry is not a single industry, which is facing the cybersecurity
related threats, the challenges that are associated with the transportation system, particularly in
this industry, have uniqueness in them. This is the reason why this industry is constantly making
attempts to comprehend the management, threats and risks of cybersecurity. An example of this
is the ISAC (“Aviation Information Sharing and Analysis Center”), and the Cyber Security
Toolkit’s second edition, given by the IATA. These act as the guidelines for the strategic
partners and airlines regarding the latest rules, and new attacking points, amongst the others.
There are other efforts taken in this regard, including ICAO’s (International Civil Aviation
Organization) Cybersecurity Special Task Force. There is also the proposed the Cyber AIR Act,
which focuses on meeting the goals in context of cybersecurity in aviation industry. The other
objectives include the identification of vulnerabilities of cybersecurity, finding standard
mitigations, and assessing threats, so that the risks are properly managed in the system28.
In order to effectively deal with the cyber risks presented to aviation industry, there is a
need to segregate the intended function of every system, along with critically analysing the
threats of each component. One of the examples of it is the communication-taking place with
controller regarding the ATC data relating to separating inflight aircraft, which is a different
function from collecting manifests of passengers and also of the credit card information for the
payment of tickets. However, when there is a situation where all this information is stored up on
a cloud-based platform, a single attack on such information could result in a life-threatening
situation, which is also time-sensitive29.
27 Ibid
28 Ibid
29 Ibid
pg. 12
The scale and visibility of aviation industry makes it a lucrative target for such malicious
intent. Even when an isolated and single disruption of aviation is undertaken, say for example
through a sole computer failure, natural disaster within the locality of airport or weather affected
sector, can result in losses across system, and have an impact over the economy of that region for
days, if not months. A number of individuals could be stranded, resulting in global
inconvenience and financial losses as stated earlier. This makes aggressively addressing aviation
cybersecurity a critical task27.
Even though aviation industry is not a single industry, which is facing the cybersecurity
related threats, the challenges that are associated with the transportation system, particularly in
this industry, have uniqueness in them. This is the reason why this industry is constantly making
attempts to comprehend the management, threats and risks of cybersecurity. An example of this
is the ISAC (“Aviation Information Sharing and Analysis Center”), and the Cyber Security
Toolkit’s second edition, given by the IATA. These act as the guidelines for the strategic
partners and airlines regarding the latest rules, and new attacking points, amongst the others.
There are other efforts taken in this regard, including ICAO’s (International Civil Aviation
Organization) Cybersecurity Special Task Force. There is also the proposed the Cyber AIR Act,
which focuses on meeting the goals in context of cybersecurity in aviation industry. The other
objectives include the identification of vulnerabilities of cybersecurity, finding standard
mitigations, and assessing threats, so that the risks are properly managed in the system28.
In order to effectively deal with the cyber risks presented to aviation industry, there is a
need to segregate the intended function of every system, along with critically analysing the
threats of each component. One of the examples of it is the communication-taking place with
controller regarding the ATC data relating to separating inflight aircraft, which is a different
function from collecting manifests of passengers and also of the credit card information for the
payment of tickets. However, when there is a situation where all this information is stored up on
a cloud-based platform, a single attack on such information could result in a life-threatening
situation, which is also time-sensitive29.
27 Ibid
28 Ibid
29 Ibid
pg. 12
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Cyber Security in Aviation
There are many bodies, which are constantly working towards safeguarding the aviation
industry from cyber-attacks. The leading one in this context is ICAO. ICAO was responsible for
bringing forth the Convention of “International Civil Aviation” and creation of “International Air
Transit Service Agreement”, along with the Five Freedoms Agreement, and the Interim
agreement on International Civil Aviation. In particular, the establishment of SARPs (“Standards
and Recommended Practices”) has been a major contributory factor towards the present day
safety measures in aircraft industry. ICAO has been given the key responsibilities in context of
regulating and coordinating the international air travel. This convention has enabled the rules
regarding airspace and aircraft safety and registration to be implemented and created. The details
of these measures and other such bodies will be covered in the discussion carried on in the latter
parts of this research work.
1.4. Research objectives, hypothesis and questions
1.4.1. Research objectives
This research is focused on analysing the varied laws as are applicable on the aviation
industry, particularly in context of cyber security. In doing so, the laws applicable in Europe,
India and United States will be evaluated, to see the variations/ similarities in the legal standing
of these three regions. The research would clearly demarcate on the variations in cybersecurity
and laws concerning Air Traffic Control (ATC), airports and airlines. This is because these three
are the key pillars of aviation industry and are particularly facing a key threat, in the present age,
thereby increasing the emphasis on cyber security. Each of these pillars of aviation face varied
types of threats, resulting in the need to create proper measures, in terms of law, to safeguard
them. This is of particular significance due to the nature of aviation industry, in both civil and
military areas; though, the focus of this study is on the former. The research would compare the
laws of three regions and would undertake a comparative analysis. This would help in proving
the research hypothesis correct and in fulfilling the research objectives. This would be done by
highlighting that the cybersecurity of this nation, i.e. India, is reactive and imitative, whereas the
cybersecurity of United States is proactive and original.
pg. 13
There are many bodies, which are constantly working towards safeguarding the aviation
industry from cyber-attacks. The leading one in this context is ICAO. ICAO was responsible for
bringing forth the Convention of “International Civil Aviation” and creation of “International Air
Transit Service Agreement”, along with the Five Freedoms Agreement, and the Interim
agreement on International Civil Aviation. In particular, the establishment of SARPs (“Standards
and Recommended Practices”) has been a major contributory factor towards the present day
safety measures in aircraft industry. ICAO has been given the key responsibilities in context of
regulating and coordinating the international air travel. This convention has enabled the rules
regarding airspace and aircraft safety and registration to be implemented and created. The details
of these measures and other such bodies will be covered in the discussion carried on in the latter
parts of this research work.
1.4. Research objectives, hypothesis and questions
1.4.1. Research objectives
This research is focused on analysing the varied laws as are applicable on the aviation
industry, particularly in context of cyber security. In doing so, the laws applicable in Europe,
India and United States will be evaluated, to see the variations/ similarities in the legal standing
of these three regions. The research would clearly demarcate on the variations in cybersecurity
and laws concerning Air Traffic Control (ATC), airports and airlines. This is because these three
are the key pillars of aviation industry and are particularly facing a key threat, in the present age,
thereby increasing the emphasis on cyber security. Each of these pillars of aviation face varied
types of threats, resulting in the need to create proper measures, in terms of law, to safeguard
them. This is of particular significance due to the nature of aviation industry, in both civil and
military areas; though, the focus of this study is on the former. The research would compare the
laws of three regions and would undertake a comparative analysis. This would help in proving
the research hypothesis correct and in fulfilling the research objectives. This would be done by
highlighting that the cybersecurity of this nation, i.e. India, is reactive and imitative, whereas the
cybersecurity of United States is proactive and original.
pg. 13
Cyber Security in Aviation
1.4.2. Research hypothesis
The purpose of research hypothesis is to clearly specify the statement concerning the
potential results of the research being undertaken on a topic. It is the most basic thing in a
research, which has to be established by the researcher; and which gives a direction to any
research. There are two hypotheses for this research and these are:
Hypothesis 1: Indian Cyber Security is guided by the US System/European System.
Hypothesis 2: There is fundamental difference in approaches to Safety of Cyber Security
Infrastructure, in Aviation, in India/US and Europe.
1.4.3. Research questions
The research questions are the questions related to the query or issue at hand. In context
of research, it relates to the answerable inquiry of specified issues or concern. The research
questions for this thesis are:
Are the cybersecurity laws of India, reactive and imitative?
Are the cybersecurity laws of United States, proactive and original?
Are there any similarities/ divergences in cybersecurity laws of India/US and Europe?
1.5. Research methodology
The focus of this research is more on the analytical aspects, where the laws of the three
regions are evaluated in context of the three pillars of aviation industry. This is the reason why
the research is qualitative in nature. The nature of this task is subjective, and the research holds
an interpretivist perspective. This qualitative research supports in-depth understanding of the
topic at hand, and is majorly language based. Hence, there is no use of primary research, in terms
of surveys and interviews. This research is based on reviewing the existing literature, in both
offline and online forms. Through the analysis of this literature, the various flaws and success,
the varied measures taken by different bodies and the other aspects revolving around civil
aviation and cybersecurity will be put forth. Literature review would allow the researcher to
answer the research questions, which are driving force behind this study and would give answers
to the research questions. This extensive literature survey would help in theoretical natured
pg. 14
1.4.2. Research hypothesis
The purpose of research hypothesis is to clearly specify the statement concerning the
potential results of the research being undertaken on a topic. It is the most basic thing in a
research, which has to be established by the researcher; and which gives a direction to any
research. There are two hypotheses for this research and these are:
Hypothesis 1: Indian Cyber Security is guided by the US System/European System.
Hypothesis 2: There is fundamental difference in approaches to Safety of Cyber Security
Infrastructure, in Aviation, in India/US and Europe.
1.4.3. Research questions
The research questions are the questions related to the query or issue at hand. In context
of research, it relates to the answerable inquiry of specified issues or concern. The research
questions for this thesis are:
Are the cybersecurity laws of India, reactive and imitative?
Are the cybersecurity laws of United States, proactive and original?
Are there any similarities/ divergences in cybersecurity laws of India/US and Europe?
1.5. Research methodology
The focus of this research is more on the analytical aspects, where the laws of the three
regions are evaluated in context of the three pillars of aviation industry. This is the reason why
the research is qualitative in nature. The nature of this task is subjective, and the research holds
an interpretivist perspective. This qualitative research supports in-depth understanding of the
topic at hand, and is majorly language based. Hence, there is no use of primary research, in terms
of surveys and interviews. This research is based on reviewing the existing literature, in both
offline and online forms. Through the analysis of this literature, the various flaws and success,
the varied measures taken by different bodies and the other aspects revolving around civil
aviation and cybersecurity will be put forth. Literature review would allow the researcher to
answer the research questions, which are driving force behind this study and would give answers
to the research questions. This extensive literature survey would help in theoretical natured
pg. 14
Cyber Security in Aviation
material to be presented by the researcher. Such a presentation would help in bringing forth the
information, thereby assisting in undertaking the comparative analysis. This would ultimately
help in fulfilling the research objectives.
1.6. Research outline (chapterization)
Every research follows certain structure in order to assist in the readability of any task.
This research too follows a structure, to fulfil this very objective. The very first chapter of this
research is introduction. This chapter would bring forth an overview of the topic of this study.
This chapter covers the background of this research, in terms of elaborating the key terms of this
research. Along with this, the problem statement, or the issues, which led to this research, would
also be covered in this very chapter. This would enable the reader in setting the base of this
research, and in being clear on the overall idea of this research. Thus, the two key concepts of
cybersecurity and aviation would be clarified through this chapter, along with getting a brief
overview on the interplay of these two concepts with the three pillars of aviation, i.e. ATC,
airlines and airports. This chapter also labels out clearly the research objectives, hypothesis and
questions, along with the methodology followed to undertake this research. By presenting out
these aspects of the thesis, the researcher enables the readers in clarifying the direction of this
thesis, and on the issues, which this research would help in expounding.
The second chapter of this research is the key discussion point of this research and covers
an extensive review of literature in context of the legal standing of cybersecurity in aviation in
the three regions, i.e. US, India and Europe. This chapter would highlight the different laws,
regulations, bodies and directives, which have been used by these three regions to work towards
strengthening cybersecurity in aviation, particularly to avoid the threats looming on this industry.
The entire focus of this will be on civil aviation. This chapter would also touch upon the reasons
for the variations and divergences in the laws of these three regions, particularly due to the origin
point of these laws being in similar threatening situations, and being a result of the initiative of
global bodies, working towards strengthening the aviation industry from cyber threats. Some of
the key aspects of this chapter include the discussion on ICAO (“International Civil Aviation
Organization”), its SARPs (“Standards and Recommended Practices”), Information Technology
Act 2010, threats in airlines, and threats in ATC, amongst the other things. The detailed nature of
pg. 15
material to be presented by the researcher. Such a presentation would help in bringing forth the
information, thereby assisting in undertaking the comparative analysis. This would ultimately
help in fulfilling the research objectives.
1.6. Research outline (chapterization)
Every research follows certain structure in order to assist in the readability of any task.
This research too follows a structure, to fulfil this very objective. The very first chapter of this
research is introduction. This chapter would bring forth an overview of the topic of this study.
This chapter covers the background of this research, in terms of elaborating the key terms of this
research. Along with this, the problem statement, or the issues, which led to this research, would
also be covered in this very chapter. This would enable the reader in setting the base of this
research, and in being clear on the overall idea of this research. Thus, the two key concepts of
cybersecurity and aviation would be clarified through this chapter, along with getting a brief
overview on the interplay of these two concepts with the three pillars of aviation, i.e. ATC,
airlines and airports. This chapter also labels out clearly the research objectives, hypothesis and
questions, along with the methodology followed to undertake this research. By presenting out
these aspects of the thesis, the researcher enables the readers in clarifying the direction of this
thesis, and on the issues, which this research would help in expounding.
The second chapter of this research is the key discussion point of this research and covers
an extensive review of literature in context of the legal standing of cybersecurity in aviation in
the three regions, i.e. US, India and Europe. This chapter would highlight the different laws,
regulations, bodies and directives, which have been used by these three regions to work towards
strengthening cybersecurity in aviation, particularly to avoid the threats looming on this industry.
The entire focus of this will be on civil aviation. This chapter would also touch upon the reasons
for the variations and divergences in the laws of these three regions, particularly due to the origin
point of these laws being in similar threatening situations, and being a result of the initiative of
global bodies, working towards strengthening the aviation industry from cyber threats. Some of
the key aspects of this chapter include the discussion on ICAO (“International Civil Aviation
Organization”), its SARPs (“Standards and Recommended Practices”), Information Technology
Act 2010, threats in airlines, and threats in ATC, amongst the other things. The detailed nature of
pg. 15
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Cyber Security in Aviation
this analysis would further highlight the constant steps taken in this industry to keep it guarded,
and how these steps still fail, due to the expertise of criminals being strengthened, as a result of
increased digital literacy.
The third chapter of this study is specifically related to highlighting the cybersecurity
threats looming on the ATC and airlines; where the details on cybersecurity in airports and
aerodromes would be covered in fourth chapter. These will show where cybercrimes have even
contributed to devastating incidents. This chapter would also involve case study analysis of
airports, to go into the depths of such incidents; and to understand where and how the different
laws and/or security measures fall short in front of the modern day sophisticated criminals, who
are digitally well versed. The focus would be on not only highlighting where these failures
occurred, but also on highlighting the resultant steps taken by the varied bodies, to avoid any
such repetitions. This chapter would particularly help in understanding the need for the laws to
be constantly evolved and updated, as a result of the present digital literacy. The third and fourth
chapter combined would cover the cybersecurity in aviation, through the focus on the three
pillars of aviation, namely ATC, airlines and airports/aerodromes.
The fifth chapter of this research is quite crucial, as it brings forth this research and helps
in actually undertaking the analysis part. This chapter would evaluate the undertaken literature
review in context of the research hypothesis. This would also cover the answering of the research
questions put in the introduction part of this thesis, as covered under chapter 1, and would also
assist in throwing light at the attainment of research objectives. This chapter is basically the
unison of the issues raised in this research with the material analysed for this research.
The sixth chapter relates to concluding the entire dissertation, thereby highlighting the
key questions and the key analysis undertaken in this research. This would be an overall
summary of the entire work done and would holistically present the theme of this discussion. The
last chapter of this chapter puts forth the suggestions for Indian civil aviation industry and the
future steps which can be taken by the nation, to further improve upon cybersecurity in this
industry. This would also involve the suggestions which can be applied globally to further
improve the threats associated with cyber-attack on the three pillars of ATC, airports and
airlines. This chapter hold particular significance as it would cover the suggestions laid down by
pg. 16
this analysis would further highlight the constant steps taken in this industry to keep it guarded,
and how these steps still fail, due to the expertise of criminals being strengthened, as a result of
increased digital literacy.
The third chapter of this study is specifically related to highlighting the cybersecurity
threats looming on the ATC and airlines; where the details on cybersecurity in airports and
aerodromes would be covered in fourth chapter. These will show where cybercrimes have even
contributed to devastating incidents. This chapter would also involve case study analysis of
airports, to go into the depths of such incidents; and to understand where and how the different
laws and/or security measures fall short in front of the modern day sophisticated criminals, who
are digitally well versed. The focus would be on not only highlighting where these failures
occurred, but also on highlighting the resultant steps taken by the varied bodies, to avoid any
such repetitions. This chapter would particularly help in understanding the need for the laws to
be constantly evolved and updated, as a result of the present digital literacy. The third and fourth
chapter combined would cover the cybersecurity in aviation, through the focus on the three
pillars of aviation, namely ATC, airlines and airports/aerodromes.
The fifth chapter of this research is quite crucial, as it brings forth this research and helps
in actually undertaking the analysis part. This chapter would evaluate the undertaken literature
review in context of the research hypothesis. This would also cover the answering of the research
questions put in the introduction part of this thesis, as covered under chapter 1, and would also
assist in throwing light at the attainment of research objectives. This chapter is basically the
unison of the issues raised in this research with the material analysed for this research.
The sixth chapter relates to concluding the entire dissertation, thereby highlighting the
key questions and the key analysis undertaken in this research. This would be an overall
summary of the entire work done and would holistically present the theme of this discussion. The
last chapter of this chapter puts forth the suggestions for Indian civil aviation industry and the
future steps which can be taken by the nation, to further improve upon cybersecurity in this
industry. This would also involve the suggestions which can be applied globally to further
improve the threats associated with cyber-attack on the three pillars of ATC, airports and
airlines. This chapter hold particular significance as it would cover the suggestions laid down by
pg. 16
Cyber Security in Aviation
independent observers, which allows a new perspective being brought forth, as against following
the suggestions of set bodies and key personnel in civil aviation. This approach is particularly
important as the criminals behind the cyber-attacks do adopt new approaches, which are often
missed by the law setting bodies. These new perspectives are also significant as they highlight
the loopholes or the ways of present measures being manipulated, thereby enabling such attacks
on aviation industry.
pg. 17
independent observers, which allows a new perspective being brought forth, as against following
the suggestions of set bodies and key personnel in civil aviation. This approach is particularly
important as the criminals behind the cyber-attacks do adopt new approaches, which are often
missed by the law setting bodies. These new perspectives are also significant as they highlight
the loopholes or the ways of present measures being manipulated, thereby enabling such attacks
on aviation industry.
pg. 17
Cyber Security in Aviation
Chapter 2: Legal standpoint and bodies
2.1. International regulator: ICAO
ICAO, or the “International Civil Aviation Organization”, is the United Nations’
specialized agency, through which the techniques and principles of air navigation, across the
globe, are codified. ICAO is responsible for fostering the planning and the development aspects
of the global air transport, in order to make certain that the same is safe and has an orderly
growth. The ICAO was created on 04th April 1947 and it was the result of Convention on
International Civil Aviation coming into force30. The “Convention on International Civil
Aviation” was adopted; further, it was signed on 07th December 1944 at Chicago, Illinois31.
Because of the considerations, the conference adopted a middle ground whereby a new
international body called the “International Civil Aviation Organization” (ICAO) was to be set
up. ICAO was given the key duties of technical standard setting, accompanied by the overall
generic supervisory functions32. Economic regulations were left to bilateral regulation
(agreements) between the state, except regulation of rates, tariffs, and fares. These aspects were
left out for multilateral self-regulation as per industry conferences; however, these were still
subjected to the approval of government. The main strategic objectives of ICAO included
security and facilitation, environmental protection, safety (the paramount objective), air
navigation capacity as well as efficiency, in addition to the fiscal development of air transport33.
This compromise had been embodied in various facets. The first was seen in the
“Convention of International Civil Aviation”, which was the main instrument adopted by the
Conference and which sets forth the constitution of ICAO. The next one was covered under the
International Air Transit Service Agreement, which provide for mutual exchange of transit
rights. The third one was covered under the Five Freedoms Agreement, which provides for the
30 ICAO Doc. 7300/8
31 Proceedings of the International Civil Aviation Conference, Chicago, Illinois, 1 November-7 Dec1944
32 L. Weber, ‘Chicago Convention’, in R Bernhardt (ed.), Encyclopedia of Public International Law, Vol. I, (1992)
p.571.
33 ICAO, Annual Report of the ICAO Council: 2014 (2014)
<https://www.icao.int/annual-report-2014/Pages/default.aspx>
pg. 18
Chapter 2: Legal standpoint and bodies
2.1. International regulator: ICAO
ICAO, or the “International Civil Aviation Organization”, is the United Nations’
specialized agency, through which the techniques and principles of air navigation, across the
globe, are codified. ICAO is responsible for fostering the planning and the development aspects
of the global air transport, in order to make certain that the same is safe and has an orderly
growth. The ICAO was created on 04th April 1947 and it was the result of Convention on
International Civil Aviation coming into force30. The “Convention on International Civil
Aviation” was adopted; further, it was signed on 07th December 1944 at Chicago, Illinois31.
Because of the considerations, the conference adopted a middle ground whereby a new
international body called the “International Civil Aviation Organization” (ICAO) was to be set
up. ICAO was given the key duties of technical standard setting, accompanied by the overall
generic supervisory functions32. Economic regulations were left to bilateral regulation
(agreements) between the state, except regulation of rates, tariffs, and fares. These aspects were
left out for multilateral self-regulation as per industry conferences; however, these were still
subjected to the approval of government. The main strategic objectives of ICAO included
security and facilitation, environmental protection, safety (the paramount objective), air
navigation capacity as well as efficiency, in addition to the fiscal development of air transport33.
This compromise had been embodied in various facets. The first was seen in the
“Convention of International Civil Aviation”, which was the main instrument adopted by the
Conference and which sets forth the constitution of ICAO. The next one was covered under the
International Air Transit Service Agreement, which provide for mutual exchange of transit
rights. The third one was covered under the Five Freedoms Agreement, which provides for the
30 ICAO Doc. 7300/8
31 Proceedings of the International Civil Aviation Conference, Chicago, Illinois, 1 November-7 Dec1944
32 L. Weber, ‘Chicago Convention’, in R Bernhardt (ed.), Encyclopedia of Public International Law, Vol. I, (1992)
p.571.
33 ICAO, Annual Report of the ICAO Council: 2014 (2014)
<https://www.icao.int/annual-report-2014/Pages/default.aspx>
pg. 18
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Cyber Security in Aviation
mutual give-and-take of the traffic rights, but which has remained a dead letter. Lastly, the fourth
and final one was undertaken through the Interim agreement on “International Civil Aviation”,
which allowed the “Provisional International Civil Aviation Organization” (PICAO) to be set up;
however, this was still pending entry into the main Convention coming in force.
ICAO has developed 19 Annexes to the Convention, which are based solely on the
Convention on Civil Aviation Organization, particularly its Article 54(1). This has resulted in the
establishment and set of both “Procedures for Air Navigation Services” (PANS)34 and the
“Standards and Recommended Practices” (SARPs)35. ICAO updates the technical Annexes as
and when required, in accordance with the Article 54(m) and Chapter XX of the Convention.
Annex 13 is focused upon and caters to the Aircraft Accident Investigation, Annex 17 deals with
the Security, and Annex 19 deals with the Safety Management System.
The Safety Audits are an essential aspect of a protection program. Such audits extend to
uncovering the hazards; revealing level of obedience, in context of the regulatory standards;
measuring the efficiency of security programs; and evaluating the controlling concerns, which
could have an outcome in terms of hazards. The numerous Global safety audit/ valuation
programmes include:
ICAO Universal Safety Oversight Audit Programme (USOAP)
International Aviation Safety Assessment (IASA)
IATA’s Operational safety Audit (IOSA)
ECAC Safety Assessment of Foreign Aircraft (SAFA)
ICAO has the responsibility of regulating the Aviation security worldwide through the
Annex 17 and its various resolutions. Some of the provisions of “Chicago Convention”, various
bilateral agreements, and the multilateral “International Air Services Transit Agreement of 1944”
acted out, in global air transport, as the base for interchanging of the commercial rights. The
1929’s Warsaw Convention, as had been modified through 1955’s Hague Protocol followed this.
These conventions and protocols are universally recognized. Further, these are responsible for
governing the obligation of air carriers regarding worldwide carriage of baggage, cargo, and
34 Procedures for Air Navigation Services-Air Traffic Management (PANS-ATM), Doc.4444.
35 ICAO’s Assembly Resolution A35-14
pg. 19
mutual give-and-take of the traffic rights, but which has remained a dead letter. Lastly, the fourth
and final one was undertaken through the Interim agreement on “International Civil Aviation”,
which allowed the “Provisional International Civil Aviation Organization” (PICAO) to be set up;
however, this was still pending entry into the main Convention coming in force.
ICAO has developed 19 Annexes to the Convention, which are based solely on the
Convention on Civil Aviation Organization, particularly its Article 54(1). This has resulted in the
establishment and set of both “Procedures for Air Navigation Services” (PANS)34 and the
“Standards and Recommended Practices” (SARPs)35. ICAO updates the technical Annexes as
and when required, in accordance with the Article 54(m) and Chapter XX of the Convention.
Annex 13 is focused upon and caters to the Aircraft Accident Investigation, Annex 17 deals with
the Security, and Annex 19 deals with the Safety Management System.
The Safety Audits are an essential aspect of a protection program. Such audits extend to
uncovering the hazards; revealing level of obedience, in context of the regulatory standards;
measuring the efficiency of security programs; and evaluating the controlling concerns, which
could have an outcome in terms of hazards. The numerous Global safety audit/ valuation
programmes include:
ICAO Universal Safety Oversight Audit Programme (USOAP)
International Aviation Safety Assessment (IASA)
IATA’s Operational safety Audit (IOSA)
ECAC Safety Assessment of Foreign Aircraft (SAFA)
ICAO has the responsibility of regulating the Aviation security worldwide through the
Annex 17 and its various resolutions. Some of the provisions of “Chicago Convention”, various
bilateral agreements, and the multilateral “International Air Services Transit Agreement of 1944”
acted out, in global air transport, as the base for interchanging of the commercial rights. The
1929’s Warsaw Convention, as had been modified through 1955’s Hague Protocol followed this.
These conventions and protocols are universally recognized. Further, these are responsible for
governing the obligation of air carriers regarding worldwide carriage of baggage, cargo, and
34 Procedures for Air Navigation Services-Air Traffic Management (PANS-ATM), Doc.4444.
35 ICAO’s Assembly Resolution A35-14
pg. 19
Cyber Security in Aviation
passengers, by air. India has implemented these, as it is a party to the amended convention,
through the carriage by the act as amended in 2016. The security feature of air law is primarily
concerned with the following:
The Tokyo Convention of 1963’s Offences and some other acts taken place on board
aircraft;
The Hague Convention of 1970’s subdual of illegal seizure of aircraft; and
The Montréal Convention of 1971’s subdual of illegal acts against the safety of civil
aviation.
Since the Resolution (A38-15) was adopted in the 38th Session of the Assembly, work
has progressed, as this requested council for directing ICAO’s Secretary General for continuing
the address towards cyber threats to the aviation security. The last days of February 2014 saw the
council adopting 14th amendment to Annex 17. These had been based on the recommendations
given by the AVSECP, i.e. the Aviation Security Panel. Under these were covered two of the
recommended practices pertaining to the cyber threats measures. Annex 17’s sub section 4.9.136
and 4.9.237 cover these very recommendations for contracting states.
36 Section 4.9.1 of ICAO Annex 17 to the Convention on International Civil Aviation under title “Measures relating
to cyber threats” pg. 4-5
37 Section 4.9.2 of ICAO Annex 17 to the Convention on International Civil Aviation under title “Measures relating
to cyber threats” pg. 4-5
pg. 20
passengers, by air. India has implemented these, as it is a party to the amended convention,
through the carriage by the act as amended in 2016. The security feature of air law is primarily
concerned with the following:
The Tokyo Convention of 1963’s Offences and some other acts taken place on board
aircraft;
The Hague Convention of 1970’s subdual of illegal seizure of aircraft; and
The Montréal Convention of 1971’s subdual of illegal acts against the safety of civil
aviation.
Since the Resolution (A38-15) was adopted in the 38th Session of the Assembly, work
has progressed, as this requested council for directing ICAO’s Secretary General for continuing
the address towards cyber threats to the aviation security. The last days of February 2014 saw the
council adopting 14th amendment to Annex 17. These had been based on the recommendations
given by the AVSECP, i.e. the Aviation Security Panel. Under these were covered two of the
recommended practices pertaining to the cyber threats measures. Annex 17’s sub section 4.9.136
and 4.9.237 cover these very recommendations for contracting states.
36 Section 4.9.1 of ICAO Annex 17 to the Convention on International Civil Aviation under title “Measures relating
to cyber threats” pg. 4-5
37 Section 4.9.2 of ICAO Annex 17 to the Convention on International Civil Aviation under title “Measures relating
to cyber threats” pg. 4-5
pg. 20
Cyber Security in Aviation
The collective awareness regarding cyber threats was promoted in July 2015 through the
Singapore held Civil Aviation Cybersecurity Conference; focusing specifically on security
equipment providers, airport operators, aircraft engine manufacturers, international
organizations, security service providers, regulators, airlines, ground handlers, and varied
aviation security stakeholders. The risks to aviation, specifically from the measured acts of
illegal interferences, routed by cyber-attacks were considered back in March 2016 through
AVSECP38.
Till now, the cyber-attacks taking place in this sector have caused limited impact, being
low-levelled; yet the result of such successful attacks on the operations of civil aviation has the
possibilities of resulting in something catastrophic. This is further complicated due to the air
navigation service providers, airlines, airports and other stakeholders (including the cargo agents,
fuel companies, security service providers, and ground handling companies) becoming reliant on
the advanced and modern day computer and IT systems for undertaking their basic operations39.
Aviation system faces such threats from varied sources. The terrorist groups deem Cyber
as a mode of attack; the hacker groups and hackers are scattered and yet have shown the capacity
to deface website and to deny access, on different organizations. Such demonstrations have also
been undertaken by the organized crime groups, which are focused on other industries/ sectors at
present. There is also the case of skilled insiders posing major threat owing to specified
knowledge and them holding valid access to such systems and networks40.
The various laws, Conventions and protocols in this respect are enunciated by
“International Civil Aviation Organization” (ICAO).
ICAO’s Security Manual of 1970s- assist its Member States to take measures for the
prevention of unlawful interference, minimize its effects,
SARPs Annex 17 to the Chicago Convention.
38 International Civil Aviation Organization, Agenda Item 36: Aviation safety and air navigation implementation
support (26 August 2016) <https://www.icao.int/Meetings/a39/Documents/WP/wp_236_rev1_en.pdf >
39 Ibid
40 Ibid
pg. 21
The collective awareness regarding cyber threats was promoted in July 2015 through the
Singapore held Civil Aviation Cybersecurity Conference; focusing specifically on security
equipment providers, airport operators, aircraft engine manufacturers, international
organizations, security service providers, regulators, airlines, ground handlers, and varied
aviation security stakeholders. The risks to aviation, specifically from the measured acts of
illegal interferences, routed by cyber-attacks were considered back in March 2016 through
AVSECP38.
Till now, the cyber-attacks taking place in this sector have caused limited impact, being
low-levelled; yet the result of such successful attacks on the operations of civil aviation has the
possibilities of resulting in something catastrophic. This is further complicated due to the air
navigation service providers, airlines, airports and other stakeholders (including the cargo agents,
fuel companies, security service providers, and ground handling companies) becoming reliant on
the advanced and modern day computer and IT systems for undertaking their basic operations39.
Aviation system faces such threats from varied sources. The terrorist groups deem Cyber
as a mode of attack; the hacker groups and hackers are scattered and yet have shown the capacity
to deface website and to deny access, on different organizations. Such demonstrations have also
been undertaken by the organized crime groups, which are focused on other industries/ sectors at
present. There is also the case of skilled insiders posing major threat owing to specified
knowledge and them holding valid access to such systems and networks40.
The various laws, Conventions and protocols in this respect are enunciated by
“International Civil Aviation Organization” (ICAO).
ICAO’s Security Manual of 1970s- assist its Member States to take measures for the
prevention of unlawful interference, minimize its effects,
SARPs Annex 17 to the Chicago Convention.
38 International Civil Aviation Organization, Agenda Item 36: Aviation safety and air navigation implementation
support (26 August 2016) <https://www.icao.int/Meetings/a39/Documents/WP/wp_236_rev1_en.pdf >
39 Ibid
40 Ibid
pg. 21
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Cyber Security in Aviation
ICAO’s USAP- Universal Security Audit Programme41 for the audit of various security
related issues like access control and other safety gaps in such IT based systems.
This was considered as the initial step towards the identification of the possible
cybersecurity risks. In the last few years, there has been effective strengthening of the
present SARPs (“Standards and Recommended Practices”) of ICAO. Further, there has
been also the growth of new recommended practices with regards to the Air Traffic
Network Security also.42
“Internet Corporation for Assigned Names and Numbers (ICANN)”.
United Nations Resolution on Combating the Criminal Misuse of Information
Technologies
Internet Engineering Task Force (IETF).
“United Nations Manual on the Prevention and Control of Computer Related Crime”.
On the request made by the European Civil Aviation Conference, back in the year of
2009, the Aviation Security Panel in addition to the “Working Group on New and
Emerging Threats” took a look into the problems that were presented by the by cyber
security. As a result of this, there were many recommendations43 brought forth, which
included and covered (though were, in no way, limited to) the assessment of cyber-risks
as well as formation of ‘unpredictability’ in the SARPs. These proposals made by the
Committee on Unlawful Interference44, led to the 12th Amendment, and due to the
recommendations given by “Aviation Security Panel, the 14th Amendment, to Annex 17”
came to being applicable during the period of July 2011 and November 2014,
41 ICAO Assembly Resolution A33-1, October 2001, adopted as a part of the Aviation Security Plan of Action,
http://www.icao.int/Meetings/FAL12/Documents/Biernacki.pdf
42 Amendments made in respect of Annexes 6 and 11 of the Chicago Convention as regards to use of standardized
equipment, message handling etc,.
43 Report of the Aviation Security (AVSEC) Panel, Twentieth Meeting, AVSECP/20 at 2.1, April 2009.
44 ICAO Assembly Resolution A36-20, 17th November 2010.
pg. 22
ICAO’s USAP- Universal Security Audit Programme41 for the audit of various security
related issues like access control and other safety gaps in such IT based systems.
This was considered as the initial step towards the identification of the possible
cybersecurity risks. In the last few years, there has been effective strengthening of the
present SARPs (“Standards and Recommended Practices”) of ICAO. Further, there has
been also the growth of new recommended practices with regards to the Air Traffic
Network Security also.42
“Internet Corporation for Assigned Names and Numbers (ICANN)”.
United Nations Resolution on Combating the Criminal Misuse of Information
Technologies
Internet Engineering Task Force (IETF).
“United Nations Manual on the Prevention and Control of Computer Related Crime”.
On the request made by the European Civil Aviation Conference, back in the year of
2009, the Aviation Security Panel in addition to the “Working Group on New and
Emerging Threats” took a look into the problems that were presented by the by cyber
security. As a result of this, there were many recommendations43 brought forth, which
included and covered (though were, in no way, limited to) the assessment of cyber-risks
as well as formation of ‘unpredictability’ in the SARPs. These proposals made by the
Committee on Unlawful Interference44, led to the 12th Amendment, and due to the
recommendations given by “Aviation Security Panel, the 14th Amendment, to Annex 17”
came to being applicable during the period of July 2011 and November 2014,
41 ICAO Assembly Resolution A33-1, October 2001, adopted as a part of the Aviation Security Plan of Action,
http://www.icao.int/Meetings/FAL12/Documents/Biernacki.pdf
42 Amendments made in respect of Annexes 6 and 11 of the Chicago Convention as regards to use of standardized
equipment, message handling etc,.
43 Report of the Aviation Security (AVSEC) Panel, Twentieth Meeting, AVSECP/20 at 2.1, April 2009.
44 ICAO Assembly Resolution A36-20, 17th November 2010.
pg. 22
Cyber Security in Aviation
respectively. At present, Annex 17 covered under Chapter 4 deals with the cyber threats
which inter-alia states that:
“….Each Contracting State must develop measures in order to protect information and
communication technology systems used for civil aviation purposes from interference that may
jeopardize the safety of civil aviation.”
Where there is a non-adherence to the safety or security standards, high changes are that
there would be serious incidents, accidents, and could even result in subsequent black listing,
along with the flights of specified airlines being banned. The black listing process is deemed as
not deemed as arbitrary, irrelevant, or unwarranted when it is based on performance record,
owing to the lives which are at stake. However, such black listings can result in serious damage
being caused to the airline’s reputation and could even deem as a harsh measure, with disastrous
effects. As a result of an airline being blacklisted, it loses the benefits and privileges of forming
legal relationships with government, which could help the airlines in gaining profits and other
incentives.
FAA, US had lowered the rating of India from category 1 to category 2 after assessing
India’s compliance with ICAO standards under its IASA programme in 2014. Because of
the download, new flights could not be added by the Indian airlines to American carriers.
Further, the US based carriers were also restricted as they could not code share with the
Indian based carriers. This particularly proved as a blockage in Jet Airways and Air
India’s expansion plans.
The European Union blacklisted PIA, i.e., Pakistan international Airlines save for the A
310, 747s, and 777s, despite the specified airlines having successfully completed the
intensive safety audit required, as is required in case of airlines seeking the membership
of IATA. Pakistan has been ranked in category – I by the FAA, which denotes that the
nation adapts the utmost safety standards.
FAA has ranked Ukraine in category 2 or below par. Apart from this, the European
Union had banned two of its airlines i.e. Ukrainian Mediterranean and Volare.
The famous rash of accidents, which took place in Indonesia, attracted instantaneous
sanctions from the European Union, resulting in all of the airlines of Indonesia, being
banned. The FAA placed this particular airline under Category 2. However, despite the
pg. 23
respectively. At present, Annex 17 covered under Chapter 4 deals with the cyber threats
which inter-alia states that:
“….Each Contracting State must develop measures in order to protect information and
communication technology systems used for civil aviation purposes from interference that may
jeopardize the safety of civil aviation.”
Where there is a non-adherence to the safety or security standards, high changes are that
there would be serious incidents, accidents, and could even result in subsequent black listing,
along with the flights of specified airlines being banned. The black listing process is deemed as
not deemed as arbitrary, irrelevant, or unwarranted when it is based on performance record,
owing to the lives which are at stake. However, such black listings can result in serious damage
being caused to the airline’s reputation and could even deem as a harsh measure, with disastrous
effects. As a result of an airline being blacklisted, it loses the benefits and privileges of forming
legal relationships with government, which could help the airlines in gaining profits and other
incentives.
FAA, US had lowered the rating of India from category 1 to category 2 after assessing
India’s compliance with ICAO standards under its IASA programme in 2014. Because of
the download, new flights could not be added by the Indian airlines to American carriers.
Further, the US based carriers were also restricted as they could not code share with the
Indian based carriers. This particularly proved as a blockage in Jet Airways and Air
India’s expansion plans.
The European Union blacklisted PIA, i.e., Pakistan international Airlines save for the A
310, 747s, and 777s, despite the specified airlines having successfully completed the
intensive safety audit required, as is required in case of airlines seeking the membership
of IATA. Pakistan has been ranked in category – I by the FAA, which denotes that the
nation adapts the utmost safety standards.
FAA has ranked Ukraine in category 2 or below par. Apart from this, the European
Union had banned two of its airlines i.e. Ukrainian Mediterranean and Volare.
The famous rash of accidents, which took place in Indonesia, attracted instantaneous
sanctions from the European Union, resulting in all of the airlines of Indonesia, being
banned. The FAA placed this particular airline under Category 2. However, despite the
pg. 23
Cyber Security in Aviation
series of crashes taking place in Russia and Brazil, the FAA placed both these nations
under category I.
In 2005, the string of safety lapses resulted in Phuket Airlines of THAI being banned by
France and U.K.
The European Union, because of the 2006 crash, threatened PULKOVO, a high profile
Russian Airlines, with a ban.
Criminals still find civil aviation an attractive target, which makes the duty of protecting
civil aviation, against such acts of illegal interferences a need of the hour. There is a desperate
need of coping with the modern day sophisticated threats, as majority of them are predominantly
technological in nature. Because of their interoperable nature, the creation of complex system, in
this globalized super national world, begs the need for a methodological approach towards
governance of security. Only such measures can allow for the regular monitoring of varied
resources, constant measuring of possible susceptibility and threat levels, and process integration
between physical, IT and logical security, where the goal is to respond to such varied unlawful
interference related acts. In order to do so, there is a need for constant and uninterrupted linkage
between all of the actors present in this system. Both SARPs and ICAOs at international level,
and the national legal frameworks, act as a solid reference term. However, just an on paper
adherence to these rules is not enough, despite the same being a necessity for due diligence
purposes. There is a need to thus, focus on actual adherence of these norms, in order to protect
the human lives on the ground and in the air, along with making certain that the transportation by
air is regular, resilient, continuous, and secure for the general public service.
2.2. Law and bodies in India: IT Act and applicability in Aviation
2.2.1. BCAS
The history of security of aviation in India dates back to the initial period of 1970s, and
more specifically to the year of 1971. This year saw an Indian Airlines aircraft being involved in
a hijacking incident. After this incident, another incident rocked the nation’s airlines, with
another hijacking incident taking place in 1976. This resulted in Pande Committee being formed.
The purpose of this body was to looking into the reasons leading to such hijacking; and to avoid
any repeat of such instances from taking place. Due to the recommendations that had been given
pg. 24
series of crashes taking place in Russia and Brazil, the FAA placed both these nations
under category I.
In 2005, the string of safety lapses resulted in Phuket Airlines of THAI being banned by
France and U.K.
The European Union, because of the 2006 crash, threatened PULKOVO, a high profile
Russian Airlines, with a ban.
Criminals still find civil aviation an attractive target, which makes the duty of protecting
civil aviation, against such acts of illegal interferences a need of the hour. There is a desperate
need of coping with the modern day sophisticated threats, as majority of them are predominantly
technological in nature. Because of their interoperable nature, the creation of complex system, in
this globalized super national world, begs the need for a methodological approach towards
governance of security. Only such measures can allow for the regular monitoring of varied
resources, constant measuring of possible susceptibility and threat levels, and process integration
between physical, IT and logical security, where the goal is to respond to such varied unlawful
interference related acts. In order to do so, there is a need for constant and uninterrupted linkage
between all of the actors present in this system. Both SARPs and ICAOs at international level,
and the national legal frameworks, act as a solid reference term. However, just an on paper
adherence to these rules is not enough, despite the same being a necessity for due diligence
purposes. There is a need to thus, focus on actual adherence of these norms, in order to protect
the human lives on the ground and in the air, along with making certain that the transportation by
air is regular, resilient, continuous, and secure for the general public service.
