The Nigerian aviation industry’s growth over the years has been on a downward trajectory in spite of indications of huge spending on technology and digitalization across the aviation ecosystem, which has given rise to an increasing reliance on technology and digital systems. However, these investments in technology also bring along cybersecurity risks that could significantly impact the industry’s operations and reputation. As cyber threats evolve in sophistication and frequency, it is imperative for the industry to adopt robust cybersecurity measures to safeguard critical infrastructure, data, and passenger safety.
“You are under attack”: it sounds threatening, and it is right; everyone (individuals, organizations and governments) may never know it, but we are all potentially under cyber-attack. Interestingly, among the multiplicity of users of the internet and of numerous digital systems and devices, there are users who believe that they can’t be attacked or that staying offline makes them invulnerable. Unfortunately, the fact that evidence of an attack or a compromise has not been discovered does not indicate cyber safety. Essentially, it is either “you are compromised or have been compromised”, or “you don’t even know that you have been compromised”, or, thirdly, “those who will be compromised”. Remember that hackers have their motivations for cyber-attacks, and those determine who and what their targets of interest are. So not being a target of interest at any point in time doesn’t make an individual or entity less vulnerable to cyber-attacks.
Aviation Cybersecurity can be defined as the prevention of and/or reaction to deliberate malicious acts undertaken via cyber means to compromise, directly or indirectly, an aircraft’s systems or any air transport system, where those systems play a key role in the wider aviation system. Aviation Cyber Jacking is hacking into an airplane computer system, or taking control of an aircraft or an air transport system or infrastructure, without authorization.
According to former IATA Director General Tony Tyler at an event in 2014, “Aviation relies on computer systems extensively in ground and flight operations and air traffic management, and we know we are a target.” With this in mind, it behoves the aviation industry, globally and in Nigeria, to put in place a cyber defence mechanism that will protect aviation infrastructure and people.
The aviation industry’s infrastructure and systems did not, ab initio, have a security-by-design architecture or framework, having operated as closed systems in silo mode, with limited interconnectedness where any was in place. That era was laden with aging systems that were not globally network-centric, had limited concern for security, operated in security-by-obscurity mode and had limited bandwidth to support security measures, amongst others.
The driving force for the aviation industry embracing automation, digital and satellite technologies is the massive efficiency, effectiveness and scalability benefits they present. In this new era, the Aviation Technology Drivers include Smart Systems, IoT devices, Cloud infrastructures, Big Data, Robotics, Satellite Systems, AI, 3D/4D, AR/VR, Drones and Blockchain, etc., while the benefits and usage are spread across the entire industry’s domains, such as Regulatory Management Systems, Aircraft IP networks of flights, Airport Information Systems, Common Use Passenger Processing System (CUPPS), Automated MRO Systems, Fuelling Systems, Security Surveillance and Screening Systems, Weather Observation Systems, Digital Air Traffic Controls (ATCs) and Traffic Management Systems, and Electronic Flight Bags. Others include Flight-By-Wire Systems, In-flight Interface Devices, Flight History Servers, Fleet and Route Planning Systems, Passenger Reservation Systems, Frequent Flyer or Loyalty Programs, Ticket Booking Portals, Cargo Handling and Shipping, Access, Departures and Passport Control Systems, and Cabin Crew devices, amongst others.
Over the past decade, the aviation industry has been incrementally transitioning towards digital transformation and Network Centric Operations like SWIM, with a focus on cyber security, enabling the interconnectedness and interdependence of Aviation Systems and enhanced information sharing and collaboration, with the attendant benefits and associated cyber security risks to the industry.
However, the significant role the aviation industry plays in both the global and national economies informs the need to pay serious attention to cybersecurity threats. According to the International Civil Aviation Organization, the industry enables international trade, tourism, and investment; provides a reliable, safe, and efficient transportation network to 2.6 billion passengers annually and about 48 million tons of freight; contributes an estimated 3.5% to the global Gross Domestic Product, worth $2.2 trillion; and supports about 56.6 million direct and indirect jobs globally.
