In June, some 900 European cybersecurity specialists from 30 countries sprang into action when an ordinary day at the airport turned into mayhem: automated check-in machines displayed "system failure", check-in counter computers packed up, smartphone travel apps stopped working, baggage claim shut down, departure boards read all flights "cancelled". Queues, queues, queues, and half of flights grounded.
Using digital and hybrid attacks, a radical group had taken control of critical airport systems to feed propaganda through digital channels – but it was all, of course, an exercise.
Organised by ENISA, the Athens-based EU agency for network and information security, the two-day event featured real life-inspired technical and non-technical incidents designed to escalate into a crisis at organisational, local, national and European levels. It was the latest in an eight-year series of "Cyber Europe" exercises designed to develop the EU co-operation mechanisms needed to respond to large-scale cyber incidents.
As ENISA executive director Udo Helmbrecht put it, evolving technology has paid huge dividends to aviation but also brought new threats. And, he says: "European countries and organisations working together as one entity is the modern response to borderless cyber threats."
These threats are confined neither to civil aviation nor to Europe. The New York Times report on an October US Government Audit Office review of military cybersecurity was headlined: "New US weapons systems are a hacker's bonanza, investigators find."
Defence planners acknowledge the seriousness of the cyber problem; NATO now recognises five domains of operations – land, air, sea, space and cyberspace – and maintains cyber rapid reaction teams on 24h standby. This year's NATO summit in Brussels agreed to establish a new Cyberspace Operations Centre.
In his keynote address to last month’s Cybertech Europe conference in Rome in September, Leonardo chief executive Alessandro Profumo called for NATO to consider investment in cybersecurity to be included in member states' 2% of GDP defence spending target.
Profumo detailed the scale of a cyber challenge that stems from a "rapid digitalisation" of many domains of our lives; globally, 2017 saw at least 1,227 "serious cyberattacks" and the global cybersecurity market – in which Leonardo is a serious player – is booming, expected to grow in value from some €120 billion ($138 billion) last year to €180 billion in 2018.
He called for European member states and institutions "to work alongside technology providers and end users to understand the best way to jointly respond", and praised the European Commission’s September decision to establish a European Cyber Competence Centre.
Leonardo itself clearly takes the cybersecurity issue seriously. Profumo pointed to its opening, earlier in September, of a training academy in Lincoln, in the UK, to train specialists in cyber and electromagnetic activities. Just a few days after the Rome conference, Leonardo announced the establishment of a new cybersecurity division.
But to make sense of the cyber threat, take a step back and consider the technical and social changes creating this new environment. Several presentations to Cybertech Europe suggested a useful way to think about the problem: it exists at the point where "IT meets OT"; that is, where information technology and operating technology such as sensors and activators come together to turn data and communications into real-world action.
That IT-OT interface means huge benefits but also a security threat escalation. Eva Chen, who heads internet content security company Trend Micro, spoke of a "superconnected world" with no national or company boundaries – and 20 billion connected devices for hackers to attack.
The military cyber challenge was summed up by Brig Gen Francesco Vestito, chief of Italy’s joint cyber operations command. The hacker, he said, "meets us at the junction between IT and operations technology".
National defence interests, he added, suggest that the military should, if possible, build its own control systems, to be sure it controls what it wants to control rather than be reliant on what a commercial supplier can provide.
However, he said, 85% of cyber systems today are supplied commercially. And the cyber world evolves fast: "There is a new platform every three years! It's not like building an aeroplane that lasts for 20."
Ultimately, said Vestito, the key to deterrence is attribution of every input. The old adage: "if it ain't, broke don't fix it" fails in cyberspace – because if it's working OK, "somebody is on to you!"
Realistically, Vestito's concerns about reliance on commercial suppliers need to meet Profumo's call for states to work alongside technology providers and end users. Speaking to FlightGlobal on the Cybertech sidelines, Leonardo’s security and information systems division vice-president for sales technical support, Alessandro Menna, said the company is working with the European Aviation Safety Agency, national air navigation service providers and other European-level stakeholders on a "blueprint" project to ensure at least future systems are "cybersecure by design".
Meanwhile, he added, as a platform provider, the company is designing its own platforms with security built in, and striving to make legacy systems retrofittable.
Critically, collaboration between commercial, state and defence players may be more than economically pragmatic. Leonardo offers clients access to a "threat intelligence platfor", a proactive scheme to identify and predict attempted attacks.
Menna describes this an artificial intelligence-based open-source tool that lets Leonardo data scientists provide risk management strategies. "The goal is to make our clients more difficult to penetrate."
Menna believes no individual company working on its own could match the warning and deterrence power of this network. Time, he said, is critical in combating cyber threats. A few minutes advantage to an attacker can be huge, so airports, power stations, or factories must be able to recognise an attack and respond immediately.
Another old adage is that no battle plan survives contact with the enemy. But, the value of a co-ordinated, collaborative approach may have been demonstrated by ENISA in its June airport attack exercise. Summing up, ENISA observes: "In the end, the participants were able to mitigate the incidents [promptly] and effectively. This shows the European cybersecurity sector has matured over the last few years and the actors are much more prepared."
Source: Flight International