2.2. Law and bodies in India: IT Act and applicability in Aviation
2.2.1. BCAS
The history of security of aviation in India dates back to the initial period of 1970s, and
more specifically to the year of 1971. This year saw an Indian Airlines aircraft being involved in
a hijacking incident. After this incident, another incident rocked the nation’s airlines, with
another hijacking incident taking place in 1976. This resulted in Pande Committee being formed.
The purpose of this body was to looking into the reasons leading to such hijacking; and to avoid
any repeat of such instances from taking place. Due to the recommendations that had been given
pg. 24
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Cyber Security in Aviation
by Pande committee, BCAS was formed. BCAS, or the Bureau of Civil Aviation Security is a
specialized security agency, created back in Jan 1978 as being the cell of Directorate General of
Civil Aviation. The training, inspecting, coordinating and monitoring areas of civil aviation
security were developed by BCAS in India. These complied with the Annexure 17 of SARPs.
The government was forced to consider an independent body to look into the aviation
security affairs for the nation, because of the Kanishka tragedy of Air India. This led to BCAS
being translated into an independent body from the first day of April of 1987. This body is
primarily responsible for looking into the measures of safety for both domestic and international
aircrafts (civil) and airports of the nation. CoSCA or the Commissioner of Security (Civil
Aviation) is the head of BCAS. This Indian body is also liable for implementing Annex 17 of the
Chicago Convention, as has been put forth by the ICAO, which ultimately becomes the
responsibility of CoSCA. The other duties of CoSCA include overlooking into the formatting
and the enlargement of nationwide aviation safety related programmes. BCAS covers four key
regional areas, and these are located at Kolkatta, Chennai, Mumbai and Delhi international
airports. In order to align with the duties of BCAS, the employees of airlines are trained in varied
ways, including:
Basic AVSEC Course,
AVSEC Air Cargo Course,
Crisis Management Course,
AVSEC Instructor’s Course,
X-Ray BIS Screener’s Certification,
Auditor’s Course,
AVSEC Management Course,
Profile Screening, Sky Marshall Awareness and
AVSEC Supervisor’s Course.
To further the responsibilities related to aviation security, BCAS has created control
rooms at all the airports. When an emergency type situation crops up, these control rooms come
into play. This assists in thwarting the unauthorized interferences in civil aviation of the nation.
Examples of emergency type situations include explosion threats on aircrafts or unlawful take-
pg. 25
by Pande committee, BCAS was formed. BCAS, or the Bureau of Civil Aviation Security is a
specialized security agency, created back in Jan 1978 as being the cell of Directorate General of
Civil Aviation. The training, inspecting, coordinating and monitoring areas of civil aviation
security were developed by BCAS in India. These complied with the Annexure 17 of SARPs.
The government was forced to consider an independent body to look into the aviation
security affairs for the nation, because of the Kanishka tragedy of Air India. This led to BCAS
being translated into an independent body from the first day of April of 1987. This body is
primarily responsible for looking into the measures of safety for both domestic and international
aircrafts (civil) and airports of the nation. CoSCA or the Commissioner of Security (Civil
Aviation) is the head of BCAS. This Indian body is also liable for implementing Annex 17 of the
Chicago Convention, as has been put forth by the ICAO, which ultimately becomes the
responsibility of CoSCA. The other duties of CoSCA include overlooking into the formatting
and the enlargement of nationwide aviation safety related programmes. BCAS covers four key
regional areas, and these are located at Kolkatta, Chennai, Mumbai and Delhi international
airports. In order to align with the duties of BCAS, the employees of airlines are trained in varied
ways, including:
Basic AVSEC Course,
AVSEC Air Cargo Course,
Crisis Management Course,
AVSEC Instructor’s Course,
X-Ray BIS Screener’s Certification,
Auditor’s Course,
AVSEC Management Course,
Profile Screening, Sky Marshall Awareness and
AVSEC Supervisor’s Course.
To further the responsibilities related to aviation security, BCAS has created control
rooms at all the airports. When an emergency type situation crops up, these control rooms come
into play. This assists in thwarting the unauthorized interferences in civil aviation of the nation.
Examples of emergency type situations include explosion threats on aircrafts or unlawful take-
pg. 25
Cyber Security in Aviation
over of aircrafts, resulting in access to such aircrafts being seized. In such cases, the Central
Committee helps CoSCA. In August 1988, BCAS brought forth computerized system, which
were implemented across the body; and this period saw the introduction of PIC (Photo Identity
Card) System. These were not only brought for international, but for the domestic airports as
well. Practically, there has been cent per cent adoption of these systems in India. The civil
aviation security related programmes of India are also subjected to the USAP covered ICAO
audits.
2.2.2. Legislative history
As covered in the introduction part of this research, the Indian civil aviation, in terms of
its cybersecurity, are regulated through the IT Act of India. Section 2(1) (nb) defines
cybersecurity45. The other legislative instruments working in this context in the nation include
CERT-In Guidelines covered under the IT Act. Before going into the varied laws surrounding
cybersecurity of aviation in India, it is crucial to note the historical background of this.
Initially, there was very limited security in Indian cyber space. The key reason for this
was the lack of awareness and absence of technology required for evolving the proper cyber
security structures. The lack of adequate technology was contributed to the IT controlling
regimes, including the likes of Wassenaar Arrangement46. There was also the fact that the cyber
security policies of the nation were aligned with the sovereign considerations, especially the ones
related to internal security and state sponsored terrorism. Because of the policy objectives being
associated with security and sovereignty issues, the approach towards cybersecurity has been
mostly towards state centred perspectives, instead of being focused towards a nation centred
perspective, which is in interest of broader multi stakeholders, from both economic and social
cyber security aspects.
With the rapid growth of information tech and internet in the nation-taking place in just
the most recent decades, the cybersecurity in aviation was not as refined. This is despite the
45 Information Technology Act 2000, s2(1) (nb)
46 Saikat Datta, INTERNET DEMOCRACY PROJECT, Cyber security, Internet Governance and India's Foreign
Policy: Historical Antecedents (January 2016) < https://internetdemocracy.in/reports /cybersecurity-ig-ifp-saikat-
datta/>
pg. 26
over of aircrafts, resulting in access to such aircrafts being seized. In such cases, the Central
Committee helps CoSCA. In August 1988, BCAS brought forth computerized system, which
were implemented across the body; and this period saw the introduction of PIC (Photo Identity
Card) System. These were not only brought for international, but for the domestic airports as
well. Practically, there has been cent per cent adoption of these systems in India. The civil
aviation security related programmes of India are also subjected to the USAP covered ICAO
audits.
2.2.2. Legislative history
As covered in the introduction part of this research, the Indian civil aviation, in terms of
its cybersecurity, are regulated through the IT Act of India. Section 2(1) (nb) defines
cybersecurity45. The other legislative instruments working in this context in the nation include
CERT-In Guidelines covered under the IT Act. Before going into the varied laws surrounding
cybersecurity of aviation in India, it is crucial to note the historical background of this.
Initially, there was very limited security in Indian cyber space. The key reason for this
was the lack of awareness and absence of technology required for evolving the proper cyber
security structures. The lack of adequate technology was contributed to the IT controlling
regimes, including the likes of Wassenaar Arrangement46. There was also the fact that the cyber
security policies of the nation were aligned with the sovereign considerations, especially the ones
related to internal security and state sponsored terrorism. Because of the policy objectives being
associated with security and sovereignty issues, the approach towards cybersecurity has been
mostly towards state centred perspectives, instead of being focused towards a nation centred
perspective, which is in interest of broader multi stakeholders, from both economic and social
cyber security aspects.
With the rapid growth of information tech and internet in the nation-taking place in just
the most recent decades, the cybersecurity in aviation was not as refined. This is despite the
45 Information Technology Act 2000, s2(1) (nb)
46 Saikat Datta, INTERNET DEMOCRACY PROJECT, Cyber security, Internet Governance and India's Foreign
Policy: Historical Antecedents (January 2016) < https://internetdemocracy.in/reports /cybersecurity-ig-ifp-saikat-
datta/>
pg. 26
Cyber Security in Aviation
seeds of such proliferation being sown during the early 1990s liberalization of Indian economy.
As there was lack of rampant internet and computer use, till the later parts of 1990s, there was no
pressure for the regulatory bodies to think about creation of legislations for regulating the cyber
space. Thus, the overall regulations in cyber space were also delayed. Only in the next decade,
the nation law the overreaching law for regulation of IT in the nation, through the Information
Technology Act, 2000. Even with the formation of this legislation, the real issues of cyber
security were not properly addressed. There was only the introduction and penalization of
hacking incidents.
With the creation of “CERT-in (the Indian Computer Emergency Response Team) in
2004”, the effective measures towards Indian cyber security were taken up properly. There are
annual reports by CERT-in that put forth the data on yearly basis on cyber-attacks. These figures
particularly highlight the rampant growth in the last decade, of such cyber threats ad cyber-
attacks. The context behind the increasing numbers and the need for cybersecurity policy making
has been highlighted through the statistics put in by the government. The data maintained by
NCRB (National Crime Records Bureau) presented for 2015 shows that there were 11,592 cases
registered in 2015 as cybercrimes in the nation47. To focus more on the incidents reported under
IT Act, the rising figures from 2007 to 2011 are of help. These were put at 217 for 2007, 288 for
2008, 420 for 2009, 966 for 2010 and 1,791 for 201148. To make the matters worse, there was a
spike in the incidents that were reported under CERT-In, from a figure of 22,060 in 2010 to a
shoot of 96,383 in 2013. There was an inclusion of incidents of scanning, malicious coding, web
intrusion, spamming, and phishing, amongst the others. The 2016 Annual Report of CERT-In put
the figures of security breach incidents at 8,311 (by January 2015), which was a growth of 5,967
reports in comparison to the last year. The figures clearly resonate the rising problem of
cybercrimes in India.
With the rise the incidents of cyber terrorism at domestic and international levels, during
the ending period of last decade, there was a rise in the need for creating the cybersecurity
47 Shaswati Das, 11,592 cases of cyber crime registered in India in 2015: NCRB (06 April 2017)
<https://www.livemint.com/Politics/ayV9OMPCiNs60cRD0Jv75I/11592-cases-of-cyber-crime-registered-in-India-
in-2015-NCR.html>
48 Ajay Thakur, All You Need To Know About Cyber Laws In India (03 March 2017)
<https://blog.ipleaders.in/need-know-cyber-laws-india/>
pg. 27
seeds of such proliferation being sown during the early 1990s liberalization of Indian economy.
As there was lack of rampant internet and computer use, till the later parts of 1990s, there was no
pressure for the regulatory bodies to think about creation of legislations for regulating the cyber
space. Thus, the overall regulations in cyber space were also delayed. Only in the next decade,
the nation law the overreaching law for regulation of IT in the nation, through the Information
Technology Act, 2000. Even with the formation of this legislation, the real issues of cyber
security were not properly addressed. There was only the introduction and penalization of
hacking incidents.
With the creation of “CERT-in (the Indian Computer Emergency Response Team) in
2004”, the effective measures towards Indian cyber security were taken up properly. There are
annual reports by CERT-in that put forth the data on yearly basis on cyber-attacks. These figures
particularly highlight the rampant growth in the last decade, of such cyber threats ad cyber-
attacks. The context behind the increasing numbers and the need for cybersecurity policy making
has been highlighted through the statistics put in by the government. The data maintained by
NCRB (National Crime Records Bureau) presented for 2015 shows that there were 11,592 cases
registered in 2015 as cybercrimes in the nation47. To focus more on the incidents reported under
IT Act, the rising figures from 2007 to 2011 are of help. These were put at 217 for 2007, 288 for
2008, 420 for 2009, 966 for 2010 and 1,791 for 201148. To make the matters worse, there was a
spike in the incidents that were reported under CERT-In, from a figure of 22,060 in 2010 to a
shoot of 96,383 in 2013. There was an inclusion of incidents of scanning, malicious coding, web
intrusion, spamming, and phishing, amongst the others. The 2016 Annual Report of CERT-In put
the figures of security breach incidents at 8,311 (by January 2015), which was a growth of 5,967
reports in comparison to the last year. The figures clearly resonate the rising problem of
cybercrimes in India.
With the rise the incidents of cyber terrorism at domestic and international levels, during
the ending period of last decade, there was a rise in the need for creating the cybersecurity
47 Shaswati Das, 11,592 cases of cyber crime registered in India in 2015: NCRB (06 April 2017)
<https://www.livemint.com/Politics/ayV9OMPCiNs60cRD0Jv75I/11592-cases-of-cyber-crime-registered-in-India-
in-2015-NCR.html>
48 Ajay Thakur, All You Need To Know About Cyber Laws In India (03 March 2017)
<https://blog.ipleaders.in/need-know-cyber-laws-india/>
pg. 27
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Cyber Security in Aviation
mechanisms49. This led to amendments in the IT Act in 2008, where the clear definition of role of
CERT-In was put in, along with the introduction of penal actions for cyber threats, which
included the likes of data protection, cyber terrorism and identity theft. With this amendment,
there was finally a recognition given to the “Critical Infrastructure” and the need for their
protection was also highlighted. Yet, there was a delay in the development of proper and
strengthened cybersecurity infrastructure, under the quoted act.
In 2013, the government presented the policy objectives, of the National Cyber Security
Policy. This was done years after the area of cybersecurity was deemed as a concern area, and
yet these objectives have never been updated. After a gap of six years (in 2014) from its
conceptualization, the central agency liable for protection of CII, i.e. NCIIPC, was notified. The
nation still sees tensions between state surveillance and cybersecurity. The government has paid
very little emphasis on strong encryption for easing up surveillance, when dealing with encrypted
communications, which are a crucial part of secure communications. This approach towards
encryption can be highlighted through the draft National Encryption Policy, which has been
precipitated due to the prevalent adoption of encryptions by instant communication techs,
including the likes of Whatsapp50. The draft policy regulated the key sizes and the algorithms,
which could be made use of, for the purpose of encrypted communications. Further, these also
brought forth the regulation of required communication services that were operating in the nation
with regards to the deposition of such “encryption keys” with the Government. The outcomes of
this policy, as well as, its effect of have played a key role in Indian cybersecurity space.
The Indian Telegraphs Act of 188551 is deemed as the closest ancestor of the India based
IT Act. Further, this has been taken as a regulatory basis for taking the communications
infrastructure (including in its ambit is internet as well) under the control of the government.
This also covers the intercepting communication and shutting down networks. The governments
have often made use of this particular law for the purpose of denying the access of internet in the
49 Saikat Datta, INTERNET DEMOCRACY PROJECT, Cyber security, Internet Governance and India's Foreign
Policy: Historical Antecedents (January 2016) < https://internetdemocracy.in/reports /cybersecurity-ig-ifp-saikat-
datta/>
50 Arun Mohan Sukumar, Back to the drawing board (24 September 2015) <https://www.thehindu.com/opinion/op-
ed/arun-mohan-sukumar-on-indias-draft-encryption-policy/article7685128.ece>
51 Indian Telegraphs Act of 1885
pg. 28
mechanisms49. This led to amendments in the IT Act in 2008, where the clear definition of role of
CERT-In was put in, along with the introduction of penal actions for cyber threats, which
included the likes of data protection, cyber terrorism and identity theft. With this amendment,
there was finally a recognition given to the “Critical Infrastructure” and the need for their
protection was also highlighted. Yet, there was a delay in the development of proper and
strengthened cybersecurity infrastructure, under the quoted act.
In 2013, the government presented the policy objectives, of the National Cyber Security
Policy. This was done years after the area of cybersecurity was deemed as a concern area, and
yet these objectives have never been updated. After a gap of six years (in 2014) from its
conceptualization, the central agency liable for protection of CII, i.e. NCIIPC, was notified. The
nation still sees tensions between state surveillance and cybersecurity. The government has paid
very little emphasis on strong encryption for easing up surveillance, when dealing with encrypted
communications, which are a crucial part of secure communications. This approach towards
encryption can be highlighted through the draft National Encryption Policy, which has been
precipitated due to the prevalent adoption of encryptions by instant communication techs,
including the likes of Whatsapp50. The draft policy regulated the key sizes and the algorithms,
which could be made use of, for the purpose of encrypted communications. Further, these also
brought forth the regulation of required communication services that were operating in the nation
with regards to the deposition of such “encryption keys” with the Government. The outcomes of
this policy, as well as, its effect of have played a key role in Indian cybersecurity space.
The Indian Telegraphs Act of 188551 is deemed as the closest ancestor of the India based
IT Act. Further, this has been taken as a regulatory basis for taking the communications
infrastructure (including in its ambit is internet as well) under the control of the government.
This also covers the intercepting communication and shutting down networks. The governments
have often made use of this particular law for the purpose of denying the access of internet in the
49 Saikat Datta, INTERNET DEMOCRACY PROJECT, Cyber security, Internet Governance and India's Foreign
Policy: Historical Antecedents (January 2016) < https://internetdemocracy.in/reports /cybersecurity-ig-ifp-saikat-
datta/>
50 Arun Mohan Sukumar, Back to the drawing board (24 September 2015) <https://www.thehindu.com/opinion/op-
ed/arun-mohan-sukumar-on-indias-draft-encryption-policy/article7685128.ece>
51 Indian Telegraphs Act of 1885
pg. 28
Cyber Security in Aviation
politically unpredictable zones52. However, the application of this law in context of application to
the cyber security issues is still unknown. Before the Indian IT Act was incorporated, the nation
did not have any kind of prevailing criminal law that could address the questions of cyber
security, for instance attacks that specifically targeted computer infrastructure. Apart from this,
the prevailing criminal law had been made use of, for purpose of prosecuting, in the cases of
‘data theft’ that covered the unsanctioned access to computer systems. There have been no noted
events of law court undertaking the interpretation of the common law covered obligation of care
that are covered under the under tort law. Some of such instances include the upkeep of
confidence, along with the others covered generally, including the security of computer resources
and/or data. Although there have been instances of certain support for such duties, in context of
interpreting the tort related to the violation of confidence in the nation53.
Cyber security has progressively materialized as a priority space for the Indian
lawmakers as a result of the consistent safety gaps in the present info structures. This is
companied by the fact that there is the policy agenda of quickly growing digitization in addition
to the increased access to the internet54. Nonetheless, even though the emphasis on evolving the
cybersecurity institutes has seen a growth and the spending too have seen an exponential
growth55, there continues to be an absence of the long-term based allocation of budget in context
of cyber security56. Apart from this, the majority of stakeholders have suggested that the present
allocation of budget is insufficient57.
52 Shruti Dhapola, J&K social media ban: Use of 132-year-old Act can’t stand judicial scrutiny, say experts (28
April 2017) <https://indianexpress.com/article/technology/tech-news-technology/jammu-and-kashmir-social-media-
ban-use-of-132-year-old-act-cant-stand-judicial-scrutiny-say-experts-4631775/>
53 ABC v/s Commissioner of Police & Others. W.P.(C.) No. 12730 of 2005 & C.M. Nos. 9505, 13315 of 2005 &
12222 of 2007
54 Aarthi S. Anand, India, the Aadhaar Nation That Isn't Legally Equipped to Handle Its Adverse Effects (08
December 2016) <https://thewire.in/government/aadhaar-privacy-security-legal-framework>
55 Press Information Bureau, Cyber Security (12 December 2014) <http://pib.nic.in/newsite/PrintRelease.aspx?
relid=113218>
56 Ramarko Sengupta, Budget 2017: Will digital India get a cyber-security allocation? (31 January 2019)
<https://factordaily.com/budget-2017-will-digital-india-get-cyber-security-allocation/>
57 S Ronendar Singh, Centre likely to quadruple allocation for ‘Digital India’ (19 January 2018)
<https://www.thehindubusinessline.com/info-tech/centre-likely-to-quadruple-allocation-for-digital-india/
article8241178.ece>
pg. 29
politically unpredictable zones52. However, the application of this law in context of application to
the cyber security issues is still unknown. Before the Indian IT Act was incorporated, the nation
did not have any kind of prevailing criminal law that could address the questions of cyber
security, for instance attacks that specifically targeted computer infrastructure. Apart from this,
the prevailing criminal law had been made use of, for purpose of prosecuting, in the cases of
‘data theft’ that covered the unsanctioned access to computer systems. There have been no noted
events of law court undertaking the interpretation of the common law covered obligation of care
that are covered under the under tort law. Some of such instances include the upkeep of
confidence, along with the others covered generally, including the security of computer resources
and/or data. Although there have been instances of certain support for such duties, in context of
interpreting the tort related to the violation of confidence in the nation53.
Cyber security has progressively materialized as a priority space for the Indian
lawmakers as a result of the consistent safety gaps in the present info structures. This is
companied by the fact that there is the policy agenda of quickly growing digitization in addition
to the increased access to the internet54. Nonetheless, even though the emphasis on evolving the
cybersecurity institutes has seen a growth and the spending too have seen an exponential
growth55, there continues to be an absence of the long-term based allocation of budget in context
of cyber security56. Apart from this, the majority of stakeholders have suggested that the present
allocation of budget is insufficient57.
52 Shruti Dhapola, J&K social media ban: Use of 132-year-old Act can’t stand judicial scrutiny, say experts (28
April 2017) <https://indianexpress.com/article/technology/tech-news-technology/jammu-and-kashmir-social-media-
ban-use-of-132-year-old-act-cant-stand-judicial-scrutiny-say-experts-4631775/>
53 ABC v/s Commissioner of Police & Others. W.P.(C.) No. 12730 of 2005 & C.M. Nos. 9505, 13315 of 2005 &
12222 of 2007
54 Aarthi S. Anand, India, the Aadhaar Nation That Isn't Legally Equipped to Handle Its Adverse Effects (08
December 2016) <https://thewire.in/government/aadhaar-privacy-security-legal-framework>
55 Press Information Bureau, Cyber Security (12 December 2014) <http://pib.nic.in/newsite/PrintRelease.aspx?
relid=113218>
56 Ramarko Sengupta, Budget 2017: Will digital India get a cyber-security allocation? (31 January 2019)
<https://factordaily.com/budget-2017-will-digital-india-get-cyber-security-allocation/>
57 S Ronendar Singh, Centre likely to quadruple allocation for ‘Digital India’ (19 January 2018)
<https://www.thehindubusinessline.com/info-tech/centre-likely-to-quadruple-allocation-for-digital-india/
article8241178.ece>
pg. 29
Cyber Security in Aviation
2.2.3. IT Act, 2000
The Indian aviation industry is growing at a fast pace and has set up measures to secure
its critical infrastructure. The particular focus for this has been put through the Information
Technology Act, 200058. The recognition for cybersecurity has been based on the IT Act, and this
act is responsible for establishment of a proper system of protecting the critical infrastructure
information. “Section 70 of the IT Act” defines “Critical Information Infrastructure” as:
“the computer resource, the incapacitation or destruction of which, shall have debilitating
impact on National security, economy, public health or safety.”59
Section 66F of this act covers the punishments for cyber terrorism60. As per this section,
where any of three types of specified activities are undertaken, which results in injuries or death
of any person, or causes great damage to supplies, services, property or disrupts such things,
which are crucial for life of community, would be deemed as an adverse effect over critical
infrastructure. These infrastructures are detailed as protected systems through section 70 of this
act61. This section further states that the any individual who breaches the provisions of the
pertinent sections, would face sentence of up to ten years, coupled with a fine. Section 70B sets
up an “Indian Computer Emergency Response Team” to aid in cases of cyber security incidents,
and other emergency conditions related to cyber security of air traffic control62.
This act contemplated the formation of “National Critical Information Infrastructure
Protection Centre” (NCIIPC) through 16th January 2014-dated Gazette of India notification. The
rules under IT act, in context of NCIIPC state the manner in which its functions are to be
performed. The Charter of NCIIPC sates that the function of this body is to:
“take all necessary measures to facilitate protection of Critical Information Infrastructure, from
unauthorized access, modification, use, disclosure, disruption, incapacitation or destruction,
58 Information Technology Act, 2000
59 Information Technology Act 2000, s70
60 Information Technology Act 2000, s66F
61 Information Technology Act 2000, s70
62 Information Technology Act 2000, s70B
pg. 30
2.2.3. IT Act, 2000
The Indian aviation industry is growing at a fast pace and has set up measures to secure
its critical infrastructure. The particular focus for this has been put through the Information
Technology Act, 200058. The recognition for cybersecurity has been based on the IT Act, and this
act is responsible for establishment of a proper system of protecting the critical infrastructure
information. “Section 70 of the IT Act” defines “Critical Information Infrastructure” as:
“the computer resource, the incapacitation or destruction of which, shall have debilitating
impact on National security, economy, public health or safety.”59
Section 66F of this act covers the punishments for cyber terrorism60. As per this section,
where any of three types of specified activities are undertaken, which results in injuries or death
of any person, or causes great damage to supplies, services, property or disrupts such things,
which are crucial for life of community, would be deemed as an adverse effect over critical
infrastructure. These infrastructures are detailed as protected systems through section 70 of this
act61. This section further states that the any individual who breaches the provisions of the
pertinent sections, would face sentence of up to ten years, coupled with a fine. Section 70B sets
up an “Indian Computer Emergency Response Team” to aid in cases of cyber security incidents,
and other emergency conditions related to cyber security of air traffic control62.
This act contemplated the formation of “National Critical Information Infrastructure
Protection Centre” (NCIIPC) through 16th January 2014-dated Gazette of India notification. The
rules under IT act, in context of NCIIPC state the manner in which its functions are to be
performed. The Charter of NCIIPC sates that the function of this body is to:
“take all necessary measures to facilitate protection of Critical Information Infrastructure, from
unauthorized access, modification, use, disclosure, disruption, incapacitation or destruction,
58 Information Technology Act, 2000
59 Information Technology Act 2000, s70
60 Information Technology Act 2000, s66F
61 Information Technology Act 2000, s70
62 Information Technology Act 2000, s70B
pg. 30
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Cyber Security in Aviation
through coherent coordination, synergy and raising information security awareness among all
stakeholders.”
Nevertheless, there is a conscious lack of referring to multi stakeholders perceptive,
where there is a restricted reference towards engagement of private sector for human resource
development purposes. To understand the scope of Indian cybersecurity “criticality”, there is a
need to refer to the guidelines of NCIIP, though which the method of assessing and ranking of
sectors’ criticality is provided. There is recognition of factors like safety, public health,
economy, and national security in these guidelines, as being the main considerations for
assessing the criticality of object requiring any protection. There are certain factors used to
determine this critical nature, and these include:
Time Duration: this is important for identifying and categorizing the CII;
Political, Economic, Social and Strategic Values: these denote the significance of the
values;
Criticality Scale: perhaps the most important factor, highlighting delivery, consummation
and access of required services;
Degree of Complementarities: this helps in recognizing if one system’s failure has
capacity of possibly shutting down the other CII, in a manner creating dominos effect;
and
Functionality: this denotes the:
“set of functions, procedure and or capabilities associated with a system or with its constituent
parts and viewed at two levels i.e. Functional Uniqueness and Functional Dependency”
Even though this framework is predominantly focused on the CII’s structural
significance, it also shows the strategic, social, economic and political values as a key point of
consideration to judge the criticality. At present, CII is covered in the following sectors:
Power;
Transportation;
Ministry of Heavy Industries;
Energy;
pg. 31
through coherent coordination, synergy and raising information security awareness among all
stakeholders.”
Nevertheless, there is a conscious lack of referring to multi stakeholders perceptive,
where there is a restricted reference towards engagement of private sector for human resource
development purposes. To understand the scope of Indian cybersecurity “criticality”, there is a
need to refer to the guidelines of NCIIP, though which the method of assessing and ranking of
sectors’ criticality is provided. There is recognition of factors like safety, public health,
economy, and national security in these guidelines, as being the main considerations for
assessing the criticality of object requiring any protection. There are certain factors used to
determine this critical nature, and these include:
Time Duration: this is important for identifying and categorizing the CII;
Political, Economic, Social and Strategic Values: these denote the significance of the
values;
Criticality Scale: perhaps the most important factor, highlighting delivery, consummation
and access of required services;
Degree of Complementarities: this helps in recognizing if one system’s failure has
capacity of possibly shutting down the other CII, in a manner creating dominos effect;
and
Functionality: this denotes the:
“set of functions, procedure and or capabilities associated with a system or with its constituent
parts and viewed at two levels i.e. Functional Uniqueness and Functional Dependency”
Even though this framework is predominantly focused on the CII’s structural
significance, it also shows the strategic, social, economic and political values as a key point of
consideration to judge the criticality. At present, CII is covered in the following sectors:
Power;
Transportation;
Ministry of Heavy Industries;
Energy;
pg. 31
Cyber Security in Aviation
Banking and financial sector;
Niti Ayog;
Ministry of Home Affairs;
ICT and telecommunications; and
Ministry of External Affairs63.
The IT Act, apart from CII, also permits the declaration of any computer, having a direct
or indirect impact on the facility of CII, as being a protected system, by the appropriate
government. Upon being notified as a “protected system” the CII is given safeguards from any
kind of unlawful disruption or access through stricter regulations; further, it is covered in the
realm of cyber terrorism. This aspect of CII being deemed as “protected systems” has taken place
at different instances. Some of these include the “UIDAI database, the Long Range Identification
and Tracking System, and the TETRA Secured Communications Network”. There has also been
a regulatory concern over the banking and financial systems. Though, the wide meaning of
protected system has led to the objective of identification of special focus on areas requiring
protection being diluted. This includes the example of state governments like Chhattisgarh
Government, loosely interpreting such systems to cover any kind of network ties and computer
systems64.
In the aviation sector, Air traffic Control installations, Airports are the protected system.
In order to focus on critical infrastructure, the Network Traffic Analysis System, or as is
otherwise known as, NeTRA, works on constant monitoring and electronic surveillance. This is
the first major attempt of Indian government and is executed by DRDO (Defence Research and
Development Organisation), focusing on mass surveillance instead of being focused on
individual targets. This system scans the activities taking place on the social networking websites
and scans the chat transcripts and emails, along with the voices on internet traffic. All these
efforts are done towards developing an excellent cyber defence capability. The nation has also
established the National Cyber Security Commission, which is on the lines of the premier Space
63 Saikat Datta, Defending India’s Critical Information Infrastructure (March 2016)
<https://internetdemocracy.in/wp-content/uploads/2016/03/Saikat-Datta-Internet-Democracy-Project-Defending-
Indias-CII.pdf >
64 Divij Joshi, A comparison of legal and regulatory approaches to cyber security in India and the United Kingdom
(2019) <https://cis-india.org/internet-governance/files/india-uk-legal-regulatory-approaches.pdf>
pg. 32
Banking and financial sector;
Niti Ayog;
Ministry of Home Affairs;
ICT and telecommunications; and
Ministry of External Affairs63.
The IT Act, apart from CII, also permits the declaration of any computer, having a direct
or indirect impact on the facility of CII, as being a protected system, by the appropriate
government. Upon being notified as a “protected system” the CII is given safeguards from any
kind of unlawful disruption or access through stricter regulations; further, it is covered in the
realm of cyber terrorism. This aspect of CII being deemed as “protected systems” has taken place
at different instances. Some of these include the “UIDAI database, the Long Range Identification
and Tracking System, and the TETRA Secured Communications Network”. There has also been
a regulatory concern over the banking and financial systems. Though, the wide meaning of
protected system has led to the objective of identification of special focus on areas requiring
protection being diluted. This includes the example of state governments like Chhattisgarh
Government, loosely interpreting such systems to cover any kind of network ties and computer
systems64.
In the aviation sector, Air traffic Control installations, Airports are the protected system.
In order to focus on critical infrastructure, the Network Traffic Analysis System, or as is
otherwise known as, NeTRA, works on constant monitoring and electronic surveillance. This is
the first major attempt of Indian government and is executed by DRDO (Defence Research and
Development Organisation), focusing on mass surveillance instead of being focused on
individual targets. This system scans the activities taking place on the social networking websites
and scans the chat transcripts and emails, along with the voices on internet traffic. All these
efforts are done towards developing an excellent cyber defence capability. The nation has also
established the National Cyber Security Commission, which is on the lines of the premier Space
63 Saikat Datta, Defending India’s Critical Information Infrastructure (March 2016)
<https://internetdemocracy.in/wp-content/uploads/2016/03/Saikat-Datta-Internet-Democracy-Project-Defending-
Indias-CII.pdf >
64 Divij Joshi, A comparison of legal and regulatory approaches to cyber security in India and the United Kingdom
(2019) <https://cis-india.org/internet-governance/files/india-uk-legal-regulatory-approaches.pdf>
pg. 32
Cyber Security in Aviation
Commission and Atomic Energy Commission. However, despite these efforts, there is a need for
National Cyber Security Policy 2013 to be revisited to keep up with the dynamic threat
scenario65.
2.2.4. The National Cyber Security Policy, 2013
Through the quoted policy, the cyber space was articulated as being a common resource
for varied players, which are often difficult to differentiate between; along with for cyber
security to take this into consideration. This policy dictates the varied manners, which allow for
ensuring that cyber security is actually upheld. These methods cover identifying the threats,
sharing of information amidst parties, investigating and coordination of responses. The main goal
of this policy was to shed light over the economic and social importance of safeguarding
personal data, as well as, to protect against the instances of cybercrime, and protecting the
critical infrastructure. Even though this policy has recognized the different aspects of
cybersecurity, it has failed in differentiating between the varied approaches to the nationwide
cyber security, along with being in spelling out the manner in which the government’s aim at
approaching these issues. These include failure in showing the manner in which cyber-attacks or
cyber terrorism is to be responded to, when dealing the critical infrastructure as against a cyber-
attack concerning data theft is dealt with. The other failures include absence of providing
material measures or objectives for attaining cybersecurity.
2.2.5. XII Five Year Plan report on Cyber Security (2017– 2022)
To keep with vague policies, another measure drawn in India is the “XII Five Year Plan
report on Cyber Security”. This plan is applicable for 2017 to 2022, where the focus is on finding
the possible manner through which cybersecurity can be ensured, during the planned period, in a
systematic manner. There has been identification of some clear steps, which can be deemed as
the target deliverables for cyber security. The only sad part is that only a handful of these are
actually operational66.
65 Lt. Gen. Davinder Kumar, India’s Cyber Security: Architecture And Imperatives (09 May 2018)
<https://salute.co.in/indias-cyber-security-architecture-and-imperatives/>
66 Meity, XII five-year plan on information technology sector (2019)
<https://meity.gov.in/writereaddata/files/downloads/Plan_Report_on_Cyber_Security.pdf>
pg. 33
Commission and Atomic Energy Commission. However, despite these efforts, there is a need for
National Cyber Security Policy 2013 to be revisited to keep up with the dynamic threat
scenario65.
2.2.4. The National Cyber Security Policy, 2013
Through the quoted policy, the cyber space was articulated as being a common resource
for varied players, which are often difficult to differentiate between; along with for cyber
security to take this into consideration. This policy dictates the varied manners, which allow for
ensuring that cyber security is actually upheld. These methods cover identifying the threats,
sharing of information amidst parties, investigating and coordination of responses. The main goal
of this policy was to shed light over the economic and social importance of safeguarding
personal data, as well as, to protect against the instances of cybercrime, and protecting the
critical infrastructure. Even though this policy has recognized the different aspects of
cybersecurity, it has failed in differentiating between the varied approaches to the nationwide
cyber security, along with being in spelling out the manner in which the government’s aim at
approaching these issues. These include failure in showing the manner in which cyber-attacks or
cyber terrorism is to be responded to, when dealing the critical infrastructure as against a cyber-
attack concerning data theft is dealt with. The other failures include absence of providing
material measures or objectives for attaining cybersecurity.
2.2.5. XII Five Year Plan report on Cyber Security (2017– 2022)
To keep with vague policies, another measure drawn in India is the “XII Five Year Plan
report on Cyber Security”. This plan is applicable for 2017 to 2022, where the focus is on finding
the possible manner through which cybersecurity can be ensured, during the planned period, in a
systematic manner. There has been identification of some clear steps, which can be deemed as
the target deliverables for cyber security. The only sad part is that only a handful of these are
actually operational66.
65 Lt. Gen. Davinder Kumar, India’s Cyber Security: Architecture And Imperatives (09 May 2018)
<https://salute.co.in/indias-cyber-security-architecture-and-imperatives/>
66 Meity, XII five-year plan on information technology sector (2019)
<https://meity.gov.in/writereaddata/files/downloads/Plan_Report_on_Cyber_Security.pdf>
pg. 33
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Cyber Security in Aviation
Crimes in cyberspace are identified as being a priority in cyber security policy, and also
in the five year plan. Apart from this, cyber terrorism, data theft, hacking and computer related
crimes are such crimes that can be prosecuted under the varied sections of Indian IT Act, 2000,
or through the Indian Penal Code, which are further operationalized by the law enforcement
bodies. There continues to be a very slight difference amid the cyber-dependant and the cyber-
enabled crimes; in addition to being no precise policy line for the cyber-dependant crimes. There
is also an absence on laws regarding data protection applicable to the administrative authorities.
The reality of the matter is that there is hardly any prominence in law is on safeguarding the
individual personal data, which is usually held by the private parties, as being a key
characteristic of cybersecurity. Instances of consumer and individual data protection vis-à-vis
online services are frequently kept in the dominion of private regulations, which include the ones
regarding contract based remedies.
The main tool, which is actually dedicated towards protection of data, continues to be
thee provision for reasonable practices, as are required under IT Act’s section 43A “body
corporate”. These are read with reference to the Reasonable Security Practices Guidelines,
through which the need for complying with the reasonable security standards has been stated.
These standards have been covered under the varied guidelines, including “ISO 27001
Information Security Management Standard” and include such additional standards with
government support. The national cybersecurity has seen a growing priority for the nation,
including the policies for private sector, society and as government policies. These again rely
upon internet, thereby increasing the need to secure the same. In addition to this, the
cybersecurity framework of the nation shows a clear need for securing the economically and
socially crucial sectors (for example finance, banking, and energy), the cybersecurity of the
nation has been seen as being a crucial aspect of the defence objectives and foreign policy of the
nation. In the same manner, even though the cyber security policies have given
acknowledgement to the range of factors posing threats on “cyber security (including foreign
states, criminals, accidents or natural disasters)”, this policy remains majorly focused over the
organized cyber threats being tackled (including the ones by terrorist groups or foreign states).
These have a capacity of posing national security threats, and therefore these do not see
cybersecurity as being a goal to be attained through a multi-layered approach, where a key focus
pg. 34
Crimes in cyberspace are identified as being a priority in cyber security policy, and also
in the five year plan. Apart from this, cyber terrorism, data theft, hacking and computer related
crimes are such crimes that can be prosecuted under the varied sections of Indian IT Act, 2000,
or through the Indian Penal Code, which are further operationalized by the law enforcement
bodies. There continues to be a very slight difference amid the cyber-dependant and the cyber-
enabled crimes; in addition to being no precise policy line for the cyber-dependant crimes. There
is also an absence on laws regarding data protection applicable to the administrative authorities.
The reality of the matter is that there is hardly any prominence in law is on safeguarding the
individual personal data, which is usually held by the private parties, as being a key
characteristic of cybersecurity. Instances of consumer and individual data protection vis-à-vis
online services are frequently kept in the dominion of private regulations, which include the ones
regarding contract based remedies.
The main tool, which is actually dedicated towards protection of data, continues to be
thee provision for reasonable practices, as are required under IT Act’s section 43A “body
corporate”. These are read with reference to the Reasonable Security Practices Guidelines,
through which the need for complying with the reasonable security standards has been stated.
These standards have been covered under the varied guidelines, including “ISO 27001
Information Security Management Standard” and include such additional standards with
government support. The national cybersecurity has seen a growing priority for the nation,
including the policies for private sector, society and as government policies. These again rely
upon internet, thereby increasing the need to secure the same. In addition to this, the
cybersecurity framework of the nation shows a clear need for securing the economically and
socially crucial sectors (for example finance, banking, and energy), the cybersecurity of the
nation has been seen as being a crucial aspect of the defence objectives and foreign policy of the
nation. In the same manner, even though the cyber security policies have given
acknowledgement to the range of factors posing threats on “cyber security (including foreign
states, criminals, accidents or natural disasters)”, this policy remains majorly focused over the
organized cyber threats being tackled (including the ones by terrorist groups or foreign states).
These have a capacity of posing national security threats, and therefore these do not see
cybersecurity as being a goal to be attained through a multi-layered approach, where a key focus
pg. 34
Cyber Security in Aviation
is put on fulfilling the state and nation based objectives through this policy. Furthermore, the
Indian policies continue their focus on bringing improvements in cyber defensive strategies
instead of being focused on the cyber offensive capability.
2.2.6. NCIIPC Guidelines and CERT-In Rules
There has been some clarity brought towards the varied aspects of cyberspace as a result
of NCIIPC guidelines, which show the need of protecting this space, along with focusing on
identification of environmental and physical threats to cybersecurity, and the safety threats
caused by unintentional software. These rules have also put forth the risk/ threat/ vulnerability
assessment methods, for mapping the possible weak spots in the infrastructure security. In line
with the NCIIPC, the Indian IT Act established CERT-In, as covered earlier, where the key goal
is to respond to the incidents of cybersecurity, specifically in the non-crucial sectors. These rules
help in putting forth the comprehensive threat assessment. The CERT-In Rules define cyber
incidents as:
“any real or suspected adverse event that is likely to cause or causes and offence or
contravention, harm to critical functions and services across the public and private sectors by
impairing the confidentiality, integrity or availability of electronic information, systems, services
or networks resulting in unauthorized access, denial of service or disruption, unauthorized use of
a computer resource, changes to data or information without authorization; or threatens public
safety, undermines public confidence, have a negative effect on the national economy or
diminishes the security posture of the nation”67
These rules have also helped in clear categorization of the threats, as well as have
expressly prioritized them, in the following manner:
Severe natured incidents, including spreading cyber contaminants, DDOS and others, on
the public information infrastructure;
Threats of physical safety of human beings;
Compromising individual accounts on different systems; and
Frequent incidents, including defacing websites and identity thefts.
67 CCA, Notification (27 October 2009) <http://cca.gov.in/cca/sites/default/files/files/gsr782.pdf>
pg. 35
is put on fulfilling the state and nation based objectives through this policy. Furthermore, the
Indian policies continue their focus on bringing improvements in cyber defensive strategies
instead of being focused on the cyber offensive capability.