The Guidebook on Best Practices for Airport Cybersecurity, Airport Cooperative Research Program, Report 140 (Feb. 2015) posits that “Cybersecurity has become a cost of doing business for aviation. Aviation Industry can afford it; it is a matter of how much and what sacrifices they are willing to make.”
Successful cyber-attacks or exploits of aviation infrastructure and systems can be simple or sophisticated, and their severity ranges from website defacement to catastrophic failure or compromise of mission safety critical systems, with consequences that include financial loss, reputational damage and collateral damage, including loss of lives. A study by Cybersecurity Ventures predicted that by the end of 2023 cyber-crime would cost the aviation industry $15 billion.
The nature of the cyber threat is complex, global, and constantly changing; attacks are carried out remotely, can be difficult to trace, and tend to cause significant collateral damage to the industry. Cyber-attacks include Information Warfare, Cyber Espionage, Cyber Crime, Cracking, Hacktivism, and Cyber Terror, while the threat actors comprise Nation States, Cybercriminals, Terrorist Groups, Thrill-Seekers, Insider Threats, Script Kiddies and Hacktivists, each focusing on relevant targets of interest using appropriate methods.
There have been several aviation cyber-attacks across the world, on airlines, airports, air traffic management systems, etc., such as:
- The powerful and effective March 2023 cyberattack on the Russian Federal Air Transport Agency (Rosaviatsia) infrastructure, which took place on a Saturday morning and erased all documents, files, aircraft registration data and mails from the servers. In total, about 65 terabytes of data was erased, and the agency’s official website (favt.ru) went down too.
- An attack on the internet in 2006 that forced the US Federal Aviation Administration (FAA) to shut down some of its air traffic control (ATC) systems in Alaska.
- The crash of Spanair flight 5022, a McDonnell Douglas MD82, just after take-off at Madrid-Barajas Airport on 20 August 2008, killing 154 people, where the Civil Aviation Accident and Incident Investigation Commission of Spain reported that the crash occurred because the central computer system used for monitoring technical problems on board the aircraft was infected with malware.
In view of the potential impact of successful aviation cyber exploits, the global aviation community, via the International Civil Aviation Organization (ICAO) and its partners, is addressing cybersecurity and cyber resilience in civil aviation through: i) Cybersecurity enshrined in ICAO SARPs Annex 17; ii) ICAO Assembly resolutions: A39-19 – Addressing Cybersecurity in Civil Aviation of 2016, A40-10 – Addressing Cybersecurity in Civil Aviation, and A41-19 – Addressing Cybersecurity in Civil Aviation of 2022; iii) ICAO Expert Groups, Strategies, Action Plan, Guidance Materials, Trust Framework and Capacity Building.
This is to support and encourage contracting States, based on ICAO decisions, in developing measures, after due risk assessment, that will protect critical aviation information and communications technology systems from unauthorised access and interference, as well as to mandate entities with or responsible for the implementation of various aspects of the national civil aviation security programme to identify their critical information and communications technology systems, including threats and vulnerabilities, and to develop protective measures to include security by design, supply chain security, network separation, and remote access control, as appropriate.
As the global aviation community continues its efforts towards cybersecurity, it is important that we transition to cyber resilience, which basically brings business continuity, information systems security and organizational resilience together. We need to create a cyber resilient aviation industry driven by an appropriate cyber resilience strategy. This is vital because it is much more holistic than focusing on cybersecurity, whose approach is currently siloed, and it speaks to measuring value at risk and integrating cyber insurance in the defence layer decision making process of the organization.
Cybersecurity Challenges in the Nigerian Aviation Industry
The Nigeria Aviation Industry much like other Aviation environments across the world does have its own fair share of cybersecurity challenges:
- Legacy Systems: Within the Nigeria Aviation Ecosystem there exist outdated and unsupported systems that can pose significant cybersecurity risks, as they may lack essential security updates and patches.
