Qatar Airways Airbus A350. Photo: Qatar Airways
Qatar’s Civil Aviation Authority (CAA) has become the first Middle Eastern civil aviation regulator to publish new cybersecurity guidelines designed to help mitigate electronic threats and attacks on the nation’s aircraft operators, airports and air traffic control systems.
The agency refers to the new guidelines as a set of recommendations that Qatar’s aviation sector should implement as baseline requirements. CAA specifically identifies its intended audience for the new guidelines to include air traffic control operators, airport authorities and engineers responsible for managing and operating information systems within an airplane.
Several sections of the new guidelines focus specifically on emerging cyber threats to critical aircraft systems and what operators can do to combat them. As an example, operators are instructed to ensure that communications between aircraft and ground-based air traffic control systems are authenticated and encrypted to protect against eavesdropping, jamming, message deletion and message modification.
CAA also notes how the addition of internet connectivity and more advanced forms of in-flight entertainment have opened up aircraft to emerging threats. Six types of attacks are identified as posing a threat to airborne aircraft systems and back-end IT systems for operators in Qatar, including the following:
- Bring Your Own Device
- Distributed Denial of Service and Botnet
- Jamming
- Phishing
- Remote Hijacking
- Wi-Fi-based Attacks
Airlines in Qatar are also instructed by the new guidelines to use IPv6 wherever possible because that version of internet protocol has IPSec encryption built in as a default protection mechanism. Integrated modular avionics systems featured on aircraft should comply with standards such as the ARINC 653 specifications, according to the new guidelines.
“Strictly control the physical access to computer systems or avionics or communication systems abroad an aircraft. Where possible and for critical systems, a principle of four eyes should be used,” the agency said in the newly published guidelines.
CAA’s new aviation cyber guidelines follow the publishing of a similar framework introduced by the European Aviation Safety Agency (EASA) in February. EASA proposed new cybersecurity amendments to the way aircraft electronic networks and systems are certified, requiring manufacturers and operators address threats that can lead to unauthorized access and disruption of electronic information or electronic aircraft system interfaces.
The new guidelines were developed by Qatar’s aviation regulator under recommendations from the International Civil Aviation Organization (ICAO).