2.2.6. NCIIPC Guidelines and CERT-In Rules
There has been some clarity brought towards the varied aspects of cyberspace as a result
of NCIIPC guidelines, which show the need of protecting this space, along with focusing on
identification of environmental and physical threats to cybersecurity, and the safety threats
caused by unintentional software. These rules have also put forth the risk/ threat/ vulnerability
assessment methods, for mapping the possible weak spots in the infrastructure security. In line
with the NCIIPC, the Indian IT Act established CERT-In, as covered earlier, where the key goal
is to respond to the incidents of cybersecurity, specifically in the non-crucial sectors. These rules
help in putting forth the comprehensive threat assessment. The CERT-In Rules define cyber
incidents as:
“any real or suspected adverse event that is likely to cause or causes and offence or
contravention, harm to critical functions and services across the public and private sectors by
impairing the confidentiality, integrity or availability of electronic information, systems, services
or networks resulting in unauthorized access, denial of service or disruption, unauthorized use of
a computer resource, changes to data or information without authorization; or threatens public
safety, undermines public confidence, have a negative effect on the national economy or
diminishes the security posture of the nation”67
These rules have also helped in clear categorization of the threats, as well as have
expressly prioritized them, in the following manner:
Severe natured incidents, including spreading cyber contaminants, DDOS and others, on
the public information infrastructure;
Threats of physical safety of human beings;
Compromising individual accounts on different systems; and
Frequent incidents, including defacing websites and identity thefts.
67 CCA, Notification (27 October 2009) <http://cca.gov.in/cca/sites/default/files/files/gsr782.pdf>
pg. 35
Cyber Security in Aviation
There is also the existence of sectoral and state CERTs, which includes navy, army and
airfare; along with other one for railways and banks, known as RailCERT and FinCERT,
respectively. However, there has been a lack of stringent conceptual differentiation between
varied aspects of cybersecurity. These include the classification of varied actors posing a threat
on cyberspace, along with the classification of varied intentions and methods behind the cyber
threats. Likewise, even though the focus areas and sectoral classifications areas are present
within the cyber security framework, there is a very small focus on the development of a
typology that is different from cyber actors and threats, and the development of measures for
tackling these in an appropriate manner. In addition, the CERT-In rules disown all sorts of
responsibility and the resultant accountability for these rules to maintain cyber security or even
for properly responding to it68.
2.2.7. SARPs compliance
The key regulator body, in India, in context of civil aviation is the DGCA (Directorate
General of Civil Aviation). This body works under the administrative control of Ministry of Civil
Aviation. The main goal of this body is to work towards the safety issues. DGCA endeavours to
endorse the safe and well-organized air transportation through rules and hands-on security
oversight system. An ICAO team made an on-site visit and audited the Indian CAA (DGCA) in
December 2012. The ICAO team identified certain deficiencies in the Aviation Safety Oversight
of DGCA. Subsequent to ICAO audit, the US’s FAA, taking cognizance of the ICAO report and
after assessing India’s compliance with ICAO standards under its IASA programme, had
lowered the rating of India from category 1 to category 2. This downgrading to Category 2
means that the nation short falls in the laws and regulations that are essential to oversee air
carriers. These are in context of the minimum international standards or its Civil Aviation
Authority i.e. DGCA (an analogue of US’s FAA for aviation safety matters) is lacking in some
of the areas; the examples of these trained personnel, inspection procedures, technical expertise,
and/ or record keeping.
68 John G. Voeller, Wiley Handbook of Science and Technology for Homeland Security, 4 Volume Set (John Wiley &
Sons, 2010)
pg. 36
There is also the existence of sectoral and state CERTs, which includes navy, army and
airfare; along with other one for railways and banks, known as RailCERT and FinCERT,
respectively. However, there has been a lack of stringent conceptual differentiation between
varied aspects of cybersecurity. These include the classification of varied actors posing a threat
on cyberspace, along with the classification of varied intentions and methods behind the cyber
threats. Likewise, even though the focus areas and sectoral classifications areas are present
within the cyber security framework, there is a very small focus on the development of a
typology that is different from cyber actors and threats, and the development of measures for
tackling these in an appropriate manner. In addition, the CERT-In rules disown all sorts of
responsibility and the resultant accountability for these rules to maintain cyber security or even
for properly responding to it68.
2.2.7. SARPs compliance
The key regulator body, in India, in context of civil aviation is the DGCA (Directorate
General of Civil Aviation). This body works under the administrative control of Ministry of Civil
Aviation. The main goal of this body is to work towards the safety issues. DGCA endeavours to
endorse the safe and well-organized air transportation through rules and hands-on security
oversight system. An ICAO team made an on-site visit and audited the Indian CAA (DGCA) in
December 2012. The ICAO team identified certain deficiencies in the Aviation Safety Oversight
of DGCA. Subsequent to ICAO audit, the US’s FAA, taking cognizance of the ICAO report and
after assessing India’s compliance with ICAO standards under its IASA programme, had
lowered the rating of India from category 1 to category 2. This downgrading to Category 2
means that the nation short falls in the laws and regulations that are essential to oversee air
carriers. These are in context of the minimum international standards or its Civil Aviation
Authority i.e. DGCA (an analogue of US’s FAA for aviation safety matters) is lacking in some
of the areas; the examples of these trained personnel, inspection procedures, technical expertise,
and/ or record keeping.
68 John G. Voeller, Wiley Handbook of Science and Technology for Homeland Security, 4 Volume Set (John Wiley &
Sons, 2010)
pg. 36
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Cyber Security in Aviation
The audit data of ICAO under its Universal Safety Oversight Audit Programme
highlights that the nation (India) has statistics below the worldwide average in two areas69-
Organization and Air Navigation Services. The downgrade had a great impact on and had
relevance to Indian air carriers, who could not bring more new flights to the US. Apart from this,
the American carriers were not able to code-share with their Indian counterparts. This resulted in
the expansion plans of Jet Airways and Air India being extended. DGCA took the necessary
corrective action arising out of “Universal Safety audit programme (USOAP) of ICAO”. This
indeed resulted in the up gradation of DGCA’s rating back to category 1 in 2015 after a gap of a
year and a quarter. Air Safety Directorate of DGCA that looks into the Safety aspects of Aviation
investigates various incidents, serious incidents and accidents involving Civil aircrafts has its
office at headquarters and regional offices at Delhi, Mumbai, Kolkata, Chennai and Sub regional
office at Hyderabad.
Post ICAO Audit, the Air Safety Directorate of DGCA divested the powers to investigate
serious incidents and accidents. These powers to investigate Accidents and Serious Incidents
have now been vested with an independent investigation agency, namely Aircraft Accident
Investigation Bureau (AAIB). India being a founding member of ICAO has ratified largely all
the conventions to which it is a member and the domestic Air Law in India is guided fully by
ICAO’s SARPs, Conventions etc. Aviation security clause has been placed in all bilateral air
services agreements in pursuance to resolution dated 25th June 1986, of the ICAO. The Central
government delegated its power, vested in it under the Aircraft Act 1934, in 1972, by inserting
Section 5A which authorizes DGCA to “issue directions with regard to various matters viz.,
Aerodromes, maintenance of aircraft, air routes, etc.”
2.2.8. Other measures
The initiatives that the Indian government has taken are focused on the risks posted upon
the critical information infrastructure and on the adoption of relevant security technologies,
training and research, national security, and information security awareness. Because of the
every changing nature of circumstances revolving such cyber threats, there is a need for such
69 Based on 2013 progress evaluation data of ICAO’s USOAP.
pg. 37
The audit data of ICAO under its Universal Safety Oversight Audit Programme
highlights that the nation (India) has statistics below the worldwide average in two areas69-
Organization and Air Navigation Services. The downgrade had a great impact on and had
relevance to Indian air carriers, who could not bring more new flights to the US. Apart from this,
the American carriers were not able to code-share with their Indian counterparts. This resulted in
the expansion plans of Jet Airways and Air India being extended. DGCA took the necessary
corrective action arising out of “Universal Safety audit programme (USOAP) of ICAO”. This
indeed resulted in the up gradation of DGCA’s rating back to category 1 in 2015 after a gap of a
year and a quarter. Air Safety Directorate of DGCA that looks into the Safety aspects of Aviation
investigates various incidents, serious incidents and accidents involving Civil aircrafts has its
office at headquarters and regional offices at Delhi, Mumbai, Kolkata, Chennai and Sub regional
office at Hyderabad.
Post ICAO Audit, the Air Safety Directorate of DGCA divested the powers to investigate
serious incidents and accidents. These powers to investigate Accidents and Serious Incidents
have now been vested with an independent investigation agency, namely Aircraft Accident
Investigation Bureau (AAIB). India being a founding member of ICAO has ratified largely all
the conventions to which it is a member and the domestic Air Law in India is guided fully by
ICAO’s SARPs, Conventions etc. Aviation security clause has been placed in all bilateral air
services agreements in pursuance to resolution dated 25th June 1986, of the ICAO. The Central
government delegated its power, vested in it under the Aircraft Act 1934, in 1972, by inserting
Section 5A which authorizes DGCA to “issue directions with regard to various matters viz.,
Aerodromes, maintenance of aircraft, air routes, etc.”
2.2.8. Other measures
The initiatives that the Indian government has taken are focused on the risks posted upon
the critical information infrastructure and on the adoption of relevant security technologies,
training and research, national security, and information security awareness. Because of the
every changing nature of circumstances revolving such cyber threats, there is a need for such
69 Based on 2013 progress evaluation data of ICAO’s USOAP.
pg. 37
Cyber Security in Aviation
actions to be strengthened, continued, and refined regularly. Some of the other measures adopted
in this context include:
The growing use and applicability of digital signature certificates in varied areas taking
place.
National Crisis Management Plan has also been drawn with the purpose of refuting the
cyber-attacks and cyber terrorism and this plan is annually updated.
In order to undertake security audits, Security Auditors have been empanelled70.
There are few other domestic laws, which help India curbing civil aviation security
issues.
Aircraft Act,1934,
Aircraft Rules 1937,
Anti-Hijacking Act,1982- repealed
Suppression of Unlawful Acts against Security of Civil Aviation Act, 1982,
Airports Authority of India Act,1994 as modified by Amendment Act 2003,
National Airports Authority Act, 1985.
Majority of states have accepted the conventions put forth by ICAO. Included in these
member states is India. In 1975, the Convention for offences and some other Acts committed on-
board aircraft, as is commonly known as the “Tokyo Convention, 1963”, was ratified. The
Kanishka incident in 1985 compelled ICAO to insert “Model Aviation Security Clause” in the
“Bilateral Air Services Agreement” with the two nations of UK and Canada and this was done in
1988 and in 1991, respectively. There was protuberant delay in time amid the national laws and
worldwide conventions espoused by India to control this evil. India, keeping pace with time
repealed the Anti-hijacking act of 1982 and enacted Anti-hijacking Act 2016 as per its
commitment to Beijing Convention of 2010.
70 Meity, XII five-year plan on information technology sector (2019)
<https://meity.gov.in/writereaddata/files/downloads/Plan_Report_on_Cyber_Security.pdf>
pg. 38
actions to be strengthened, continued, and refined regularly. Some of the other measures adopted
in this context include:
The growing use and applicability of digital signature certificates in varied areas taking
place.
National Crisis Management Plan has also been drawn with the purpose of refuting the
cyber-attacks and cyber terrorism and this plan is annually updated.
In order to undertake security audits, Security Auditors have been empanelled70.
There are few other domestic laws, which help India curbing civil aviation security
issues.
Aircraft Act,1934,
Aircraft Rules 1937,
Anti-Hijacking Act,1982- repealed
Suppression of Unlawful Acts against Security of Civil Aviation Act, 1982,
Airports Authority of India Act,1994 as modified by Amendment Act 2003,
National Airports Authority Act, 1985.
Majority of states have accepted the conventions put forth by ICAO. Included in these
member states is India. In 1975, the Convention for offences and some other Acts committed on-
board aircraft, as is commonly known as the “Tokyo Convention, 1963”, was ratified. The
Kanishka incident in 1985 compelled ICAO to insert “Model Aviation Security Clause” in the
“Bilateral Air Services Agreement” with the two nations of UK and Canada and this was done in
1988 and in 1991, respectively. There was protuberant delay in time amid the national laws and
worldwide conventions espoused by India to control this evil. India, keeping pace with time
repealed the Anti-hijacking act of 1982 and enacted Anti-hijacking Act 2016 as per its
commitment to Beijing Convention of 2010.
70 Meity, XII five-year plan on information technology sector (2019)
<https://meity.gov.in/writereaddata/files/downloads/Plan_Report_on_Cyber_Security.pdf>
pg. 38
Cyber Security in Aviation
2.3. International Scenario: Law and bodies in US and applicability in Aviation
There are a range of principal legislations and regulatory bodies, which are working in
regulation of civil aviation in US. Some of these have been covered below:
DOT or the US Department of Transportation, is the US government’s federal cabinet
department;
FAA or the Federal Aviation Authority is the national agency, which has been given the
power of regulating US civil aviation’s every aspect that covers the commercial space
transportation as well;
NTSB or the National Transportation Safety Board, being an independent government
agency in US, has the responsibility of investigation the accidents taking place in civil
aviation.
DHS, or the Department of Homeland Security of US, works through two key bodies, i.e.
CBP (Customs and Border Protection) and TSA (Transportation Security
Administrations). The airport security is on TSA’s shoulders, which works in association
with CBP. The latter is the DHS’s largest federal law enforcement agency, which screens
the employees and airline passengers at the airports;
Title 49 of USC (United States Code), enacted by US Congress, named Transportation;
Title 49 of CFR (Code of Federal Regulations), issued by DOT and DHS, named
Transportation; and
Title 14 of CFR, issued by FAA, named Aeronautics and Space.
The air safety in US is administered by the FAA, which had been created through the
“Federal Aviation Act of 1958”. FAA had been codified under the “49 USC Subtitle VII”,
covering four main business areas. The first one is airports, where the responsibility is towards
optimization of capacity, condition and safety of national airport system. This is presented
through 14 CFR Part 139. The next is air traffic organization, where the responsibility is related
to air traffic safety. This is presented through 14 CFR Parts 71 and 77. The third one in this
context is aviation safety, where the responsibilities relate to ensuring the airworthiness, approval
and certification of aircraft. This is in addition to the certification of all mechanics, pilots and the
other such safety related professions. This is presented through 14 CFR Parts 21, 25, 33, 61, 91,
pg. 39
2.3. International Scenario: Law and bodies in US and applicability in Aviation
There are a range of principal legislations and regulatory bodies, which are working in
regulation of civil aviation in US. Some of these have been covered below:
DOT or the US Department of Transportation, is the US government’s federal cabinet
department;
FAA or the Federal Aviation Authority is the national agency, which has been given the
power of regulating US civil aviation’s every aspect that covers the commercial space
transportation as well;
NTSB or the National Transportation Safety Board, being an independent government
agency in US, has the responsibility of investigation the accidents taking place in civil
aviation.
DHS, or the Department of Homeland Security of US, works through two key bodies, i.e.
CBP (Customs and Border Protection) and TSA (Transportation Security
Administrations). The airport security is on TSA’s shoulders, which works in association
with CBP. The latter is the DHS’s largest federal law enforcement agency, which screens
the employees and airline passengers at the airports;
Title 49 of USC (United States Code), enacted by US Congress, named Transportation;
Title 49 of CFR (Code of Federal Regulations), issued by DOT and DHS, named
Transportation; and
Title 14 of CFR, issued by FAA, named Aeronautics and Space.
The air safety in US is administered by the FAA, which had been created through the
“Federal Aviation Act of 1958”. FAA had been codified under the “49 USC Subtitle VII”,
covering four main business areas. The first one is airports, where the responsibility is towards
optimization of capacity, condition and safety of national airport system. This is presented
through 14 CFR Part 139. The next is air traffic organization, where the responsibility is related
to air traffic safety. This is presented through 14 CFR Parts 71 and 77. The third one in this
context is aviation safety, where the responsibilities relate to ensuring the airworthiness, approval
and certification of aircraft. This is in addition to the certification of all mechanics, pilots and the
other such safety related professions. This is presented through 14 CFR Parts 21, 25, 33, 61, 91,
pg. 39
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Cyber Security in Aviation
121, 125, and 135. The last one in this context is the “Office of Commercial Space
Transportation”, where the responsibility relates to protection of interests of US, public and
property, particularly during the re-entry or launch of any commercial aircraft71.
In order to be aligned with the international standards, all of the major “multilateral
aviation treaties” have been signed by US. These include:
Chicago Convention72
Warsaw Convention73
Tokyo Convention74
Montreal Convention75
Montreal Protocol No. 4, regarding amendments in the Warsaw Convention, as have been
modified through 1955 Hague Protocol
Capetown Convention76
Aircraft Equipment Protocol77, and
Convention on the International Recognition of Rights in Aircraft.
When it comes to the application of these treaties and conventions, the state and federal
courts both have been given the power and jurisdiction over the issues related to interpretation of
treaties. The court has to look into the pre-emptiveness of provisions of treaty in consideration
with the local laws (including state, federal and statutory laws). The US Supreme Court has the
subjective decisions regarding enforcement of Montreal Convention. This was seen in the case of
“El Al Israel Airlines, Ltd. v. Tsui Yuan Tseng, 525 U.S. 155 (1999)”78. In this seminal global
aviation case, where the court upheld the pre-emptive impact on the law laws of treaties of US,
including the Montreal Convention. Even though both Warsaw Convention and Montreal
71 ICLG, USA: Aviation Law 2019 (2019 <https://iclg.com/practice-areas/aviation-laws-and-regulations/usa>
72 Convention on International Civil Aviation
73 Convention for the Unification of certain rules relating to international carriage by air
74 Convention on Offences and Certain Other Acts Committed on Board Aircraft
75 Convention for the Unification of Certain Rules for International Carriage by Air
76 Convention on International Interests in Mobile Equipment
77 Protocol on Matters Specific to Aircraft Equipment
78 El Al Israel Airlines, Ltd. v. Tsui Yuan Tseng, 525 U.S. 155 (1999)
pg. 40
121, 125, and 135. The last one in this context is the “Office of Commercial Space
Transportation”, where the responsibility relates to protection of interests of US, public and
property, particularly during the re-entry or launch of any commercial aircraft71.
In order to be aligned with the international standards, all of the major “multilateral
aviation treaties” have been signed by US. These include:
Chicago Convention72
Warsaw Convention73
Tokyo Convention74
Montreal Convention75
Montreal Protocol No. 4, regarding amendments in the Warsaw Convention, as have been
modified through 1955 Hague Protocol
Capetown Convention76
Aircraft Equipment Protocol77, and
Convention on the International Recognition of Rights in Aircraft.
When it comes to the application of these treaties and conventions, the state and federal
courts both have been given the power and jurisdiction over the issues related to interpretation of
treaties. The court has to look into the pre-emptiveness of provisions of treaty in consideration
with the local laws (including state, federal and statutory laws). The US Supreme Court has the
subjective decisions regarding enforcement of Montreal Convention. This was seen in the case of
“El Al Israel Airlines, Ltd. v. Tsui Yuan Tseng, 525 U.S. 155 (1999)”78. In this seminal global
aviation case, where the court upheld the pre-emptive impact on the law laws of treaties of US,
including the Montreal Convention. Even though both Warsaw Convention and Montreal
71 ICLG, USA: Aviation Law 2019 (2019 <https://iclg.com/practice-areas/aviation-laws-and-regulations/usa>
72 Convention on International Civil Aviation
73 Convention for the Unification of certain rules relating to international carriage by air
74 Convention on Offences and Certain Other Acts Committed on Board Aircraft
75 Convention for the Unification of Certain Rules for International Carriage by Air
76 Convention on International Interests in Mobile Equipment
77 Protocol on Matters Specific to Aircraft Equipment
78 El Al Israel Airlines, Ltd. v. Tsui Yuan Tseng, 525 U.S. 155 (1999)
pg. 40
Cyber Security in Aviation
Convention has been a focus point of many lawsuits, there are still handful case law
interpretations of the Cape Town Convention and Geneva Convention.
As a result of the “Intelligence Reform and Terrorism Prevention Act of 2004 (49 USC
§ 114)”, along with the “Secure Flight Program (49 CFR 1540 and 1560)”, the flight operating
airlines, coming in or going out of US, for the purpose of security screening, were required to
collected the PNR (passenger name records). This included details on the passenger like date of
birth, gender and full name. The privacy of consumers is also protected by DOT though 49 USC
§ 41712. Even though there are no specific laws that are regulating the data breach or loss of
consumer data in aviation industry, these measures of DOT do help passengers in case of privacy
related issues. This could result in the airlines being fined up to an amount of $27,500 for each of
such violations. The year of 2018 saw the introduction of a bill names “Aircraft Avionics
Systems Cybersecurity Act” by the US Congress. This bill required FAA to proper pay heed to
the concerns of cybersecurity in context of the aircraft avionics system, and this covered the
varied software components79.
The very nature of the risks faced by aviation industry has changed drastically in the
recent history. One of such examples is that of US, where the notion of ADS-B ‘spoofing’ has
attained considerable attention. This is a technology in which the position of aircraft is
determined on its own through the use of satellites. After this, the information is broadcasted
through radio frequency in an unencrypted manner. This allows possibility of a negative actor to
broadcast details of hypothetical aircraft covering apparent or obvious concerns regarding
safety80. Within the industry, lot of efforts are being put to gain better understanding on this and
for guarding against any possible attacks. NATS is particularly supportive of more developments
of this technology, and expects to include this as a key part of its operations in coming time. At
present, there are different ways available to determine the position of aircraft, in order to avoid
reliance on single sourced information81.
79 ICLG, USA: Aviation Law 2019 (2019 <https://iclg.com/practice-areas/aviation-laws-and-regulations/usa>
80 Sarina Houston, How ADS-B Works: A Look at the Foundation of NextGen (25 December 2017)
<https://www.thebalancecareers.com/how-ads-b-works-a-look-at-the-foundation-of-nextgen-282559>
81 Gavin Walker, Laying the foundations for the future of Air Traffic Management in the UK (04 January 2018)
<https://nats.aero/blog/author/gavinwalker/>
pg. 41
Convention has been a focus point of many lawsuits, there are still handful case law
interpretations of the Cape Town Convention and Geneva Convention.
As a result of the “Intelligence Reform and Terrorism Prevention Act of 2004 (49 USC
§ 114)”, along with the “Secure Flight Program (49 CFR 1540 and 1560)”, the flight operating
airlines, coming in or going out of US, for the purpose of security screening, were required to
collected the PNR (passenger name records). This included details on the passenger like date of
birth, gender and full name. The privacy of consumers is also protected by DOT though 49 USC
§ 41712. Even though there are no specific laws that are regulating the data breach or loss of
consumer data in aviation industry, these measures of DOT do help passengers in case of privacy
related issues. This could result in the airlines being fined up to an amount of $27,500 for each of
such violations. The year of 2018 saw the introduction of a bill names “Aircraft Avionics
Systems Cybersecurity Act” by the US Congress. This bill required FAA to proper pay heed to
the concerns of cybersecurity in context of the aircraft avionics system, and this covered the
varied software components79.
The very nature of the risks faced by aviation industry has changed drastically in the
recent history. One of such examples is that of US, where the notion of ADS-B ‘spoofing’ has
attained considerable attention. This is a technology in which the position of aircraft is
determined on its own through the use of satellites. After this, the information is broadcasted
through radio frequency in an unencrypted manner. This allows possibility of a negative actor to
broadcast details of hypothetical aircraft covering apparent or obvious concerns regarding
safety80. Within the industry, lot of efforts are being put to gain better understanding on this and
for guarding against any possible attacks. NATS is particularly supportive of more developments
of this technology, and expects to include this as a key part of its operations in coming time. At
present, there are different ways available to determine the position of aircraft, in order to avoid
reliance on single sourced information81.
79 ICLG, USA: Aviation Law 2019 (2019 <https://iclg.com/practice-areas/aviation-laws-and-regulations/usa>
80 Sarina Houston, How ADS-B Works: A Look at the Foundation of NextGen (25 December 2017)
<https://www.thebalancecareers.com/how-ads-b-works-a-look-at-the-foundation-of-nextgen-282559>
81 Gavin Walker, Laying the foundations for the future of Air Traffic Management in the UK (04 January 2018)
<https://nats.aero/blog/author/gavinwalker/>
pg. 41
Cyber Security in Aviation
Cyber-threat has been clearly defined by the US Department of Homeland Security as
being any kind of identified efforts, which is focused towards manipulation, impairment,
exfiltration, or gaining access to availability, confidentiality, integrity, or security of data, its
application, or of a federal system, where there is a clear lack of legal authority to doing so. As
covered earlier, cyber-threats can be both intentional and unintentional. Apart from this, they can
be targeted/ non-targeted, can be sourced from different parts, and includes acts like information
warfare or espionage being undertaken by foreign nations, criminals, virus writers, disgruntled
contractors, disgruntled employees (working within the organisation), and hackers.
Critical infrastructure, as per section 2 of “Executive Order -- Improving Critical
Infrastructure Cybersecurity” presented on 12th Feb 2013 of US president refers to the assets and
systems, which are vital to the nation, and are present in both virtual and physical form82.
Further, the destruction or incapacity of such assets could result in a devastating impact over the
economic security of the nation, the national security, and over the health and safety of the
public. This definition also resonated under the Critical Infrastructures Protection Act of 200183.
There is, at present, a multibillion-dollar overhauling being done of the US based ATC
system by the Federal Aviation Administration. This has been labelled as NextGen, or the “Next
Generation Air Transportation System”, and is set to be highly automated. NextGen would rely
on the GPS, instead of the erstwhile radar, for attaining location of planes. Further, the designing
of this has been done in a manner to allow the pilots and controllers of air traffic to pack more
helicopters and planes, with an eye on drones in the skies. However, this has raised the concerns
amongst a number of computer security experts, owing to the view that NextGen is not only
insecure, but is also susceptible to hackers. With the present system of radar being replaced by
the new system, the automatic dependence over ADS-B or surveillance-broadcast does actualize
this concern. This is because the planes would be equipped with GPS, which would send little
radio broadcasts across the globe, highlighting where they are and also their identity. With
NextGen coming in a phased manner in next eight years, where the focus is for the planes to use
82 Section 2- Executive Order -- Improving Critical Infrastructure Cybersecurity dated February 12, 2013
83 Critical Infrastructures Protection Act of 2001
pg. 42
Cyber-threat has been clearly defined by the US Department of Homeland Security as
being any kind of identified efforts, which is focused towards manipulation, impairment,
exfiltration, or gaining access to availability, confidentiality, integrity, or security of data, its
application, or of a federal system, where there is a clear lack of legal authority to doing so. As
covered earlier, cyber-threats can be both intentional and unintentional. Apart from this, they can
be targeted/ non-targeted, can be sourced from different parts, and includes acts like information
warfare or espionage being undertaken by foreign nations, criminals, virus writers, disgruntled
contractors, disgruntled employees (working within the organisation), and hackers.
Critical infrastructure, as per section 2 of “Executive Order -- Improving Critical
Infrastructure Cybersecurity” presented on 12th Feb 2013 of US president refers to the assets and
systems, which are vital to the nation, and are present in both virtual and physical form82.
Further, the destruction or incapacity of such assets could result in a devastating impact over the
economic security of the nation, the national security, and over the health and safety of the
public. This definition also resonated under the Critical Infrastructures Protection Act of 200183.
There is, at present, a multibillion-dollar overhauling being done of the US based ATC
system by the Federal Aviation Administration. This has been labelled as NextGen, or the “Next
Generation Air Transportation System”, and is set to be highly automated. NextGen would rely
on the GPS, instead of the erstwhile radar, for attaining location of planes. Further, the designing
of this has been done in a manner to allow the pilots and controllers of air traffic to pack more
helicopters and planes, with an eye on drones in the skies. However, this has raised the concerns
amongst a number of computer security experts, owing to the view that NextGen is not only
insecure, but is also susceptible to hackers. With the present system of radar being replaced by
the new system, the automatic dependence over ADS-B or surveillance-broadcast does actualize
this concern. This is because the planes would be equipped with GPS, which would send little
radio broadcasts across the globe, highlighting where they are and also their identity. With
NextGen coming in a phased manner in next eight years, where the focus is for the planes to use
82 Section 2- Executive Order -- Improving Critical Infrastructure Cybersecurity dated February 12, 2013
83 Critical Infrastructures Protection Act of 2001
pg. 42
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Cyber Security in Aviation
ADS-B by 2020 in planes for entering crowded US airspace, the need for securing this critical
infrastructure is raised manifolds84.
In a report published in January 2015, the US Government Accountability Office
highlighted varied vulnerabilities in the air traffic control system of “Federal Aviation
Administration”. As per this office, the highlighted shortfalls lay a threat over the ability of the
agency to ensure that the NAS or the national airspace system runs in an uninterrupted and safe
manner. This report particularly highlighted the failed attempts of FAA in dealing with exposure
to cyber-attacks, especially because they pose a threat over the national security. The
“Parliamentary Committee for the Security of the Republic” or is otherwise known as “Comitato
parlamentare per la sicurezza della Repubblica (COPASIR)” has highlighted examples on
possible attacks on ATC as a result of persistent use of information technology. USA has brought
the Presidential Directive 7 on domestic security, and this is related to the nation’s National
Infrastructure Protection Plan.
USA, the nation, has been making constant efforts in strengthening its aviation
cybersecurity. This is the reason for the nation constantly bringing in new plans to work towards
this direction. This is what led to the TSA announcing the Cybersecurity Roadmap. While
unveiling this roadmap, it was, for the very first time, made it very clear that the direct oversight
of cybersecurity was part of TSS (Transportation Systems Sector) for all the seven sectors. These
sectors are highway and motor carrier, mass transit and passenger rail, postal and shipping,
freight rail, pipeline systems, maritime, and aviation. This roadmap covered the urgent threats,
which made the underlying infrastructure susceptible to varied risks, which stemmed from cyber
and physical hazards and threats. There was finally an acknowledgement of equal risks being
allocated to both the cyber and physical factors. This roadmap was not limited to domestic
oversight only, and was deemed as the second major global aviation security attempt since the
September 2011 attacks. DoD too brought forth a Cybersecurity Strategy, whereby the ambit for
cybersecurity was extended for protection of privately owned critical infrastructure sectors85.
84 Steve Henn, Could The New Air Traffic Control System Be Hacked? (14 August 2012)
<https://www.npr.org/sections/alltechconsidered/2012/08/16/158758161/could-the-new-air-traffic-control-system-
be-hacked >
85 Norma M. Krayem, New TSA Cybersecurity Roadmap Articulates Clear Aviation Sector Requirements (10
December 2018) <https://www.lexology.com/library/detail.aspx?g=2c7cf912-4804-48b0-9d0d-ad7753621c76>
pg. 43
ADS-B by 2020 in planes for entering crowded US airspace, the need for securing this critical
infrastructure is raised manifolds84.
In a report published in January 2015, the US Government Accountability Office
highlighted varied vulnerabilities in the air traffic control system of “Federal Aviation
Administration”. As per this office, the highlighted shortfalls lay a threat over the ability of the
agency to ensure that the NAS or the national airspace system runs in an uninterrupted and safe
manner. This report particularly highlighted the failed attempts of FAA in dealing with exposure
to cyber-attacks, especially because they pose a threat over the national security. The
“Parliamentary Committee for the Security of the Republic” or is otherwise known as “Comitato
parlamentare per la sicurezza della Repubblica (COPASIR)” has highlighted examples on
possible attacks on ATC as a result of persistent use of information technology. USA has brought
the Presidential Directive 7 on domestic security, and this is related to the nation’s National
Infrastructure Protection Plan.
USA, the nation, has been making constant efforts in strengthening its aviation
cybersecurity. This is the reason for the nation constantly bringing in new plans to work towards
this direction. This is what led to the TSA announcing the Cybersecurity Roadmap. While
unveiling this roadmap, it was, for the very first time, made it very clear that the direct oversight
of cybersecurity was part of TSS (Transportation Systems Sector) for all the seven sectors. These
sectors are highway and motor carrier, mass transit and passenger rail, postal and shipping,
freight rail, pipeline systems, maritime, and aviation. This roadmap covered the urgent threats,
which made the underlying infrastructure susceptible to varied risks, which stemmed from cyber
and physical hazards and threats. There was finally an acknowledgement of equal risks being
allocated to both the cyber and physical factors. This roadmap was not limited to domestic
oversight only, and was deemed as the second major global aviation security attempt since the
September 2011 attacks. DoD too brought forth a Cybersecurity Strategy, whereby the ambit for
cybersecurity was extended for protection of privately owned critical infrastructure sectors85.
84 Steve Henn, Could The New Air Traffic Control System Be Hacked? (14 August 2012)
<https://www.npr.org/sections/alltechconsidered/2012/08/16/158758161/could-the-new-air-traffic-control-system-
be-hacked >
85 Norma M. Krayem, New TSA Cybersecurity Roadmap Articulates Clear Aviation Sector Requirements (10
December 2018) <https://www.lexology.com/library/detail.aspx?g=2c7cf912-4804-48b0-9d0d-ad7753621c76>
pg. 43
Cyber Security in Aviation
2.3. International Scenario: Law and bodies in Euro Control and applicability in
Aviation
The backbone of European Union aviation safety system is covered under the common
safety rules. These put form a uniform level of requirements, meant for the aviation personnel,
operators and manufacturers. This helps in facilitation of products flow, along with the flow of
services and person in internal market, as well as, allows for the safety certificates mutual
recognition, reduction of the administrative workload and burden for the industry and for the
national authorities. The very first set of new generation aviation safety rules were adopted in
2002 by the European Union and these were based on the Regulation (EC) No 1592/200286.
Along with this, the European aviation’s safety system cornerstone was also established, which
is the “European Aviation Safety Agency (EASA)”. The maintenance, airworthiness,
environmental certification of aeronautical products and licensing and training of technicians and
mechanics in aeronautical department was set up through the initial set of these rules.
As a result of Regulation (EC) No 216/200887, brought forth in 2008, EASA’s common
aviation safety rules, and its associated duties were extended by EU to the aircrew training and
licensing, and to aircraft operations. The very next year saw the adoption of second extension of
such common rules, which clearly covered the provision of air traffic management and air
navigation services, and safety aspects of aerodrome operations, through “Regulation (EC) No
1108/2009”88. The European Commission adopts the aviation safety rules based on the technical
opinions, which are issues by EASA. The commission is responsible for the proper execution of
such rules and EASA provides its assistance in this context, as it undertakes inspections on
regular basis for all the Member States. Where the detected safety deficiencies are not corrected,
86 “Regulation (EC) No 1592/2002 of the European Parliament and of the Council of 15 July 2002 on common rules
in the field of civil aviation and establishing a European Aviation Safety Agency (Text with EEA relevance)”
87 “Regulation (EC) No 216/2008 of the European Parliament and of the Council of 20 February 2008 on common
rules in the field of civil aviation and establishing a European Aviation Safety Agency, and repealing Council
Directive 91/670/EEC, Regulation (EC) No 1592/2002 and Directive 2004/36/EC (Text with EEA relevance)”
88 “Regulation (EC) No 1108/2009 of the European Parliament and of the Council of 21 October 2009 amending
Regulation (EC) No 216/2008 in the field of aerodromes, air traffic management and air navigation services and
repealing Directive 2006/23/EC (Text with EEA relevance)”
pg. 44
2.3. International Scenario: Law and bodies in Euro Control and applicability in
Aviation
The backbone of European Union aviation safety system is covered under the common
safety rules. These put form a uniform level of requirements, meant for the aviation personnel,
operators and manufacturers. This helps in facilitation of products flow, along with the flow of
services and person in internal market, as well as, allows for the safety certificates mutual
recognition, reduction of the administrative workload and burden for the industry and for the
national authorities. The very first set of new generation aviation safety rules were adopted in
2002 by the European Union and these were based on the Regulation (EC) No 1592/200286.
Along with this, the European aviation’s safety system cornerstone was also established, which
is the “European Aviation Safety Agency (EASA)”. The maintenance, airworthiness,
environmental certification of aeronautical products and licensing and training of technicians and
mechanics in aeronautical department was set up through the initial set of these rules.
As a result of Regulation (EC) No 216/200887, brought forth in 2008, EASA’s common
aviation safety rules, and its associated duties were extended by EU to the aircrew training and
licensing, and to aircraft operations. The very next year saw the adoption of second extension of
such common rules, which clearly covered the provision of air traffic management and air
navigation services, and safety aspects of aerodrome operations, through “Regulation (EC) No
1108/2009”88. The European Commission adopts the aviation safety rules based on the technical
opinions, which are issues by EASA. The commission is responsible for the proper execution of
such rules and EASA provides its assistance in this context, as it undertakes inspections on
regular basis for all the Member States. Where the detected safety deficiencies are not corrected,
86 “Regulation (EC) No 1592/2002 of the European Parliament and of the Council of 15 July 2002 on common rules
in the field of civil aviation and establishing a European Aviation Safety Agency (Text with EEA relevance)”
87 “Regulation (EC) No 216/2008 of the European Parliament and of the Council of 20 February 2008 on common
rules in the field of civil aviation and establishing a European Aviation Safety Agency, and repealing Council
Directive 91/670/EEC, Regulation (EC) No 1592/2002 and Directive 2004/36/EC (Text with EEA relevance)”
88 “Regulation (EC) No 1108/2009 of the European Parliament and of the Council of 21 October 2009 amending
Regulation (EC) No 216/2008 in the field of aerodromes, air traffic management and air navigation services and
repealing Directive 2006/23/EC (Text with EEA relevance)”
pg. 44
Cyber Security in Aviation
enforcement actions can be undertaken. This can also lead to the certificates’ mutual recognition
being suspended, or even imposition of penalties on the certificate holders.
The discussions regarding the formation of a safety body for EU, dates back to be early
time of 1996. However, the establishment of EASA took some time, and only in 2002 was it
created as being a self-standing community body. EASA was initially started in Brussels;
though, in 2003, it moved to Cologne. EASA, through the years, is constituted as the soul of
aviation safety system in EU. Through the changes of regulations, which EASA has seen, it is
built upon the cooperation and experience of the Joint Aviation Authorities (JAA). These JAA
were the former group of EU based aviation regulators, which in July 2009, ended their
activities.
As stated earlier, EASA provides the required technical expertise to the Commission, and
also assists the Commission in exercising the regulatory and legislative tasks. The technical
opinions are prepared by the agency, which are created on basis of Commission’s legislative
proposals. Amongst the other responsibilities of EASA is the duty of carrying standardized
inspections for monitoring applicability of EU legislations in a uniform manner, in the member
states, along with making the requisite suggestions to the Commission. Instead of giving the duty
of issuing certificates to member states, it is given to the EASA. One of the examples of this
includes the responsibility of aircraft type certification being in hands of EASA, along with the
same certifications for the other aeronautical products as well. EASA also has the power of
issuing certificates to third country located organizations. However, there has been issuance of
individual certificates to aircrafts, by the member states, under monitoring of EASA, along with
the same being done for majority of personnel and organisations in such territories. Such
certifications that have been based on laws of EU and have been issued in compliance of such
laws, are deemed as valid in all member states of EU. This helps in ensuring uniform safety
levels for travellers, along with presenting a uniform playing field for the operators89.
Air transport is a crucial sector for the European economic sector. As per the 2010
figures, it contributed to 1.5% of GDP of EU, at € 220 billion. There were nearly sixteen
thousand air traffic controllers, with 65 control centers. This momentous magnitude led to EU
89 EU, European Aviation Safety Rules (2019) <https://ec.europa.eu/transport/modes/air/safety/safety-rules_en>
pg. 45
enforcement actions can be undertaken. This can also lead to the certificates’ mutual recognition
being suspended, or even imposition of penalties on the certificate holders.
The discussions regarding the formation of a safety body for EU, dates back to be early
time of 1996. However, the establishment of EASA took some time, and only in 2002 was it
created as being a self-standing community body. EASA was initially started in Brussels;
though, in 2003, it moved to Cologne. EASA, through the years, is constituted as the soul of
aviation safety system in EU. Through the changes of regulations, which EASA has seen, it is
built upon the cooperation and experience of the Joint Aviation Authorities (JAA). These JAA
were the former group of EU based aviation regulators, which in July 2009, ended their
activities.
As stated earlier, EASA provides the required technical expertise to the Commission, and
also assists the Commission in exercising the regulatory and legislative tasks. The technical
opinions are prepared by the agency, which are created on basis of Commission’s legislative
proposals. Amongst the other responsibilities of EASA is the duty of carrying standardized
inspections for monitoring applicability of EU legislations in a uniform manner, in the member
states, along with making the requisite suggestions to the Commission. Instead of giving the duty
of issuing certificates to member states, it is given to the EASA. One of the examples of this
includes the responsibility of aircraft type certification being in hands of EASA, along with the
same certifications for the other aeronautical products as well. EASA also has the power of
issuing certificates to third country located organizations. However, there has been issuance of
individual certificates to aircrafts, by the member states, under monitoring of EASA, along with
the same being done for majority of personnel and organisations in such territories. Such
certifications that have been based on laws of EU and have been issued in compliance of such
laws, are deemed as valid in all member states of EU. This helps in ensuring uniform safety
levels for travellers, along with presenting a uniform playing field for the operators89.
Air transport is a crucial sector for the European economic sector. As per the 2010
figures, it contributed to 1.5% of GDP of EU, at € 220 billion. There were nearly sixteen
thousand air traffic controllers, with 65 control centers. This momentous magnitude led to EU
89 EU, European Aviation Safety Rules (2019) <https://ec.europa.eu/transport/modes/air/safety/safety-rules_en>
pg. 45
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Cyber Security in Aviation
taking proper steps towards safeguarding the ATC. This was done through the
EUROCONTROL Mission. Through the “European Organization for the Safety of Air
Navigation”, efforts were made to integrate and harmonize the Air Navigation Services in
Europe, with the purpose of forming unified “Air Traffic Management” System for both the civil
and the military users. This was done with the purpose of attaining orderly, safe, and expeditious
economic flow of traffic across Europe. EUROCONTROL has been nominated as the Network
Manager for Europe and this act as the central unit for managing air traffic flow. It also supports
the placement of all technology-based improvements in the ATM network of Europe. Apart from
this, it also implements the contingency plans and the security management system, along with
presiding over the operations of EACCC, i.e. European Aviation Crisis Coordination Cell90.
European Centre for Cyber Security in Aviation One of the enablers identified in the
EASA Cyber-Security in Aviation project, and roadmap, is a “European Centre for Cyber
Security in Aviation (ECCSA)”. This will help meet the roadmap’s four identified objectives:
Situational Awareness, Readiness & Resilience, Reactiveness, and Cyber-Security Promotion.
This Aviation Computer Emergency Response Team (CERT) will both establish an aviation-
focused cross-sectorial risk landscape and coordinate prevention of threat scenarios and response
to future attacks. It is currently being set up, with ENISA’s CERT-EU platform being used, and
the start of pilot operations is planned for January 2017. Full operation is expected from
November 2017. It is intended as a clearinghouse for (confidential) incident information that
builds on existing safety reporting. Note that the scope of this is all of aviation91.
