Is the attack affecting the airworthiness, the safety of flight, or (just) the business?
I believe this is the key question for many cybersecurity in aviation professional and for sure this is the key questions for me @EASA.
Is the TA2541 group activity a big concern for aviation?
I would love to read your comments on this.
Good question. To my opinion they can be independent or not, subject to the attack path and target. There are several possible combinations, for example, a disruption of an IT infrastructure may impact the operations without effect on the airworthiness or the safety.
According to the researchers, the participants of the group TA2541 have very low qualifications, care little about the secrecy of their actions,often use ready-made malware and have been operating since 2017 from Nigeria. So, i believe that their target is to gain money with random and to expose the company, rather to occur safety issues.
Probably business has always been considered the main cyber actor goal, but if we push the concept to cyber war we need to consider the safety of flight as well. Nowaday, moreover, being some technology available at a very low price on the market (I meant for example Software Defined Radios) an relevant knowledge available on public domains, we need to consired that some malicius actor could act also for bravery demonstration affecting again the safety of the flight. I'm quite surprised that no incident (as far as I know) has been recorded and identified with this last cause. I think that differently form other sectors someone can leverage the fact that the Aviation sector has a big inertia in changing and retro fitting something that has been designed thinking in a trusted environment is quite a challenge.
EASA NPA 2019-01 "Aircraft Cybersecurity" published on 2019-02-22 offered a very good perspective on the intent of CS 25.1319 with a good example when safety is not affected but there are other business impacts (such as to privacy/confidentiality in that case):
"The term ‘intentional unauthorised electronic interaction (IUEI)’ was developed jointly by RTCA and EUROCAE (see the definition and scope of IUEI in Eurocae ED-203A, Section 2.1). The term ‘adverse effects on the safety of the aeroplane’ limits the scope of this provision to security breaches that impact on the safety and airworthiness of the aeroplane and its operation, rather than security breaches that may impact on the systems that have no safety effect on the aeroplane. For example, while the manufacturer and the operator may have real concerns about protecting a device that is used to process passenger credit cards and securing passenger information, EASA does not regard this as being subject to review and approval as part of the certification of the system, but instead as something that the operator or manufacturer would address as part of its business practices and responsibilities to the customer. "
A-ISAC offers good insight into the aviation-targeted activities of TA2451. For example, some A-ISAC members have blocked phishing attempts from TA2541 with an Airbus spoofed email address.
You are not allowed to comment on content in a group you are not member of.
Cybersecurity