‘Cyber-attacks present a clear challenge to the security of the Alliance and could be as harmful to modern societies as a conventional attack. We agreed in Wales that cyber defence is part of NATO’s core task of collective defence. Now, in Warsaw, we reaffirm NATO’s defensive mandate, and recognise cyberspace as a domain of operations in which NATO must defend itself effectively as it does in the air, on the land, and at sea.’1
The world is becoming ever more digitized and societies’ daily activities are ever more dependent on the digitized infrastructure. Cyber is already an integral part of conflicts in today’s world. Contemporary conflicts and future crises are likely to contain a cyber element. NATO operations rely heavily on cyber-enabled networks; therefore, taking cyberspace into consideration when building and maintaining security is an essential requirement. The implications of recognizing cyberspace as its own domain has shifted the Alliance’s focus from one of ‘information assurance’ to one of ‘mission assurance’.
Cyber defence is understood too often as a standalone approach to security and warfare. The Ukrainian crisis has shown cyber defence needs to be integrated into a broader strategic and operational concept. The Ukrainian crisis is a showcase of this kind of strategic integration, called hybrid warfare. The approach combines conventional military forces with information, operations, provocateurs, cyber, and economic measures.
The protection of national aviation systems from cyber threats is a state prerogative and responsibility. However, its international dimension demands the development and implementation of policies, guidelines, and procedures which could facilitate a seamless resilience of the global aviation system.
The global aviation system is one of the most complex and integrated systems of information and communication technology in the world. It is recognized as a critical infrastructure and potential target for cyber-attacks. Cyber-based threats to aviation are evolving and growing, and these threats can come from many sources, including criminal and terrorist groups, foreign nations, insiders, and others. It needs to be understood the growing interconnectivity among information systems presents increasing opportunities for cyber-attacks.
It should also be noted the interdependencies between civil and military aviation users and stakeholders increase the necessity for trust between them as the ability of the Air Traffic Management (ATM) system to defend against cyber-attacks is only as good as the weakest link in the network. Any potential cyber-attack on the ATM system would not only hamper the safe conduct and management of civil and military flights but could also undermine the trust in the overall security and resilience posture of the Alliance and its member States.
This article will describe the cyber defence aspects of aviation, identify NATO’s aviation capabilities and systems potentially vulnerable to cyber-attack, and propose how NATO should defend those capabilities and systems.
Cyber Defence Aspects of Aviation2
NATO operations heavily depend upon freedom of action within the cyberspace domain. Unfortunately, most of the weapons and mission systems in use today were designed for a pre-Internet world. The implicit assumption was our systems would operate in a fundamentally permissive cyberspace environment. Many of our systems were designed decades ago and it is certainly not surprising no one was able to predict the explosive growth and importance of the cyberspace domain. When system architects considered some form of information security for weapons systems, engineers normally assumed border network defences would keep out adversaries so the environment seen by the weapons system would still be permissive and protected within network defences. These implicit assumptions have proven to be false. NATO’s aviation capabilities and systems are no longer safe as the pace of cyber-attacks increases daily across the military, government, and civilian sectors.
Since all modern weapons systems (such as NATO Airborne Early Warning and Alliance Ground Surveillance systems as well as upgraded air and ground legacy systems) exist simultaneously in both the physical (air, land, and sea) and cyberspace domains, cyber-attacks directly affect warfighting systems in the physical domains as well. There are numerous access points through which adversaries can attack these systems via cyberspace. Any physical connection that passes data, or any antenna with a processor behind it, is a potential pathway for an attacker. Obvious examples include maintenance and logistic systems, radios and datalinks, and other systems that connect operators and platforms (i.e. aircraft, pods or weapons). To make things even more complex, these vulnerabilities are not static, but change constantly. Every software update, every new capability, and every new piece of equipment can introduce new vulnerabilities. To increase complexity further, many critical mission dependencies will lie outside military influence in commercial systems. Since the range of vulnerabilities is so overwhelming, we must start by determining what is most important.
NATO’s Aviation Capabilities and Systems
In order to protect NATO capabilities and systems from a cyber-attack, it is important to identify, as a first step, which ones are susceptible to a cyber-attack. The following military capabilities and systems, amongst others, should be taken into account when attempting to identify NATO’s aviation capabilities and systems susceptible to a cyber-attack:
- National capabilities and systems used in NATO operations and missions
- NATO Air Command and Control System (ACCS)
- Navigation Warfare (NAVWAR)
- Digital Aeronautical Flight Information Files
- Air C2 Information Services
- Airborne Early Warning and Control (AEW&C) Systems
- NATO Airlift Management Programme3
- Integrated Air and Missile Defence
- Alliance Ground Surveillance (AGS)
Because of the interdependencies between civil and military aviation systems, a cyber-attack cannot be defended against by either in isolation. An attack on the civilian aviation sector will also affect NATO’s military capabilities and thus requires a comprehensive response. The North American and European ATM systems are in the process of transitioning from radar to satellite-based systems. This change in the civil aviation operational environment is occurring rapidly and significantly, with the development of new advanced technologies and communication systems shifting from manual processes to more efficient automated processes, communications, and storage. These technological developments will increase the capacity of the air traffic control system and improve safety. However, the following civilian capabilities will also raise significant cyber defence concerns and, when interconnected, will impact NATO’s operational capabilities:
- System Wide Information Management (SWIM) and Networks
- Electronic Flight Bags (EFB)
- Global Navigation Satellite Systems (GNSS)
- Aircraft Communications and Reporting System (ACARS)/Controller Pilot Data Link Communications (CPDLC)
- Instrument Landing Systems (ILS)
- Automatic Dependent Surveillance – Broadcast (ADS-B)
- Global Flight Tracking Technologies
Defending NATO’s Aviation Capabilities and Systems4
Before deciding on how NATO should defend its aviation capabilities and systems, it is helpful to categorize cyberspace assets into the following three broad areas:
Traditional IT: includes Internet Protocol router networks as well as IT-based weapons systems including NATO’s Combined Air Operation Centres and other personnel and logistic systems;
Operational Technology (OT): refers to computer-controlled physical processes or other types of control systems such as building automation or Heating, Ventilation and Air Conditioning (HVAC) systems;
Platforms: includes aircraft, ships, tanks, and any other weapon system operated by the Alliance and its members.