Because of the increase demand in air traffic, the “Single European Sky” was brought
forth in 1999. Through these, two packages were brought forth, for regulating Functional
Airspace Blocks, new technologies, interoperability regulations, and SESAR. SESAR is the
programme, which modernized the air traffic management system for Europe92. The following
image highlights the Cyber and CNS integration:
90 Antonio Nogueras, Air Traffic Management moving into European Critical Infrastructure (29 March 2012) <
http://www.motia.eu/webfm_send/85.pdf >
91 EASA, EASA cooperate with CERT-EU on cybersecurity (14 February 2017)
<https://www.easa.europa.eu/newsroom-and-events/news/easa-cooperate-cert-eu-cybersecurity>
92 Antonio Nogueras, Air Traffic Management moving into European Critical Infrastructure (29 March 2012) <
http://www.motia.eu/webfm_send/85.pdf >
pg. 46
taking proper steps towards safeguarding the ATC. This was done through the
EUROCONTROL Mission. Through the “European Organization for the Safety of Air
Navigation”, efforts were made to integrate and harmonize the Air Navigation Services in
Europe, with the purpose of forming unified “Air Traffic Management” System for both the civil
and the military users. This was done with the purpose of attaining orderly, safe, and expeditious
economic flow of traffic across Europe. EUROCONTROL has been nominated as the Network
Manager for Europe and this act as the central unit for managing air traffic flow. It also supports
the placement of all technology-based improvements in the ATM network of Europe. Apart from
this, it also implements the contingency plans and the security management system, along with
presiding over the operations of EACCC, i.e. European Aviation Crisis Coordination Cell90.
European Centre for Cyber Security in Aviation One of the enablers identified in the
EASA Cyber-Security in Aviation project, and roadmap, is a “European Centre for Cyber
Security in Aviation (ECCSA)”. This will help meet the roadmap’s four identified objectives:
Situational Awareness, Readiness & Resilience, Reactiveness, and Cyber-Security Promotion.
This Aviation Computer Emergency Response Team (CERT) will both establish an aviation-
focused cross-sectorial risk landscape and coordinate prevention of threat scenarios and response
to future attacks. It is currently being set up, with ENISA’s CERT-EU platform being used, and
the start of pilot operations is planned for January 2017. Full operation is expected from
November 2017. It is intended as a clearinghouse for (confidential) incident information that
builds on existing safety reporting. Note that the scope of this is all of aviation91.
Because of the increase demand in air traffic, the “Single European Sky” was brought
forth in 1999. Through these, two packages were brought forth, for regulating Functional
Airspace Blocks, new technologies, interoperability regulations, and SESAR. SESAR is the
programme, which modernized the air traffic management system for Europe92. The following
image highlights the Cyber and CNS integration:
90 Antonio Nogueras, Air Traffic Management moving into European Critical Infrastructure (29 March 2012) <
http://www.motia.eu/webfm_send/85.pdf >
91 EASA, EASA cooperate with CERT-EU on cybersecurity (14 February 2017)
<https://www.easa.europa.eu/newsroom-and-events/news/easa-cooperate-cert-eu-cybersecurity>
92 Antonio Nogueras, Air Traffic Management moving into European Critical Infrastructure (29 March 2012) <
http://www.motia.eu/webfm_send/85.pdf >
pg. 46
Cyber Security in Aviation
(Source: MOTIA, 201293)
There are some general cybersecurity measures as well, which find their way in civil
aviation protection for European areas. This includes the “General Data Protection Regulation
(Regulation (EU) 2016/679)”94. This regulation is related to protection of personal data of
individuals. The other important directive in this context is the “Network and Information
Security (NIS) Directive (2016/1148)”, adopted back in July 201695. There is also the existing
European Standard of EN 16495, which is the information security for organizations that support
93 Ibid
94 “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of
natural persons with regard to the processing of personal data and on the free movement of such data, and repealing
Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)”
95 “Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for
a high common level of security of network and information systems across the Union”
pg. 47
(Source: MOTIA, 201293)
There are some general cybersecurity measures as well, which find their way in civil
aviation protection for European areas. This includes the “General Data Protection Regulation
(Regulation (EU) 2016/679)”94. This regulation is related to protection of personal data of
individuals. The other important directive in this context is the “Network and Information
Security (NIS) Directive (2016/1148)”, adopted back in July 201695. There is also the existing
European Standard of EN 16495, which is the information security for organizations that support
93 Ibid
94 “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of
natural persons with regard to the processing of personal data and on the free movement of such data, and repealing
Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)”
95 “Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for
a high common level of security of network and information systems across the Union”
pg. 47
Cyber Security in Aviation
civil aviation. This covers the basic principles and guidelines, covering implementation of
information security management system, in line with the ISO 27002. However, changes on
realigning EN 16495 to ISO 27002 have started, as a result of the latest version of this standards
series (ISO 27000) not being aligned with it. The NEASCOG (NATO EUROCONTROL ATM
Security Coordinating Group) is another noteworthy step under the EUROCONTROL, where the
focus is on ATM security96.
There has also been the formation of ECSCG (European Cyber security for aviation
Standards Coordination Group) to respond to coordinate the aeronautical cybersecurity
development in a harmonized and coordinated manner. This is amongst the most recent steps
taken in aviation cybersecurity. The very first meeting of this group took place in Saint-Denis,
France on 30th October 2018. The focus remains on coordinating the aviation cybersecurity, by
this joint coordinated advisory group, particularly in terms of standardization activities. One of
its specific focuses is on activities to be coordinated, from the EASA and EU, along with the
other market driven standards. ECSCG would primarily deliver the EU cybersecurity
standardization RDP (Rolling Development Plan); along with provide proper modes of
identifying and discussing the overlaps and gaps, as well as, given feedbacks for improving the
overall coordination, to the contributing organizations, for development of standards97.
96 Industry Consultation Body, Industry Developments in ATM Cyber-Security (October 2016) <http://www.icb-
portal.eu/phocadownload/other_output/Industry%20Developments%20in%20ATM%20Cyber-Security
%20Issue.pdf>
97 EUROCAE, The European Cyber security for aviation Standards Coordination Group (2019)
<https://www.eurocae.net/about-us/ecscg/>
pg. 48
civil aviation. This covers the basic principles and guidelines, covering implementation of
information security management system, in line with the ISO 27002. However, changes on
realigning EN 16495 to ISO 27002 have started, as a result of the latest version of this standards
series (ISO 27000) not being aligned with it. The NEASCOG (NATO EUROCONTROL ATM
Security Coordinating Group) is another noteworthy step under the EUROCONTROL, where the
focus is on ATM security96.
There has also been the formation of ECSCG (European Cyber security for aviation
Standards Coordination Group) to respond to coordinate the aeronautical cybersecurity
development in a harmonized and coordinated manner. This is amongst the most recent steps
taken in aviation cybersecurity. The very first meeting of this group took place in Saint-Denis,
France on 30th October 2018. The focus remains on coordinating the aviation cybersecurity, by
this joint coordinated advisory group, particularly in terms of standardization activities. One of
its specific focuses is on activities to be coordinated, from the EASA and EU, along with the
other market driven standards. ECSCG would primarily deliver the EU cybersecurity
standardization RDP (Rolling Development Plan); along with provide proper modes of
identifying and discussing the overlaps and gaps, as well as, given feedbacks for improving the
overall coordination, to the contributing organizations, for development of standards97.
96 Industry Consultation Body, Industry Developments in ATM Cyber-Security (October 2016) <http://www.icb-
portal.eu/phocadownload/other_output/Industry%20Developments%20in%20ATM%20Cyber-Security
%20Issue.pdf>
97 EUROCAE, The European Cyber security for aviation Standards Coordination Group (2019)
<https://www.eurocae.net/about-us/ecscg/>
pg. 48
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Cyber Security in Aviation
Chapter 3: Pillars of Aviation
Aviation industry is in a key makeover phase to reach the predicted societal, air traffic, and
business demands. As touched upon in the introduction part of this research, there are three
pillars of Aviation and these are ATC, airlines, and airports. These three pillars combined form
the aviation sector, and therefore, it becomes crucial to safeguard all the three aspects properly, if
the aviation industry is to be kept safe from cyber threats of present age. To keep pace with the
demands, the aviation industry too has become heavily dependent on Avionics, modern Radar
systems, weather Radars, AWACs, Mode C transponders, ADS-B, GPS system and an array of
entertainment systems for the facilitation of passengers, especially the first and business class
passengers and thus working in a space so called as Cyber space. The cyber space is defined as
intangible mixture of networking, computing, and software; further, the same has been applied
for the join performance of functions. As a result of the enhanced growth in cyber space and
cloud computing, huge bulk of information can be transmitted easily, which necessitates new
agreements to be ratified and for cooperative efforts amid the different space, for securing the
cyber space, and also for regulation of such information exchange.
For a hacker or cyber terrorist, there are varied attack points, including the from aircraft
manufacture and from its equipment and in different stages of operation; to the Air Navigation
Service Provider, and to the Airport Service Provider. Cyber terrorism has the power of targeting
the electronic system of organizations, and it does not matter whether states, individuals or
corporations undertake the same. Any electronic system, which designs or develops software and
hardware, used in air traffic control systems and airports can be made a target. Cyber terrorism
could even target such industries, which take part in aircraft construction or the construction of
its part, irrespective of these constructions being taken place for military or civil use.98
Aviation sector is presently a very critical and lucrative target for the state sponsored
cyber warfare initiatives and for the hackers. The disruption of operations of any airport BAS
(Building Automation System) is a matter of few hours, resulting in loss of millions of dollars in
airlines and even for the related vendors. In addition to this, the air transport covers highly
98 Abeyratne Ruwantissa,‘ Cyber Terrorism and Aviation—National and International Responses’, Journal of
Transportation Security, 2011, Vol.4 (4), at pp.342.
pg. 49
Chapter 3: Pillars of Aviation
Aviation industry is in a key makeover phase to reach the predicted societal, air traffic, and
business demands. As touched upon in the introduction part of this research, there are three
pillars of Aviation and these are ATC, airlines, and airports. These three pillars combined form
the aviation sector, and therefore, it becomes crucial to safeguard all the three aspects properly, if
the aviation industry is to be kept safe from cyber threats of present age. To keep pace with the
demands, the aviation industry too has become heavily dependent on Avionics, modern Radar
systems, weather Radars, AWACs, Mode C transponders, ADS-B, GPS system and an array of
entertainment systems for the facilitation of passengers, especially the first and business class
passengers and thus working in a space so called as Cyber space. The cyber space is defined as
intangible mixture of networking, computing, and software; further, the same has been applied
for the join performance of functions. As a result of the enhanced growth in cyber space and
cloud computing, huge bulk of information can be transmitted easily, which necessitates new
agreements to be ratified and for cooperative efforts amid the different space, for securing the
cyber space, and also for regulation of such information exchange.
For a hacker or cyber terrorist, there are varied attack points, including the from aircraft
manufacture and from its equipment and in different stages of operation; to the Air Navigation
Service Provider, and to the Airport Service Provider. Cyber terrorism has the power of targeting
the electronic system of organizations, and it does not matter whether states, individuals or
corporations undertake the same. Any electronic system, which designs or develops software and
hardware, used in air traffic control systems and airports can be made a target. Cyber terrorism
could even target such industries, which take part in aircraft construction or the construction of
its part, irrespective of these constructions being taken place for military or civil use.98
Aviation sector is presently a very critical and lucrative target for the state sponsored
cyber warfare initiatives and for the hackers. The disruption of operations of any airport BAS
(Building Automation System) is a matter of few hours, resulting in loss of millions of dollars in
airlines and even for the related vendors. In addition to this, the air transport covers highly
98 Abeyratne Ruwantissa,‘ Cyber Terrorism and Aviation—National and International Responses’, Journal of
Transportation Security, 2011, Vol.4 (4), at pp.342.
pg. 49
Cyber Security in Aviation
complicated operations, which arrange and guide a range of critical systems, which includes air
fleet management, AOC (Airline Operations Centre) networks, APRON and tarmac operations,
surveillance, luggage and goods management and ATM (Air Traffic Management) among the
other things. The complexities of these systems, makes securing them a critical task.
(Source: Luca Barba, 201899)
The table below puts forth a simplified list covering threats, which have the capacity of
affecting the aviation industry, along with highlighting the possible impact of it.
Agents Threats Impacts
Competitor / Hacktivist Ground side systems being
attacked (example baggage
handling)
ATM services being blocked
due to service disruption,
resulting in crisis state
Competitor / Hacktivist Attacks on passenger
management systems or
Services at airport being
99 Luca Barba, Improving ICS Cybersecurity for Aviation (02 November 2018)
<https://www.secmatters.com/blog/improving-ics-cyber-security-for-aviation>
pg. 50
complicated operations, which arrange and guide a range of critical systems, which includes air
fleet management, AOC (Airline Operations Centre) networks, APRON and tarmac operations,
surveillance, luggage and goods management and ATM (Air Traffic Management) among the
other things. The complexities of these systems, makes securing them a critical task.
(Source: Luca Barba, 201899)
The table below puts forth a simplified list covering threats, which have the capacity of
affecting the aviation industry, along with highlighting the possible impact of it.
Agents Threats Impacts
Competitor / Hacktivist Ground side systems being
attacked (example baggage
handling)
ATM services being blocked
due to service disruption,
resulting in crisis state
Competitor / Hacktivist Attacks on passenger
management systems or
Services at airport being
99 Luca Barba, Improving ICS Cybersecurity for Aviation (02 November 2018)
<https://www.secmatters.com/blog/improving-ics-cyber-security-for-aviation>
pg. 50
Cyber Security in Aviation
HVAC (Heating, Ventilation,
and Air Conditioning) systems
disrupted
Cyber Criminal Passenger management
networks or commercial
networks being attacked
Direct financial losses
Disgruntled Employee Making sale of unauthorized
access
Issues of confidentially and
privacy, along with triggering
Advanced Persistent Threat’s
lateral movement
Foreign State Takeover or DDoS
(distributed denial-of-service)
of ATM Support Systems
Camouflaged malicious
operations, along with
incidents due to the
misguiding of surface objects
Hacker Compromising public faced
host for using it as a mode of
gaining access
Camouflaged malicious
operations, along with theft of
personal data
Terrorist Landing aids or NAV
disruption, GPS spoofing,
datalink networks sabotage,
ADS-B spoofing
Diversion of traffic to varied
flight space, possible
catastrophic attacks like 9/11,
fight cancellations or delays
Terrorist Violating landing queues
monitoring or vehicle routing
system
Camouflaged malicious
operations, along with use of
bad data to result in outages or
pg. 51
HVAC (Heating, Ventilation,
and Air Conditioning) systems
disrupted
Cyber Criminal Passenger management
networks or commercial
networks being attacked
Direct financial losses
Disgruntled Employee Making sale of unauthorized
access
Issues of confidentially and
privacy, along with triggering
Advanced Persistent Threat’s
lateral movement
Foreign State Takeover or DDoS
(distributed denial-of-service)
of ATM Support Systems
Camouflaged malicious
operations, along with
incidents due to the
misguiding of surface objects
Hacker Compromising public faced
host for using it as a mode of
gaining access
Camouflaged malicious
operations, along with theft of
personal data
Terrorist Landing aids or NAV
disruption, GPS spoofing,
datalink networks sabotage,
ADS-B spoofing
Diversion of traffic to varied
flight space, possible
catastrophic attacks like 9/11,
fight cancellations or delays
Terrorist Violating landing queues
monitoring or vehicle routing
system
Camouflaged malicious
operations, along with use of
bad data to result in outages or
pg. 51
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Cyber Security in Aviation
incidents
The increased digitalization has brought new vulnerabilities and threats, which are
inevitable. Further, these can be managed through improving the threat detection solutions and
visibility. One of the suggested measures is the Defense in Depth strategy. This basically is a
multi-layered defence system, which is distributed across the network. The same can be
explained through the below given image. It is expected that such constant measures would assist
the cyberspace to be more secure to the threats highlighted earlier.
(Source: Luca Barba, 2018100)
3.1. Cybersecurity in ATC
3.1.1. ATC and threats looming around it
The Air Transport sector has seen digital technologies gaining lot of traction, as they
have a major impact over the passenger and flight safety. The air traffic management is
increasingly becoming a data driven force, which makes it crucial for it to be properly
safeguarded. The Network Manager function of Euro control has the responsibility for taking
care of the ATM in forty three nations, and in order to fulfil its objectives of protecting the
information systems from any and all kinds of cyber threats, has adopted outside help. One of
100 Luca Barba, Improving ICS Cybersecurity for Aviation (02 November 2018)
<https://www.secmatters.com/blog/improving-ics-cyber-security-for-aviation>
pg. 52
incidents
The increased digitalization has brought new vulnerabilities and threats, which are
inevitable. Further, these can be managed through improving the threat detection solutions and
visibility. One of the suggested measures is the Defense in Depth strategy. This basically is a
multi-layered defence system, which is distributed across the network. The same can be
explained through the below given image. It is expected that such constant measures would assist
the cyberspace to be more secure to the threats highlighted earlier.
(Source: Luca Barba, 2018100)
3.1. Cybersecurity in ATC
3.1.1. ATC and threats looming around it
The Air Transport sector has seen digital technologies gaining lot of traction, as they
have a major impact over the passenger and flight safety. The air traffic management is
increasingly becoming a data driven force, which makes it crucial for it to be properly
safeguarded. The Network Manager function of Euro control has the responsibility for taking
care of the ATM in forty three nations, and in order to fulfil its objectives of protecting the
information systems from any and all kinds of cyber threats, has adopted outside help. One of
100 Luca Barba, Improving ICS Cybersecurity for Aviation (02 November 2018)
<https://www.secmatters.com/blog/improving-ics-cyber-security-for-aviation>
pg. 52
Cyber Security in Aviation
this outside assistance is provided by Thales to modernize the air transport sector, and to help in
developing five markets of space, defence, security, ground transportation and aerospace101.
These days, the cyber-attacks taking place on the aviation industry, have become a key
issue of concern, as has been a key focus of this discussion. Cyberspace puts forth a cheap haven
for undertaking varied disruptive activities, which leads to the inference that hackers consider
aviation sector as their key target. Apart from this, the low risks associated with this makes it
easier for cyber terrorism to replace hijackers and bombers, thereby becoming the leading option
for attaching aviation industry. One of the most complex and integrated mode of Information and
Communication Technology, i.e. ICT is hosting. This, when coupled with the increased inter
connectivity, results in growth of threats on aviation industry from multiple fronts hiding behind
anonymity. The actors of such cyber threats focus over malicious intent, physical damage,
political motivations, hactivist national, financial gains and theft of personal data. In short, by
adopting an informed risk cybersecurity roadmap that is attained by analysing the threats,
thereby strengthening the resilience of aviation industry against cyber threats, takes the centre-
stage102. A depiction of communication attacks on ATM system is presented below:
101 Thales, Eurocontrol Chooses Thales For Cybersecurity And Digitalisation Of Air Traffic Services (28 May 2018)
<https://www.thalesgroup.com/en/worldwide/security/press-release/eurocontrol-chooses-thales-cybersecurity-and-
digitalisation-air>
102 Dan Virgillito, Cyber Threat Analysis for the Aviation Industry (26 February 2015)
<https://resources.infosecinstitute.com/cyber-threat-analysis-aviation-industry/#gref >
pg. 53
this outside assistance is provided by Thales to modernize the air transport sector, and to help in
developing five markets of space, defence, security, ground transportation and aerospace101.
These days, the cyber-attacks taking place on the aviation industry, have become a key
issue of concern, as has been a key focus of this discussion. Cyberspace puts forth a cheap haven
for undertaking varied disruptive activities, which leads to the inference that hackers consider
aviation sector as their key target. Apart from this, the low risks associated with this makes it
easier for cyber terrorism to replace hijackers and bombers, thereby becoming the leading option
for attaching aviation industry. One of the most complex and integrated mode of Information and
Communication Technology, i.e. ICT is hosting. This, when coupled with the increased inter
connectivity, results in growth of threats on aviation industry from multiple fronts hiding behind
anonymity. The actors of such cyber threats focus over malicious intent, physical damage,
political motivations, hactivist national, financial gains and theft of personal data. In short, by
adopting an informed risk cybersecurity roadmap that is attained by analysing the threats,
thereby strengthening the resilience of aviation industry against cyber threats, takes the centre-
stage102. A depiction of communication attacks on ATM system is presented below:
101 Thales, Eurocontrol Chooses Thales For Cybersecurity And Digitalisation Of Air Traffic Services (28 May 2018)
<https://www.thalesgroup.com/en/worldwide/security/press-release/eurocontrol-chooses-thales-cybersecurity-and-
digitalisation-air>
102 Dan Virgillito, Cyber Threat Analysis for the Aviation Industry (26 February 2015)
<https://resources.infosecinstitute.com/cyber-threat-analysis-aviation-industry/#gref >
pg. 53
Cyber Security in Aviation
(Source: Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzalis, 2019103)
As a result of the computer systems available both on-board and off board, the rampant
usage of data networks, coupled with navigation systems, data breaches and cyber-attacks are
deemed as the top most growing threats for this sector. Some of the prominent threats that the
aviation industry faces include the following:
Phishing attacks: These are the most successful ones, working against the aviation
industry. Centre for Security, i.e. CIS, had reported for last year that 75 US airports had
been targeted. The nature of these threats qualified under advanced persistent threats,
meaning unauthorized individuals/ groups attaining access to network of the
organization. The root cause of this attack was put as the public document that covered
the emails of target airports.
Jamming attacks: When a ghost flight is injected in air traffic control system by an
attacker, with the purpose of altering mapping and projection of airplanes, or that of
deleting the position from the radar screen, it is deemed as jamming attacks. As these
attacks compromise the very accuracy of the data, which is provided to the aircraft
management, these attacks, have a big negative impact.
Remote hijacking: The hackers are able to attack or control, the on-board systems and
flights remotely because of the security flaws in ICT, contributing to such attacks. The
Flight Management System was shown to be attacked by a hacker, which showed how
the varied elements like surveillance systems, engine and fuel systems, aircraft displays,
engine and fuel systems, and the others, could be easily manipulated.
DDoS and Botnet attacks: There is a growing popularity of Distributed-denial-of-service
attacks with the purpose of undertaking different malware injection activities. Through
such measures, the hackers use botnets of the networks, which have been compromise,
for flooding the ATC and other crucial systems related to traffic, resulting in the
platforms crashing entirely. At such instances, the attackers, with the threat of disrupting
flight control and management systems, often ask for ransom amount. A depiction of
such attacks is presented below:
103 Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzal, Smart Airport Cybersecurity: Threat Mitigation
and Cyber Resilience Controls (2019) 19(1) Sensors (Basel) <10.3390/s19010019>
pg. 54
(Source: Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzalis, 2019103)
As a result of the computer systems available both on-board and off board, the rampant
usage of data networks, coupled with navigation systems, data breaches and cyber-attacks are
deemed as the top most growing threats for this sector. Some of the prominent threats that the
aviation industry faces include the following:
Phishing attacks: These are the most successful ones, working against the aviation
industry. Centre for Security, i.e. CIS, had reported for last year that 75 US airports had
been targeted. The nature of these threats qualified under advanced persistent threats,
meaning unauthorized individuals/ groups attaining access to network of the
organization. The root cause of this attack was put as the public document that covered
the emails of target airports.
Jamming attacks: When a ghost flight is injected in air traffic control system by an
attacker, with the purpose of altering mapping and projection of airplanes, or that of
deleting the position from the radar screen, it is deemed as jamming attacks. As these
attacks compromise the very accuracy of the data, which is provided to the aircraft
management, these attacks, have a big negative impact.
Remote hijacking: The hackers are able to attack or control, the on-board systems and
flights remotely because of the security flaws in ICT, contributing to such attacks. The
Flight Management System was shown to be attacked by a hacker, which showed how
the varied elements like surveillance systems, engine and fuel systems, aircraft displays,
engine and fuel systems, and the others, could be easily manipulated.
DDoS and Botnet attacks: There is a growing popularity of Distributed-denial-of-service
attacks with the purpose of undertaking different malware injection activities. Through
such measures, the hackers use botnets of the networks, which have been compromise,
for flooding the ATC and other crucial systems related to traffic, resulting in the
platforms crashing entirely. At such instances, the attackers, with the threat of disrupting
flight control and management systems, often ask for ransom amount. A depiction of
such attacks is presented below:
103 Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzal, Smart Airport Cybersecurity: Threat Mitigation
and Cyber Resilience Controls (2019) 19(1) Sensors (Basel) <10.3390/s19010019>
pg. 54
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Cyber Security in Aviation
(Source: Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzalis, 2019104)
WiFi based attacks: The Active Consultants of IOA have identified weaknesses in on-
board systems, which enable attackers in using the inflight entertainment system or the
WiFi signal to hack the avionics equipment of planes, and for disrupting/ modifying
satellite communications. One view is that after such attacks, with remote control, the
planes could be landed in a successful manner. It just requires a framework of codes, by
such actors, to get inside the system of planes and to override the security measures105.
Air traffic control, in its basic sense, refers to the regional and interconnected systems,
through which different functions like on ground traffic control, runway lighting control,
separation and routing, and radar control are undertaken. Under ATC, cyber security acts as a
critical infrastructure. This is due to the world being entangled in sophisticated and deceitful
cyber threat landscape at present. The adversaries are often targeting different organizations,
which has now translated to attacks on critical infrastructure. Particularly in the world of hyper-
connected Internet of Things (IoT), the ease of devices being interconnected to all kinds of
104 Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzal, Smart Airport Cybersecurity: Threat Mitigation
and Cyber Resilience Controls (2019) 19(1) Sensors (Basel) <10.3390/s19010019>
105 Ibid
pg. 55
(Source: Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzalis, 2019104)
WiFi based attacks: The Active Consultants of IOA have identified weaknesses in on-
board systems, which enable attackers in using the inflight entertainment system or the
WiFi signal to hack the avionics equipment of planes, and for disrupting/ modifying
satellite communications. One view is that after such attacks, with remote control, the
planes could be landed in a successful manner. It just requires a framework of codes, by
such actors, to get inside the system of planes and to override the security measures105.
Air traffic control, in its basic sense, refers to the regional and interconnected systems,
through which different functions like on ground traffic control, runway lighting control,
separation and routing, and radar control are undertaken. Under ATC, cyber security acts as a
critical infrastructure. This is due to the world being entangled in sophisticated and deceitful
cyber threat landscape at present. The adversaries are often targeting different organizations,
which has now translated to attacks on critical infrastructure. Particularly in the world of hyper-
connected Internet of Things (IoT), the ease of devices being interconnected to all kinds of
104 Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzal, Smart Airport Cybersecurity: Threat Mitigation
and Cyber Resilience Controls (2019) 19(1) Sensors (Basel) <10.3390/s19010019>
105 Ibid
pg. 55
Cyber Security in Aviation
networks, increases the chances of such threats. At the time when the airports are trying to
modernize their critical functions, the evolving landscape of IoT poses a threat over the ATC
systems. A possible cyber-attack on ATC systems could result in physical processes like airport
runway lighting and radar controls being misused. This requires proper measures to ensure that
such instances do not take place106. This discussion highlights some of the global laws, which
work in this context, and would cover some global instances, to show the gravity of this threat.
Under the general legal framework, cyber security has received particular consideration
in “Security to the Chicago Convention Annex 17”. This states that every contracting state needs
to create the measures for protecting ICT systems, which are used for civil aviation, from any
kind of interference, when it has the capability of hampering its safety. The guidance relating to
the application of SARPs, i.e. Standards and Recommended Practices covered in Annex 17, are
covered under “Aviation Security Manual (Doc 8973 – Restricted) and the Air Traffic
Management Security Manual (Doc. 9985 - Restricted)”. The significance of management of air
traffic towards aviation security process can be established through the latest changes made to
this annex. These modifications include the measure regarding cyber-threats. Further, these also
oblige the states in making certain that the facilities and infrastructure are proper protecting,
while at the same time, the security programmes are harmonized based on the national lawful
frameworks. There has been a noted trend in the ATM, i.e. air traffic management system, at two
levels. These include the ones in air navigation service providers and the other at the
international level. These trends point towards the rising information sharing and towards the
creation of joint and shared situational awareness for broad range of stakeholders of this
industry. Even though this enables the rise in operational efficiency and increases productivity, it
brings with it, the growing possibilities of cyber-attacks. This is coupled with the present and
next generation systems like SESAR and NextGen, which increase the cyber-attacks
vulnerability, owing to the demand for more information being shared. This is majorly due to the
increase usage of commercial IT, computing infrastructures, shared networks, and network-based
architectures and operations107.
106 Jon Stanford, Air Traffic Control and Industrial Control Systems in the Age of Cybersecurity Threats (15 July
2016) <https://www.hstoday.us/channels/federal-state-local/air-traffic-control-and-industrial-control-systems-in-the-
age-of-cybersecurity-threats/>
pg. 56
networks, increases the chances of such threats. At the time when the airports are trying to
modernize their critical functions, the evolving landscape of IoT poses a threat over the ATC
systems. A possible cyber-attack on ATC systems could result in physical processes like airport
runway lighting and radar controls being misused. This requires proper measures to ensure that
such instances do not take place106. This discussion highlights some of the global laws, which
work in this context, and would cover some global instances, to show the gravity of this threat.
Under the general legal framework, cyber security has received particular consideration
in “Security to the Chicago Convention Annex 17”. This states that every contracting state needs
to create the measures for protecting ICT systems, which are used for civil aviation, from any
kind of interference, when it has the capability of hampering its safety. The guidance relating to
the application of SARPs, i.e. Standards and Recommended Practices covered in Annex 17, are
covered under “Aviation Security Manual (Doc 8973 – Restricted) and the Air Traffic
Management Security Manual (Doc. 9985 - Restricted)”. The significance of management of air
traffic towards aviation security process can be established through the latest changes made to
this annex. These modifications include the measure regarding cyber-threats. Further, these also
oblige the states in making certain that the facilities and infrastructure are proper protecting,
while at the same time, the security programmes are harmonized based on the national lawful
frameworks. There has been a noted trend in the ATM, i.e. air traffic management system, at two
levels. These include the ones in air navigation service providers and the other at the
international level. These trends point towards the rising information sharing and towards the
creation of joint and shared situational awareness for broad range of stakeholders of this
industry. Even though this enables the rise in operational efficiency and increases productivity, it
brings with it, the growing possibilities of cyber-attacks. This is coupled with the present and
next generation systems like SESAR and NextGen, which increase the cyber-attacks
vulnerability, owing to the demand for more information being shared. This is majorly due to the
increase usage of commercial IT, computing infrastructures, shared networks, and network-based
architectures and operations107.
106 Jon Stanford, Air Traffic Control and Industrial Control Systems in the Age of Cybersecurity Threats (15 July
2016) <https://www.hstoday.us/channels/federal-state-local/air-traffic-control-and-industrial-control-systems-in-the-
age-of-cybersecurity-threats/>
pg. 56
Cyber Security in Aviation
As against the historical practices, the sharing of information in ATM systems of futures
was not to be restricted to point based communications and was rather focused towards making
use of the open system architecture, as well as, the internet based information flow. Yet, there
has been a noticed trend towards the growing usage of present technologies, which have growing
interoperability among systems, coupled with improvements being brought in productivity
through automation108.
The aforementioned trend is not just restricted to ATM, and its applicability can actually
be seen for improving effectiveness of present operations by applying IT, and for allowing newer
modes of operating. Once information is allowed to be shared rapidly amongst different systems
and humans, as is needed, different benefits are attained. However, these benefits come bearing
risks with it. As a result of the increase in use of IT, there is a greater exposure of the cyber-
attacks. This is a very serious threat, which is also very real one. ANSPs are required to create
and implement strategies for securing, and have to make plans for making certain that the
mission operations are continued, irrespective of the looming threat. In order to transform the
global performance of ATM, and for making certain the safety and efficiency being attained
towards seamless airspace across the globe, there is a need for the global ATM systems to meet
the clear security expectations and requirements. This is specifically covered under the “Global
Air Traffic Management Operational Concept (ICAO Doc. 9854)”. Under this, a clear definition
for a globally harmonized, integrated and interoperable ATM system has been provided109.
This is defined in the context of safeguarding against the threats, which are born from the
intentional acts like that of terrorism and even the unintentional ones like that of a natural
disaster or human errors, that have the capability of impacting individuals, aircrafts or ground
installations. A key expectation is proper security for the citizens and community of ATM. Thus,
there is a need for the ATM system to work towards security, and the system related information
to be properly safeguarded against any and all threats related to security. The risk management
107 CANSO, CANSO Cyber Security and Risk Assessment Guide (June 2014)
<https://www.canso.org/sites/default/files/CANSO%20Cyber%20Security%20and%20Risk%20Assessment
%20Guide.pdf >
108 Ibid
109 Ibid
pg. 57
As against the historical practices, the sharing of information in ATM systems of futures
was not to be restricted to point based communications and was rather focused towards making
use of the open system architecture, as well as, the internet based information flow. Yet, there
has been a noticed trend towards the growing usage of present technologies, which have growing
interoperability among systems, coupled with improvements being brought in productivity
through automation108.
The aforementioned trend is not just restricted to ATM, and its applicability can actually
be seen for improving effectiveness of present operations by applying IT, and for allowing newer
modes of operating. Once information is allowed to be shared rapidly amongst different systems
and humans, as is needed, different benefits are attained. However, these benefits come bearing
risks with it. As a result of the increase in use of IT, there is a greater exposure of the cyber-
attacks. This is a very serious threat, which is also very real one. ANSPs are required to create
and implement strategies for securing, and have to make plans for making certain that the
mission operations are continued, irrespective of the looming threat. In order to transform the
global performance of ATM, and for making certain the safety and efficiency being attained
towards seamless airspace across the globe, there is a need for the global ATM systems to meet
the clear security expectations and requirements. This is specifically covered under the “Global
Air Traffic Management Operational Concept (ICAO Doc. 9854)”. Under this, a clear definition
for a globally harmonized, integrated and interoperable ATM system has been provided109.
This is defined in the context of safeguarding against the threats, which are born from the
intentional acts like that of terrorism and even the unintentional ones like that of a natural
disaster or human errors, that have the capability of impacting individuals, aircrafts or ground
installations. A key expectation is proper security for the citizens and community of ATM. Thus,
there is a need for the ATM system to work towards security, and the system related information
to be properly safeguarded against any and all threats related to security. The risk management
107 CANSO, CANSO Cyber Security and Risk Assessment Guide (June 2014)
<https://www.canso.org/sites/default/files/CANSO%20Cyber%20Security%20and%20Risk%20Assessment
%20Guide.pdf >
108 Ibid
109 Ibid
pg. 57
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Cyber Security in Aviation
related to security needs to be such where it balances the members’ requirements for the ATM
community. These are related to the attaining access to these systems, while safeguarding them
at the same time. In case of possible threats to use of aircrafts or to the aircrafts, the ATM has to
put forth the authorities, which have the responsibility regarding proper information and
assistance110.
The US airspace has been no different, and as per the GAO (Government Accountability
Office) of US, the commercial ATC systems of the nation are prone to cyber security threats at
the hands of hackers. Even though the US FAA towards protection of ATC has taken steps
systems from such cyber warfare threats, there continue to be major security control weaknesses.
These have a possible of threatening the ability of FAA towards making certain the uninterrupted
and safe operations of NAS (National airspace system). These are majorly due to computers
controlling ATC boundaries, authenticating users, granting access, encryption of sensitive data,
and the FAA systems’ monitoring. This is coupled with the shortfalls in boundary protection
controls amidst the operational NAS and less-secure systems111.
There is still lack of information security programs to be implemented across FAA. There
is a lack of leaders of FAA testing the security controls properly, so as to assure that they were
safely operational, as is the intention. They also fail in resolving the identified security
weaknesses in a time based manner, and even in properly test planning or completing these, for
restoring the system operations in case of disaster or disruption. There is lack of sufficient access
to the group responsible for responding to NAS system, and for incident detection, in context of
network sensors or security logs over operational network. This ultimately results in the ability
of detecting and responding to the security incidents of the FAA getting limited, resulting in
mission critical systems being affected112.
There has been lack of a proper integrated approach for managing such risks as per GAO
investigators. Even though there has been creation of a steering committee of cybersecurity for
managing the cyber threats and risks, they fail in establishing proper information security
110 Ibid
111 John Keller, U.S. air traffic control computers vulnerable to hackers and other cyber security threats, GAO says
(09 March 2015) <https://www.militaryaerospace.com/articles/2015/03/atc-cyber-security.html>
112 Ibid
pg. 58
related to security needs to be such where it balances the members’ requirements for the ATM
community. These are related to the attaining access to these systems, while safeguarding them
at the same time. In case of possible threats to use of aircrafts or to the aircrafts, the ATM has to
put forth the authorities, which have the responsibility regarding proper information and
assistance110.
The US airspace has been no different, and as per the GAO (Government Accountability
Office) of US, the commercial ATC systems of the nation are prone to cyber security threats at
the hands of hackers. Even though the US FAA towards protection of ATC has taken steps
systems from such cyber warfare threats, there continue to be major security control weaknesses.
These have a possible of threatening the ability of FAA towards making certain the uninterrupted
and safe operations of NAS (National airspace system). These are majorly due to computers
controlling ATC boundaries, authenticating users, granting access, encryption of sensitive data,
and the FAA systems’ monitoring. This is coupled with the shortfalls in boundary protection
controls amidst the operational NAS and less-secure systems111.
There is still lack of information security programs to be implemented across FAA. There
is a lack of leaders of FAA testing the security controls properly, so as to assure that they were
safely operational, as is the intention. They also fail in resolving the identified security
weaknesses in a time based manner, and even in properly test planning or completing these, for
restoring the system operations in case of disaster or disruption. There is lack of sufficient access
to the group responsible for responding to NAS system, and for incident detection, in context of
network sensors or security logs over operational network. This ultimately results in the ability
of detecting and responding to the security incidents of the FAA getting limited, resulting in
mission critical systems being affected112.
There has been lack of a proper integrated approach for managing such risks as per GAO
investigators. Even though there has been creation of a steering committee of cybersecurity for
managing the cyber threats and risks, they fail in establishing proper information security
110 Ibid
111 John Keller, U.S. air traffic control computers vulnerable to hackers and other cyber security threats, GAO says
(09 March 2015) <https://www.militaryaerospace.com/articles/2015/03/atc-cyber-security.html>
112 Ibid
pg. 58
Cyber Security in Aviation
practices. Particularly, there is a lack of clear demarcation in responsibilities and roles of FAA
officials in context of information security for NAS or even an update over the strategic plan for
information security required for reflecting upon the growing reliance on computer networks.
Thus, until the time proper security measures are taken up by FAA, to remove these weaknesses,
the ATC system of USA continues to be a target of avoidable security risks. This is the reason
why GAO has made seventeen recommendations to FAA for implementation of information
security program in the agency, and for creating an integrated approach for managing these
risks113.
3.1.2. Major events in Air Traffic control
To show the reality of the cyber-attacks situation in ATC, some of the past incidents have
been covered in this segment.
2006: In July, American FAA was forced to shut down a number of ATC systems
specifically in Alaska, due to cyber-attacks.
The VHF and HF communication between an ATC and crew are neither secure nor
encrypted thus readily available for various forms of Cyber-attacks and may make air
services haywire.
2013: At the Derby Con, a white-hat114 demonstrated that with equipment worth just
$2000, that the ghost planes could be introduced into the Air Traffic Controller’s
Situation Data Display (SDD screen) to cause chaos, simply because of lack of
verification process to determine the source of messages and lack of authentication
process.
By 2020, ADS-B , a surveillance technology will be replacing radar as the primary means
of tracking aircraft and will be a compulsory requirement on the majority of aircraft. In
India, several airports are equipped with ADS-B like Lucknow, Nagpur etc. and work on
many more is in progress. Being a data infrastructure, it will provide traffic and weather
information, offering better communication between the aircraft and air traffic control.
113 Ibid
114 Deepika Jeyakodi, Cyber security in civil aviation (2015) The Aviation & Space Journal 14(4)
pg. 59
practices. Particularly, there is a lack of clear demarcation in responsibilities and roles of FAA
officials in context of information security for NAS or even an update over the strategic plan for
information security required for reflecting upon the growing reliance on computer networks.
Thus, until the time proper security measures are taken up by FAA, to remove these weaknesses,
the ATC system of USA continues to be a target of avoidable security risks. This is the reason
why GAO has made seventeen recommendations to FAA for implementation of information
security program in the agency, and for creating an integrated approach for managing these
risks113.
3.1.2. Major events in Air Traffic control
To show the reality of the cyber-attacks situation in ATC, some of the past incidents have
been covered in this segment.
2006: In July, American FAA was forced to shut down a number of ATC systems
specifically in Alaska, due to cyber-attacks.
The VHF and HF communication between an ATC and crew are neither secure nor
encrypted thus readily available for various forms of Cyber-attacks and may make air
services haywire.
2013: At the Derby Con, a white-hat114 demonstrated that with equipment worth just
$2000, that the ghost planes could be introduced into the Air Traffic Controller’s
Situation Data Display (SDD screen) to cause chaos, simply because of lack of
verification process to determine the source of messages and lack of authentication
process.
By 2020, ADS-B , a surveillance technology will be replacing radar as the primary means
of tracking aircraft and will be a compulsory requirement on the majority of aircraft. In
India, several airports are equipped with ADS-B like Lucknow, Nagpur etc. and work on
many more is in progress. Being a data infrastructure, it will provide traffic and weather
information, offering better communication between the aircraft and air traffic control.
113 Ibid
114 Deepika Jeyakodi, Cyber security in civil aviation (2015) The Aviation & Space Journal 14(4)
pg. 59
Cyber Security in Aviation
However, until date, the ADS-B system remains unprotected and vulnerable to cyber-
attacks.
There were some malware-related security breaches taking place in India in its banking
ATMs. Owing to this, different banks, including YES Bank, Axis Bank, ICICI Bank, HDFC
Bank, and State Bank of India (SBI), had to block millions of debit cards as these had been
compromised115. Because of such attacks, ICCAIA, CANSO, ACI, IATA, and ICAO came
together in December 2014 to sign an action plan catering to cybersecurity in civil aviation, just
to fight off these cyber criminals, hackers, hacktivists and other terrorists working in cyber
security disruption. These include terrorist organizations like Al-Qaeda and ISIS116.
As Western democracies ramp up their rhetoric against Russia, White House officials
said Thursday that Russia has hacked or at least targeted U.S. infrastructure, including aviation
systems. The Washington Post reported in March 2018 that these new hacking claims are the
strongest condemnation yet of claimed Russian attempts to erode Western values and technical
infrastructure. Without being specific, officials in the FBI, Department of Homeland Security
and intelligence agencies said Russia broke into computer systems and conducted “network
reconnaissance” of critical control elements, then made an attempt to hide their footprints by
erasing the signs of this hacking117.
The DHS said the Russian effort was part of a “multi-stage intrusion” to hack U.S. cyber
resources across a range of economic sectors, including industrial and government infrastructure.