- Insider Threats: There is a high risk of insider threats due to the several labour infractions in the industry, which may lead to employees or other trusted individuals with access to critical systems inadvertently or maliciously jeopardizing them.
- Third-party Risks: Partners, vendors, and contractors who have access to aviation systems can become an entry point for cyber attackers due to lack of appropriate background checks.
- Lack of Awareness and Training: Insufficient awareness and cybersecurity training among aviation staff can lead to inadvertent security breaches.
- Resource Constraints: Limited budget allocation for cybersecurity measures may hinder the implementation of robust security protocols.
- Skill Shortages: Lack of adequate Cybersecurity professionals within the Aviation Ecosystem.
- Success depends on many stakeholders: Unwillingness to share data necessary for system-wide risk management.
- Governance and Risk Framework: Lack of publicly available cyber governance and risk framework for compliance purposes.
- Physical Vs Logical Security Issue: A lack of separation between physical (Avsec) and Logical Security (cybersecurity).
- Lack of trust and Information Sharing: There is lack of trust that inhibits information sharing on cybersecurity issues amongst stakeholders.
Cybersecurity Risks in the Nigerian Aviation Industry
Potential risks associated with cybersecurity threats include:
- Data Breaches: Safety compromise and damage to the industry’s reputation can occur in the event of theft of or unauthorized access to sensitive passenger information and flight data.
- Disruption of Operations: Flight schedules and operations could be disrupted by cyber-attacks targeted at critical systems, such as air traffic control or reservation systems, leading in some cases to significant financial losses.
- Ransomware Attacks: Aviation operations can be paralysed in the event of a ransomware attack until a ransom is paid, leading to operational downtime and potential data loss.
- Intellectual Property Theft: Theft of intellectual property can result in economic losses and hinder industry innovation.
Mitigation Strategies
Mitigating and responding to cybersecurity threats and attacks requires multi-stakeholder collaboration and cooperation across the aviation industry. The following key action points should be practiced:
- Adopt a 360-degree mechanism of Top Down and Bottom-Up approach
- Risk Assessment
- Security Awareness and enlightenment Training
- Regular Software Updates
- Network Security
- Incident Response Plan
- Collaboration and Information Sharing
- Separate the safety critical networks from general business networks with relevant security infrastructure
- Closely monitor machines that automate mission safety critical processes
- Use application whitelisting; monitor and log all activities on the network
- Implement strong physical security for access to mission safety critical networks
Regulatory Compliance
The Nigeria Civil Aviation Authority (NCAA) is the competent entity to oversee Aviation Cyber security in line with its ICAO mandate, its establishment Act of the National Assembly and NCAR, and to ensure the ecosystem’s compliance with the Cyber Security core metrics of Confidentiality, Integrity, Availability and Non-Repudiation. NCAA should therefore establish and enforce robust cybersecurity regulations for the aviation industry, including data protection, to ensure that all stakeholders adhere to the highest cybersecurity standards and practice. This should include the following:
- Domestication of the ICAO cyber security programmes
- Development of guidelines and standards in NCAR
- Cyber Security should be part of NCASP.
- Undertake regular Cyber Risk assessment of the Aviation Ecosystem.
- Encourage Information sharing & Incident response
- Conduct necessary research and development
- Establishment of a multi-stakeholder Aviation Computer Emergency Response Team (AviCERT) domiciled in NCAA, as done in other Aviation climes like the EATM-CERT (European Air Traffic Management Computer Emergency Response Team).
Conclusion
Nigeria has made substantial progress in its Aviation Cyber security posture through the development of strategies, guidance materials, etc. by NCAA for Cybersecurity protection across the ecosystem.
Securing Nigeria’s aviation industry against cyber threats is a complex and ongoing process that requires cooperation among all stakeholders by promoting cyber hygiene. By recognizing the risks, implementing strong mitigation strategies, and promoting a cybersecurity-aware culture, the Nigerian aviation industry can safeguard its critical assets and maintain passenger safety and trust in the digital era, where the organizations are cyber secure and the people cyber safe.