While cyber defence experts are familiar with the defence of traditional IT systems and are beginning to focus on the defence of OT, the work on securing platforms has yet to be investigated.
With this in mind, the best way to effectively defend NATO’s aviation capabilities and systems from cyber-attack is through a combination of defence in depth, resiliency, and advanced defence measures. Each approach (further described below) is necessary and none is sufficient on its own. Therefore, NATO and its members should combine them into a coherent whole for maximum effectiveness.
Defence in depth presents multiple barriers that an adversary must get through, provides the initial defence, and blocks most of the less sophisticated attacks. There are several components of a good defence in depth. The first is a border defence to keep out the low-level attacks accomplished by unskilled attackers who use pre-packaged tools to execute them. A good defence should have numerous borders configured to prevent lateral movement, privilege escalation, and exfiltration of sensitive data. Vulnerability management across enterprises is also a good part of defence in depth and defenders should not just close vulnerabilities but also shut down unnecessary processes and applications to eliminate large sections of attack surface.5 Accomplishing this requires effective and secure systems’ engineering that considers cyber defence throughout the design process. For critical systems, an extreme version of defence in depth is an air-gapped system. However, in most cases, ‘air-gapped’ systems are not truly air gapped because updating or changing them requires other systems to be connected to them. Finally, it is worth mentioning many cyber assets need their own defence in depth system and should not have to rely on the defences of a particular host network, as in the case of highly mobile systems like aircraft where operators and maintainers plug into it with different networks.
Resiliency keeps adversaries from achieving their objectives when attacking NATO and Member States’ systems. Resiliency in defending NATO and its members’ aviation systems will require flexibility, reducing attack surfaces, and reacting dynamically to cyber-attacks. A flexible global aviation system will require excess capacity to provide the redundancies associated with flexibility. It will also need to be a heterogeneous system broken down into defensible enclaves. To react dynamically to cyber-attacks, defenders of the global aviation system need to develop better situational awareness of their own networks and develop intelligence capabilities to understand what potential adversaries are planning.
Advanced defence measures make it difficult for an attacker to stay in systems long enough to inflict damage by finding and defeating sophisticated manoeuvring adversaries. It is important to note they do not always imply real-time monitoring and manoeuvre, but may also rely on periodic checks for some types of systems where real-time monitoring is not practical or desirable. Advanced defence measures are composed of three components: manoeuvre forces, sensors, and tools. Manoeuvre forces are the trained personnel needed to successfully implement active defence. They must not only understand traditional IT systems but must also be knowledgeable in OT and platform systems. Developing this manoeuvre force is needed but we must also provide them with the sensors needed to find the hidden cyber attackers. These sensors will need to go beyond standard Intrusion Detection Systems. Once an attack is detected, manoeuvre forces will need the required tools to allow them to defeat the intruder.6
Finally, consideration should be given to aviation safety and the processes that ensure aeronautical products, parts, and appliances are airworthy. Much like the military and civilian systems listed above, the equipment used in airworthiness certifications is also subject to cyber-attacks. Therefore, the cyber defence measures proposed in this paper should also apply to airworthiness processes.
The current changes to the civil aviation operational environment are resulting in highly integrated and interdependent computer and digital networks, both on board aircraft and in air traffic control facilities, which creates inherent security vulnerabilities.
NATO therefore needs to defend its aviation capabilities and systems from cyber-attack through a combination of defence in depth, resiliency, and advanced defence measures. Furthermore, since an attack on civil aviation systems also affects military aviation, a comprehensive solution is required.
As NATO shifts its focus from ‘information assurance’ to ‘mission assurance’, its members should consider categorizing their cyberspace assets as either Traditional Information Technology, Operational Informational Technology, or Platforms in order to better defend them from cyber-attack as proposed in this article.
Currently there is no common vision, strategy, goal, standard, implementation model, or international policy defining cyber defence for aviation. Ensuring a secure aviation system and staying ahead of an evolving cyber threat is a shared responsibility amongst all stakeholders including governments, airlines, airports, and manufacturers.
Next generation and upgraded legacy systems will only add to future cyber defence concerns as they become increasingly network dependent. It will therefore be critical that cyber defence testing be part of the airworthiness certification process for NATO and its member States.