Although it’s not known how vulnerable it is, the U.S. air traffic system depends on multiple
data systems of variable vintage. Earlier this year, The Associated Press reported that Russians
targeted the major United States based aerospace companies, which included the likes of
Lockheed Martin, Boeing and Raytheon by penetrating, email networks used by employees
through phishing schemes118.
115 Ibid
116 At 22
117 The Japan Times, Russian hacking of U.S. infrastructure included aviation (17 March 2018)
<https://www.japantimes.co.jp/news/2018/03/17/world/russian-hacking-u-s-infrastructure-included-aviation/
#.W925SJMzbIU >
pg. 60
However, until date, the ADS-B system remains unprotected and vulnerable to cyber-
attacks.
There were some malware-related security breaches taking place in India in its banking
ATMs. Owing to this, different banks, including YES Bank, Axis Bank, ICICI Bank, HDFC
Bank, and State Bank of India (SBI), had to block millions of debit cards as these had been
compromised115. Because of such attacks, ICCAIA, CANSO, ACI, IATA, and ICAO came
together in December 2014 to sign an action plan catering to cybersecurity in civil aviation, just
to fight off these cyber criminals, hackers, hacktivists and other terrorists working in cyber
security disruption. These include terrorist organizations like Al-Qaeda and ISIS116.
As Western democracies ramp up their rhetoric against Russia, White House officials
said Thursday that Russia has hacked or at least targeted U.S. infrastructure, including aviation
systems. The Washington Post reported in March 2018 that these new hacking claims are the
strongest condemnation yet of claimed Russian attempts to erode Western values and technical
infrastructure. Without being specific, officials in the FBI, Department of Homeland Security
and intelligence agencies said Russia broke into computer systems and conducted “network
reconnaissance” of critical control elements, then made an attempt to hide their footprints by
erasing the signs of this hacking117.
The DHS said the Russian effort was part of a “multi-stage intrusion” to hack U.S. cyber
resources across a range of economic sectors, including industrial and government infrastructure.
Although it’s not known how vulnerable it is, the U.S. air traffic system depends on multiple
data systems of variable vintage. Earlier this year, The Associated Press reported that Russians
targeted the major United States based aerospace companies, which included the likes of
Lockheed Martin, Boeing and Raytheon by penetrating, email networks used by employees
through phishing schemes118.
115 Ibid
116 At 22
117 The Japan Times, Russian hacking of U.S. infrastructure included aviation (17 March 2018)
<https://www.japantimes.co.jp/news/2018/03/17/world/russian-hacking-u-s-infrastructure-included-aviation/
#.W925SJMzbIU >
pg. 60
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Cyber Security in Aviation
3.2. Cybersecurity in Airlines
Airplanes are deemed as the urbane system of engineering comprising of multifaceted
system of mechanisms, which include ground control systems, avionics, air navigation service
providers, sensors, communication links, and a base system, among the other things. These
components and communiqué links are prone to cyber-attacks like spoofing hacking, jamming
etc. This may lead to several problems. This includes an ‘unauthorized remote access to aircraft
avionics systems;’119 especially in case of fresher planes like the Boeing 787 Dreamliner and the
long haul based Airbus models like A380 and A350120. Along with this, there is a possibility of
an attack, which may be on the whole system or on distinct mechanisms, or for manipulating
systems in order to undertake some kind of physical attacks.
There have been some real life instances in this context as well. There was the grounding
of all the flights of US airliner i.e. United Airlines reportedly after bogus flight plans appeared in
its system, in 2015.121 The others include:
A Cyber-attack on the ground operation system of an International airline i.e. Polish
airline LOT, thereby desisting LOT to create flight plans (FPL) and all the departing
flights from Poland (Warsaw) came to be at halt, in 2015.122
In 2013, a hacker named, Hugo Teso, demonstrated123 how to gain remote access into the
cockpit system, gain control and remotely programme flights from the ground using a
simple application and off-the-shelf electronic equipment.124 This demonstration urged
not only governmental organizations but also several IT Security Analysts to investigate
the vulnerability of aircraft to cyber-attacks.
118 AVWeb, DHS: Russia Hacking U.S. ATC? (15 March 2018) <https://www.avweb.com/avwebflash/news/DHS-
Russia-Hacking-US-ATC-230447-1.html>
119 ‘FAA Needs a More Comprehensive Approach to Address Cyber security As Agency Transitions to NextGen,’
Report of the U.S.Government Accountability Office, GAO-15-370, http://www.gao.gov/assets/670/669627.pdf
120 Ibid.
121 ‘Security Experts Warn Airlines Face Threat of Cyber Attacks’, Sydney Morning Herald, July 6, 2015.
122 ‘Polish Airline, Hit By Cyber Attack, Says All Carriers Are At Risk’, Reuters, June 22, 2015, Warsaw/Frankfurt.
123 Black Box Security Conference, 2013, Amsterdam.
124 Flight Management System and Simon App
pg. 61
3.2. Cybersecurity in Airlines
Airplanes are deemed as the urbane system of engineering comprising of multifaceted
system of mechanisms, which include ground control systems, avionics, air navigation service
providers, sensors, communication links, and a base system, among the other things. These
components and communiqué links are prone to cyber-attacks like spoofing hacking, jamming
etc. This may lead to several problems. This includes an ‘unauthorized remote access to aircraft
avionics systems;’119 especially in case of fresher planes like the Boeing 787 Dreamliner and the
long haul based Airbus models like A380 and A350120. Along with this, there is a possibility of
an attack, which may be on the whole system or on distinct mechanisms, or for manipulating
systems in order to undertake some kind of physical attacks.
There have been some real life instances in this context as well. There was the grounding
of all the flights of US airliner i.e. United Airlines reportedly after bogus flight plans appeared in
its system, in 2015.121 The others include:
A Cyber-attack on the ground operation system of an International airline i.e. Polish
airline LOT, thereby desisting LOT to create flight plans (FPL) and all the departing
flights from Poland (Warsaw) came to be at halt, in 2015.122
In 2013, a hacker named, Hugo Teso, demonstrated123 how to gain remote access into the
cockpit system, gain control and remotely programme flights from the ground using a
simple application and off-the-shelf electronic equipment.124 This demonstration urged
not only governmental organizations but also several IT Security Analysts to investigate
the vulnerability of aircraft to cyber-attacks.
118 AVWeb, DHS: Russia Hacking U.S. ATC? (15 March 2018) <https://www.avweb.com/avwebflash/news/DHS-
Russia-Hacking-US-ATC-230447-1.html>
119 ‘FAA Needs a More Comprehensive Approach to Address Cyber security As Agency Transitions to NextGen,’
Report of the U.S.Government Accountability Office, GAO-15-370, http://www.gao.gov/assets/670/669627.pdf
120 Ibid.
121 ‘Security Experts Warn Airlines Face Threat of Cyber Attacks’, Sydney Morning Herald, July 6, 2015.
122 ‘Polish Airline, Hit By Cyber Attack, Says All Carriers Are At Risk’, Reuters, June 22, 2015, Warsaw/Frankfurt.
123 Black Box Security Conference, 2013, Amsterdam.
124 Flight Management System and Simon App
pg. 61
Cyber Security in Aviation
The 2011 capture of a drone by Iran is still one of the most controversial cyber incidents,
wherein it was alleged that an RQ 170 Sentinel was brought down by the Iranian Armed
Forces' electronic warfare unit.125 Following this incident there were several estimations
on the possibility of cyber hijack of aircraft.
Subsequently, in July 2012, Todd Humphreys, demonstrated in his ‘Statement on the
Vulnerability of Civil Unmanned Aerial Vehicles and Other Systems to Civil GPS
Spoofing’,126 the ability to hijack an Unmanned Aerial Vehicle (UAV) by GPS Spoofing.
This was established by remotely tricking127 the aircraft, from a distance of a half mile
away, into a commanded dive that was only aborted 10 feet above the ground to prevent
it from crashing.
The disappearance of the MH370 flight had also raised questions on the possibility of
cyber-jacking as the possibility of all transponders being switched off to relay location
signals despite having state-of the-art communication and reporting system was doubted
by several cyber experts. This was triggered by Boeing’s request earlier in 2014 to the
FAA to incorporate changes to its aircraft designs citing security reasons, as there was a
possibility of its in-flight entertainment systems being connected to other critical systems
of the aircraft.128
Cyber-attacks can crash a plane and the airlines often fall short in taking the requisite
measure to stop this. Planes fall from the sky for several reasons, including storms,
engine failure, terrorism and pilot errors, but there is a strong speculation that one of the
reasons of such happenings is cyber-hacking. Airlines are not sharing any such notion,
but they are giving the issue a top priority.
125 ‘Iran shows off captured US drone’, The Telegraph (UK), Dec 8, 2011, ‘Obama says U.S. has asked Iran to return
drone aircraft’, CNN Wire Staff, 2011, ‘Iran says it built copy of captured U.S. drone’, CNN International, May 12,
2014.
126 Submitted to the Subcommittee on Oversight, Investigations, and Management of the House Committee on
Homeland Security
127 Katia Moskvitch, Are drones the next target for hackers? (06 February 2014)
<http://www.bbc.com/future/story/20140206-can-drones-be-hacked>
128 Dr.Sally Leivesley, British anti-terrorist expert and former Home Office Scientific Adviser, News Report to The
Express, March 14, 2014.
pg. 62
The 2011 capture of a drone by Iran is still one of the most controversial cyber incidents,
wherein it was alleged that an RQ 170 Sentinel was brought down by the Iranian Armed
Forces' electronic warfare unit.125 Following this incident there were several estimations
on the possibility of cyber hijack of aircraft.
Subsequently, in July 2012, Todd Humphreys, demonstrated in his ‘Statement on the
Vulnerability of Civil Unmanned Aerial Vehicles and Other Systems to Civil GPS
Spoofing’,126 the ability to hijack an Unmanned Aerial Vehicle (UAV) by GPS Spoofing.
This was established by remotely tricking127 the aircraft, from a distance of a half mile
away, into a commanded dive that was only aborted 10 feet above the ground to prevent
it from crashing.
The disappearance of the MH370 flight had also raised questions on the possibility of
cyber-jacking as the possibility of all transponders being switched off to relay location
signals despite having state-of the-art communication and reporting system was doubted
by several cyber experts. This was triggered by Boeing’s request earlier in 2014 to the
FAA to incorporate changes to its aircraft designs citing security reasons, as there was a
possibility of its in-flight entertainment systems being connected to other critical systems
of the aircraft.128
Cyber-attacks can crash a plane and the airlines often fall short in taking the requisite
measure to stop this. Planes fall from the sky for several reasons, including storms,
engine failure, terrorism and pilot errors, but there is a strong speculation that one of the
reasons of such happenings is cyber-hacking. Airlines are not sharing any such notion,
but they are giving the issue a top priority.
125 ‘Iran shows off captured US drone’, The Telegraph (UK), Dec 8, 2011, ‘Obama says U.S. has asked Iran to return
drone aircraft’, CNN Wire Staff, 2011, ‘Iran says it built copy of captured U.S. drone’, CNN International, May 12,
2014.
126 Submitted to the Subcommittee on Oversight, Investigations, and Management of the House Committee on
Homeland Security
127 Katia Moskvitch, Are drones the next target for hackers? (06 February 2014)
<http://www.bbc.com/future/story/20140206-can-drones-be-hacked>
128 Dr.Sally Leivesley, British anti-terrorist expert and former Home Office Scientific Adviser, News Report to The
Express, March 14, 2014.
pg. 62
Cyber Security in Aviation
Airlines and airports worldwide will spend an estimated $33 billion in 2017 as additional
investments in cloud services and cyber-security, in the view of SITA, which is an international
specialist in the field of communications of air transport. Globally, the airports would be
spending nearly 5% of their proceeds for up gradation of their cloud applications and IT systems.
Additionally, the airlines internationally would be spending a total of $24.3bn, or 3.3% of their
proceeds, on cloud services and cyber-security. “70 per cent of airlines and 88 per cent of
airports will either increase their investments in cyber-security and cloud services next year or
keep their investments at the same level as it is now,”. “Cyber-attacks are a very real threat in the
highly interwoven air transport industry so building solid defenses is essential,” said Ilya Gutlin,
President, Air Travel Solutions at SITA129. SITA130 said, “more than 90 percent of world airlines
and airports identified cyber-security as their top priority.”
As per the industry regulator IATA131, if the travelers were to preserve trust in the
aviation system, it was crucial that the industry protected itself against the cyber-attacks. “The
countless entry points and interfaces make it vulnerable to cyber security threats. Moreover,
many of those systems are outdated and were never designed to counter modern cybercrime,”
said IATA132 in 2017. “Making the reporting of cyber-attacks mandatory is perhaps the most
critical of all. If an attack isn’t reported, then other airlines and partners in the aviation value
chain cannot use it to improve their defenses.” IATA133 says that “when attacks go unreported by
airlines, the risks grow in nature: when other airlines are similarly hit, they are not able to do a
proper risk assessment”. “A hack is a one-time event. One opening, exploited once. System
defenses, on the contrary, must work every second of every day. If you only consider prevention,
attacking is simple, defending is hard.” In the interlocked world, cyber-security is deemed as the
cost of undertaking business.
129 SITA’s report
130 Société Internationale de Télécommunications Aéronautiques’s (SITA) report
131 IATA report
132 ibid
133 ibid
pg. 63
Airlines and airports worldwide will spend an estimated $33 billion in 2017 as additional
investments in cloud services and cyber-security, in the view of SITA, which is an international
specialist in the field of communications of air transport. Globally, the airports would be
spending nearly 5% of their proceeds for up gradation of their cloud applications and IT systems.
Additionally, the airlines internationally would be spending a total of $24.3bn, or 3.3% of their
proceeds, on cloud services and cyber-security. “70 per cent of airlines and 88 per cent of
airports will either increase their investments in cyber-security and cloud services next year or
keep their investments at the same level as it is now,”. “Cyber-attacks are a very real threat in the
highly interwoven air transport industry so building solid defenses is essential,” said Ilya Gutlin,
President, Air Travel Solutions at SITA129. SITA130 said, “more than 90 percent of world airlines
and airports identified cyber-security as their top priority.”
As per the industry regulator IATA131, if the travelers were to preserve trust in the
aviation system, it was crucial that the industry protected itself against the cyber-attacks. “The
countless entry points and interfaces make it vulnerable to cyber security threats. Moreover,
many of those systems are outdated and were never designed to counter modern cybercrime,”
said IATA132 in 2017. “Making the reporting of cyber-attacks mandatory is perhaps the most
critical of all. If an attack isn’t reported, then other airlines and partners in the aviation value
chain cannot use it to improve their defenses.” IATA133 says that “when attacks go unreported by
airlines, the risks grow in nature: when other airlines are similarly hit, they are not able to do a
proper risk assessment”. “A hack is a one-time event. One opening, exploited once. System
defenses, on the contrary, must work every second of every day. If you only consider prevention,
attacking is simple, defending is hard.” In the interlocked world, cyber-security is deemed as the
cost of undertaking business.
129 SITA’s report
130 Société Internationale de Télécommunications Aéronautiques’s (SITA) report
131 IATA report
132 ibid
133 ibid
pg. 63
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Cyber Security in Aviation
As per Eur Activ134, which is an online site that covers the EU policies, there is a fear on
the possibility of the terrorists making use of a laptop for purpose of crashing the planes or for
disappearing them from the radar screens. “We have to be prepared always for the worst,” “Luc
Tytgat, Director of Strategy and Safety Management at the European Aviation Safety Agency
(EASA) “135, an EU agency. Tytgat said “aviation systems were subject to an average of 1,000
attacks each month. According to JLT136 group, a global insurance provider, it said in a 2017
report that the number of reported aviation data breaches doubled during 2012-2015, compared
to 2008-2011”. “On average, 78,000 records were compromised per airline between 2012 and
2015. Some 58 per cent of breaches in that period were the result of hacking,” JLT137 said.
“Airlines are also exposed to potentially costly disruption to their daily operations as a result of
attacks or system outages. This can result in lost revenues, additional expenses, disgruntled
customers and reputational damage.”138
As per one of the reports covering incident of August 2016 “a power cut crashed Delta
Air Lines’s check-in system, causing long delays and the cancellation of 2,300 flights. The
outage was estimated to cost the company $150 million. More recently in May 2017, British
Airways owner IAG SA said a power outage led to the cancellation of hundreds of flights and
cost approximately $102 million in lost revenue as well as the expense of accommodating, re-
booking and compensating thousands of passengers. At least 75,000 travelers found themselves
grounded over three days from May 27, as the U.K. carrier’s information-technology systems
crashed. Japan’s All Nippon Airways, Southwest Airlines, in the US and British Airways, all
suffered technical incidents that caused severe delays and cancellations during 2016, according
to JLT139. Cyber-attacks have also been known to cause disruption to airline operations. In 2015,
for example, 1,400 passengers with Poland’s national carrier, LOT, suffered delays, due to a
134 Enactive- an online site’s report
135 EASA’s report.
136 JLT – global insurer’s report
137 ibid
138 ibid
139 ibid
pg. 64
As per Eur Activ134, which is an online site that covers the EU policies, there is a fear on
the possibility of the terrorists making use of a laptop for purpose of crashing the planes or for
disappearing them from the radar screens. “We have to be prepared always for the worst,” “Luc
Tytgat, Director of Strategy and Safety Management at the European Aviation Safety Agency
(EASA) “135, an EU agency. Tytgat said “aviation systems were subject to an average of 1,000
attacks each month. According to JLT136 group, a global insurance provider, it said in a 2017
report that the number of reported aviation data breaches doubled during 2012-2015, compared
to 2008-2011”. “On average, 78,000 records were compromised per airline between 2012 and
2015. Some 58 per cent of breaches in that period were the result of hacking,” JLT137 said.
“Airlines are also exposed to potentially costly disruption to their daily operations as a result of
attacks or system outages. This can result in lost revenues, additional expenses, disgruntled
customers and reputational damage.”138
As per one of the reports covering incident of August 2016 “a power cut crashed Delta
Air Lines’s check-in system, causing long delays and the cancellation of 2,300 flights. The
outage was estimated to cost the company $150 million. More recently in May 2017, British
Airways owner IAG SA said a power outage led to the cancellation of hundreds of flights and
cost approximately $102 million in lost revenue as well as the expense of accommodating, re-
booking and compensating thousands of passengers. At least 75,000 travelers found themselves
grounded over three days from May 27, as the U.K. carrier’s information-technology systems
crashed. Japan’s All Nippon Airways, Southwest Airlines, in the US and British Airways, all
suffered technical incidents that caused severe delays and cancellations during 2016, according
to JLT139. Cyber-attacks have also been known to cause disruption to airline operations. In 2015,
for example, 1,400 passengers with Poland’s national carrier, LOT, suffered delays, due to a
134 Enactive- an online site’s report
135 EASA’s report.
136 JLT – global insurer’s report
137 ibid
138 ibid
139 ibid
pg. 64
Cyber Security in Aviation
DDoS (Distributed Denial-of-Service) attack against it. JLT140 said hackers could access aircraft
flight controls and air traffic systems, and security experts and penetration testers identified
vulnerabilities in aircraft systems.”
“One claimed that he repeatedly hacked a US passenger plane via the entertainment
system, and was able to manipulate the plane’s engines in-flight. Another boasted that he could
take over an aircraft’s steering system using a mobile phone,” said JLT141. There is a question on
the possibility of preventing such attacks with this sense of foreboding. Aviation industry being
highly dependent on latest technologies, avionics, radars etc. they are susceptible to cyber-
attacks at any point of their operations. This may lead to loss of life of the passengers, loss of
property, work force, a psychological fear in the mind of public that it is better to travel by other
mode of transport than by air.
3.3. Cybersecurity in Airports/Aerodromes
There were sporadic outages experienced regarding the GPS Ground based Augmentation
System, in 2009, at the Newark Liberty International Airport; and these are used for purpose of
accuracy approach landing. The ground stations experienced interference of signal, 300 feet
away, on daily basis, at around the same time. This led to the FAA’s discovering regarding the
cause of this outrange being the GPS jammer, which was made use of by a truck driver for
avoiding the tracking by his employer.142 The dependence on open civilian GPS continues to be a
key issue of concern because of such reasons. This is because the aviation industry has seen a
major shift from the custom of old-styled radar based guidance and identification systems, to the
ones, which are based on automation and satellite navigation.143
2008: August of 2008 saw Madrid-Bajaras airport of Spain being attacked by Trojan in
one of the computer systems of the nation. This resulted in blocking of reception and that
140 ibid
141 ibid
142 Emilio Iasiello, ‘Aviation and Cyber Security: Getting Ahead of the Threat’, Aerospace America, July-August
2013 at pp. 24.
143 Example., U.S’s NextGen Automatic Dependent Surveillance–Broadcast (ADS-B)
pg. 65
DDoS (Distributed Denial-of-Service) attack against it. JLT140 said hackers could access aircraft
flight controls and air traffic systems, and security experts and penetration testers identified
vulnerabilities in aircraft systems.”
“One claimed that he repeatedly hacked a US passenger plane via the entertainment
system, and was able to manipulate the plane’s engines in-flight. Another boasted that he could
take over an aircraft’s steering system using a mobile phone,” said JLT141. There is a question on
the possibility of preventing such attacks with this sense of foreboding. Aviation industry being
highly dependent on latest technologies, avionics, radars etc. they are susceptible to cyber-
attacks at any point of their operations. This may lead to loss of life of the passengers, loss of
property, work force, a psychological fear in the mind of public that it is better to travel by other
mode of transport than by air.
3.3. Cybersecurity in Airports/Aerodromes
There were sporadic outages experienced regarding the GPS Ground based Augmentation
System, in 2009, at the Newark Liberty International Airport; and these are used for purpose of
accuracy approach landing. The ground stations experienced interference of signal, 300 feet
away, on daily basis, at around the same time. This led to the FAA’s discovering regarding the
cause of this outrange being the GPS jammer, which was made use of by a truck driver for
avoiding the tracking by his employer.142 The dependence on open civilian GPS continues to be a
key issue of concern because of such reasons. This is because the aviation industry has seen a
major shift from the custom of old-styled radar based guidance and identification systems, to the
ones, which are based on automation and satellite navigation.143
2008: August of 2008 saw Madrid-Bajaras airport of Spain being attacked by Trojan in
one of the computer systems of the nation. This resulted in blocking of reception and that
140 ibid
141 ibid
142 Emilio Iasiello, ‘Aviation and Cyber Security: Getting Ahead of the Threat’, Aerospace America, July-August
2013 at pp. 24.
143 Example., U.S’s NextGen Automatic Dependent Surveillance–Broadcast (ADS-B)
pg. 65
Cyber Security in Aviation
of activating alarm messages from flight No. 5022. This in turn caused collision of the
plane and loss of 154 lives on board.
2009: This February attack resulted in 48,000 personal files of FAA being accessed by
hackers.
2010: The Iranian Nuclear establishment was attacked in this year, followed by attacks
like BadBios/ Operation Shady rat and Strunext taking place in different parts across the
globe. These posted a constant threat and increased the critical infrastructure’s
vulnerability.
2011: Three engineers, in June of this year, were blamed for interrupting the computer
services, resulting in flight delays and heavy check-ins.
2013: The Sabiha Gökçen and Istanbul Ataturk’s airports passport control systems were
blocked in July, due to the cyber-attack, in turn resulting in many flight delays.
2013: Centre for Internet Security recorded 75 American airports being attacked as a
result of the prolonger campaigns of spear phishing. 2014: The infamous disappearance
of Malaysia Airlines flight MH370 in March, from the tracking radar, coupled with the
Boeing 777-200ER being given up are also attributed to cyber wrongdoings. The
uncertainty around these events suggested that these planes were commandeered through
USB drive or mobile phone; though, this theory has been rejected by Boeing and is yet to
be proven. The investigation which was covered in a 495-page report provided that the
aircraft controls were possibly manipulated wilfully, so as to take the flight off course;
though, the actual responsible person could not be identified by the investigators. At the
same time, this report also highlighted the varied mistakes, which were made by the ATC
of Kuala Lumpur. There was a clear failure on part of controllers of ATC in initiating the
standard emergency phases, coupled with the fact that there was no record that any action
was undertaken for alerting the air force or even for keeping a constant watch over the
radar displays for signs of this flight144.
144 Reuters, Malaysia civil aviation chief resigns over MH370 lapses (31 July 2018)
<https://in.reuters.com/article/malaysiaairlines-mh370-resignation/malaysia-civil-aviation-chief-resigns-over-
mh370-lapses-idINKBN1KL0KI>
pg. 66
of activating alarm messages from flight No. 5022. This in turn caused collision of the
plane and loss of 154 lives on board.
2009: This February attack resulted in 48,000 personal files of FAA being accessed by
hackers.
2010: The Iranian Nuclear establishment was attacked in this year, followed by attacks
like BadBios/ Operation Shady rat and Strunext taking place in different parts across the
globe. These posted a constant threat and increased the critical infrastructure’s
vulnerability.
2011: Three engineers, in June of this year, were blamed for interrupting the computer
services, resulting in flight delays and heavy check-ins.
2013: The Sabiha Gökçen and Istanbul Ataturk’s airports passport control systems were
blocked in July, due to the cyber-attack, in turn resulting in many flight delays.
2013: Centre for Internet Security recorded 75 American airports being attacked as a
result of the prolonger campaigns of spear phishing. 2014: The infamous disappearance
of Malaysia Airlines flight MH370 in March, from the tracking radar, coupled with the
Boeing 777-200ER being given up are also attributed to cyber wrongdoings. The
uncertainty around these events suggested that these planes were commandeered through
USB drive or mobile phone; though, this theory has been rejected by Boeing and is yet to
be proven. The investigation which was covered in a 495-page report provided that the
aircraft controls were possibly manipulated wilfully, so as to take the flight off course;
though, the actual responsible person could not be identified by the investigators. At the
same time, this report also highlighted the varied mistakes, which were made by the ATC
of Kuala Lumpur. There was a clear failure on part of controllers of ATC in initiating the
standard emergency phases, coupled with the fact that there was no record that any action
was undertaken for alerting the air force or even for keeping a constant watch over the
radar displays for signs of this flight144.
144 Reuters, Malaysia civil aviation chief resigns over MH370 lapses (31 July 2018)
<https://in.reuters.com/article/malaysiaairlines-mh370-resignation/malaysia-civil-aviation-chief-resigns-over-
mh370-lapses-idINKBN1KL0KI>
pg. 66
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Cyber Security in Aviation
2014: In the last month, the Iranian hackers were accused by Cylance company for
undertaking a planned attack on airports and airlines system of nations like USA, South
Korea, Saudi Arabia, and Pakistan.
2015: In February, many malware were discovered in FAA personnel email accounts.
However, the agency denied these attacks.
2015: In April, as a result of the cyber-attacks in bank accounts, Ryanair airlines had to
bear a loss of approximately 3 million pounds.
2015: June of this year saw the Polish national airline network being attacked, which in
turn resulted in ten flights being grounded, along with another ten being delayed. This
attach also resulted in the system responsible for creating flight plans being
compromised.
2016: The Korean transport system was disrupted, along with the Swiss Water Company
and American DAM. There was a growth of big attacks in this very year on healthcare,
and this contributed to growth of 63%145.
A more detailed discussion on cybersecurity in airports/aerodromes is covered in the next
chapter.
145 ExamPariksha, Cyber Security in India – Preparedness, Threats and Challenges (2018)
<https://exampariksha.com/cyber-security-india-preparedness-threats-challenges/>
pg. 67
2014: In the last month, the Iranian hackers were accused by Cylance company for
undertaking a planned attack on airports and airlines system of nations like USA, South
Korea, Saudi Arabia, and Pakistan.
2015: In February, many malware were discovered in FAA personnel email accounts.
However, the agency denied these attacks.
2015: In April, as a result of the cyber-attacks in bank accounts, Ryanair airlines had to
bear a loss of approximately 3 million pounds.
2015: June of this year saw the Polish national airline network being attacked, which in
turn resulted in ten flights being grounded, along with another ten being delayed. This
attach also resulted in the system responsible for creating flight plans being
compromised.
2016: The Korean transport system was disrupted, along with the Swiss Water Company
and American DAM. There was a growth of big attacks in this very year on healthcare,
and this contributed to growth of 63%145.
A more detailed discussion on cybersecurity in airports/aerodromes is covered in the next
chapter.
145 ExamPariksha, Cyber Security in India – Preparedness, Threats and Challenges (2018)
<https://exampariksha.com/cyber-security-india-preparedness-threats-challenges/>
pg. 67
Cyber Security in Aviation
Chapter 4: Aerodromes/Airports
Airports have been amongst the topic targets of those who seek to cause high level of
damage and disruption. With the airports, aiming to become smart and connected, cyber security
is becoming a key area of concern. This is because the current approaches of airports are not
matured enough to attain cyber security. Even though there is a raised awareness regarding the
significance of mitigating and managing such threats/ risks, there is a long way to go before
proper protection is developed. Agreed that total protection can never be attained, but this
journey is far from over. There has been a range of attacks, on airports, in the past, as touched
upon in the previous chapter as well that highlight the failure of cybersecurity measures in
airports. These can also be elucidated through the leading headlines regarding cyber security
breaches in airports across the globe.
(Source: Luca Barba, 2018146)
146 Luca Barba, Improving ICS Cybersecurity for Aviation (02 November 2018)
<https://www.secmatters.com/blog/improving-ics-cyber-security-for-aviation>
pg. 68
Chapter 4: Aerodromes/Airports
Airports have been amongst the topic targets of those who seek to cause high level of
damage and disruption. With the airports, aiming to become smart and connected, cyber security
is becoming a key area of concern. This is because the current approaches of airports are not
matured enough to attain cyber security. Even though there is a raised awareness regarding the
significance of mitigating and managing such threats/ risks, there is a long way to go before
proper protection is developed. Agreed that total protection can never be attained, but this
journey is far from over. There has been a range of attacks, on airports, in the past, as touched
upon in the previous chapter as well that highlight the failure of cybersecurity measures in
airports. These can also be elucidated through the leading headlines regarding cyber security
breaches in airports across the globe.
(Source: Luca Barba, 2018146)
146 Luca Barba, Improving ICS Cybersecurity for Aviation (02 November 2018)
<https://www.secmatters.com/blog/improving-ics-cyber-security-for-aviation>
pg. 68
Cyber Security in Aviation
As per one of the studies conducted in January this year, airports can be classified in
three categories, i.e., basic airports, agile airports, and smart airports. The first one are ones safe
away from digital environment, the second one are adapting to changes of digital world, and the
last category is exploiting the full potential of the maturing and emerging IoT (Internet of things)
technologies. Smart airports are data driven, and properly networked, thereby providing better
travel experience, and are even focused towards higher levels of safety of passengers, along with
working towards securing general public and operators. As per the survey conducted for this
study, there were 16% basic airports, 56% agile airports and 28% smart airports across USA and
Europe. The IoT application in smart airports highlights the level of integration of technology in
present day airports147.
(Source: Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzalis, 2019148)
This survey also highlighted the practices, which had been adopted by the airports
towards safeguarding their systems.
147 Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzal, Smart Airport Cybersecurity: Threat Mitigation
and Cyber Resilience Controls (2019) 19(1) Sensors (Basel) <10.3390/s19010019>
148 Ibid
pg. 69
As per one of the studies conducted in January this year, airports can be classified in
three categories, i.e., basic airports, agile airports, and smart airports. The first one are ones safe
away from digital environment, the second one are adapting to changes of digital world, and the
last category is exploiting the full potential of the maturing and emerging IoT (Internet of things)
technologies. Smart airports are data driven, and properly networked, thereby providing better
travel experience, and are even focused towards higher levels of safety of passengers, along with
working towards securing general public and operators. As per the survey conducted for this
study, there were 16% basic airports, 56% agile airports and 28% smart airports across USA and
Europe. The IoT application in smart airports highlights the level of integration of technology in
present day airports147.
(Source: Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzalis, 2019148)
This survey also highlighted the practices, which had been adopted by the airports
towards safeguarding their systems.
147 Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzal, Smart Airport Cybersecurity: Threat Mitigation
and Cyber Resilience Controls (2019) 19(1) Sensors (Basel) <10.3390/s19010019>
148 Ibid
pg. 69
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Cyber Security in Aviation
(Source: Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzalis, 2019149)
(Source: Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzalis, 2019150)
149 Ibid
150 Ibid
pg. 70
(Source: Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzalis, 2019149)
(Source: Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzalis, 2019150)
149 Ibid
150 Ibid
pg. 70
Cyber Security in Aviation
There are many ways, in which the cyber security threats are presented before the airport
authorities. These are majorly the ones holding malicious or intentional actions. The malicious
intent is used to compromise information technology assets for performing elevation of privilege
attacks. Such attacks result in security incidents to the likes of violation of integrity,
confidentiality and availability. The key cybersecurity threats in context of IoT application for
the smart airports can be classified as network and communication attacks, social and phishing
attacks, misuse of authorization, malicious software, and tampering with airport smart devices151.
(Source: Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzalis, 2019152)
Studies have revealed that the smart airports cover complicated wired campus networks,
as a result of which the access to data is allowed through the tertiary and secondary distribution
levels. Since such airports incorporate the artificial intelligence systems in their day to day
functions, they become susceptible to such network malicious attacks. This is also because of
permitting the maintenance personnel and employees to make use of their BYOD (Bring Your
Own Device), which is owned by such employees only. Apart from this, the ATM and aviation
systems have seen a rise in the IP connection use for enhancing the interoperability and
efficiency, resulting in unauthorized individuals attaining the access.
Experiments done in research have depicted that a malevolent employee or such a
passenger can access the systems of aircraft and can also influence the integrity of system, where
such individual is equipped with a malware infected smart device. There is also a possibility of
such attacks being undertaken through installation of malware in the intranet or website of the
airport, particularly when the devices of airport users are infected. This presents an excellent
151 Ibid
152 Ibid
pg. 71
There are many ways, in which the cyber security threats are presented before the airport
authorities. These are majorly the ones holding malicious or intentional actions. The malicious
intent is used to compromise information technology assets for performing elevation of privilege
attacks. Such attacks result in security incidents to the likes of violation of integrity,
confidentiality and availability. The key cybersecurity threats in context of IoT application for
the smart airports can be classified as network and communication attacks, social and phishing
attacks, misuse of authorization, malicious software, and tampering with airport smart devices151.
(Source: Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzalis, 2019152)
Studies have revealed that the smart airports cover complicated wired campus networks,
as a result of which the access to data is allowed through the tertiary and secondary distribution
levels. Since such airports incorporate the artificial intelligence systems in their day to day
functions, they become susceptible to such network malicious attacks. This is also because of
permitting the maintenance personnel and employees to make use of their BYOD (Bring Your
Own Device), which is owned by such employees only. Apart from this, the ATM and aviation
systems have seen a rise in the IP connection use for enhancing the interoperability and
efficiency, resulting in unauthorized individuals attaining the access.
Experiments done in research have depicted that a malevolent employee or such a
passenger can access the systems of aircraft and can also influence the integrity of system, where
such individual is equipped with a malware infected smart device. There is also a possibility of
such attacks being undertaken through installation of malware in the intranet or website of the
airport, particularly when the devices of airport users are infected. This presents an excellent
151 Ibid
152 Ibid
pg. 71
Cyber Security in Aviation
opportunity for the mischievous attackers to attain access to the critical information system and
network of the airport as a result of the infected devices. A depiction of this is given in the image
below. Such an attack was undertaken in September 2016 at Vienna Airport, in which the
computers of employees and computer services were infected with the malware153.
(Source: Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzalis, 2019154)
It has been noticed that the airline companies have a habit of fostering the use of CUPPS
(Common Use Passenger Processing System), in order to facilitate work on 24*7/ 7 days a week
basis. This is for their customer support and allows for check-ins and passenger control processes
to be sped up, through the use of automated smart devices. With the check-in infrastructures that
are self-serving being installed at the present age, their use and sharing by varied airlines, as well
as, with the third parties that have started undertaking these common services too. It is worth
noting here that most of these devices are commonly run by using proprietary software,
operation systems or firmware. Even though these leverage the intranet connectivity in order to
153 Ibid
154 Ibid
pg. 72
opportunity for the mischievous attackers to attain access to the critical information system and
network of the airport as a result of the infected devices. A depiction of this is given in the image
below. Such an attack was undertaken in September 2016 at Vienna Airport, in which the
computers of employees and computer services were infected with the malware153.
(Source: Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzalis, 2019154)
It has been noticed that the airline companies have a habit of fostering the use of CUPPS
(Common Use Passenger Processing System), in order to facilitate work on 24*7/ 7 days a week
basis. This is for their customer support and allows for check-ins and passenger control processes
to be sped up, through the use of automated smart devices. With the check-in infrastructures that
are self-serving being installed at the present age, their use and sharing by varied airlines, as well
as, with the third parties that have started undertaking these common services too. It is worth
noting here that most of these devices are commonly run by using proprietary software,
operation systems or firmware. Even though these leverage the intranet connectivity in order to
153 Ibid
154 Ibid
pg. 72
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Cyber Security in Aviation
access solely the content to the servers of companies, these do provide, quite often, the remote
management functionalities. Further, these are subjected to tampering attacks owing to them
being exposed in the public spaces155. The image presented below covers an attack scenario.
(Source: Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzalis, 2019156)
These types of attacks have the possibility of affecting the varied SCADA equipment and
airport systems, including the access to power distribution systems and air-conditioning, and
baggage handling, as these are widely distributed across the entire infrastructure of airports.
Historically, these systems had been air gapped; though now they have progressed to being
interdependent and networked. Hence, the smart airports become more prone to be the victim of
this type of tampering attacks, as a result of these airports adopting the IoT technologies. One of
the examples of airports being victim to such attacks includes Los Angeles Airport. This airport
has seen a range of cyber incidents in recent history, which are majorly related to the malware
targeting networked baggage system157.
155 Ibid
156 Ibid
157 Ibid
pg. 73
access solely the content to the servers of companies, these do provide, quite often, the remote
management functionalities. Further, these are subjected to tampering attacks owing to them
being exposed in the public spaces155. The image presented below covers an attack scenario.
(Source: Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzalis, 2019156)
These types of attacks have the possibility of affecting the varied SCADA equipment and
airport systems, including the access to power distribution systems and air-conditioning, and
baggage handling, as these are widely distributed across the entire infrastructure of airports.
Historically, these systems had been air gapped; though now they have progressed to being
interdependent and networked. Hence, the smart airports become more prone to be the victim of
this type of tampering attacks, as a result of these airports adopting the IoT technologies. One of
the examples of airports being victim to such attacks includes Los Angeles Airport. This airport
has seen a range of cyber incidents in recent history, which are majorly related to the malware
targeting networked baggage system157.
155 Ibid
156 Ibid
157 Ibid
pg. 73
Cyber Security in Aviation
Nowadays, the digital surveillance systems are integrated in new manners for speeding
up the processes at airport and for threat detection. This includes new thermal imaging scanning
devices, RFID (radio frequency identification) tags for purpose of tracking, and intelligence
CCTV (closed-circuit television) programs, which help in identification of unusual behaviour,
and devices for purpose of detecting chemical substances. CCTV and digital surveillance
developments covering modern day video analytics for increasing the effectiveness and
functionality of access control systems and CCTV for solving the integral issues caused due to
the magnitude of size of airports and that of their perimeters. There is an increasing
interdependence and interconnectivity of the CCTV systems with the other airport information
systems, which brings in the additional vectors of attack owing to this interconnectivity. Hence,
these systems are often exposed to akin susceptibilities, as is the case with networked devices
and computers. In particular, the weak network security allows the attackers to get an easy
backdoor entry, thereby permitting them to abuse the software flaws that can in turn allow these
attackers to attain unlawful and unsanctioned access158. This is depicted in the diagram covered
below.
(Source: Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzalis, 2019159)
There is also the possibility of malware being uploaded at the time of patching up, as a
result of association with a compromised employees, which are deemed as insider threats. Owing
158 Ibid
159 Ibid
pg. 74
Nowadays, the digital surveillance systems are integrated in new manners for speeding
up the processes at airport and for threat detection. This includes new thermal imaging scanning
devices, RFID (radio frequency identification) tags for purpose of tracking, and intelligence
CCTV (closed-circuit television) programs, which help in identification of unusual behaviour,
and devices for purpose of detecting chemical substances. CCTV and digital surveillance
developments covering modern day video analytics for increasing the effectiveness and
functionality of access control systems and CCTV for solving the integral issues caused due to
the magnitude of size of airports and that of their perimeters. There is an increasing
interdependence and interconnectivity of the CCTV systems with the other airport information
systems, which brings in the additional vectors of attack owing to this interconnectivity. Hence,
these systems are often exposed to akin susceptibilities, as is the case with networked devices
and computers. In particular, the weak network security allows the attackers to get an easy
backdoor entry, thereby permitting them to abuse the software flaws that can in turn allow these
attackers to attain unlawful and unsanctioned access158. This is depicted in the diagram covered
below.
(Source: Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzalis, 2019159)
There is also the possibility of malware being uploaded at the time of patching up, as a
result of association with a compromised employees, which are deemed as insider threats. Owing
158 Ibid
159 Ibid
pg. 74
Cyber Security in Aviation
to the fruitful attack on CCTV systems, the attackers are able to observe all of the tangible
airport infrastructures160.
The disgruntled business associates, employees or contractors, who have access
credentials in their possession, can misuse their authorization privileges, and as stated earlier, act
as an insider threat, where the goal is to steal the information for benefit of another organization
or for their personal gains. Apart from this, the intruders can attain the required access to the
network of airport, through the use of APT (Advanced Persistent Threat)161. This is depicted
below.
160 Ibid
161 Ibid
pg. 75
to the fruitful attack on CCTV systems, the attackers are able to observe all of the tangible
airport infrastructures160.
The disgruntled business associates, employees or contractors, who have access
credentials in their possession, can misuse their authorization privileges, and as stated earlier, act
as an insider threat, where the goal is to steal the information for benefit of another organization
or for their personal gains. Apart from this, the intruders can attain the required access to the
network of airport, through the use of APT (Advanced Persistent Threat)161. This is depicted
below.
160 Ibid
161 Ibid
pg. 75
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Cyber Security in Aviation
(Source: Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzalis, 2019162)
The situation stated above becomes worse as these attackers remain in these systems
unnoticed for long time, escalating the sanctioned privileges. The sole purpose of such APT
attack is to monitor the activity on the network, and to steal the data, instead of merely causing
damage to the company or to the network. In order to maintain the access to such targeted
networks, and not even being discovered, requires the use of advanced methods by the threat
actors. Some of the method used by these threat actors involves sophisticated evasion techniques
and constantly redrafting malicious code to evade exposure. The complexities of some of the
162 Ibid
pg. 76
(Source: Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzalis, 2019162)
The situation stated above becomes worse as these attackers remain in these systems
unnoticed for long time, escalating the sanctioned privileges. The sole purpose of such APT
attack is to monitor the activity on the network, and to steal the data, instead of merely causing
damage to the company or to the network. In order to maintain the access to such targeted
networks, and not even being discovered, requires the use of advanced methods by the threat
actors. Some of the method used by these threat actors involves sophisticated evasion techniques
and constantly redrafting malicious code to evade exposure. The complexities of some of the
162 Ibid
pg. 76
Cyber Security in Aviation
APTs are so much that they necessitate over the clock supervisors for maintaining and restoring
the compromised software and systems, within the targeted network.
