18
DEC
2017

The European Union Cybersecurity agency, ENISA, in Interview

On Air, Issue 18: Partnership in cybersecurity

The European Union Agency for Network and Information Security (ENISA) is a centre of expertise for cyber security in Europe, what is your role?

ENISA, the European Union Cybersecurity agency, is a center of expertise that supports Member States in enhancing their cybersecurity posture. ENISA is facilitating the MS in the implementation of relevant regulation (NIS Directive, eIDas regulation, Article 13a etc); is investing on national capabilities through trainings and exercises (e.g. Cyber Europe, Cybersecurity Challenge) and finally is providing guidelines on the most important emerging technical topics (e.g. Blockchain, IoT security). 

In 2016, ENISA published a study on "Securing smart airports" providing airport decision makers and security personnel with a start-up kit to prevent possible attacks and implement available good practices, in order to secure passengers and operations.  In 2017, ENISA is cooperating with EASA on building cyber security awareness in aviation. In this respect, EASA, the European Aviation Safety Agency, in collaboration with ENISA, hosted the first ENISA training on cybersecurity in aviation on the 20th and 21st of November in Brussels. ENISA’s future work in the field aims in enhancing the security and resilience of air transport in Europe together with all relevant key stakeholders and agencies.

You are also taking part to the foundation of the European Centre for Cybersecurity in Aviation, what is your role there and in aviation in general? 

ENISA is strengthening cyber security in all Critical Sectors (energy, transport, finance health etc) providing guidelines to all MS and bringing stakeholders together to share information. Specifically, for Aviation, ENISA is a member of the Executive Committee and Technical Advisory Committee together with other 30 Representatives from EU-Level Institutions, EASA Member States, Aviation Industry Associations and observers from ICAO, FAA and AIA.

In general, we can summarize our activities in aviation as follows:

  • Support aviation stakeholders: 2016 ENISA report on threat modelling and security measures for airports and relevant stakeholders “Securing smart airports”. 
    ENISA aims to help airports making use of integrated Internet of Things (IoT) components on top of the legacy infrastructure. These airports are implementing these new smart components to offer travellers a portfolio of services that spans from self or automatic check-in, baggage & document check, flight booking management and way finding services to automated border control and security checks. These components while enhancing the user experience, they also pave the way for new attack vectors and expose airport assets to a larger attack surface. The goal is to provide an easy and comprehensive guide for airport decision makers to implement available good practices, in order to secure passengers and operations. 
     
  • Knowledge and capacity building: Trainings
    EASA, the European Aviation Safety Agency, in collaboration with ENISA, the European Union Agency for Network and Information Security, hosted the first ENISA training on cybersecurity in aviation on the 20th and 21st of November in Brussels. The main goal of the training is to inform aviation IT security experts on the latest cyber threats, on the handling of cyber incidents and provide a starting point for the challenges ahead. So ENISA is building capacity in the sectors.  
     
  • Sharing of Information and Reporting: Support EA-ISAC, ECCSA and NIS Directive implementation
    We are currently supporting the creation of the European Aviation ISAC (EA-ISAC) which will provide a platform for cyber security information exchange across Europe. Moreover, ENISA is currently mapping the existing information sharing activities and can support with the extensive expertise in the field (studies, training, etc). 
     
  • Policy Implementation: The Network and Information Security Directive
    The NIS Directive was published in June 2016; all MS should implement it by May 2018. The specific provisions include the implementation of baseline security measures and incident notification for the operators of essential services. The Aviation sector covers specifically:
    • Air carriers
    • Airport managing bodies, core airports and entities operating ancillary installations contained within airports
    • Traffic management control operators providing air traffic control (ATC) services.

In 2017 we are supporting all stakeholders involved in the implementation process of upcoming NIS Directive and accordingly providing input to the Cooperation Group. ENISA can collaborate by focusing its ongoing efforts for NISD implementation in the direction of the transport stakeholders’ needs.

What is the extent of the cooperation between ENISA and EASA?

ENISA is a member of the Executive Committee and Technical Advisory Committee together with other 30 Representatives from EU-Level Institutions, EASA Member States, Aviation Industry Associations and observers from ICAO, FAA and AIA. We currently assisting EASA, for Collaboration of the NIS Directive and Aviation cybersecurity, with: 

  • Overview of ENISA NIS Directive current activities in support of the cooperation group
  • understanding EASA Aviation cybersecurity needs and possible synergies
  • supporting their capacity building 

The goal is to synergize with EASA and promote Cybersecurity Awareness and Preparedness in the aviation sector. ENISA is a knowledge partner of EASA and aims to bring cybersecurity expertise to EASA in order to meet the needs of future challenges and streamline future efforts.

What are the main challenges faced by the Aviation sector as far as cyber security is concerned?

Cyber security is something new for the Aviation sector. Primarily stakeholders need to conjugate safety (where maturity is high) with cybersecurity. As the attack vector is widening, the aviation sector should prepare for upcoming more sophisticated attacks and hybrid threats. 

From the organisational perspective the Aviation sector need to invest more on raising the next generation of aviation cyber security experts and on promoting a wide spread culture of cybersecurity awareness in all areas of air transport. 

ENISA’s future work in the field, aims in developing the security and resilience of air transport in Europe together with all relevant key stakeholders and agencies. In the context of the NIS Directive , ENISA will assist Member States and the European Commission by providing expertise and advice, as well as developing and facilitating the exchange of good practices, with the ultimate goal to enable higher level of security for Europe’s air transport infrastructure.