14 Sept 2013

Aviation industry issues cybersecurity 'framework,' eyes info-sharing center

As the U.S. aviation sector, with help from foreign companies, works to establish its own Information Sharing and Analysis Center to better deal with cyber threats, a leading industry group has issued a framework for cybersecurity designed to spur common standards and a change in "culture."
The aviation industry's efforts are attracting widespread attention because of the critical role the sector plays in the economy and the international implications of a cyber attack.
The "framework for aviation cybersecurity" was issued on Aug. 13 by the American Institute of Aeronautics and Astronautics, which bills itself as the "world's largest technical society dedicated to the global aerospace profession." AIAA President-Elect Jim Albaugh said in a statement that he hopes "the world's aviation community implements the framework proposed in this paper, to better safeguard and ensure the future of aviation. Only a vigilant, unified, and coordinated approach will allow us to craft the best possible defenses against the sophisticated and ever-evolving range of threats we face."
Although it goes unmentioned by name in the paper, the developing Information Sharing and Analysis Center (ISAC) for the aviation industry fits squarely in AIAA's call for increased cooperation on cyber threats and incident response, according to Michael Garrett, Boeing's director of aviation security, who helped write the paper. Garrett is also co-chair of a working group charged with setting up the ISAC.
"It is important that government and industry share threat and mitigation data to increase the speed at which threats are mitigated across the aviation system," the framework asserts. "The Critical Infrastructure Partnership Advisory Council (CIPAC) is an existing means for U.S. government and industry stakeholders to address sensitive aviation security issues. Aviation cyber threats are also global in nature with international ramifications. Therefore, there must be mechanisms in place to exchange data with the international aviation community."
Garrett said the working group, chartered under CIPAC, meets once a month to discuss the ISAC, which he says is expected to be up and running by the end of 2014, if not sooner.
"The ISAC is the biggest piece," Garrett said. The working group involves airplane makers, airlines, airports and other interested parties -- including Airbus and other major foreign aircraft manufacturers. "In concept it's easy," he added, but getting all of the key players together "takes a little bit of time."
Meanwhile, Garrett said the AIAA framework -- released at a major conference sponsored by the association -- has so far been met with a "quite positive" reaction. The document, he added, is a "draft plan" that has "resonated as a good starting point" for an industry that sees itself as vulnerable to the usual array of cyber threats to its information and financial systems -- and one that has the unique challenge of protecting airplanes in flight from cyber attacks.
Global economic impact
"Aviation's global economic impact (direct, indirect, induced, and tourism catalytic) is estimated at $2.2 trillion or 3.5% of global gross domestic product (GDP)," the framework states. "Disruption to this flow can result in significant economic and social disruption that would ripple across the globe, as demonstrated in the aftermath to the attacks of September 11, 2001. We now remain vigilant to adversaries who seek to disrupt the global economy by attacking aviation's critical infrastructure."
To that end, the framework calls on the aviation industry to deeply involve itself in public-private partnerships designed to develop common standards for cybersecurity. Citing the National Institute of Standards and Technology, which is leading the development of a cybersecurity framework called for by the Obama administration, AIAA says "Constructive participation in these activities is important to ensuring that aviation's unique requirements are considered when developing the standards."
More broadly, AIAA wants the industry to modify its "culture" to put cyber threats on par with other safety concerns. It also urges cyber vigilance across the board, from research and development and early design work to every aspect of the operational systems that underpin commercial aviation.
In some ways, the aviation industry framework echoes the language used in NIST's draft framework, released last week. AIAA wants the industry to help "ensure that government and industry work together" in coordinating "national aviation cybersecurity strategies, policies and plans." This would entail a private-public sector partnership involving "business continuity elements" for the sector, as well as "rapid incident response teams."
"To encourage the aviation community to fully address the risk of cyber attacks, incentives must be tied to the solution," the AIAA framework states. "There must be clear benefits to implementing new security measures. The balance between market-based approaches and force of law incentives needs to be understood. An incentive-based approach may be the only way to get the market to create the behaviors that will secure critical infrastructure."
Garrett added that the aviation sector, like other critical infrastructure-related industries, remains concerned about "over-regulation" in the cybersecurity area. Noting existing standards already in use by many in the industry, Garrett says "you don't want to regulate in areas where it's not required."
-- Dan Dupont

http://insidecybersecurity.com/Cyber-Daily-News/Daily-News/aviation-industry-issues-cybersecurity-framework-eyes-info-sharing-center/menu-id-1075.html?S=LI#!

"framework for aviation cybersecurity": http://insidecybersecurity.com/iwpfile.html?file=pdf13/cs08302013_AIAA_Cyber_Framework.pdf