With regards to information security, social engineering is deemed as the mental
manipulation of individuals towards revealing private information or for accomplishment of
certain actions. This is deemed as a confidence trick for material gathering, system access, or
fraud. Typically, there is use of phishing undertaken by instant messaging or email spoofing that
often results in users being director to enter their personal data or info at fake websites, which are
quite similar to the authentic ones. The communications and social engineering stemming from
banks, IT administrators, social web sites or online payment processors are usually made use of,
for purpose of luring the victims. One of such scenario attacks is presented below.
pg. 77
APTs are so much that they necessitate over the clock supervisors for maintaining and restoring
the compromised software and systems, within the targeted network.
With regards to information security, social engineering is deemed as the mental
manipulation of individuals towards revealing private information or for accomplishment of
certain actions. This is deemed as a confidence trick for material gathering, system access, or
fraud. Typically, there is use of phishing undertaken by instant messaging or email spoofing that
often results in users being director to enter their personal data or info at fake websites, which are
quite similar to the authentic ones. The communications and social engineering stemming from
banks, IT administrators, social web sites or online payment processors are usually made use of,
for purpose of luring the victims. One of such scenario attacks is presented below.
pg. 77
Cyber Security in Aviation
(Source: Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzalis, 2019163)
There is an option available before the companies to install filtering capabilities;
however, the phishing emails still are able to find their way through these filters. The reason for
this lies in the fact that the phishers can make use of the images, as a replacement of text, which
makes their detection harder for the anti-phishing filters. Hackers often spoof the email sender
address from majority of services and companies, which tricks the recipients in to forming the
perception that the malicious message is from a trusted source. Apart from this, the evil-twins is
a famous phishing technique, which allows the phishers into creating fake wireless networks,
163 Ibid
pg. 78
(Source: Georgia Lykou, Argiro Anagnostopoulou, and Dimitris Gritzalis, 2019163)
There is an option available before the companies to install filtering capabilities;
however, the phishing emails still are able to find their way through these filters. The reason for
this lies in the fact that the phishers can make use of the images, as a replacement of text, which
makes their detection harder for the anti-phishing filters. Hackers often spoof the email sender
address from majority of services and companies, which tricks the recipients in to forming the
perception that the malicious message is from a trusted source. Apart from this, the evil-twins is
a famous phishing technique, which allows the phishers into creating fake wireless networks,
163 Ibid
pg. 78
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Cyber Security in Aviation
which in appearance are quote similar to the authenticated public networks. This is often a
problem at airports. When a person logs in to such bogus networks, the fraudsters are able to
capture the credit card information and/or the passwords164.
4.1. Case Study: Application of security measures at leading airport
Cyberbit undertook a case study on the unique cybersecurity challenge, posted by one of
the ten busiest airports across the globe. The focus of this study was a crucial regional passenger
hub and transhipment centre. It had over fifty thousand employees and hundreds of flight
operators to varied destinations globally. This airport had many OT networks and SCADA
systems to cover airport operations’ each aspect. This included baggage handling and check-in,
and even the manner in with air conditioning and electricity generation was handled at the
airport165. The OT system of this airport is depicted below:
164 Ibid
165 Cyberbit, Cybersecurity for International Airport (October 2018)
<https://www.cyberbit.com/wp-content/resources/uploads/2018/10/11094212/Airport-Cybersecurity-Cyberbit-
SCADAShield-Case-Study.pdf>
pg. 79
which in appearance are quote similar to the authenticated public networks. This is often a
problem at airports. When a person logs in to such bogus networks, the fraudsters are able to
capture the credit card information and/or the passwords164.
4.1. Case Study: Application of security measures at leading airport
Cyberbit undertook a case study on the unique cybersecurity challenge, posted by one of
the ten busiest airports across the globe. The focus of this study was a crucial regional passenger
hub and transhipment centre. It had over fifty thousand employees and hundreds of flight
operators to varied destinations globally. This airport had many OT networks and SCADA
systems to cover airport operations’ each aspect. This included baggage handling and check-in,
and even the manner in with air conditioning and electricity generation was handled at the
airport165. The OT system of this airport is depicted below:
164 Ibid
165 Cyberbit, Cybersecurity for International Airport (October 2018)
<https://www.cyberbit.com/wp-content/resources/uploads/2018/10/11094212/Airport-Cybersecurity-Cyberbit-
SCADAShield-Case-Study.pdf>
pg. 79
Cyber Security in Aviation
(Source: Cyberbit, 2018166)
The analysis undertaken on the case study airport highlighted that the IT and OT
networks of this airport, as is the case with majority of critical infrastructure organizations, were
by design insecure, as these had been primarily built with the objective of ensuring availability,
instead of being created with an aim of being secure. The result of this was flat architecture,
minute internal differentiation/ demarcations, patching not being a priority and absence of
166 Ibid
pg. 80
(Source: Cyberbit, 2018166)
The analysis undertaken on the case study airport highlighted that the IT and OT
networks of this airport, as is the case with majority of critical infrastructure organizations, were
by design insecure, as these had been primarily built with the objective of ensuring availability,
instead of being created with an aim of being secure. The result of this was flat architecture,
minute internal differentiation/ demarcations, patching not being a priority and absence of
166 Ibid
pg. 80
Cyber Security in Aviation
authentication controls. As is the case with all the key airports, this airport has many OT based
assets and has many protocols put in place, which include the following:
Siemens baggage handling;
AirTrain (FMSS);
Climate control;
Electricity generation and control;
Luggage carousel;
SITA/ARINC (international protocol for information);
Inductive Automation’s Ignition SCADA;
Live Datamart business rules engines;
StreamBase Complex Event Processing (CEP);
TIBCO Enterprise Service Bus (ESB); and
TIBCO Fast Data technology stack167.
All of the key transportation hubs hold high valued target, when it comes to the cyber
attackers who are often sponsored by nation states or are motivated by financial gains. The most
menace creating threat is deemed as the APT, which stands for advanced persistent threats. The
APT allows the hackers to attain access to network, and in them staying inside such networks,
without being detected. This is possible for extended period of time, where such hackers can
undertake surreptitious data collection and reconnaissance. When such happens, the majorly
complex, interconnected and high-distributed airport operational computing environment is left
with a number of security blind spots, which are an invitation for the potential attackers.
Included in these are the routers and switches that are usually supplied by the top most vendors.
The hackers often attack these vendors; apart from this, the hackers also target the OT systems
and infrastructure running legacy operating systems. This is because these systems are left
exposed to internet through online maintenance channels and VPN168.
In order to map, monitor and constantly safeguard the OT based networks against the
cyber threats, the case study airport selected the SCADAShield platform of Cyberbit. In this
167 Ibid
168 Ibid
pg. 81
authentication controls. As is the case with all the key airports, this airport has many OT based
assets and has many protocols put in place, which include the following:
Siemens baggage handling;
AirTrain (FMSS);
Climate control;
Electricity generation and control;
Luggage carousel;
SITA/ARINC (international protocol for information);
Inductive Automation’s Ignition SCADA;
Live Datamart business rules engines;
StreamBase Complex Event Processing (CEP);
TIBCO Enterprise Service Bus (ESB); and
TIBCO Fast Data technology stack167.
All of the key transportation hubs hold high valued target, when it comes to the cyber
attackers who are often sponsored by nation states or are motivated by financial gains. The most
menace creating threat is deemed as the APT, which stands for advanced persistent threats. The
APT allows the hackers to attain access to network, and in them staying inside such networks,
without being detected. This is possible for extended period of time, where such hackers can
undertake surreptitious data collection and reconnaissance. When such happens, the majorly
complex, interconnected and high-distributed airport operational computing environment is left
with a number of security blind spots, which are an invitation for the potential attackers.
Included in these are the routers and switches that are usually supplied by the top most vendors.
The hackers often attack these vendors; apart from this, the hackers also target the OT systems
and infrastructure running legacy operating systems. This is because these systems are left
exposed to internet through online maintenance channels and VPN168.
In order to map, monitor and constantly safeguard the OT based networks against the
cyber threats, the case study airport selected the SCADAShield platform of Cyberbit. In this
167 Ibid
168 Ibid
pg. 81
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Cyber Security in Aviation
context, the very first step, which had to be done, was to leverage the network mapping
capabilities of SCADAShield towards creation of a latest map of all of the network assets.
Through this visualization, the network managers were able to gain an understanding regarding
all of the OT and IT touch points. This also allowed for them to identify the varied vulnerable
aspects, including insecure protocols, configuration issues, unpatched devices and unidentified
hosts. This allowed the airport to attain swift and deeper visibility, as well as, granular insights in
the OT based assets. These assets include software versions, types, roles, OS, models and
vendors. Through the mapping, it was clearly highlighted that OT/IT touch points were
important. This meant that any sort of attack that came from any sort of infected IT endpoint
(including the likes of workstation being infected as a result of an employee being sent a
phishing email), could have a grave and immediate threat over the mission critical OT networks
as well.
(Source: Cyberbit, 2018169)
In order to conduct a proper and extensive vulnerability audit, the SCADAShield was
used by the airport. Under this process, various steps were taken, including identification of
169 Ibid
pg. 82
context, the very first step, which had to be done, was to leverage the network mapping
capabilities of SCADAShield towards creation of a latest map of all of the network assets.
Through this visualization, the network managers were able to gain an understanding regarding
all of the OT and IT touch points. This also allowed for them to identify the varied vulnerable
aspects, including insecure protocols, configuration issues, unpatched devices and unidentified
hosts. This allowed the airport to attain swift and deeper visibility, as well as, granular insights in
the OT based assets. These assets include software versions, types, roles, OS, models and
vendors. Through the mapping, it was clearly highlighted that OT/IT touch points were
important. This meant that any sort of attack that came from any sort of infected IT endpoint
(including the likes of workstation being infected as a result of an employee being sent a
phishing email), could have a grave and immediate threat over the mission critical OT networks
as well.
(Source: Cyberbit, 2018169)
In order to conduct a proper and extensive vulnerability audit, the SCADAShield was
used by the airport. Under this process, various steps were taken, including identification of
169 Ibid
pg. 82
Cyber Security in Aviation
suspicious traffic, old system versions, unencrypted protocols, and unpatched systems, along
with undertaking remediation prioritization and risk assessment.
(Source: Cyberbit, 2018170)
After this, Cyberbit remediated the issues, which had been presented before it.
SCADAShield was able to patch the high-risk assets, segregate the networks as per Purdue
Model for Control Hierarchy, strengthen the vulnerable protocols and assets, and upgrade the
outdated versions, without interrupting the operations. Apart from this SCADAShield puts forth
constant scanning and also enforces and binds the operational and network policies
automatically. This allowed the airport to have a constant security monitoring, where the zero
day attacks can be detected, could easily monitor the risk levels, and was also able to enable the
present network change management of OT to adhere to high levels of security.
As a result of SCADAShield, the airport was able to safeguard against the cyber threats.
This was done through monitoring OT networks, forming alerts regarding the possible security
threats, and by properly safeguarding against the non-security related operational
malfunctioning. As the entire airport network was properly visible, covering processes, assets
and communications, SCADAShield allowed for considerable and measurable improvement in
170 Ibid
pg. 83
suspicious traffic, old system versions, unencrypted protocols, and unpatched systems, along
with undertaking remediation prioritization and risk assessment.
(Source: Cyberbit, 2018170)
After this, Cyberbit remediated the issues, which had been presented before it.
SCADAShield was able to patch the high-risk assets, segregate the networks as per Purdue
Model for Control Hierarchy, strengthen the vulnerable protocols and assets, and upgrade the
outdated versions, without interrupting the operations. Apart from this SCADAShield puts forth
constant scanning and also enforces and binds the operational and network policies
automatically. This allowed the airport to have a constant security monitoring, where the zero
day attacks can be detected, could easily monitor the risk levels, and was also able to enable the
present network change management of OT to adhere to high levels of security.
As a result of SCADAShield, the airport was able to safeguard against the cyber threats.
This was done through monitoring OT networks, forming alerts regarding the possible security
threats, and by properly safeguarding against the non-security related operational
malfunctioning. As the entire airport network was properly visible, covering processes, assets
and communications, SCADAShield allowed for considerable and measurable improvement in
170 Ibid
pg. 83
Cyber Security in Aviation
the mass transportation management of the airport for check-in, routing and other measures
including baggage handling171.
4.2. Case Study: Hacking of websites
A group of hackers attacked the Vietnam Airlines website on 29th July 2016, where the on
flight information screens at two of the biggest airports of Vietnam posted derogatory messages
against the Philippines and Vietnam. These two airports were “Noi Bai International Airport”
and “Tan Son Nhat International Airport”, and this hacker group was suspected to be originated
from China. The reason for this was the derogatory message was in context of the two nations’
territorial row in South China Sea, against China172. The Permanent Court of Arbitration, on 12th
July 2016, ruled against China, in favour of the Philippines regarding the dispute in South China
Sea173. These hackers were doubted to be 1937CN. This particular group is amongst the bigger
hacker groups of China, and has a history of hacking websites of the Philippines and Viet Nam in
2015 and 2013, respectively174.
This attack covered the personal information of 410,000 clients becoming compromised.
The stolen data was later on leaked on the internet. The fact that this data covered VIP membeers
of one of the schemes of Vietnam Airlines, i.e. Lotusmiles, covering their addresses, names and
birthdays, made the matter worse. These types of politically motivated attacks are the area of
concern for cybersecurity in aviation. This attack also resulted in the speaker systems and flight
information displays at both of the international airports becoming affected. Apart from the
intercepted screens portraying derogatory messages, the website of Vietnam Airlines was
replaced with same picture that depicted the displays of airlines. The matter was made severe due
to the concerns raised by banks, as the said leaked information of Lotusmiles members covered
171 Ibid
172 The Guardian, Flight information screens in two Vietnam airports hacked (09 July 2016)
<https://www.theguardian.com/world/2016/jul/29/flight-information-screens-in-two-vietnam-airports-hacked>
173 The Republic of the Philippines v. The People’s Republic of China (PCA case number 2013–19)
174 Reuters, Hackers hit Vietnam airports with South China Sea messages (29 July 2016)
<https://www.reuters.com/article/us-vietnam-hacking-idUSKCN1091YL>
pg. 84
the mass transportation management of the airport for check-in, routing and other measures
including baggage handling171.
4.2. Case Study: Hacking of websites
A group of hackers attacked the Vietnam Airlines website on 29th July 2016, where the on
flight information screens at two of the biggest airports of Vietnam posted derogatory messages
against the Philippines and Vietnam. These two airports were “Noi Bai International Airport”
and “Tan Son Nhat International Airport”, and this hacker group was suspected to be originated
from China. The reason for this was the derogatory message was in context of the two nations’
territorial row in South China Sea, against China172. The Permanent Court of Arbitration, on 12th
July 2016, ruled against China, in favour of the Philippines regarding the dispute in South China
Sea173. These hackers were doubted to be 1937CN. This particular group is amongst the bigger
hacker groups of China, and has a history of hacking websites of the Philippines and Viet Nam in
2015 and 2013, respectively174.
This attack covered the personal information of 410,000 clients becoming compromised.
The stolen data was later on leaked on the internet. The fact that this data covered VIP membeers
of one of the schemes of Vietnam Airlines, i.e. Lotusmiles, covering their addresses, names and
birthdays, made the matter worse. These types of politically motivated attacks are the area of
concern for cybersecurity in aviation. This attack also resulted in the speaker systems and flight
information displays at both of the international airports becoming affected. Apart from the
intercepted screens portraying derogatory messages, the website of Vietnam Airlines was
replaced with same picture that depicted the displays of airlines. The matter was made severe due
to the concerns raised by banks, as the said leaked information of Lotusmiles members covered
171 Ibid
172 The Guardian, Flight information screens in two Vietnam airports hacked (09 July 2016)
<https://www.theguardian.com/world/2016/jul/29/flight-information-screens-in-two-vietnam-airports-hacked>
173 The Republic of the Philippines v. The People’s Republic of China (PCA case number 2013–19)
174 Reuters, Hackers hit Vietnam airports with South China Sea messages (29 July 2016)
<https://www.reuters.com/article/us-vietnam-hacking-idUSKCN1091YL>
pg. 84
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Cyber Security in Aviation
their financial information, as these members had made use of the bank card to undertake the
transactions with this airline175.
Consequent to this incident, the Vietnam Airlines website, even at present time, covers a
clause regarding the customer privacy notice. This clearly states that in a situation of the data
being breached, the company will follow the GDPR of EU, and that the affected clients would be
contacted on urgent basis. There are also designated data protection officer (DOP) and data
controller with the airlines, as a result of these attacks176.
4.3. Case Study: Unsecured data
For not being successful in safeguarding the personal sensitive information, a fine of
£120,000 was imposed on Heathrow Airport. This happened due to an employee of the airport
losing a memory stick, which covered all this protected information. This penalty was imposed
by the ICO (“Information Commissioner’s Office”), after a probe was initiated into the data,
which had been, in October 2017, being downloaded by a member of public, upon coming across
this memory stick177. There were files that covered the type of identification that was required for
attaining access to restricted areas, maps depicting CCTC camera locations, and timetable of
security patrols. There were other files covering safeguards and routes for foreign dignitaries and
cabinet ministers, along with the details of ultrasound radar system, which was being used for
purpose of scanning the runways, as well as the perimeter fence. There were also maps
presenting the escape shafts and maintenance tunnels, liking the airport to Heathrow Express
train line178.
This stick covered a training video, in which there were personal details of ten
individuals, including their passport numbers, names, and date of birth, along with the details of
175 Cristina Lago, The biggest data breaches in the ASEAN region (30 January 2019)
<https://www.cio.com/article/3293060/the-biggest-data-breaches-in-the-asean-region.html?
action=profile_completion&page=2#toc-8>
176 Ibid
177 Joseph Archer, Heathrow Airport fined £120,000 for 'serious' data breach (08 October 2018)
<https://www.telegraph.co.uk/technology/2018/10/08/heathrow-airport-fined-120000-serious-data-breach/>
178 Warwick Ashford, Heathrow to probe leak of security files (30 October 2017)
<https://www.computerweekly.com/news/450429079/Heathrow-to-probe-leak-of-security-files>
pg. 85
their financial information, as these members had made use of the bank card to undertake the
transactions with this airline175.
Consequent to this incident, the Vietnam Airlines website, even at present time, covers a
clause regarding the customer privacy notice. This clearly states that in a situation of the data
being breached, the company will follow the GDPR of EU, and that the affected clients would be
contacted on urgent basis. There are also designated data protection officer (DOP) and data
controller with the airlines, as a result of these attacks176.
4.3. Case Study: Unsecured data
For not being successful in safeguarding the personal sensitive information, a fine of
£120,000 was imposed on Heathrow Airport. This happened due to an employee of the airport
losing a memory stick, which covered all this protected information. This penalty was imposed
by the ICO (“Information Commissioner’s Office”), after a probe was initiated into the data,
which had been, in October 2017, being downloaded by a member of public, upon coming across
this memory stick177. There were files that covered the type of identification that was required for
attaining access to restricted areas, maps depicting CCTC camera locations, and timetable of
security patrols. There were other files covering safeguards and routes for foreign dignitaries and
cabinet ministers, along with the details of ultrasound radar system, which was being used for
purpose of scanning the runways, as well as the perimeter fence. There were also maps
presenting the escape shafts and maintenance tunnels, liking the airport to Heathrow Express
train line178.
This stick covered a training video, in which there were personal details of ten
individuals, including their passport numbers, names, and date of birth, along with the details of
175 Cristina Lago, The biggest data breaches in the ASEAN region (30 January 2019)
<https://www.cio.com/article/3293060/the-biggest-data-breaches-in-the-asean-region.html?
action=profile_completion&page=2#toc-8>
176 Ibid
177 Joseph Archer, Heathrow Airport fined £120,000 for 'serious' data breach (08 October 2018)
<https://www.telegraph.co.uk/technology/2018/10/08/heathrow-airport-fined-120000-serious-data-breach/>
178 Warwick Ashford, Heathrow to probe leak of security files (30 October 2017)
<https://www.computerweekly.com/news/450429079/Heathrow-to-probe-leak-of-security-files>
pg. 85
Cyber Security in Aviation
nearly fifty of the airport’s aviation security staff. Initially it was claimed that the memory stick
covered the travel itinerary of the Queen as well, but this was never confirmed by the ICO. This
stick covered over thousand files but the drive was neither password protected or encrypted. The
person who came across this drive viewed this information at a library. Later on, this stick was
passed to national newspaper where the copies of this data were taken, before this drive was
returned to Heathrow Airport179.
Out of the 6,500 staff members of this airport, only 2% of the staff had been trained in
protection of data. Apart from this, there was a common culture of widespread practice of the
staff where they downloaded sensitive data on their memory sticks. As per the investigation
undertaken by ICO, this was a clear breach of company’s own policy. The airport was required
to keep data protection on its agenda, but the investigation revealed a range of shortfalls in
training, vision and corporate standards. This issue was deemed as a data protection, and it was
clear from the procedures and policies undertaken by the airport, that the information entrusted
upon them was not taken care of, nor was proper steps taken to reduce these susceptibilities to
the personal data. The company was fined based on the erstwhile rules, where the maximum
amount, which can be awarded as a penalty, was restricted to £500,000. Had this airport been
penalized based on the latest provisions of GDPR, the maximum penalty could have been
airport’s 4% global revenues, which is around £17 million. After this incident, the airport not
only reported the case to police, but also monitored the dark web and internet very closely. There
were strict actions taken to strengthen the policies and processes180.
4.4. Case Study: Hacking computer systems
Vietnam has not only been at the receiving end of cybersecurity breach; its people have
also been involved in undertaking such cyber-attacks at others. One of the skilled hackers from
Vietnam, broke into the computer systems of Perth Airport, and stole the building plans and
sensitive security details. As per one of the articles published in The West Australian, Le Duc
Hoang Hai was the Vietnamese individual, who had made use of a third party contractor
179 Joseph Archer, Heathrow Airport fined £120,000 for 'serious' data breach (08 October 2018)
<https://www.telegraph.co.uk/technology/2018/10/08/heathrow-airport-fined-120000-serious-data-breach/>
180 Ibid
pg. 86
nearly fifty of the airport’s aviation security staff. Initially it was claimed that the memory stick
covered the travel itinerary of the Queen as well, but this was never confirmed by the ICO. This
stick covered over thousand files but the drive was neither password protected or encrypted. The
person who came across this drive viewed this information at a library. Later on, this stick was
passed to national newspaper where the copies of this data were taken, before this drive was
returned to Heathrow Airport179.
Out of the 6,500 staff members of this airport, only 2% of the staff had been trained in
protection of data. Apart from this, there was a common culture of widespread practice of the
staff where they downloaded sensitive data on their memory sticks. As per the investigation
undertaken by ICO, this was a clear breach of company’s own policy. The airport was required
to keep data protection on its agenda, but the investigation revealed a range of shortfalls in
training, vision and corporate standards. This issue was deemed as a data protection, and it was
clear from the procedures and policies undertaken by the airport, that the information entrusted
upon them was not taken care of, nor was proper steps taken to reduce these susceptibilities to
the personal data. The company was fined based on the erstwhile rules, where the maximum
amount, which can be awarded as a penalty, was restricted to £500,000. Had this airport been
penalized based on the latest provisions of GDPR, the maximum penalty could have been
airport’s 4% global revenues, which is around £17 million. After this incident, the airport not
only reported the case to police, but also monitored the dark web and internet very closely. There
were strict actions taken to strengthen the policies and processes180.
4.4. Case Study: Hacking computer systems
Vietnam has not only been at the receiving end of cybersecurity breach; its people have
also been involved in undertaking such cyber-attacks at others. One of the skilled hackers from
Vietnam, broke into the computer systems of Perth Airport, and stole the building plans and
sensitive security details. As per one of the articles published in The West Australian, Le Duc
Hoang Hai was the Vietnamese individual, who had made use of a third party contractor
179 Joseph Archer, Heathrow Airport fined £120,000 for 'serious' data breach (08 October 2018)
<https://www.telegraph.co.uk/technology/2018/10/08/heathrow-airport-fined-120000-serious-data-breach/>
180 Ibid
pg. 86
Cyber Security in Aviation
credentials to attain unlawful access to the computer system of the airport in March 2016.
Alastair MacGibbon, the cybersecurity adviser of the erstwhile Australian Prime Minister,
Malcolm Turnbull, broke the news regarding significant amount of data related to physical
security and building schematics of airport buildings being stolen. However, it was also clarified
that Hai did not access any radar, or other such systems lined to operations of aircraft, thereby
the public travelling was safeguarded. This does beg the question on what the situation would
have been, in case Hai had accessed these systems, where the public travel would have been
placed under severe risk181.
The Perth Airport perceived this security breach; thereafter, the cybersecurity centre of
the Federal Government, located at Canberra, was passed on the information of this breach. As
the hack was found to be originated from Vietnam, the intervention of Vietnamese police was
taken by the Australian Federal Police, which ultimately led to arrest of Hai. Hai had not only
hacked Perth Airport, but the websites and infrastructure of Vietnam as well, including their
online military newspaper, banks and telecommunication. However, Perth was the only
Australian target of Hai. This near miss incident could have resulted in catastrophe due to the
nature of sensitive information that was tapped in. Thankfully, the Perth Airport staff took the
quick and swift actions, resulting in the catastrophe being averted. Since this incident, Perth
Airport has increased their investments towards additional security measures, and have further
infused $2m [AUD] for this purpose. For his actions, Hai was sentenced to four years of jail, in
first week of December 2017, by the Vietnamese military court182.
4.5. Case Study: Indian perspective
The passengers of IGI (Indra Gandhi International) Airport were left stranded on 29th July
2011, and the flights on Terminal 3 of Delhi were delayed. Instead of automated check-ins the
same had to be done manually for the flights. DIAL (Delhi International Airport Limited)
claimed that this was merely a back end server glitch. This incident covered 50 flights being
181 Nick Butterly, ‘Significant amount’ of sensitive security data stolen in Perth Airport hacking (11 Dec 2017)
<https://thewest.com.au/news/wa/significant-amount-of-sensitive-security-data-stolen-in-perth-airport-hacking-ng-
b88686393z>
182 Warwick Ashford, Perth airport security plans stolen by Vietnamese hacker (11 Dec 2017)
<https://www.computerweekly.com/news/450431587/Perth-airport-security-plans-stolen-by-Vietnamese-hacker>
pg. 87
credentials to attain unlawful access to the computer system of the airport in March 2016.
Alastair MacGibbon, the cybersecurity adviser of the erstwhile Australian Prime Minister,
Malcolm Turnbull, broke the news regarding significant amount of data related to physical
security and building schematics of airport buildings being stolen. However, it was also clarified
that Hai did not access any radar, or other such systems lined to operations of aircraft, thereby
the public travelling was safeguarded. This does beg the question on what the situation would
have been, in case Hai had accessed these systems, where the public travel would have been
placed under severe risk181.
The Perth Airport perceived this security breach; thereafter, the cybersecurity centre of
the Federal Government, located at Canberra, was passed on the information of this breach. As
the hack was found to be originated from Vietnam, the intervention of Vietnamese police was
taken by the Australian Federal Police, which ultimately led to arrest of Hai. Hai had not only
hacked Perth Airport, but the websites and infrastructure of Vietnam as well, including their
online military newspaper, banks and telecommunication. However, Perth was the only
Australian target of Hai. This near miss incident could have resulted in catastrophe due to the
nature of sensitive information that was tapped in. Thankfully, the Perth Airport staff took the
quick and swift actions, resulting in the catastrophe being averted. Since this incident, Perth
Airport has increased their investments towards additional security measures, and have further
infused $2m [AUD] for this purpose. For his actions, Hai was sentenced to four years of jail, in
first week of December 2017, by the Vietnamese military court182.
4.5. Case Study: Indian perspective
The passengers of IGI (Indra Gandhi International) Airport were left stranded on 29th July
2011, and the flights on Terminal 3 of Delhi were delayed. Instead of automated check-ins the
same had to be done manually for the flights. DIAL (Delhi International Airport Limited)
claimed that this was merely a back end server glitch. This incident covered 50 flights being
181 Nick Butterly, ‘Significant amount’ of sensitive security data stolen in Perth Airport hacking (11 Dec 2017)
<https://thewest.com.au/news/wa/significant-amount-of-sensitive-security-data-stolen-in-perth-airport-hacking-ng-
b88686393z>
182 Warwick Ashford, Perth airport security plans stolen by Vietnamese hacker (11 Dec 2017)
<https://www.computerweekly.com/news/450431587/Perth-airport-security-plans-stolen-by-Vietnamese-hacker>
pg. 87
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Cyber Security in Aviation
impacted owing to failure of CUPPS, as the domain was not working for around twelve hours.
Further, it was restored only when ARINC, FIAL and Wipro intervened. Even though no flights
had to be cancelled, several of them were delayed by around half an hour.
Upon the investigation of CBI (Central Bureau of Investigation) of India, this simple
technical failure was a virus attack on the system. A case was registered under the Indian IT Act
where the investigations revealed that a malicious code was used, and that too from an unknown
remote location, resulting in the failure of CUPPS. As per CBI, this was triggered through some
scripts on system, which pointed towards the involvement of experts holding detailed and
expertise knowledge regarding these systems, along with holding the intent of crippling these
systems. As this was deemed as a type of cyber-attack, CBI looked for the responsible
individuals, resulting in case being filed against unidentified people. CBI also concluded that
there were major security lapses183.
There were reports of other such incidents as well. As per one of such reports, a server
covering 148 domains of airports of India (including Trivandrum and Cochin), were hacked by
Pakistani cyber criminals. These individuals were identified as being Pak Cyber Attackers,
named Kashmiri Cheetah184.
The Indian airlines have still not integrated their cyber security as is required to be done
in business plan. This is despite the fact that the bulk of carriers deem this very matter as a key-
leveled urgency. Yet, cyber security continues to be a space that is reserved for main IT
investment by every Indian airline. This is as per the “2016 India IT Trends Benchmark report”,
which had been released by the SITA in December 2016. The Geneva-based SITA is a primary
actor in the information technology and air transport solutions. As per them, there has been a
certain level of progress made in terms of evolving the cybersecurity plans during just the last
three years. As per one of their reports, even though the bulk of Indian based airlines deem
cybersecurity as a key-leveled urgency, there is still lack of the same level of development as is
183 Manan Kakkar, CBI believes cyber attack led to IGI airport's technical problems in June (25 September 2011)
<https://www.zdnet.com/article/cbi-believes-cyber-attack-led-to-igi-airports-technical-problems-in-june/>
184 Surbhi Gloria Singh, 2016: Major cyber attacks across the globe (30 December 2016) <https://www.business-
standard.com/article/technology/2016-a-year-for-hackers-spies-know-major-cyber-attacks-across-the-globe-
116122800341_1.html>
pg. 88
impacted owing to failure of CUPPS, as the domain was not working for around twelve hours.
Further, it was restored only when ARINC, FIAL and Wipro intervened. Even though no flights
had to be cancelled, several of them were delayed by around half an hour.
Upon the investigation of CBI (Central Bureau of Investigation) of India, this simple
technical failure was a virus attack on the system. A case was registered under the Indian IT Act
where the investigations revealed that a malicious code was used, and that too from an unknown
remote location, resulting in the failure of CUPPS. As per CBI, this was triggered through some
scripts on system, which pointed towards the involvement of experts holding detailed and
expertise knowledge regarding these systems, along with holding the intent of crippling these
systems. As this was deemed as a type of cyber-attack, CBI looked for the responsible
individuals, resulting in case being filed against unidentified people. CBI also concluded that
there were major security lapses183.
There were reports of other such incidents as well. As per one of such reports, a server
covering 148 domains of airports of India (including Trivandrum and Cochin), were hacked by
Pakistani cyber criminals. These individuals were identified as being Pak Cyber Attackers,
named Kashmiri Cheetah184.
The Indian airlines have still not integrated their cyber security as is required to be done
in business plan. This is despite the fact that the bulk of carriers deem this very matter as a key-
leveled urgency. Yet, cyber security continues to be a space that is reserved for main IT
investment by every Indian airline. This is as per the “2016 India IT Trends Benchmark report”,
which had been released by the SITA in December 2016. The Geneva-based SITA is a primary
actor in the information technology and air transport solutions. As per them, there has been a
certain level of progress made in terms of evolving the cybersecurity plans during just the last
three years. As per one of their reports, even though the bulk of Indian based airlines deem
cybersecurity as a key-leveled urgency, there is still lack of the same level of development as is
183 Manan Kakkar, CBI believes cyber attack led to IGI airport's technical problems in June (25 September 2011)
<https://www.zdnet.com/article/cbi-believes-cyber-attack-led-to-igi-airports-technical-problems-in-june/>
184 Surbhi Gloria Singh, 2016: Major cyber attacks across the globe (30 December 2016) <https://www.business-
standard.com/article/technology/2016-a-year-for-hackers-spies-know-major-cyber-attacks-across-the-globe-
116122800341_1.html>
pg. 88
Cyber Security in Aviation
the case with the international airlines, in which 28% have fully integrated this in the business
plans of the company already. This is still not done by any of the airlines in India. This particular
report provided some significant statistics to bring this matter to clarity185.
In comparison to the airlines’ position three years ago in terms of their readiness to deal
with the cyber threats, in 2016 around one fourth of the Indian airlines were prepared to deal
with the cyber threats. This figure, three in 2013 stood at zero. The remaining three fourth of the
Indian airlines confess to being in the early stage of development plans only. Another area
gaining concern and significance from Indian airlines is the security around mobile as the nation
was found to be lagging behind. This was because of the fact that only one fourth has
implemented a specified cybersecurity initiative in this context, as compared to two fifths of the
global airlines doing the same. As far as the airports were concerned, three years ago, bulks of
airports, i.e. three fifths of these were just building out their critical defenses. In comparison to
this, in 2016, these airports were considerably more prepared to deal with the common threats.
Furthermore, around 14% airports had prepared themselves to deal with any kind of Cyber
threat186.
4.6. Case law: R v Daniel Devereux
A 30 year old Daniel Devereux was accused of hacking the websites of Norwich hospital
and Norfolk back in September of 2015. Just two months after this, he hacked into the Norwich
Airport. In November 2015, BBC Radio Norfolk was contacted. This person was a man who
identified himself as “His Royal Gingerness” claiming the Norwich Airport website hack. The
sole purpose, as per him, was to show the vulnerability of this airport187. Upon an investigation
185 Economic Times, 'Airlines yet to integrate cyber security with business plans' (16 December 2016)
<https://economictimes.indiatimes.com/industry/transportation/airlines-/-aviation/airlines-yet-to-integrate-cyber-
security-with-business-plans/articleshow/56020992.cms?
utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst>
186 Ibid
187 BBC, Norwich hospital and airport cyber-attack: Man charged (24 May 2017) <https://www.bbc.com/news/uk-
england-norfolk-40028225>
pg. 89
the case with the international airlines, in which 28% have fully integrated this in the business
plans of the company already. This is still not done by any of the airlines in India. This particular
report provided some significant statistics to bring this matter to clarity185.
In comparison to the airlines’ position three years ago in terms of their readiness to deal
with the cyber threats, in 2016 around one fourth of the Indian airlines were prepared to deal
with the cyber threats. This figure, three in 2013 stood at zero. The remaining three fourth of the
Indian airlines confess to being in the early stage of development plans only. Another area
gaining concern and significance from Indian airlines is the security around mobile as the nation
was found to be lagging behind. This was because of the fact that only one fourth has
implemented a specified cybersecurity initiative in this context, as compared to two fifths of the
global airlines doing the same. As far as the airports were concerned, three years ago, bulks of
airports, i.e. three fifths of these were just building out their critical defenses. In comparison to
this, in 2016, these airports were considerably more prepared to deal with the common threats.
Furthermore, around 14% airports had prepared themselves to deal with any kind of Cyber
threat186.
4.6. Case law: R v Daniel Devereux
A 30 year old Daniel Devereux was accused of hacking the websites of Norwich hospital
and Norfolk back in September of 2015. Just two months after this, he hacked into the Norwich
Airport. In November 2015, BBC Radio Norfolk was contacted. This person was a man who
identified himself as “His Royal Gingerness” claiming the Norwich Airport website hack. The
sole purpose, as per him, was to show the vulnerability of this airport187. Upon an investigation
185 Economic Times, 'Airlines yet to integrate cyber security with business plans' (16 December 2016)
<https://economictimes.indiatimes.com/industry/transportation/airlines-/-aviation/airlines-yet-to-integrate-cyber-
security-with-business-plans/articleshow/56020992.cms?
utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst>
186 Ibid
187 BBC, Norwich hospital and airport cyber-attack: Man charged (24 May 2017) <https://www.bbc.com/news/uk-
england-norfolk-40028225>
pg. 89
Cyber Security in Aviation
being launched in this matter, Devereux was charged under Section 1 of the Computer Misuse
Act188. This particular section is related to the unauthorized accessing of computing material189.
The estimate of this airport breach was put at £40,000. As a result of this, the case was
presented before the court, R v Daniel Devereux Norwich Crown Court 16 June 2017190. Due to
his videos posted online, and sent to staff through email, IT experts easily tracked him down. As
per Devereux, it only took him around 2-3 minutes to undertake each of the hacks. Further, he
credited his friend known by the name of “Muslim Electronic Army” for posting a message on
the website of the airport claiming that there was a bomb at this airport191. Even though his
defence was being a white hat hacker, where his intent was non-malicious, it did not go down
well with the crown. This was because the bookings, departure boards and arrivals were severely
affected, as the website of the airport was down for 3 days192. Due to the guilty plea, he was
sentenced to 32 weeks in prison. Along with this, the court issued a Criminal Behaviour Order
against him, barring Devereux from owning any kind of internet enabled device until such time
he followed stringent rules for five years, along with paid £150 as being a victim surcharge193.
188 Computer Misuse Act, 1990
189 Computer Misuse Act 1990, s1
190 R v Daniel Devereux Norwich Crown Court 16 June 2017
191 BBC, Norwich airport and hospital cyber-attack: Man admits guilt (25 May 2017)
<https://www.bbc.com/news/uk-england-norfolk-40047908>
192 BBC, Norwich airport and hospital cyber-hacker 'His Royal Gingerness' jailed (16 June2017)
<https://www.bbc.com/news/uk-england-norfolk-40307003>
193 Computer Evidence, Computer Misuse Act 1990 cases (2019)
<http://www.computerevidence.co.uk/Cases/CMA.htm>
pg. 90
being launched in this matter, Devereux was charged under Section 1 of the Computer Misuse
Act188. This particular section is related to the unauthorized accessing of computing material189.
The estimate of this airport breach was put at £40,000. As a result of this, the case was
presented before the court, R v Daniel Devereux Norwich Crown Court 16 June 2017190. Due to
his videos posted online, and sent to staff through email, IT experts easily tracked him down. As
per Devereux, it only took him around 2-3 minutes to undertake each of the hacks. Further, he
credited his friend known by the name of “Muslim Electronic Army” for posting a message on
the website of the airport claiming that there was a bomb at this airport191. Even though his
defence was being a white hat hacker, where his intent was non-malicious, it did not go down
well with the crown. This was because the bookings, departure boards and arrivals were severely
affected, as the website of the airport was down for 3 days192. Due to the guilty plea, he was
sentenced to 32 weeks in prison. Along with this, the court issued a Criminal Behaviour Order
against him, barring Devereux from owning any kind of internet enabled device until such time
he followed stringent rules for five years, along with paid £150 as being a victim surcharge193.
188 Computer Misuse Act, 1990
189 Computer Misuse Act 1990, s1
190 R v Daniel Devereux Norwich Crown Court 16 June 2017
191 BBC, Norwich airport and hospital cyber-attack: Man admits guilt (25 May 2017)
<https://www.bbc.com/news/uk-england-norfolk-40047908>
192 BBC, Norwich airport and hospital cyber-hacker 'His Royal Gingerness' jailed (16 June2017)
<https://www.bbc.com/news/uk-england-norfolk-40307003>
193 Computer Evidence, Computer Misuse Act 1990 cases (2019)
<http://www.computerevidence.co.uk/Cases/CMA.htm>
pg. 90
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Cyber Security in Aviation
Chapter 5: Findings and Comparative Analysis
In the discussion undertaken in the previous two chapters, the varied laws applicable in
context of aviation industry, in India, US and Europe were highlighted, along with the analysis of
the manner in which cybersecurity becomes a necessity for protecting ATC, Airlines and
Airports. The objective of this research was to bring clarity to the legal standing of the three
regions, where the different approaches taken by these, in context of pillars of aviation had to be
established. In order to meet the objectives of this study, a detailed analysis was carried out
where it was highlighted how the three pillars are threatened by modern day cyber-attacks. These
included denial of service attacks through Botnets, ATM systems being attacked through
communication attacks, CUPPS being affected resulting in delayed services, the authorizations
with APT being misused, social engineered attacks, and various other modes. In order to depict
the reality and possibility of these attacks, the actual case studies where these attacks were
undertaken were also discussed. Some of these attacks resulted in civil cases, while some led to
the intervention of military courts, holding the individuals liable for their misdeeds.
The discussion undertaken into the laws of US, Europe and India highlighted one key
fact. This was that there are more measures undertaken in Europe and US in context of aviation
cybersecurity, in comparison to India. Cybersecurity became a regulatory priority of Europe and
US way before it become the same in Indian context. Public internet arrived in India, just two
decades ago. At present, the nation has amongst the largest numbers of internet users. With the
Indian government recently making a push towards digital India, and towards adoption of
cashless economy, the dream of India being a Digital Society is about to be actualized. However,
with this growth in digital dependency, the need for securing the Indian cyber space has
increased. This is particularly in the backdrop of the major part of Indian internet users being
beginner level, in terms of being aware of secure practices while making use of this digital
world.
