Qatar Issues Aviation Cybersecurity Guidelines
Breach Notification, Information Sharing, Risk Management Stressed
To help avoid disruption of civil aviation operations, the Civil Aviation Authority of Qatar and the Ministry of Communications and Transport have issued cybersecurity guidelines.
CAA's new guidelines suggest organizations develop effective risk management, build a structure to respond to breaches and create a standardized approach to information sharing. The guidelines also recommend reporting breaches to CAA and Qatar CERT within 48 hours.
"The objective behind issuing guidelines is to define the scope of what needs to be protected within the civil aviation framework and assist operators and stakeholders within the aviation sector to improve their cybersecurity posture and build a resilient organization," says Ibrahim Ali Albuainain, aviation security inspection supervisor in the aviation security and facilitation department at the Civil Aviation Authority of Qatar.
Because the aviation industry is adopting new services with internet connectivity on airplanes, it must mitigate the new risks involved, the CAA says.
"An effective risk management framework which can help tackle breaches would depend on the ability of the organizations to assess risk and do a business impact analysis, and the framework should follow a standard approach at a high level to understand the organizational risk," says U.K.-based Paul Foster, group CIO and CISO at Cyber Innovation Partners, a consultant for the aviation industry.
CAA's guidelines direct all stakeholders in the aviation sector, including air traffic controllers, airport authorities, information systems managers and CISOs, to apply cybersecurity controls for people, processes and technologies to protect networks and data from digital attacks.
An effective risk framework, according to CAA, includes:
- Understanding the risk and nature of threats;
- Conducting research and development;
- Communicating the risk and ensuring situational awareness;
- Taking the necessary measures to strengthen the defense system and design mitigation strategies.
"The civil aviation sector is very complex and involves many entities, and that is why applying a 'one-size-fits-all' approach doesn't work," Ali Albuainain says. "The biggest challenge is a majority of the new airlines have no structured risk management framework in place, and they have not even appointed a CISO."
Breach Notification and Response
"Enterprises should define a procedure to notify breaches and ensure that the process integrates with the corporate incident management and crisis management process," Ali Albuainain says.
The guidance says organizations must implement an incident management process in line with the National Investigation Agency Policy and report cybersecurity attacks on aircraft systems, maintenance and ground support systems for aircraft, and airport information systems to Q-CERT and the Civil Aviation Authority within 48 hours of discovery.
"A business continuity program with data back-up in multiple locations, along with multi-layer monitoring and management tools, is essential for an effective breach response mechanism," says Dr. Jassim Haji, president, Aviation Artificial Intelligence Society, UAE.
"As more organizations in the aviation sector are moving to public or hybrid clouds, it demands structural changes within the organizations to comply with breach disclosure norms," he says.
The aviation authority says it's imperative for CISOs to implement prudent and pragmatic threat monitoring mechanisms.
Sharing threat intelligence is also critical, CAA officials say. They note that:
- Stakeholders should disclose certain information to regulators in annual reports as well as updates on cyber incidents and malicious attacks.
- Information sharing groups will be created to facilitate communication among CISOs.
Ali Albuainain says the International Civil Aviation Organization is working on creating a standardized approach to information sharing.
CAA and MOTC will facilitate the creation of an information sharing group for the aviation sector open to regulators, airlines and airport operators.
The group will formulate procedures that allow sharing of threat information while protecting potentially sensitive data, Ali Albuainain says. The procedures, he says, should:
- To the extent possible, balance the risks of possibly ineffective sharing against the risks of possibly flawed protection;
- Describe the roles, responsibilities, and authorities (both scope and duration) of all stakeholders;
- Make sure that participating organizations ensure adequate information sharing and tracking procedures that include identification of threat information that can be readily shared with trusted parties;
- Establish processes for reviewing, sanitizing and protecting threat information.
Foster, the consultant, says information should be shared on the types and methods of attacks. Cyberattacks against the aviation environment will only be thwarted, he argues, if the aviation industry improves communications and builds stronger trust.
CAA's new guidelines suggest that organizations embed security in the architecture (systems and networks) by design rather than rely on add-ons put in place to mitigate design flaws.
CAA recommends that enterprises:
- Segregate information assets into different segments, or security zones, based on their criticality or aggregate security level, as derived from the information classification exercise.
- Restrict access to information assets to limited and regulated communication channels. It also recommends hiding sensitive information as much as possible, reinforcing the concept of "security by obscurity."
- Protect information assets at multiple levels and points using multiple techniques and technologies. The security of the system should be assessed based on the least secured asset in the system - the weakest link.
- Adopt privacy by design in protecting personal information by introducing the right to be forgotten and the right to access information.