Cybersecurity in the commercial and private aviation



Security and cybersecurity in the commercial and private aviation

The 1944 Convention on International Civil Aviation established the core principles of international transport by air, and led to the creation of the International Civil Aviation Organization (ICAO). ICAO’s core mandate, then as today, was to help States in achieving the highest possible degree of uniformity in civil aviation regulations, standards, procedures, and organization.

The U.S. government invited 55 States to attend an International Civil Aviation Conference in Chicago in 1944. Delegates travelled to Chicago, even from countries that were still occupied. They attended the Chicago Conference, and by its conclusion on 7 December, 1944, 52 of them had signed the Convention on International Civil Aviation, known then and today as the Chicago Convention.

Today, ICAO is funded and directed by 193 national governments. The stipulations ICAO standards contain never supersede the primacy of national regulatory requirements. It is always the local, national regulations which are enforced in, and by, sovereign states, and which must be legally adhered to by air operators making use of applicable airspace and airports.

The most important legislative function performed by ICAO is the formulation and adoption of Standards and Recommended Practices (SARPs) for international civil aviation.

The measures taken by ICAO to prevent and suppress all acts of unlawful interference against civil aviation throughout the world is of critical importance to the future of civil aviation. SARPs for international aviation security were first adopted by the ICAO Council in March 1974, and designated as Annex 17 to the Chicago Convention.

In 2021, the ICAO Council approved a new structure to address cybersecurity across the Organization. The new structure consists of a Cybersecurity Panel that reports to the Council’s Aviation Security Committee, an Ad-Hoc Cybersecurity Coordination Committee that reports to the Council, and an expert group dedicated to the International Aviation Trust Framework.

ICAO revised its Cybersecurity Action Plan and produced guidance material to support States and stakeholders in addressing cybersecurity and cyber resilience in civil aviation (Guidance on Traffic Light Protocol, Cybersecurity Policy Guidance and Guidance on Cybersecurity Culture in Civil Aviation).

In line with its cybersecurity training road map, ICAO continues to support States in the development of human resources and capacities needed to manage cybersecurity and cyber resilience in civil aviation. In 2021, ICAO launched its first cybersecurity and cyber resilience course entitled “Foundations of Aviation Cybersecurity Leadership and Technical Management”, which was developed in partnership with Embry-Riddle Aeronautical University. In partnership with EUROCONTROL, ICAO developed a second course addressing classical and cybersecurity aspects of ATM security.

The ICAO training programs are the most important in the industry. Cyber Risk GmbH, a private company incorporated in Horgen, Switzerland, is not affiliated or connected to the ICAO in any way. Cyber Risk GmbH is offering training programs in some difficult areas, like the new NIS 2 Directive of the European Union that changes the compliance requirements of many entities in the aviation industry, and programs that assist the Board of Directors and the CEO to understand cybersecurity challenges.

The Board of Directors and the CEO of entities in the aviation industry must understand that they are high value targets. For them, standard security awareness programs are not going to suffice. The way they are being targeted is anything but standard or usual. They are the recipients of the most sophisticated, tailored attacks, including state-sponsored attacks. These are attacks that are often well planned, well crafted, and employ advanced psychological techniques able to sway a target towards a desired (compromising) behavior without raising any alarms.

Countries expand their global intelligence footprint to better support their growing political, economic, and security interests around the world, increasingly challenging existing alliances and partnerships. They employ an array of tools, especially influence campaigns, to advance their interests or undermine the interests of other countries. They turn a power vacuum into an opportunity.

Countries use proxies (state-sponsored groups, organizations, organized crime, etc.) as a way to accomplish national objectives while limiting cost, reducing the risk of direct conflict, and maintaining plausible deniability.

With plausible deniability, even if the target country is able to attribute an attack to an actor, it is unable to provide evidence that a link exists between the actor and the country that sponsors the attack.


Our training programs

Cybersecurity training for the commercial and private aviation

Cybersecurity training for the Board of Directors and the CEO in the commercial and private aviation

NIS 2 Directive Training for the commercial and private aviation