Possibly, this is the reason for the frameworks and policies of Europe and US being more
refined and defined as compared to India. This is resonated in the fact that as per the Global
ranking in Global Cybersecurity Index 2018, US was at 2nd place, European nations like UK,
France, Lithuania, and Estonia holding the other top four spots (1st, 3rd, 4th and 5th, respectively),
pg. 91
Chapter 5: Findings and Comparative Analysis
In the discussion undertaken in the previous two chapters, the varied laws applicable in
context of aviation industry, in India, US and Europe were highlighted, along with the analysis of
the manner in which cybersecurity becomes a necessity for protecting ATC, Airlines and
Airports. The objective of this research was to bring clarity to the legal standing of the three
regions, where the different approaches taken by these, in context of pillars of aviation had to be
established. In order to meet the objectives of this study, a detailed analysis was carried out
where it was highlighted how the three pillars are threatened by modern day cyber-attacks. These
included denial of service attacks through Botnets, ATM systems being attacked through
communication attacks, CUPPS being affected resulting in delayed services, the authorizations
with APT being misused, social engineered attacks, and various other modes. In order to depict
the reality and possibility of these attacks, the actual case studies where these attacks were
undertaken were also discussed. Some of these attacks resulted in civil cases, while some led to
the intervention of military courts, holding the individuals liable for their misdeeds.
The discussion undertaken into the laws of US, Europe and India highlighted one key
fact. This was that there are more measures undertaken in Europe and US in context of aviation
cybersecurity, in comparison to India. Cybersecurity became a regulatory priority of Europe and
US way before it become the same in Indian context. Public internet arrived in India, just two
decades ago. At present, the nation has amongst the largest numbers of internet users. With the
Indian government recently making a push towards digital India, and towards adoption of
cashless economy, the dream of India being a Digital Society is about to be actualized. However,
with this growth in digital dependency, the need for securing the Indian cyber space has
increased. This is particularly in the backdrop of the major part of Indian internet users being
beginner level, in terms of being aware of secure practices while making use of this digital
world.
Possibly, this is the reason for the frameworks and policies of Europe and US being more
refined and defined as compared to India. This is resonated in the fact that as per the Global
ranking in Global Cybersecurity Index 2018, US was at 2nd place, European nations like UK,
France, Lithuania, and Estonia holding the other top four spots (1st, 3rd, 4th and 5th, respectively),
pg. 91
Cyber Security in Aviation
whilst India attained the 47th rank194. These are rankings based on measures adopted by
companies in context of their internal commitment towards cybersecurity. As per reports, Estonia
has shown interest in assisting India regarding their cybersecurity195. This is possible due to the
cybersecurity in Estonia being better than that of Indian counterpart. However, one thing worth
noting here is that all three jurisdictions have been unsuccessful in adapting swiftly to the rapid
changing technologies. Moreover, there is a noted trend of developing more bodies/ institutions
and legislations in US and Europe, rather than actually creating cybersecurity measures, which
can thwart the futuristic threats. India fails in both these areas196.
A comparison of policies of cybersecurity of the three jurisdictions reflected many
common threads in certain areas and was majorly different in other context. The reason for the
difference in approach is due to the varied circumstances in US and Europe, in comparison to
India. Nonetheless, despite the major haps in context of historic access to resources and
technology deployment towards protection of cyber space, in the last two decades, India has
raised its emphasis on cybersecurity being a key policy issue. The Indian counterparts have fairly
developed systems and processes, and they have considered cybersecurity as a policy concern
since way before than India did. This is the reason for the European and US based cybersecurity
frameworks being much more cohesive and comprehensive in comparison to India. The use of
Global Cybersecurity Index does strengthen that the cybersecurity of India, in comparison to the
other two jurisdictions is significantly far off in terms of development and commitment.
There is a major focus on the national security for all of these three jurisdictions,
particularly where organized actors posed the threat. All three have created a progressive road
map for holistically addressing cyber security, through such nation-based policies for
cybersecurity. However, there continues to be major gaps in the actualization of cybersecurity
194 ITU, Global Cybersecurity Index (GCI) 2018 (2018)
<https://www.itu.int/en/ITU-D/Cybersecurity/Documents/draft-18-00706_Global-Cybersecurity-Index-
EV5_print_2.pdf>
195 Kalyan Parbat, Estonia open to assist India on cyber security (13 July 2018)
<https://economictimes.indiatimes.com/news/defence/estonia-open-to-assist-india-on-cyber-security/articleshow/
60726974.cms>
196 ITU, Global Cybersecurity Index (GCI) 2018 (2018)
<https://www.itu.int/en/ITU-D/Cybersecurity/Documents/draft-18-00706_Global-Cybersecurity-Index-
EV5_print_2.pdf>
pg. 92
whilst India attained the 47th rank194. These are rankings based on measures adopted by
companies in context of their internal commitment towards cybersecurity. As per reports, Estonia
has shown interest in assisting India regarding their cybersecurity195. This is possible due to the
cybersecurity in Estonia being better than that of Indian counterpart. However, one thing worth
noting here is that all three jurisdictions have been unsuccessful in adapting swiftly to the rapid
changing technologies. Moreover, there is a noted trend of developing more bodies/ institutions
and legislations in US and Europe, rather than actually creating cybersecurity measures, which
can thwart the futuristic threats. India fails in both these areas196.
A comparison of policies of cybersecurity of the three jurisdictions reflected many
common threads in certain areas and was majorly different in other context. The reason for the
difference in approach is due to the varied circumstances in US and Europe, in comparison to
India. Nonetheless, despite the major haps in context of historic access to resources and
technology deployment towards protection of cyber space, in the last two decades, India has
raised its emphasis on cybersecurity being a key policy issue. The Indian counterparts have fairly
developed systems and processes, and they have considered cybersecurity as a policy concern
since way before than India did. This is the reason for the European and US based cybersecurity
frameworks being much more cohesive and comprehensive in comparison to India. The use of
Global Cybersecurity Index does strengthen that the cybersecurity of India, in comparison to the
other two jurisdictions is significantly far off in terms of development and commitment.
There is a major focus on the national security for all of these three jurisdictions,
particularly where organized actors posed the threat. All three have created a progressive road
map for holistically addressing cyber security, through such nation-based policies for
cybersecurity. However, there continues to be major gaps in the actualization of cybersecurity
194 ITU, Global Cybersecurity Index (GCI) 2018 (2018)
<https://www.itu.int/en/ITU-D/Cybersecurity/Documents/draft-18-00706_Global-Cybersecurity-Index-
EV5_print_2.pdf>
195 Kalyan Parbat, Estonia open to assist India on cyber security (13 July 2018)
<https://economictimes.indiatimes.com/news/defence/estonia-open-to-assist-india-on-cyber-security/articleshow/
60726974.cms>
196 ITU, Global Cybersecurity Index (GCI) 2018 (2018)
<https://www.itu.int/en/ITU-D/Cybersecurity/Documents/draft-18-00706_Global-Cybersecurity-Index-
EV5_print_2.pdf>
pg. 92
Cyber Security in Aviation
measures. For example, Indian cybersecurity initiatives are limped as a result of recurring and
fixed budget allocations. The focus of European nations and UK is larger towards multi
stakeholders and adopts a collaborative approach. A key point of shortfall in Indian context is the
lack of development of typology of threat, as against the US typology. Data protection is still
missing in Indian policies. The focus of India, as a nation, in on defensive cyber skills, while the
other two jurisdictions emphasize on offensive cyber skills197.
All the three jurisdictions have key civil society and industry stakeholders. Though when
it comes to companies focused towards cybersecurity, the Indian counterparts fall short in having
robust cybersecurity society. Further, the focus of civil society and industry stakeholders is more
profound in development of policies as well. A noteworthy point is that there are proper
structures and programmes in these jurisdictions that aim towards skill development. The
European and USA individuals are more focused towards creating cybersecurity awareness, in
comparison to India. Despite this, the strength of India in emergency responses, through CERT-
In and specific protection provided to critical infrastructure through CIIPC do strengthen the
Indian aviation. Yet, Indian still lacks a centralized coordinating organization, which could
further work towards strengthening of Indian cybersecurity sphere.
The hypothesis for this research was that the US System/European System guides the
Indian Cybersecurity. This can be easily resonated in the efforts undertaken by India in the
varied steps taken by it (as discussed in this chapter). To prove this further, the support of multi
stakeholder model in international forums for internet governance has to be seen. This is because
the advocacy of India for this model was a considerably recent development, and fails in being a
generic focus on sovereign issues. In stark comparison, USA and Europe has been proactive
approaches in engagement of such multi stakeholder model, in context of cybersecurity.
Bilateralism is deemed as a critical foreign policy tool by India for its concerns of
cybersecurity198. Whilst India focuses on bilateral partnerships and soft ties primarily, USA
supports Budapest Convention on Cybercrime, where the focus is on binding the international
commitments199.
197 Ibid
198 Ibid
pg. 93
measures. For example, Indian cybersecurity initiatives are limped as a result of recurring and
fixed budget allocations. The focus of European nations and UK is larger towards multi
stakeholders and adopts a collaborative approach. A key point of shortfall in Indian context is the
lack of development of typology of threat, as against the US typology. Data protection is still
missing in Indian policies. The focus of India, as a nation, in on defensive cyber skills, while the
other two jurisdictions emphasize on offensive cyber skills197.
All the three jurisdictions have key civil society and industry stakeholders. Though when
it comes to companies focused towards cybersecurity, the Indian counterparts fall short in having
robust cybersecurity society. Further, the focus of civil society and industry stakeholders is more
profound in development of policies as well. A noteworthy point is that there are proper
structures and programmes in these jurisdictions that aim towards skill development. The
European and USA individuals are more focused towards creating cybersecurity awareness, in
comparison to India. Despite this, the strength of India in emergency responses, through CERT-
In and specific protection provided to critical infrastructure through CIIPC do strengthen the
Indian aviation. Yet, Indian still lacks a centralized coordinating organization, which could
further work towards strengthening of Indian cybersecurity sphere.
The hypothesis for this research was that the US System/European System guides the
Indian Cybersecurity. This can be easily resonated in the efforts undertaken by India in the
varied steps taken by it (as discussed in this chapter). To prove this further, the support of multi
stakeholder model in international forums for internet governance has to be seen. This is because
the advocacy of India for this model was a considerably recent development, and fails in being a
generic focus on sovereign issues. In stark comparison, USA and Europe has been proactive
approaches in engagement of such multi stakeholder model, in context of cybersecurity.
Bilateralism is deemed as a critical foreign policy tool by India for its concerns of
cybersecurity198. Whilst India focuses on bilateral partnerships and soft ties primarily, USA
supports Budapest Convention on Cybercrime, where the focus is on binding the international
commitments199.
197 Ibid
198 Ibid
pg. 93
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Cyber Security in Aviation
There is prioritization of security concerns in context of the civil liberties concerns that
makes it clear on the manner in which these jurisdictions address the surveillance and
cybersecurity issues. There are stronger judicial oversight mechanisms for intercepting and
monitoring cybersecurity communications in US as compared to India. This is because the Indian
oversight mechanisms are majorly with the executive branch. This helps in proving the second
hypothesis of this discussion, which covered that there is fundamental difference in approaches
to Safety of Cyber Security Infrastructure, in Aviation, in India/US and Europe. From the
inferences drawn by Indian cybersecurity laws, from adherence to SARPs or to the other
guidance of ICAO, along with learning from others, it becomes clear that the Indian laws are
more imitative and reactive. As against this, USA and European nations act as lead, through
brining in original and proactive measures. Despite taking inference from US and other
international nations, the cybersecurity laws of India are not as strengthened and were quite
delayed. This meant that even though the inspiration was taken from others (making Indian laws
imitative) these have not been proactive to strengthen the aviation cybersecurity200.
Another interesting fact, which works in favour of India, is that Indian cyberspace has
been considerably safeguarded from attacks. In simpler terms, as much as the aviation industry in
Europe and US has been attacked, there are hardly any similar or repeated instances in India.
This does raises an eyebrow of the actual strengthened systems of European and US
cybersecurity, where all the hundreds of measures taken by these two nations, fall short in
actually fulfilling the purpose for which they were created, i.e. safeguarding the aviation
cyberspace. This certainly does not mean that Indian cyberspace is protected. Nevertheless, when
a statement is made on the reactiveness and proactive-ness of the Europe and US cyber laws,
such recurrent instances put a question mark over the actual strength of the measures adopted in
these jurisdictions. A key point of similarity in the cybersecurity domain of Europe, India and
USA is in the adherence of policies and suggestions put forth by the ICAO. This is possibly,
because avoidance of ICAO’s polices is not an option for any nation. There are proper laws in all
199 Council of Europe, US support to the Budapest Convention (25 September 2018)
<https://www.coe.int/en/web/cybercrime/-/us-support-to-the-budapest-convention>
200 ITU, Global Cybersecurity Index (GCI) 2018 (2018)
<https://www.itu.int/en/ITU-D/Cybersecurity/Documents/draft-18-00706_Global-Cybersecurity-Index-
EV5_print_2.pdf>
pg. 94
There is prioritization of security concerns in context of the civil liberties concerns that
makes it clear on the manner in which these jurisdictions address the surveillance and
cybersecurity issues. There are stronger judicial oversight mechanisms for intercepting and
monitoring cybersecurity communications in US as compared to India. This is because the Indian
oversight mechanisms are majorly with the executive branch. This helps in proving the second
hypothesis of this discussion, which covered that there is fundamental difference in approaches
to Safety of Cyber Security Infrastructure, in Aviation, in India/US and Europe. From the
inferences drawn by Indian cybersecurity laws, from adherence to SARPs or to the other
guidance of ICAO, along with learning from others, it becomes clear that the Indian laws are
more imitative and reactive. As against this, USA and European nations act as lead, through
brining in original and proactive measures. Despite taking inference from US and other
international nations, the cybersecurity laws of India are not as strengthened and were quite
delayed. This meant that even though the inspiration was taken from others (making Indian laws
imitative) these have not been proactive to strengthen the aviation cybersecurity200.
Another interesting fact, which works in favour of India, is that Indian cyberspace has
been considerably safeguarded from attacks. In simpler terms, as much as the aviation industry in
Europe and US has been attacked, there are hardly any similar or repeated instances in India.
This does raises an eyebrow of the actual strengthened systems of European and US
cybersecurity, where all the hundreds of measures taken by these two nations, fall short in
actually fulfilling the purpose for which they were created, i.e. safeguarding the aviation
cyberspace. This certainly does not mean that Indian cyberspace is protected. Nevertheless, when
a statement is made on the reactiveness and proactive-ness of the Europe and US cyber laws,
such recurrent instances put a question mark over the actual strength of the measures adopted in
these jurisdictions. A key point of similarity in the cybersecurity domain of Europe, India and
USA is in the adherence of policies and suggestions put forth by the ICAO. This is possibly,
because avoidance of ICAO’s polices is not an option for any nation. There are proper laws in all
199 Council of Europe, US support to the Budapest Convention (25 September 2018)
<https://www.coe.int/en/web/cybercrime/-/us-support-to-the-budapest-convention>
200 ITU, Global Cybersecurity Index (GCI) 2018 (2018)
<https://www.itu.int/en/ITU-D/Cybersecurity/Documents/draft-18-00706_Global-Cybersecurity-Index-
EV5_print_2.pdf>
pg. 94
Cyber Security in Aviation
these jurisdictions, with number of regulatory bodies and classification of role of each body,
being a point of divergence; this is particularly for US and Euro control having a higher number
of regulatory bodies, in comparison to India as a counterpart. Another critical point worth noting
at this point is that the laws of India are not as much differentiated or segregated, for the three
pillars of aviation, as is the case with the counterparts of Europe and USA.
pg. 95
these jurisdictions, with number of regulatory bodies and classification of role of each body,
being a point of divergence; this is particularly for US and Euro control having a higher number
of regulatory bodies, in comparison to India as a counterpart. Another critical point worth noting
at this point is that the laws of India are not as much differentiated or segregated, for the three
pillars of aviation, as is the case with the counterparts of Europe and USA.
pg. 95
Cyber Security in Aviation
Chapter 6: Conclusion
The discussion undertaken in the previous parts of this discussion highlighted a crucial
point of worry for the modern day aviation industry. The increasing use of technology, and the
increasing reliance on it, by varied individuals and organizations, in different facets of life,
brings with the inherent cyber threat risks. Cybersecurity in aviation was not a matter of key
interest or even concern until the last few decades. However, the advent of internet brought with
it the magnitude and plethora of risks. No industry is safe from these threats; and the nature of
aviation industry makes these threats even more critical. The previous segments attempted to
cover a handful of these threats. Aviation industry has been at the entry point of technological
innovations, particularly due to the increase in number of users. This requires enhancements in
infrastructure in order to support this growth and for the smooth transition of these services. In
context of aviation, cybersecurity becomes a key enabler regarding safety.
The research undertaken for this thesis elaborated the key role that is played varied
international bodies, in civil aviation context. The most important one is the role of ICAO, which
is the chief agency working towards emphasizing on need of securing cyberspace. It brought
forth the measures like SARPs and PANS. Annex 17 brings with it the different measures like
4.9 that relate specifically to cyber threats. It constantly takes up the efforts to promote
cybersecurity through different conferences and educates the different stakeholders regarding the
risks in aviation, owing to cyber space.
India has seen the reliance on digital modes, a lot late as compared to its international
counterparts. This is the reason why it has been considerably behind the nations like US and the
other European nations, in adopting cybersecurity measures. This is again the reason for delay in
its cybersecurity measures towards civil aviation sector. The key body working in this context in
the nation is BCAS that looks into the aviation security affairs. There are measures like control
rooms and training to employees. The main legislative instrument protecting the Indian
cyberspace is Information Technology Act of 2005. The legislative history of the nation, covered
under the chapter 2, helped in attaining clarity at the different measures taken in Indian cyber
space, which led to this space being properly secured. The measures like CERT-In, NCIIPC,
NeTRA, National Cyber Security Policy, “XII Five Year Plan report on Cyber Security”, and the
pg. 96
Chapter 6: Conclusion
The discussion undertaken in the previous parts of this discussion highlighted a crucial
point of worry for the modern day aviation industry. The increasing use of technology, and the
increasing reliance on it, by varied individuals and organizations, in different facets of life,
brings with the inherent cyber threat risks. Cybersecurity in aviation was not a matter of key
interest or even concern until the last few decades. However, the advent of internet brought with
it the magnitude and plethora of risks. No industry is safe from these threats; and the nature of
aviation industry makes these threats even more critical. The previous segments attempted to
cover a handful of these threats. Aviation industry has been at the entry point of technological
innovations, particularly due to the increase in number of users. This requires enhancements in
infrastructure in order to support this growth and for the smooth transition of these services. In
context of aviation, cybersecurity becomes a key enabler regarding safety.
The research undertaken for this thesis elaborated the key role that is played varied
international bodies, in civil aviation context. The most important one is the role of ICAO, which
is the chief agency working towards emphasizing on need of securing cyberspace. It brought
forth the measures like SARPs and PANS. Annex 17 brings with it the different measures like
4.9 that relate specifically to cyber threats. It constantly takes up the efforts to promote
cybersecurity through different conferences and educates the different stakeholders regarding the
risks in aviation, owing to cyber space.
India has seen the reliance on digital modes, a lot late as compared to its international
counterparts. This is the reason why it has been considerably behind the nations like US and the
other European nations, in adopting cybersecurity measures. This is again the reason for delay in
its cybersecurity measures towards civil aviation sector. The key body working in this context in
the nation is BCAS that looks into the aviation security affairs. There are measures like control
rooms and training to employees. The main legislative instrument protecting the Indian
cyberspace is Information Technology Act of 2005. The legislative history of the nation, covered
under the chapter 2, helped in attaining clarity at the different measures taken in Indian cyber
space, which led to this space being properly secured. The measures like CERT-In, NCIIPC,
NeTRA, National Cyber Security Policy, “XII Five Year Plan report on Cyber Security”, and the
pg. 96
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Cyber Security in Aviation
like, have protected the Indian cyberspace in a successful manner. A key negative regarding the
Indian cybersecurity laws are that they are not proactive. These measures are adopted by taking
reference from the international cyberspace. Even though this is not a negative point, it does
show that the reliance is always on others, to take the required steps in protecting the civil
aviation cyber space. Moreover, there are just a handful of measures, in terms of legislative
instruments and bodies, working in context of aviation cybersecurity.
The discussion also highlighted the varied bodies and legislative instruments working in
US, which are focused on the same thing. The role of FAA and DOT takes centre stage in the
aviation cybersecurity for the nation. As is the case with India, there is a legislative instrument
Federal Aviation Act of 1958 that works towards securing the air space in US. This is
accompanies by varied parts of Code of Federal Regulations and that of United States Code,
working in this context. USA is also aligned with various international conventions and has been
a signatory to major multilateral aviation treaties. Included in these are the “Tokyo Convention,
Chicago Convention, Montreal Convention, and Warsaw Convention”, amongst the others. The
US Department of Homeland Security takes calculated measures, in thwarting the cyber threats.
Further, it has defined this term, to bring clarity on what can make someone liable. Measures like
NextGen and COPASIR are adopted to protect the critical aviation infrastructure. The recent
efforts of Cybersecurity Roadmap and Cybersecurity Strategy are examples of constant efforts
undertaken by USA, to ensure that all the cyber risks are kept at bay.
As is the case with USA, Europe too has many regulations and legislative instruments
safeguarding the aviation sector of this region. EASA regulate the cyberspace certifications and
licensing to keep a check on the technicians and mechanics in aeronautical department. The
regulations put forth in this context, have been constantly updated. The examples of this include
the transition from “Regulation (EC) No 1592/2002 to Regulation (EC) No 216/2008 to
Regulation (EC) No 1108/2009”. EASA undertakes standardized inspections for monitoring
applicability of EU legislations in a uniform manner. The measures taken in Europe through
Euro control are the most noteworthy ones. EUROCONTROL has been nominated as the
Network Manager for Europe and this act as the central unit for managing air traffic flow. The
bodies like EACCC, ECSCG and ECCSA, along with the adopted ENISA’s CERT-EU, SESAR,
pg. 97
like, have protected the Indian cyberspace in a successful manner. A key negative regarding the
Indian cybersecurity laws are that they are not proactive. These measures are adopted by taking
reference from the international cyberspace. Even though this is not a negative point, it does
show that the reliance is always on others, to take the required steps in protecting the civil
aviation cyber space. Moreover, there are just a handful of measures, in terms of legislative
instruments and bodies, working in context of aviation cybersecurity.
The discussion also highlighted the varied bodies and legislative instruments working in
US, which are focused on the same thing. The role of FAA and DOT takes centre stage in the
aviation cybersecurity for the nation. As is the case with India, there is a legislative instrument
Federal Aviation Act of 1958 that works towards securing the air space in US. This is
accompanies by varied parts of Code of Federal Regulations and that of United States Code,
working in this context. USA is also aligned with various international conventions and has been
a signatory to major multilateral aviation treaties. Included in these are the “Tokyo Convention,
Chicago Convention, Montreal Convention, and Warsaw Convention”, amongst the others. The
US Department of Homeland Security takes calculated measures, in thwarting the cyber threats.
Further, it has defined this term, to bring clarity on what can make someone liable. Measures like
NextGen and COPASIR are adopted to protect the critical aviation infrastructure. The recent
efforts of Cybersecurity Roadmap and Cybersecurity Strategy are examples of constant efforts
undertaken by USA, to ensure that all the cyber risks are kept at bay.
As is the case with USA, Europe too has many regulations and legislative instruments
safeguarding the aviation sector of this region. EASA regulate the cyberspace certifications and
licensing to keep a check on the technicians and mechanics in aeronautical department. The
regulations put forth in this context, have been constantly updated. The examples of this include
the transition from “Regulation (EC) No 1592/2002 to Regulation (EC) No 216/2008 to
Regulation (EC) No 1108/2009”. EASA undertakes standardized inspections for monitoring
applicability of EU legislations in a uniform manner. The measures taken in Europe through
Euro control are the most noteworthy ones. EUROCONTROL has been nominated as the
Network Manager for Europe and this act as the central unit for managing air traffic flow. The
bodies like EACCC, ECSCG and ECCSA, along with the adopted ENISA’s CERT-EU, SESAR,
pg. 97
Cyber Security in Aviation
GDPR, “Network and Information Security (NIS) Directive”, NEASCOG and the like are just a
few of bodies and frameworks working in this direction.
The comparison between the laws of India and the measures taken by other two regions
clarify that the two jurisdictions are more active in protecting their cyber space, as it is older in
comparison to the Indian space. One point worth noting here is that there are a lot of similarities
in the laws of these regions and in the role played by varied regulatory bodies. The goal of all
these remain the same, i.e. protecting the aviation pillars from the modern day cyber threats,
which are often state sponsored and/or maliciously motivated. There are intelligence instructions
for these jurisdictions that continue to be deeply involved in cybersecurity. Though, the
difference continues to be in the objectives, aims and threats of cybersecurity policies in these
three jurisdictions. The discussion did highlight this. One of the examples of this was the range
of policy measures that were diversified in US and European context, but were more contracted
in Indian space. Another example was the frequency of cyber space aviation incidents in terms of
attacks in US and European context, which were a lot higher as compared to India. The multi
stakeholder principles in Indian context were not as much recognized as was present in
international context. Also, the Indian approach is soft towards incentivizing the businesses to
embrace security best practices, without essentially assigning stern guidelines.
There was a commonality of the basic measures of cyber security infrastructure in the
three jurisdictions. These included the critical information protection and creation of emergency
response agencies. Apart from this, there were many divergent institutes conducting dissimilar
directives on cybersecurity. This does present with it, the possibility of overlapping, creating a
hurdle in ensuring accountability. Thus, there is a need to mandate sharing of information among
the varied departments, both nationally and internationally, for smooth transactions. This is
because such information sharing would allow common threats to be identified and unified
measures to be adopted to eliminate them. There is also the notion of Indian approach towards
international cybercrime to be help up owing to diplomatic reasons. This approach needs to be
revisited and Indian needs to consider being more accepting to the international commitments, to
allow for a larger degree of cooperation to investigate into the cyber threats. The cybersecurity of
India is not properly based on fundamental principles, as is the case with US and Europe. This
helped in proving the hypothesis of this discussion correct that the US System/European System
pg. 98
GDPR, “Network and Information Security (NIS) Directive”, NEASCOG and the like are just a
few of bodies and frameworks working in this direction.
The comparison between the laws of India and the measures taken by other two regions
clarify that the two jurisdictions are more active in protecting their cyber space, as it is older in
comparison to the Indian space. One point worth noting here is that there are a lot of similarities
in the laws of these regions and in the role played by varied regulatory bodies. The goal of all
these remain the same, i.e. protecting the aviation pillars from the modern day cyber threats,
which are often state sponsored and/or maliciously motivated. There are intelligence instructions
for these jurisdictions that continue to be deeply involved in cybersecurity. Though, the
difference continues to be in the objectives, aims and threats of cybersecurity policies in these
three jurisdictions. The discussion did highlight this. One of the examples of this was the range
of policy measures that were diversified in US and European context, but were more contracted
in Indian space. Another example was the frequency of cyber space aviation incidents in terms of
attacks in US and European context, which were a lot higher as compared to India. The multi
stakeholder principles in Indian context were not as much recognized as was present in
international context. Also, the Indian approach is soft towards incentivizing the businesses to
embrace security best practices, without essentially assigning stern guidelines.
There was a commonality of the basic measures of cyber security infrastructure in the
three jurisdictions. These included the critical information protection and creation of emergency
response agencies. Apart from this, there were many divergent institutes conducting dissimilar
directives on cybersecurity. This does present with it, the possibility of overlapping, creating a
hurdle in ensuring accountability. Thus, there is a need to mandate sharing of information among
the varied departments, both nationally and internationally, for smooth transactions. This is
because such information sharing would allow common threats to be identified and unified
measures to be adopted to eliminate them. There is also the notion of Indian approach towards
international cybercrime to be help up owing to diplomatic reasons. This approach needs to be
revisited and Indian needs to consider being more accepting to the international commitments, to
allow for a larger degree of cooperation to investigate into the cyber threats. The cybersecurity of
India is not properly based on fundamental principles, as is the case with US and Europe. This
helped in proving the hypothesis of this discussion correct that the US System/European System
pg. 98
Cyber Security in Aviation
guides the Indian Cyber Security. This also helped in establishing the other hypothesis of this
discussion correct that there is a fundamental difference in approaches to Safety of Cyber
Security Infrastructure, in Aviation, in India/US and Europe.
In order to highlight the need and significance of protecting the aviation cyber space, the
different threats looming on the three pillars of aviation, i.e. ATC, airlines and airports were
discussed. This also included the discussion on actual cyber-attacks, which brought the three
pillars to stand still, albeit for short durations. To bring the discussion close to reality, the manner
in which the common day devices are manipulated to carry out malicious activities were also
highlighted. The particular demand of the aviation industry, led to the rampant reliance on
technology. The use of CCTVs, GPS systems, weather radars and CUPPS, brought forth open
targets for the malicious hackers. The varied charts, figures and tables given in the discussion
highlighted these very measures. The denial of service attacks through botnets, overtaking of
HVAC systems, misuse through BYOD, screens and websites of airports, and ground system
attacks are some of the measures, which can lead to disruption of aviation services.
The “phishing attacks, jamming attacks, remote attacks, and Wi-Fi based attacks” act a
particular risk factor in air traffic control. There is a possibility of radar controls and airport
runway lighting being misused due to the possible cyber-attack on ATC systems. Under ATC,
cyber security acts as a critical infrastructure. This is due to the world being entangled in
sophisticated and deceitful cyber threat landscape at present. The adversaries are often targeting
different organizations, which has now translated to attacks on critical infrastructure. This is the
reason why so many measures are undertaken to protect this pillar of aviation, as have been
elucidated in detail in the previous segments. Yet, there have been many instances where the
ATC was attacked be it the 2006 system shutdown of Alaska ATC systems, or the white-hat
Derby Con demonstration showing vulnerabilities of the adopted systems. The terrorist
interferences like that of ISIS and state sponsored wrongdoings like hacking of US infrastructure
by Russia are just a few of examples of how unsafe the ATC is, despite the varied legislative
instruments being put in place and the bodies working in this regard.
The airlines have also faced similar threats. Further, they are insecure due to being
present in this digitalized world. As is the case with ATC, the airlines too have faced the burn of
pg. 99
guides the Indian Cyber Security. This also helped in establishing the other hypothesis of this
discussion correct that there is a fundamental difference in approaches to Safety of Cyber
Security Infrastructure, in Aviation, in India/US and Europe.
In order to highlight the need and significance of protecting the aviation cyber space, the
different threats looming on the three pillars of aviation, i.e. ATC, airlines and airports were
discussed. This also included the discussion on actual cyber-attacks, which brought the three
pillars to stand still, albeit for short durations. To bring the discussion close to reality, the manner
in which the common day devices are manipulated to carry out malicious activities were also
highlighted. The particular demand of the aviation industry, led to the rampant reliance on
technology. The use of CCTVs, GPS systems, weather radars and CUPPS, brought forth open
targets for the malicious hackers. The varied charts, figures and tables given in the discussion
highlighted these very measures. The denial of service attacks through botnets, overtaking of
HVAC systems, misuse through BYOD, screens and websites of airports, and ground system
attacks are some of the measures, which can lead to disruption of aviation services.
The “phishing attacks, jamming attacks, remote attacks, and Wi-Fi based attacks” act a
particular risk factor in air traffic control. There is a possibility of radar controls and airport
runway lighting being misused due to the possible cyber-attack on ATC systems. Under ATC,
cyber security acts as a critical infrastructure. This is due to the world being entangled in
sophisticated and deceitful cyber threat landscape at present. The adversaries are often targeting
different organizations, which has now translated to attacks on critical infrastructure. This is the
reason why so many measures are undertaken to protect this pillar of aviation, as have been
elucidated in detail in the previous segments. Yet, there have been many instances where the
ATC was attacked be it the 2006 system shutdown of Alaska ATC systems, or the white-hat
Derby Con demonstration showing vulnerabilities of the adopted systems. The terrorist
interferences like that of ISIS and state sponsored wrongdoings like hacking of US infrastructure
by Russia are just a few of examples of how unsafe the ATC is, despite the varied legislative
instruments being put in place and the bodies working in this regard.
The airlines have also faced similar threats. Further, they are insecure due to being
present in this digitalized world. As is the case with ATC, the airlines too have faced the burn of
pg. 99
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Cyber Security in Aviation
cyber-attacks, including 9/11 attacks, and questions being raised on the disappearance of the
MH370 flight. With the major spending towards the investments in cybersecurity, things are
expected to get better. However, the motivations and knowledge enhancement of the miscreants
are also on the rise, thereby putting the constant efforts taken in this context, in jeopardy. The
industry regulator IATA has constantly voiced the need of integrating the information globally to
curb the cyber threats; however, this has not been very successful until now. The airports are not
far from its other two counterparts. This is because the airports too have faced similar problems.
There is a dedicated discussion in this thesis on the varied types of threats faced by the airports
due to the advancement of technology. This too included the incidents of cybersecurity breach
that actually took place. The discussion of case study of one of the leading imports of the world
highlighted that even their systems were not fully secured. The discussion on incrimination of
Daniel Devereux highlighted the punishment aspect, where the wrongdoer was criminally
indicted and was awarded 32 weeks in prison by Norwich Crown Court.
Thus, this discussion was successful in fulfilling the objectives of this research. This is
because of the detailed discussion undertaken towards highlighting the threats faced by aviation
industry, particularly from a cybersecurity point of view. Further, the various rules, regulations,
laws and regulatory bodies, working constantly towards one or other aspect of the civil aviation
industry also brought forth clarity regarding the legal standing of aviation laws in Europe, India
and United States. A comparative legal analysis revealed various similarities and deviations of
these jurisdictions. This analysis helped in answering the research questions as well, which
proved that the laws of India are reactive and imitative and that the cybersecurity laws of United
States and European regions are proactive and original. This is possibly because of the delayed
entry of Indian measures towards cybersecurity, whilst the other regions being front leaders in
this context. The next chapter covers the future based suggestions, which could help India in
becoming more proactive towards the aviation cybersecurity.
pg. 100
cyber-attacks, including 9/11 attacks, and questions being raised on the disappearance of the
MH370 flight. With the major spending towards the investments in cybersecurity, things are
expected to get better. However, the motivations and knowledge enhancement of the miscreants
are also on the rise, thereby putting the constant efforts taken in this context, in jeopardy. The
industry regulator IATA has constantly voiced the need of integrating the information globally to
curb the cyber threats; however, this has not been very successful until now. The airports are not
far from its other two counterparts. This is because the airports too have faced similar problems.
There is a dedicated discussion in this thesis on the varied types of threats faced by the airports
due to the advancement of technology. This too included the incidents of cybersecurity breach
that actually took place. The discussion of case study of one of the leading imports of the world
highlighted that even their systems were not fully secured. The discussion on incrimination of
Daniel Devereux highlighted the punishment aspect, where the wrongdoer was criminally
indicted and was awarded 32 weeks in prison by Norwich Crown Court.
Thus, this discussion was successful in fulfilling the objectives of this research. This is
because of the detailed discussion undertaken towards highlighting the threats faced by aviation
industry, particularly from a cybersecurity point of view. Further, the various rules, regulations,
laws and regulatory bodies, working constantly towards one or other aspect of the civil aviation
industry also brought forth clarity regarding the legal standing of aviation laws in Europe, India
and United States. A comparative legal analysis revealed various similarities and deviations of
these jurisdictions. This analysis helped in answering the research questions as well, which
proved that the laws of India are reactive and imitative and that the cybersecurity laws of United
States and European regions are proactive and original. This is possibly because of the delayed
entry of Indian measures towards cybersecurity, whilst the other regions being front leaders in
this context. The next chapter covers the future based suggestions, which could help India in
becoming more proactive towards the aviation cybersecurity.
pg. 100
Cyber Security in Aviation
Chapter 7: Suggestions
It is undeniable that the threat of cybersecurity is constantly growing. It has actually
become an industry in itself, where the key concern is on the family lives of the people getting
affected and the businesses increasingly affected as a result of technology. With the increased
connectivity forecasted in future, for the real world devices, covering robots, planes and cars, the
boundaries between physical and virtual security will be blurred. With rise in knowledge and
skills, cybercrimes are set to become the tool of companies, activities and governments, and can
even come out to be a disruptive hobby.
Even though the industry can take steps towards developing secure and robust systems
and towards minimizing the risks in their supply chains, the devices and standards’ proliferation
would make the securing of assets a very hard task. This makes it more significant for the
industry to adopt pro-active approach towards this issue, where the standards are harmonized and
prevention measures (along with detection strategies) are developed, which go beyond their own
systems, to cater to the risks brought by cargo and passengers. This is because the technology-
laden cargo and passengers pose as an additional target that is beyond the control of the industry.
This has led to IATA recommending the need for creating a mechanism for information
exchange, for the airlines, in order to share the cybersecurity threats information. This is a key
issue, which forces the union of industry data across the supply chain, along with the same for
the governments, to truly manage this risk201.
The shortfalls highlighted in the previous segments, regarding the Indian aviation
cybersecurity measures, present the future steps that can be taken by the nation, to further
strengthen its stand. It has already been stated that the cybersecurity threats in aviation are set to
get complex in 2019, making it critical for the industry to guard itself against instances like cyber
espionage. This particularly requires the organizations to build up their perimeter defences and
posture. It is time that the organizations moved towards enhancement of the capabilities of
201 IATA, Future Of The Airline Industry 2035 (2018) <https://www.iata.org/policy/Documents/iata-future-airline-
industry.pdf>
pg. 101
Chapter 7: Suggestions
It is undeniable that the threat of cybersecurity is constantly growing. It has actually
become an industry in itself, where the key concern is on the family lives of the people getting
affected and the businesses increasingly affected as a result of technology. With the increased
connectivity forecasted in future, for the real world devices, covering robots, planes and cars, the
boundaries between physical and virtual security will be blurred. With rise in knowledge and
skills, cybercrimes are set to become the tool of companies, activities and governments, and can
even come out to be a disruptive hobby.
Even though the industry can take steps towards developing secure and robust systems
and towards minimizing the risks in their supply chains, the devices and standards’ proliferation
would make the securing of assets a very hard task. This makes it more significant for the
industry to adopt pro-active approach towards this issue, where the standards are harmonized and
prevention measures (along with detection strategies) are developed, which go beyond their own
systems, to cater to the risks brought by cargo and passengers. This is because the technology-
laden cargo and passengers pose as an additional target that is beyond the control of the industry.
This has led to IATA recommending the need for creating a mechanism for information
exchange, for the airlines, in order to share the cybersecurity threats information. This is a key
issue, which forces the union of industry data across the supply chain, along with the same for
the governments, to truly manage this risk201.
The shortfalls highlighted in the previous segments, regarding the Indian aviation
cybersecurity measures, present the future steps that can be taken by the nation, to further
strengthen its stand. It has already been stated that the cybersecurity threats in aviation are set to
get complex in 2019, making it critical for the industry to guard itself against instances like cyber
espionage. This particularly requires the organizations to build up their perimeter defences and
posture. It is time that the organizations moved towards enhancement of the capabilities of
201 IATA, Future Of The Airline Industry 2035 (2018) <https://www.iata.org/policy/Documents/iata-future-airline-
industry.pdf>
pg. 101
Cyber Security in Aviation
adopted technologies; and took the requisite steps to reach a higher position in the cybersecurity
maturity curve202.
As reported by Nassco, PwC and Data Security Council of India have projected that by
end of 2025, the cybersecurity market of India would be at $35 billion. This is the reason why
the future of military forces of India and that of civil space in context of aviation becomes crucial
for DRDO. This is the reason why development of skilled professionals in cybersecurity gains
significance. Steps taken in this context include the capacity enhancement in this context being
provided through Master’s courses in DIT Pune and NIT Kurukshetra. Aeronautical Society of
India (Hyderabad Chapter) has also emphasized towards need for developing a stronger
academic and industry based focus203.
There are still some pending regulatory/legislative changes, along with possible
development areas, which affect the Indian aviation industry. It is crucial that these areas are
worked at on urgent basis. There is a need to bring in a new regulator, i.e. the Civil Aviation
Authority, to replace DGCA. This authority needs to be given the financial autonomy, as well as,
power of addressing the issues related to environment regulations and consumer protection.
There is a need to complete the proposals of government in next three financial years, which
include constructing 18 Greenfield airports, 17 highways cum airstrips, reviving the fifty
unnerved, and also the underserved airstrips. There is also a need for revving the air service
agreement with different nations, along with initiating regional connectivity scheme. The long
prolonged collaboration of Rajiv Gandhi National Aviation University’s Executive Development
Program with the US-India Cooperation Program for promotion of skill development in context
of senior leadership is the need of the hour. There is also a need to cover the gap regarding the
aviation sector’s demand for trained individuals204.
202 BusinessLine, Aviation sector, supply chain industry could witness cyber attacks in 2019 (15 November 2018)
<https://www.thehindubusinessline.com/info-tech/aviation-sector-supply-chain-industry-could-witness-cyber-
attacks-in-2019/article25505000.ece>
203 M Somasekhar, In India, Cyber Security market to grow to $35 billion by 2025 (09 October 2018)
<https://www.thehindubusinessline.com/info-tech/in-india-cyber-security-market-to-grow-to-35-billion-by-2025/
article25170051.ece>
204 ICLG, India: Aviation Law 2019 (2019) <https://iclg.com/practice-areas/aviation-laws-and-regulations/india>
pg. 102
adopted technologies; and took the requisite steps to reach a higher position in the cybersecurity
maturity curve202.
As reported by Nassco, PwC and Data Security Council of India have projected that by
end of 2025, the cybersecurity market of India would be at $35 billion. This is the reason why
the future of military forces of India and that of civil space in context of aviation becomes crucial
for DRDO. This is the reason why development of skilled professionals in cybersecurity gains
significance. Steps taken in this context include the capacity enhancement in this context being
provided through Master’s courses in DIT Pune and NIT Kurukshetra. Aeronautical Society of
India (Hyderabad Chapter) has also emphasized towards need for developing a stronger
academic and industry based focus203.
There are still some pending regulatory/legislative changes, along with possible
development areas, which affect the Indian aviation industry. It is crucial that these areas are
worked at on urgent basis. There is a need to bring in a new regulator, i.e. the Civil Aviation
Authority, to replace DGCA. This authority needs to be given the financial autonomy, as well as,
power of addressing the issues related to environment regulations and consumer protection.
There is a need to complete the proposals of government in next three financial years, which
include constructing 18 Greenfield airports, 17 highways cum airstrips, reviving the fifty
unnerved, and also the underserved airstrips. There is also a need for revving the air service
agreement with different nations, along with initiating regional connectivity scheme. The long
prolonged collaboration of Rajiv Gandhi National Aviation University’s Executive Development
Program with the US-India Cooperation Program for promotion of skill development in context
of senior leadership is the need of the hour. There is also a need to cover the gap regarding the
aviation sector’s demand for trained individuals204.
