Aviation cybercrime is on the rise.
EUROCONTROL’s Think Paper No. 12 on cybersecurity indicates that airlines continue to be an irresistible target for cybercriminals, with around $1 billion a year lost from fraudulent websites alone.
Add to that data theft, card fraud, air miles fraud, phishing, fake invoices and more, and you have a perfect storm for a part of the industry that continues to reel from the pandemic. The Eurocontrol report also states that every week, an aviation actor suffers a ransomware attack somewhere in the world, with big impacts on productivity and business continuity, let alone data loss and/or costly extortion demands paid to restart operations.
Cybercrime was already a reality some years ago. ICAO reviewed its Annex 17 on international aviation security to include cybersecurity. EBAA published an information paper noting that the new ICAO provisions were inserted into Regulation (EC) N°300/2008 laying down common rules and basic standards on aviation security (Aviation Security Regulation or AVSEC Regulation), which is complemented by Implementing Regulation (EU) 2015/1998 (amended by Implementing Regulation (EU) 2019/1583).
The European Commission developed an Information Note to help Member States and operators in the implementation of the requirements related to cybersecurity. This document contains supporting informative material to be used for the practical implementation of cybersecurity preventive measures. The appropriate national authorities have to establish and implement procedures to share, as appropriate and in a practical and timely manner, relevant information to assist other national authorities and agencies, airport operators, air carriers and other entities concerned, to conduct effective security risk assessment relating to their operations, among other areas, in the sphere of cybersecurity. (extract from the Commission’s information note).
Air carriers, defined as air transport undertakings holding a valid operating licence or equivalent, must perform a risk assessment and identify their critical security data and systems and the corresponding protection measures. While the Regulation defines the objectives, the information note provides a helpful description of the requirements but does not dictate the means to achieve the goals. The implementation details are left to Member States and stakeholders. The requirements will enter into force as of January 1st 2022. It was agreed that Member States would disseminate the Commission’s information note to local stakeholders that fall within its scope.
EBAA can also share the information note with its members upon individual request. If you would like access to this document, please do not hesitate to contact Vanessa Rullier at vrullier@ebaa.org.
Another legislative piece on cybersecurity is under preparation. EASA produced its Opinion, which is now under discussion with the Member States. Acceptable Means of Compliance (AMC) and Guidance Material (GM) will also be developed. EBAA is involved in the stakeholder consultation process and will review the draft AMC/GM.