ICAO Council President Salvatore Sciacchitano addressed the UAE’s High Level Conference on Cybersecurity in Civil Aviation. The address was among a variety of activities he undertook during a mission to Dubai last week.
A new agreement signed by government officials from the Minister of United Arab Emirates (UAE) Cabinet Affairs and the International Civil Aviation Organization will form a new ICAO-UAE partnership to improve aviation cybersecurity strategy and policy for aviation stakeholders in the Middle East.
The agreement was signed during an ICAO mission to the UAE last week, where ICAO Council President Salvatore Sciacchitano addressed the UAE’s “High Level Conference on Cybersecurity in Civil Aviation,” which is held as part of the annual World Government Summit in Dubai. In his speech, Sciacchitano highlighted the presence of some of the legacy systems and networks that comprise what he describes as the backbone of aviation’s “information architecture” or “system of systems.”
“Legacy systems most especially can contain outdated hardware and software that is not always easy to replace. They also can pose inherent security vulnerabilities, being unable to accommodate latest security and encryption best practices,” Sciacchitano said.
While the pandemic led to a historic decrease in the annual volume of passenger-carrying airline flights between 2020 and 2021, a report from Eurocontrol’s new cybersecurity data collection initiative showed a major rise in the number of cyber attacks reported to the agency by aviation companies based in Europe. Several recent cyber attacks that have caused disruption to airlines, airports, and aviation service providers have also shown how large of a target the system of systems is for hackers and bad actors.
In February, Swissport, an airport ground services provider with operations at 285 airports in 45 countries, reported a ransomware attack that took some of its main information sharing systems temporarily offline. Newsweek published an article last year showing how the personal data of more than 4 million passengers was compromised in a cyber attack targeting several airlines that operate in the Asia Pacific region including Air India, Malaysia Airlines, Singapore Airlines, and Finnair.
“The pandemic has also fostered a significant public expectation for touch-less technologies to make their future traveller experience healthier and safer, meaning that we face an entire new wave of compartmentalized digitalization, and still further system-of-systems vulnerabilities arising,” Sciacchitano said in his speech.
The UAE-ICAO aviation cybersecurity agreement will focus on collaboration between the two sides that fosters knowledge and information sharing leading to “accelerators, innovation in future civil aviation, and cybersecurity,” according to ICAO's announcement of the new agreement. ICAO’s agreement with the UAE government is the agency’s latest progress on standardizing the way the global aviation industry responds to and regulates cyber attacks against aviation assets.
The agency adopted Assembly Resolution A40-10—Addressing Cybersecurity in Civil Aviation, during the 40th Session of the ICAO Assembly that calls upon ICAO member-states to implement the ICAO Aviation Cybersecurity Strategy, first published in October 2019. Sciacchitano also advocated in his speech for more ICAO member-states to adopt the Beijing Convention and Protocol of 2010 to establish a global legal framework for dealing with "cyberattacks on international civil aviation as crimes."
“In addition, ICAO has been developing an international aviation trust framework to support the cybersecurity and cyber resilience of civil aviation in the air navigation domain,” Sciacchitano said. “This is a very important project, probably the most important of recent years, to support the secure global exchange of digital aviation information, and will include procedures, technical specifications, and guidance material supporting current and future global network requirements.”