202 BusinessLine, Aviation sector, supply chain industry could witness cyber attacks in 2019 (15 November 2018)
<https://www.thehindubusinessline.com/info-tech/aviation-sector-supply-chain-industry-could-witness-cyber-
attacks-in-2019/article25505000.ece>
203 M Somasekhar, In India, Cyber Security market to grow to $35 billion by 2025 (09 October 2018)
<https://www.thehindubusinessline.com/info-tech/in-india-cyber-security-market-to-grow-to-35-billion-by-2025/
article25170051.ece>
204 ICLG, India: Aviation Law 2019 (2019) <https://iclg.com/practice-areas/aviation-laws-and-regulations/india>
pg. 102
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Cyber Security in Aviation
There is a dire need of adopting the DGCA issued Requirements for Operation of Civil
remotely Piloted Aircraft Systems. The India based MRO industry is likely to gain expertise and
expanding with regarding to complete MRO Venture hosted by Thailand. The need for this
venture is particularly because of the fast-paced growth of the Indian commercial aviation
market. The planned Open Sky Air Service Agreement of the government based on the National
Civil Aviation Policy 2016, reciprocally with the SAARC nations, and such territories that are
beyond the five thousand-kilometre radius from New Delhi, needs to be taken up and
implemented at the earliest. This can be deemed as a step towards integration of information with
far-fetched airports as well; thereby assisting in adoption of recommendations given by IATA205.
Until recently, the DGCA had placed prohibitions on the drone use in India, owing to
security and privacy concerns. The previous attempts in this context by the civil aviation
regulator to create a proper framework for governing their operations were dealt in a criticized
manner, thereby resulting it never attaining fruition. Though 2014 saw DGCA bringing forth a
public notice whereby many approvals were enlisted, which were required for the civil
applicability of the unmanned aircraft vehicles. This was coupled by the issuance of draft
guidelines in 2016 and 2017 as well. Even though these rafts were not given the requisite effect,
these did present the intention of the government to allow the use of UAV’s for recreational and
civil purpose in the coming time. The National Drone Policy brought the legalization of drones
from 01st December 2018 in India, thereby requiring advanced steps to be taken by airports to
secure airports against possible hacking of these devices206. Thus, the need for taking specific
UAV based cybersecurity is also a key area of concern for the civil aviation of India.
205 Ibid
206 Ibid
pg. 103
There is a dire need of adopting the DGCA issued Requirements for Operation of Civil
remotely Piloted Aircraft Systems. The India based MRO industry is likely to gain expertise and
expanding with regarding to complete MRO Venture hosted by Thailand. The need for this
venture is particularly because of the fast-paced growth of the Indian commercial aviation
market. The planned Open Sky Air Service Agreement of the government based on the National
Civil Aviation Policy 2016, reciprocally with the SAARC nations, and such territories that are
beyond the five thousand-kilometre radius from New Delhi, needs to be taken up and
implemented at the earliest. This can be deemed as a step towards integration of information with
far-fetched airports as well; thereby assisting in adoption of recommendations given by IATA205.
Until recently, the DGCA had placed prohibitions on the drone use in India, owing to
security and privacy concerns. The previous attempts in this context by the civil aviation
regulator to create a proper framework for governing their operations were dealt in a criticized
manner, thereby resulting it never attaining fruition. Though 2014 saw DGCA bringing forth a
public notice whereby many approvals were enlisted, which were required for the civil
applicability of the unmanned aircraft vehicles. This was coupled by the issuance of draft
guidelines in 2016 and 2017 as well. Even though these rafts were not given the requisite effect,
these did present the intention of the government to allow the use of UAV’s for recreational and
civil purpose in the coming time. The National Drone Policy brought the legalization of drones
from 01st December 2018 in India, thereby requiring advanced steps to be taken by airports to
secure airports against possible hacking of these devices206. Thus, the need for taking specific
UAV based cybersecurity is also a key area of concern for the civil aviation of India.
205 Ibid
206 Ibid
pg. 103
Cyber Security in Aviation
Bibliography
ABC v/s Commissioner of Police & Others. W.P.(C.) No. 12730 of 2005 & C.M. Nos. 9505,
13315 of 2005 & 12222 of 2007
Amendments made in respect of Annexes 6 and 11 of the Chicago Convention as regards to use
of standardized equipment, message handling etc,.
Anand AS, India, the Aadhaar Nation That Isn't Legally Equipped to Handle Its Adverse Effects
(08 December 2016) <https://thewire.in/government/aadhaar-privacy-security-legal-framework>
Archer J, Heathrow Airport fined £120,000 for 'serious' data breach (08 October 2018)
<https://www.telegraph.co.uk/technology/2018/10/08/heathrow-airport-fined-120000-serious-
data-breach/>
Ashford W, Heathrow to probe leak of security files (30 October 2017)
<https://www.computerweekly.com/news/450429079/Heathrow-to-probe-leak-of-security-files>
Ashford W, Perth airport security plans stolen by Vietnamese hacker (11 Dec 2017)
<https://www.computerweekly.com/news/450431587/Perth-airport-security-plans-stolen-by-
Vietnamese-hacker>
AVWeb, DHS: Russia Hacking U.S. ATC? (15 March 2018)
<https://www.avweb.com/avwebflash/news/DHS-Russia-Hacking-US-ATC-230447-1.html>
Barba L, Improving ICS Cybersecurity for Aviation (02 November 2018)
<https://www.secmatters.com/blog/improving-ics-cyber-security-for-aviation>
BBC, Norwich airport and hospital cyber-attack: Man admits guilt (25 May 2017)
<https://www.bbc.com/news/uk-england-norfolk-40047908>
BBC, Norwich airport and hospital cyber-hacker 'His Royal Gingerness' jailed (16 June2017)
<https://www.bbc.com/news/uk-england-norfolk-40307003>
BBC, Norwich hospital and airport cyber-attack: Man charged (24 May 2017)
<https://www.bbc.com/news/uk-england-norfolk-40028225>
pg. 104
Bibliography
ABC v/s Commissioner of Police & Others. W.P.(C.) No. 12730 of 2005 & C.M. Nos. 9505,
13315 of 2005 & 12222 of 2007
Amendments made in respect of Annexes 6 and 11 of the Chicago Convention as regards to use
of standardized equipment, message handling etc,.
Anand AS, India, the Aadhaar Nation That Isn't Legally Equipped to Handle Its Adverse Effects
(08 December 2016) <https://thewire.in/government/aadhaar-privacy-security-legal-framework>
Archer J, Heathrow Airport fined £120,000 for 'serious' data breach (08 October 2018)
<https://www.telegraph.co.uk/technology/2018/10/08/heathrow-airport-fined-120000-serious-
data-breach/>
Ashford W, Heathrow to probe leak of security files (30 October 2017)
<https://www.computerweekly.com/news/450429079/Heathrow-to-probe-leak-of-security-files>
Ashford W, Perth airport security plans stolen by Vietnamese hacker (11 Dec 2017)
<https://www.computerweekly.com/news/450431587/Perth-airport-security-plans-stolen-by-
Vietnamese-hacker>
AVWeb, DHS: Russia Hacking U.S. ATC? (15 March 2018)
<https://www.avweb.com/avwebflash/news/DHS-Russia-Hacking-US-ATC-230447-1.html>
Barba L, Improving ICS Cybersecurity for Aviation (02 November 2018)
<https://www.secmatters.com/blog/improving-ics-cyber-security-for-aviation>
BBC, Norwich airport and hospital cyber-attack: Man admits guilt (25 May 2017)
<https://www.bbc.com/news/uk-england-norfolk-40047908>
BBC, Norwich airport and hospital cyber-hacker 'His Royal Gingerness' jailed (16 June2017)
<https://www.bbc.com/news/uk-england-norfolk-40307003>
BBC, Norwich hospital and airport cyber-attack: Man charged (24 May 2017)
<https://www.bbc.com/news/uk-england-norfolk-40028225>
pg. 104
Cyber Security in Aviation
Berm A, When Reality Hits: From WW II to the New World Order (FriesenPress, 2014)
BusinessLine, Aviation sector, supply chain industry could witness cyber attacks in 2019 (15
November 2018) <https://www.thehindubusinessline.com/info-tech/aviation-sector-supply-
chain-industry-could-witness-cyber-attacks-in-2019/article25505000.ece>
Butterly N, ‘Significant amount’ of sensitive security data stolen in Perth Airport hacking (11
Dec 2017) <https://thewest.com.au/news/wa/significant-amount-of-sensitive-security-data-
stolen-in-perth-airport-hacking-ng-b88686393z>
CANSO, CANSO Cyber Security and Risk Assessment Guide (June 2014)
<https://www.canso.org/sites/default/files/CANSO%20Cyber%20Security%20and%20Risk
%20Assessment%20Guide.pdf >
CCA, Notification (27 October 2009) <http://cca.gov.in/cca/sites/default/files/files/gsr782.pdf>
Computer Evidence, Computer Misuse Act 1990 cases (2019)
<http://www.computerevidence.co.uk/Cases/CMA.htm>
Computer Misuse Act, 1990
Convention for the Unification of Certain Rules for International Carriage by Air
Convention for the Unification of certain rules relating to international carriage by air
Convention on International Civil Aviation
Convention on International Interests in Mobile Equipment
Convention on Offences and Certain Other Acts Committed on Board Aircraft
Council of Europe, US support to the Budapest Convention (25 September 2018)
<https://www.coe.int/en/web/cybercrime/-/us-support-to-the-budapest-convention>
Critical Infrastructures Protection Act of 2001
pg. 105
Berm A, When Reality Hits: From WW II to the New World Order (FriesenPress, 2014)
BusinessLine, Aviation sector, supply chain industry could witness cyber attacks in 2019 (15
November 2018) <https://www.thehindubusinessline.com/info-tech/aviation-sector-supply-
chain-industry-could-witness-cyber-attacks-in-2019/article25505000.ece>
Butterly N, ‘Significant amount’ of sensitive security data stolen in Perth Airport hacking (11
Dec 2017) <https://thewest.com.au/news/wa/significant-amount-of-sensitive-security-data-
stolen-in-perth-airport-hacking-ng-b88686393z>
CANSO, CANSO Cyber Security and Risk Assessment Guide (June 2014)
<https://www.canso.org/sites/default/files/CANSO%20Cyber%20Security%20and%20Risk
%20Assessment%20Guide.pdf >
CCA, Notification (27 October 2009) <http://cca.gov.in/cca/sites/default/files/files/gsr782.pdf>
Computer Evidence, Computer Misuse Act 1990 cases (2019)
<http://www.computerevidence.co.uk/Cases/CMA.htm>
Computer Misuse Act, 1990
Convention for the Unification of Certain Rules for International Carriage by Air
Convention for the Unification of certain rules relating to international carriage by air
Convention on International Civil Aviation
Convention on International Interests in Mobile Equipment
Convention on Offences and Certain Other Acts Committed on Board Aircraft
Council of Europe, US support to the Budapest Convention (25 September 2018)
<https://www.coe.int/en/web/cybercrime/-/us-support-to-the-budapest-convention>
Critical Infrastructures Protection Act of 2001
pg. 105
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Cyber Security in Aviation
Cyberbit, Cybersecurity for International Airport (October 2018)
<https://www.cyberbit.com/wp-content/resources/uploads/2018/10/11094212/Airport-
Cybersecurity-Cyberbit-SCADAShield-Case-Study.pdf>
Das S, 11,592 cases of cyber crime registered in India in 2015: NCRB (06 April 2017)
<https://www.livemint.com/Politics/ayV9OMPCiNs60cRD0Jv75I/11592-cases-of-cyber-crime-
registered-in-India-in-2015-NCR.html>
Datta S, Defending India’s Critical Information Infrastructure (March 2016)
<https://internetdemocracy.in/wp-content/uploads/2016/03/Saikat-Datta-Internet-Democracy-
Project-Defending-Indias-CII.pdf >
Datta S, INTERNET DEMOCRACY PROJECT, Cyber security, Internet Governance and India's
Foreign Policy: Historical Antecedents (January 2016) < https://internetdemocracy.in/reports
/cybersecurity-ig-ifp-saikat-datta/>
Dhapola S, J&K social media ban: Use of 132-year-old Act can’t stand judicial scrutiny, say
experts (28 April 2017) <https://indianexpress.com/article/technology/tech-news-technology/
jammu-and-kashmir-social-media-ban-use-of-132-year-old-act-cant-stand-judicial-scrutiny-say-
experts-4631775/>
Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016
concerning measures for a high common level of security of network and information systems
across the Union
Dunbar D and Reagan B, Debunking 9/11 Myths: Why Conspiracy Theories Can't Stand Up to
the Facts : Includes New Findings on World Trade Center Building 7 (Hearst Books, 2011)
EASA, EASA cooperate with CERT-EU on cybersecurity (14 February 2017)
<https://www.easa.europa.eu/newsroom-and-events/news/easa-cooperate-cert-eu-cybersecurity>
Economic Times, 'Airlines yet to integrate cyber security with business plans' (16 December
2016) <https://economictimes.indiatimes.com/industry/transportation/airlines-/-aviation/airlines-
yet-to-integrate-cyber-security-with-business-plans/articleshow/56020992.cms?
utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst>
pg. 106
Cyberbit, Cybersecurity for International Airport (October 2018)
<https://www.cyberbit.com/wp-content/resources/uploads/2018/10/11094212/Airport-
Cybersecurity-Cyberbit-SCADAShield-Case-Study.pdf>
Das S, 11,592 cases of cyber crime registered in India in 2015: NCRB (06 April 2017)
<https://www.livemint.com/Politics/ayV9OMPCiNs60cRD0Jv75I/11592-cases-of-cyber-crime-
registered-in-India-in-2015-NCR.html>
Datta S, Defending India’s Critical Information Infrastructure (March 2016)
<https://internetdemocracy.in/wp-content/uploads/2016/03/Saikat-Datta-Internet-Democracy-
Project-Defending-Indias-CII.pdf >
Datta S, INTERNET DEMOCRACY PROJECT, Cyber security, Internet Governance and India's
Foreign Policy: Historical Antecedents (January 2016) < https://internetdemocracy.in/reports
/cybersecurity-ig-ifp-saikat-datta/>
Dhapola S, J&K social media ban: Use of 132-year-old Act can’t stand judicial scrutiny, say
experts (28 April 2017) <https://indianexpress.com/article/technology/tech-news-technology/
jammu-and-kashmir-social-media-ban-use-of-132-year-old-act-cant-stand-judicial-scrutiny-say-
experts-4631775/>
Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016
concerning measures for a high common level of security of network and information systems
across the Union
Dunbar D and Reagan B, Debunking 9/11 Myths: Why Conspiracy Theories Can't Stand Up to
the Facts : Includes New Findings on World Trade Center Building 7 (Hearst Books, 2011)
EASA, EASA cooperate with CERT-EU on cybersecurity (14 February 2017)
<https://www.easa.europa.eu/newsroom-and-events/news/easa-cooperate-cert-eu-cybersecurity>
Economic Times, 'Airlines yet to integrate cyber security with business plans' (16 December
2016) <https://economictimes.indiatimes.com/industry/transportation/airlines-/-aviation/airlines-
yet-to-integrate-cyber-security-with-business-plans/articleshow/56020992.cms?
utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst>
pg. 106
Cyber Security in Aviation
El Al Israel Airlines, Ltd. v. Tsui Yuan Tseng, 525 U.S. 155 (1999)
EU, European Aviation Safety Rules (2019)
<https://ec.europa.eu/transport/modes/air/safety/safety-rules_en>
EUROCAE, The European Cyber security for aviation Standards Coordination Group (2019)
<https://www.eurocae.net/about-us/ecscg/>
ExamPariksha, Cyber Security in India – Preparedness, Threats and Challenges (2018)
<https://exampariksha.com/cyber-security-india-preparedness-threats-challenges/>
Example., U.S’s NextGen Automatic Dependent Surveillance–Broadcast (ADS-B)
FAA Needs a More Comprehensive Approach to Address Cyber security As Agency Transitions
to NextGen,’ Report of the U.S.Government Accountability Office, GAO-15-370,
http://www.gao.gov/assets/670/669627.pdf
Geib A, Cybercrime Could Cost Companies US$5.2 Trillion Over Next Five Years, According to
New Research from Accenture (17 January 2019)
<https://www.apnews.com/ac9bb114045c49c59089abae155045e4>
Haass JC, Sampigethaya K, and Capezzuto V, ‘Aviation and Cybersecurity: Opportunities for
Applied Research’ (2016) TR News (304) <http://commons.erau.edu/publication/299>
Henn S, Could The New Air Traffic Control System Be Hacked? (14 August 2012)
<https://www.npr.org/sections/alltechconsidered/2012/08/16/158758161/could-the-new-air-
traffic-control-system-be-hacked >
Houston S, How ADS-B Works: A Look at the Foundation of NextGen (25 December 2017)
<https://www.thebalancecareers.com/how-ads-b-works-a-look-at-the-foundation-of-nextgen-
282559>
Iasiello E, ‘Aviation and Cyber Security: Getting Ahead of the Threat’, Aerospace America,
July-August 2013 at pp. 24.
pg. 107
El Al Israel Airlines, Ltd. v. Tsui Yuan Tseng, 525 U.S. 155 (1999)
EU, European Aviation Safety Rules (2019)
<https://ec.europa.eu/transport/modes/air/safety/safety-rules_en>
EUROCAE, The European Cyber security for aviation Standards Coordination Group (2019)
<https://www.eurocae.net/about-us/ecscg/>
ExamPariksha, Cyber Security in India – Preparedness, Threats and Challenges (2018)
<https://exampariksha.com/cyber-security-india-preparedness-threats-challenges/>
Example., U.S’s NextGen Automatic Dependent Surveillance–Broadcast (ADS-B)
FAA Needs a More Comprehensive Approach to Address Cyber security As Agency Transitions
to NextGen,’ Report of the U.S.Government Accountability Office, GAO-15-370,
http://www.gao.gov/assets/670/669627.pdf
Geib A, Cybercrime Could Cost Companies US$5.2 Trillion Over Next Five Years, According to
New Research from Accenture (17 January 2019)
<https://www.apnews.com/ac9bb114045c49c59089abae155045e4>
Haass JC, Sampigethaya K, and Capezzuto V, ‘Aviation and Cybersecurity: Opportunities for
Applied Research’ (2016) TR News (304) <http://commons.erau.edu/publication/299>
Henn S, Could The New Air Traffic Control System Be Hacked? (14 August 2012)
<https://www.npr.org/sections/alltechconsidered/2012/08/16/158758161/could-the-new-air-
traffic-control-system-be-hacked >
Houston S, How ADS-B Works: A Look at the Foundation of NextGen (25 December 2017)
<https://www.thebalancecareers.com/how-ads-b-works-a-look-at-the-foundation-of-nextgen-
282559>
Iasiello E, ‘Aviation and Cyber Security: Getting Ahead of the Threat’, Aerospace America,
July-August 2013 at pp. 24.
pg. 107
Cyber Security in Aviation
IATA, Aviation Cyber Security Toolkit (2019)
<https://www.iata.org/publications/store/Pages/aviation-cyber-security-toolkit.aspx>
IATA, Future Of The Airline Industry 2035 (2018)
<https://www.iata.org/policy/Documents/iata-future-airline-industry.pdf>
IATA, Remarks of Tony Tyler at the IATA 22nd AVSEC World in Istanbul (05 November 2013)
<https://www.iata.org/pressroom/speeches/Pages/2013-11-05-01.aspx>
ICAO Assembly Resolution A33-1, October 2001, adopted as a part of the Aviation Security
Plan of Action, http://www.icao.int/Meetings/FAL12/Documents/Biernacki.pdf
ICAO Assembly Resolution A36-20, 17th November 2010.
ICAO Doc. 7300/8
ICAO, Annual Report of the ICAO Council: 2014 (2014) <https://www.icao.int/annual-report-
2014/Pages/default.aspx>
ICAO’s Assembly Resolution A35-14
ICLG, India: Aviation Law 2019 (2019) <https://iclg.com/practice-areas/aviation-laws-and-
regulations/india>
ICLG, USA: Aviation Law 2019 (2019 <https://iclg.com/practice-areas/aviation-laws-and-
regulations/usa>
IEEE, Airline CyberSecurity (2019) <http://sites.ieee.org/ocs-cssig/?page_id=875>
Indian Telegraphs Act of 1885
Industry Consultation Body, Industry Developments in ATM Cyber-Security (October 2016)
<http://www.icb-portal.eu/phocadownload/other_output/Industry%20Developments%20in
%20ATM%20Cyber-Security%20Issue.pdf>
Information Technology Act, 2000
pg. 108
IATA, Aviation Cyber Security Toolkit (2019)
<https://www.iata.org/publications/store/Pages/aviation-cyber-security-toolkit.aspx>
IATA, Future Of The Airline Industry 2035 (2018)
<https://www.iata.org/policy/Documents/iata-future-airline-industry.pdf>
IATA, Remarks of Tony Tyler at the IATA 22nd AVSEC World in Istanbul (05 November 2013)
<https://www.iata.org/pressroom/speeches/Pages/2013-11-05-01.aspx>
ICAO Assembly Resolution A33-1, October 2001, adopted as a part of the Aviation Security
Plan of Action, http://www.icao.int/Meetings/FAL12/Documents/Biernacki.pdf
ICAO Assembly Resolution A36-20, 17th November 2010.
ICAO Doc. 7300/8
ICAO, Annual Report of the ICAO Council: 2014 (2014) <https://www.icao.int/annual-report-
2014/Pages/default.aspx>
ICAO’s Assembly Resolution A35-14
ICLG, India: Aviation Law 2019 (2019) <https://iclg.com/practice-areas/aviation-laws-and-
regulations/india>
ICLG, USA: Aviation Law 2019 (2019 <https://iclg.com/practice-areas/aviation-laws-and-
regulations/usa>
IEEE, Airline CyberSecurity (2019) <http://sites.ieee.org/ocs-cssig/?page_id=875>
Indian Telegraphs Act of 1885
Industry Consultation Body, Industry Developments in ATM Cyber-Security (October 2016)
<http://www.icb-portal.eu/phocadownload/other_output/Industry%20Developments%20in
%20ATM%20Cyber-Security%20Issue.pdf>
Information Technology Act, 2000
pg. 108
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
Cyber Security in Aviation
International Civil Aviation Organization, Agenda Item 36: Aviation safety and air navigation
implementation support (26 August 2016)
<https://www.icao.int/Meetings/a39/Documents/WP/wp_236_rev1_en.pdf >
Iran shows off captured US drone’, The Telegraph (UK), Dec 8, 2011, ‘Obama says U.S. has
asked Iran to return drone aircraft’, CNN Wire Staff, 2011, ‘Iran says it built copy of captured
U.S. drone’, CNN International, May 12, 2014.
ITU, Global Cybersecurity Index (GCI) 2018 (2018)
<https://www.itu.int/en/ITU-D/Cybersecurity/Documents/draft-18-00706_Global-Cybersecurity-
Index-EV5_print_2.pdf>
Jeyakodi D, Cyber security in civil aviation (2015) The Aviation & Space Journal 14(4)
Joshi D, A comparison of legal and regulatory approaches to cyber security in India and the
United Kingdom (2019) <https://cis-india.org/internet-governance/files/india-uk-legal-
regulatory-approaches.pdf>
Kakkar M, CBI believes cyber attack led to IGI airport's technical problems in June (25
September 2011) <https://www.zdnet.com/article/cbi-believes-cyber-attack-led-to-igi-airports-
technical-problems-in-june/>
Keller J, U.S. air traffic control computers vulnerable to hackers and other cyber security
threats, GAO says (09 March 2015) <https://www.militaryaerospace.com/articles/2015/03/atc-
cyber-security.html>
Krayem NM, New TSA Cybersecurity Roadmap Articulates Clear Aviation Sector Requirements
(10 December 2018) <https://www.lexology.com/library/detail.aspx?g=2c7cf912-4804-48b0-
9d0d-ad7753621c76>
Kumar GD, India’s Cyber Security: Architecture And Imperatives (09 May 2018)
<https://salute.co.in/indias-cyber-security-architecture-and-imperatives/>
pg. 109
International Civil Aviation Organization, Agenda Item 36: Aviation safety and air navigation
implementation support (26 August 2016)
<https://www.icao.int/Meetings/a39/Documents/WP/wp_236_rev1_en.pdf >
Iran shows off captured US drone’, The Telegraph (UK), Dec 8, 2011, ‘Obama says U.S. has
asked Iran to return drone aircraft’, CNN Wire Staff, 2011, ‘Iran says it built copy of captured
U.S. drone’, CNN International, May 12, 2014.
ITU, Global Cybersecurity Index (GCI) 2018 (2018)
<https://www.itu.int/en/ITU-D/Cybersecurity/Documents/draft-18-00706_Global-Cybersecurity-
Index-EV5_print_2.pdf>
Jeyakodi D, Cyber security in civil aviation (2015) The Aviation & Space Journal 14(4)
Joshi D, A comparison of legal and regulatory approaches to cyber security in India and the
United Kingdom (2019) <https://cis-india.org/internet-governance/files/india-uk-legal-
regulatory-approaches.pdf>
Kakkar M, CBI believes cyber attack led to IGI airport's technical problems in June (25
September 2011) <https://www.zdnet.com/article/cbi-believes-cyber-attack-led-to-igi-airports-
technical-problems-in-june/>
Keller J, U.S. air traffic control computers vulnerable to hackers and other cyber security
threats, GAO says (09 March 2015) <https://www.militaryaerospace.com/articles/2015/03/atc-
cyber-security.html>
Krayem NM, New TSA Cybersecurity Roadmap Articulates Clear Aviation Sector Requirements
(10 December 2018) <https://www.lexology.com/library/detail.aspx?g=2c7cf912-4804-48b0-
9d0d-ad7753621c76>
Kumar GD, India’s Cyber Security: Architecture And Imperatives (09 May 2018)
<https://salute.co.in/indias-cyber-security-architecture-and-imperatives/>
pg. 109
Cyber Security in Aviation
Lago C, The biggest data breaches in the ASEAN region (30 January 2019)
<https://www.cio.com/article/3293060/the-biggest-data-breaches-in-the-asean-region.html?
action=profile_completion&page=2#toc-8>
Leivesley S, British anti-terrorist expert and former Home Office Scientific Adviser, News
Report to The Express, March 14, 2014.
Lykou G, Anagnostopoulou A, and Gritzal D, Smart Airport Cybersecurity: Threat Mitigation
and Cyber Resilience Controls (2019) 19(1) Sensors (Basel) <10.3390/s19010019>
Meity, XII five-year plan on information technology sector (2019)
<https://meity.gov.in/writereaddata/files/downloads/Plan_Report_on_Cyber_Security.pdf>
Moskvitch K, Are drones the next target for hackers? (06 February 2014)
<http://www.bbc.com/future/story/20140206-can-drones-be-hacked>
Munger H, Cyber threats in aviation The sky’s the limit? (17 September 2018)
<https://www.munichre.com/topics-online/en/digitalisation/cyber/cyber-threats-in-
aviation.html>
Nogueras A, Air Traffic Management moving into European Critical Infrastructure (29 March
2012) < http://www.motia.eu/webfm_send/85.pdf >
Parbat K, Estonia open to assist India on cyber security (13 July 2018)
<https://economictimes.indiatimes.com/news/defence/estonia-open-to-assist-india-on-cyber-
security/articleshow/60726974.cms>
Polish Airline, Hit By Cyber Attack, Says All Carriers Are At Risk’, Reuters, June 22, 2015,
Warsaw/Frankfurt.
Press Information Bureau, Cyber Security (12 December 2014)
<http://pib.nic.in/newsite/PrintRelease.aspx?relid=113218>
Procedures for Air Navigation Services-Air Traffic Management (PANS-ATM), Doc.4444.
pg. 110
Lago C, The biggest data breaches in the ASEAN region (30 January 2019)
<https://www.cio.com/article/3293060/the-biggest-data-breaches-in-the-asean-region.html?
action=profile_completion&page=2#toc-8>
Leivesley S, British anti-terrorist expert and former Home Office Scientific Adviser, News
Report to The Express, March 14, 2014.
Lykou G, Anagnostopoulou A, and Gritzal D, Smart Airport Cybersecurity: Threat Mitigation
and Cyber Resilience Controls (2019) 19(1) Sensors (Basel) <10.3390/s19010019>
Meity, XII five-year plan on information technology sector (2019)
<https://meity.gov.in/writereaddata/files/downloads/Plan_Report_on_Cyber_Security.pdf>
Moskvitch K, Are drones the next target for hackers? (06 February 2014)
<http://www.bbc.com/future/story/20140206-can-drones-be-hacked>
Munger H, Cyber threats in aviation The sky’s the limit? (17 September 2018)
<https://www.munichre.com/topics-online/en/digitalisation/cyber/cyber-threats-in-
aviation.html>
Nogueras A, Air Traffic Management moving into European Critical Infrastructure (29 March
2012) < http://www.motia.eu/webfm_send/85.pdf >
Parbat K, Estonia open to assist India on cyber security (13 July 2018)
<https://economictimes.indiatimes.com/news/defence/estonia-open-to-assist-india-on-cyber-
security/articleshow/60726974.cms>
Polish Airline, Hit By Cyber Attack, Says All Carriers Are At Risk’, Reuters, June 22, 2015,
Warsaw/Frankfurt.
Press Information Bureau, Cyber Security (12 December 2014)
<http://pib.nic.in/newsite/PrintRelease.aspx?relid=113218>
Procedures for Air Navigation Services-Air Traffic Management (PANS-ATM), Doc.4444.
pg. 110
Cyber Security in Aviation
Proceedings of the International Civil Aviation Conference, Chicago, Illinois, 1 November-7
Dec1944
Protocol on Matters Specific to Aircraft Equipment
PwC, Aviation perspectives 2016 special report series: Cybersecurity and the airline industry
(2016) <https://www.pwc.com/us/en/industrial-products/publications/assets/pwc-airline-
industry-perspectives-cybersecurity.pdf>
PwC, Getting clear of the clouds Will the upward trajectory continue? (2018)
<https://www.pwc.es/es/publicaciones/transporte/pwc_2015_global_airline_ceo_survey.pdf>
PwC, Tailwinds 2017 airline industry trends (2017)
<https://www.pwc.fr/fr/assets/files/pdf/2017/12/2017-tailwinds-airline-industry-trends-pwc.pdf>
R v Daniel Devereux Norwich Crown Court 16 June 2017
Regulation (EC) No 1108/2009 of the European Parliament and of the Council of 21 October
2009 amending Regulation (EC) No 216/2008 in the field of aerodromes, air traffic management
and air navigation services and repealing Directive 2006/23/EC (Text with EEA relevance)
Regulation (EC) No 1592/2002 of the European Parliament and of the Council of 15 July 2002
on common rules in the field of civil aviation and establishing a European Aviation Safety
Agency (Text with EEA relevance)
Regulation (EC) No 216/2008 of the European Parliament and of the Council of 20 February
2008 on common rules in the field of civil aviation and establishing a European Aviation Safety
Agency, and repealing Council Directive 91/670/EEC, Regulation (EC) No 1592/2002 and
Directive 2004/36/EC (Text with EEA relevance)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
(Text with EEA relevance)
pg. 111
Proceedings of the International Civil Aviation Conference, Chicago, Illinois, 1 November-7
Dec1944
Protocol on Matters Specific to Aircraft Equipment
PwC, Aviation perspectives 2016 special report series: Cybersecurity and the airline industry
(2016) <https://www.pwc.com/us/en/industrial-products/publications/assets/pwc-airline-
industry-perspectives-cybersecurity.pdf>
PwC, Getting clear of the clouds Will the upward trajectory continue? (2018)
<https://www.pwc.es/es/publicaciones/transporte/pwc_2015_global_airline_ceo_survey.pdf>
PwC, Tailwinds 2017 airline industry trends (2017)
<https://www.pwc.fr/fr/assets/files/pdf/2017/12/2017-tailwinds-airline-industry-trends-pwc.pdf>
R v Daniel Devereux Norwich Crown Court 16 June 2017
Regulation (EC) No 1108/2009 of the European Parliament and of the Council of 21 October
2009 amending Regulation (EC) No 216/2008 in the field of aerodromes, air traffic management
and air navigation services and repealing Directive 2006/23/EC (Text with EEA relevance)
Regulation (EC) No 1592/2002 of the European Parliament and of the Council of 15 July 2002
on common rules in the field of civil aviation and establishing a European Aviation Safety
Agency (Text with EEA relevance)
Regulation (EC) No 216/2008 of the European Parliament and of the Council of 20 February
2008 on common rules in the field of civil aviation and establishing a European Aviation Safety
Agency, and repealing Council Directive 91/670/EEC, Regulation (EC) No 1592/2002 and
Directive 2004/36/EC (Text with EEA relevance)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
(Text with EEA relevance)
pg. 111
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
Cyber Security in Aviation
Report of the Aviation Security (AVSEC) Panel, Twentieth Meeting, AVSECP/20 at 2.1, April
2009.
Reuters, Hackers hit Vietnam airports with South China Sea messages (29 July 2016)
<https://www.reuters.com/article/us-vietnam-hacking-idUSKCN1091YL>
Reuters, Malaysia civil aviation chief resigns over MH370 lapses (31 July 2018)
<https://in.reuters.com/article/malaysiaairlines-mh370-resignation/malaysia-civil-aviation-chief-
resigns-over-mh370-lapses-idINKBN1KL0KI>
Rhoades DL, Evolution of International Aviation: Phoenix Rising (Routledge, 2016)
Ruwantissa A,‘ Cyber Terrorism and Aviation—National and International Responses’, Journal
of Transportation Security, 2011, Vol.4 (4), at pp.342.
Section 2- Executive Order -- Improving Critical Infrastructure Cybersecurity dated February 12,
2013
Section 4.9.1 of ICAO Annex 17 to the Convention on International Civil Aviation under title
“Measures relating to cyber threats” pg. 4-5
Section 4.9.2 of ICAO Annex 17 to the Convention on International Civil Aviation under title
“Measures relating to cyber threats” pg. 4-5
Security Experts Warn Airlines Face Threat of Cyber Attacks’, Sydney Morning Herald, July 6,
2015.
Sengupta R, Budget 2017: Will digital India get a cyber-security allocation? (31 January 2019)
<https://factordaily.com/budget-2017-will-digital-india-get-cyber-security-allocation/>
Singh SG, 2016: Major cyber attacks across the globe (30 December 2016)
<https://www.business-standard.com/article/technology/2016-a-year-for-hackers-spies-know-
major-cyber-attacks-across-the-globe-116122800341_1.html>
pg. 112
Report of the Aviation Security (AVSEC) Panel, Twentieth Meeting, AVSECP/20 at 2.1, April
2009.
Reuters, Hackers hit Vietnam airports with South China Sea messages (29 July 2016)
<https://www.reuters.com/article/us-vietnam-hacking-idUSKCN1091YL>
Reuters, Malaysia civil aviation chief resigns over MH370 lapses (31 July 2018)
<https://in.reuters.com/article/malaysiaairlines-mh370-resignation/malaysia-civil-aviation-chief-
resigns-over-mh370-lapses-idINKBN1KL0KI>
Rhoades DL, Evolution of International Aviation: Phoenix Rising (Routledge, 2016)
Ruwantissa A,‘ Cyber Terrorism and Aviation—National and International Responses’, Journal
of Transportation Security, 2011, Vol.4 (4), at pp.342.
Section 2- Executive Order -- Improving Critical Infrastructure Cybersecurity dated February 12,
2013
Section 4.9.1 of ICAO Annex 17 to the Convention on International Civil Aviation under title
“Measures relating to cyber threats” pg. 4-5
Section 4.9.2 of ICAO Annex 17 to the Convention on International Civil Aviation under title
“Measures relating to cyber threats” pg. 4-5
Security Experts Warn Airlines Face Threat of Cyber Attacks’, Sydney Morning Herald, July 6,
2015.
Sengupta R, Budget 2017: Will digital India get a cyber-security allocation? (31 January 2019)
<https://factordaily.com/budget-2017-will-digital-india-get-cyber-security-allocation/>
Singh SG, 2016: Major cyber attacks across the globe (30 December 2016)
<https://www.business-standard.com/article/technology/2016-a-year-for-hackers-spies-know-
major-cyber-attacks-across-the-globe-116122800341_1.html>
pg. 112
Cyber Security in Aviation
Singh SR, Centre likely to quadruple allocation for ‘Digital India’ (19 January 2018)
<https://www.thehindubusinessline.com/info-tech/centre-likely-to-quadruple-allocation-for-
digital-india/article8241178.ece>
Somasekhar M, In India, Cyber Security market to grow to $35 billion by 2025 (09 October
2018) <https://www.thehindubusinessline.com/info-tech/in-india-cyber-security-market-to-grow-
to-35-billion-by-2025/article25170051.ece>
Stander A and Ophoff J, ‘Cyber security in civil aviation’ (2016)Imam Journal of Applied
Sciences <http://www.e-ijas.org/temp/ImamJApplSci1123-1857601_050936.pdf>
Stanford J, Air Traffic Control and Industrial Control Systems in the Age of Cybersecurity
Threats (15 July 2016) <https://www.hstoday.us/channels/federal-state-local/air-traffic-control-
and-industrial-control-systems-in-the-age-of-cybersecurity-threats/>
Strohmeier M, Security in Next Generation Air Traffic Communication Networks (2016)
<https://www.bcs.org/upload/pdf/security-air-traffic.pdf>
Submitted to the Subcommittee on Oversight, Investigations, and Management of the House
Committee on Homeland Security
Sukumar AM, Back to the drawing board (24 September 2015)
<https://www.thehindu.com/opinion/op-ed/arun-mohan-sukumar-on-indias-draft-encryption-
policy/article7685128.ece>
Thakur A, All You Need To Know About Cyber Laws In India (03 March 2017)
<https://blog.ipleaders.in/need-know-cyber-laws-india/>
Thales, Eurocontrol Chooses Thales For Cybersecurity And Digitalisation Of Air Traffic
Services (28 May 2018)
<https://www.thalesgroup.com/en/worldwide/security/press-release/eurocontrol-chooses-thales-
cybersecurity-and-digitalisation-air>
The 2013 progress evaluation data of ICAO’s USOAP
pg. 113
Singh SR, Centre likely to quadruple allocation for ‘Digital India’ (19 January 2018)
<https://www.thehindubusinessline.com/info-tech/centre-likely-to-quadruple-allocation-for-
digital-india/article8241178.ece>
Somasekhar M, In India, Cyber Security market to grow to $35 billion by 2025 (09 October
2018) <https://www.thehindubusinessline.com/info-tech/in-india-cyber-security-market-to-grow-
to-35-billion-by-2025/article25170051.ece>
Stander A and Ophoff J, ‘Cyber security in civil aviation’ (2016)Imam Journal of Applied
Sciences <http://www.e-ijas.org/temp/ImamJApplSci1123-1857601_050936.pdf>
Stanford J, Air Traffic Control and Industrial Control Systems in the Age of Cybersecurity
Threats (15 July 2016) <https://www.hstoday.us/channels/federal-state-local/air-traffic-control-
and-industrial-control-systems-in-the-age-of-cybersecurity-threats/>
Strohmeier M, Security in Next Generation Air Traffic Communication Networks (2016)
<https://www.bcs.org/upload/pdf/security-air-traffic.pdf>
Submitted to the Subcommittee on Oversight, Investigations, and Management of the House
Committee on Homeland Security
Sukumar AM, Back to the drawing board (24 September 2015)
<https://www.thehindu.com/opinion/op-ed/arun-mohan-sukumar-on-indias-draft-encryption-
policy/article7685128.ece>
Thakur A, All You Need To Know About Cyber Laws In India (03 March 2017)
<https://blog.ipleaders.in/need-know-cyber-laws-india/>
Thales, Eurocontrol Chooses Thales For Cybersecurity And Digitalisation Of Air Traffic
Services (28 May 2018)
<https://www.thalesgroup.com/en/worldwide/security/press-release/eurocontrol-chooses-thales-
cybersecurity-and-digitalisation-air>
The 2013 progress evaluation data of ICAO’s USOAP
pg. 113
Cyber Security in Aviation
The Guardian, Flight information screens in two Vietnam airports hacked (09 July 2016)
<https://www.theguardian.com/world/2016/jul/29/flight-information-screens-in-two-vietnam-
airports-hacked>
The Japan Times, Russian hacking of U.S. infrastructure included aviation (17 March 2018)
<https://www.japantimes.co.jp/news/2018/03/17/world/russian-hacking-u-s-infrastructure-
included-aviation/#.W925SJMzbIU >
The Republic of the Philippines v. The People’s Republic of China (PCA case number 2013–19)
Virgillito D, Cyber Threat Analysis for the Aviation Industry (26 February 2015)
<https://resources.infosecinstitute.com/cyber-threat-analysis-aviation-industry/#gref>
Voeller JG, Wiley Handbook of Science and Technology for Homeland Security, 4 Volume Set
(John Wiley & Sons, 2010)
Walker G, Laying the foundations for the future of Air Traffic Management in the UK (04
January 2018) <https://nats.aero/blog/author/gavinwalker/>
Weber L, ‘Chicago Convention’, in R Bernhardt (ed.), Encyclopedia of Public International
Law, Vol. I, (1992) p.571.
Whittaker Z, Data breaches to cost global economy $2 trillion by 2019 (12 May 2015)
<https://www.zdnet.com/article/data-breaches-to-cost-2-trillion-by-2019/>
pg. 114
The Guardian, Flight information screens in two Vietnam airports hacked (09 July 2016)
<https://www.theguardian.com/world/2016/jul/29/flight-information-screens-in-two-vietnam-
airports-hacked>
The Japan Times, Russian hacking of U.S. infrastructure included aviation (17 March 2018)
<https://www.japantimes.co.jp/news/2018/03/17/world/russian-hacking-u-s-infrastructure-
included-aviation/#.W925SJMzbIU >
The Republic of the Philippines v. The People’s Republic of China (PCA case number 2013–19)
Virgillito D, Cyber Threat Analysis for the Aviation Industry (26 February 2015)
<https://resources.infosecinstitute.com/cyber-threat-analysis-aviation-industry/#gref>
Voeller JG, Wiley Handbook of Science and Technology for Homeland Security, 4 Volume Set
(John Wiley & Sons, 2010)
Walker G, Laying the foundations for the future of Air Traffic Management in the UK (04
January 2018) <https://nats.aero/blog/author/gavinwalker/>
Weber L, ‘Chicago Convention’, in R Bernhardt (ed.), Encyclopedia of Public International
Law, Vol. I, (1992) p.571.
Whittaker Z, Data breaches to cost global economy $2 trillion by 2019 (12 May 2015)
<https://www.zdnet.com/article/data-breaches-to-cost-2-trillion-by-2019/>
pg. 114
1 out of 115
Related Documents
![[object Object]](/_next/image/?url=%2F_next%2Fstatic%2Fmedia%2Flogo.6d15ce61.png&w=640&q=75){kind=small}
Your All-in-One AI-Powered Toolkit for Academic Success.
+13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
![[object Object]](/_next/static/media/star-bottom.7253800d.svg)
Unlock your academic potential
© 2024 | Zucol Services PVT LTD | All rights reserved.