通往网络弹性航空业的途径.docx

《通往网络弹性航空业的途径.docx》由会员分享，可在线阅读，更多相关《通往网络弹性航空业的途径.docx（34页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、Images: Getty ImagesContentsForeword3Preface4Executive summary51 State of play in the COVID-19 era61.1 Evolving risk profile and cyberthreat landscape71.2 Taking stock of key industry initiatives92 Barriers to increasing cyber resilience across the industry102.1 Underinvestment in cyber resilience c

2、apabilities112.2 Increased complexity of the value chain with12ambiguous accountability2.3 Fragmented approach at governance and policy levels132.4 Lack of visibility and transparency across the supply chain143 Recommended pathways towards cyber resilience153.1 Recommendations at international level

3、173.2 Recommendations at national level213.3 Recommendations at organizational level22Conclusion25Appendix26Glossary28Acknowledgements29Contributors31Endnotes32 2021 World Economic Forum. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, i

4、ncluding photocopying and recording, or by any information storage and retrieval system.Although aviation stakeholders are determined to achieve higher cyber resilience levels, their efforts are hindered by various organizational, technical and regulatory barriers. Overcoming these barriers will req

5、uire a holistic, systematic and collaborative approach by multiple stakeholders in the public and private sector.Businesses, governments and civil societies have already spearheaded many initiatives to build cyber resilience, but they are limited in scope, often isolated and disconnected. To ensure

6、better international alignment and coordination of strategic efforts in the area of cyber resilience, the ICAO established the Secretariat Study Group on Cybersecurity in 2017. It then developed the Aviation Cybersecurity Strategy for the civil aviation sector, as well as a Cybersecurity Action Plan

7、 to help states and stakeholders implement the strategy (in 201 99 and 2020 respectively). The Group also provides a forum for states and concerned stakeholders to globally harmonize the aviation sectors approach to cybersecurity and cyber resilience.FIGURE 3 Barriers to cybersecurity and cyber resi

8、lienceFragmented approach at governance and policy levelsLack of visibility and transparency across the supply chainUnderinvestment in cyber resilience capabilitiesIncreased complexity of the value chain and ambiguous accountabilitySource: Deloitte2.1 Underinvestment in cyber resilience capabilities

9、The COVID-19 pandemic has created an unprecedented existential crisis for the aviation sector. As restrictions continue, the prolonged decline in air travel demand has impelled aviation organizations to maintain a minimum operational level and reprioritize their investments and resources to “keep th

10、e lights on”.The rapid transition to remote working, workforce downsizing and changes in operating models have increased the need for greater vigilance and attention to adversarial cyber activities. Aviation businesses are faced with a dilemma: while exposure to cyberattacks remain high with a broad

11、er, more complex and more complicated attack surface, their ability to fund and resource cybersecurity defence has come under tremendous pressure. These businesses have to strike a delicate balance between operational, financial and cybersecurity risks to achieve long-term growth, prosperity and res

12、ilience for their organization and industry.The high success rate of social-engineering scams such as phishing reveals a growing divide: between increased sophistication and attack capabilities on one side, and low cyber literacy of employees and lack of defence capabilities on the other. This prese

13、nts a major risk for organizations.Cost-saving and accelerated technology implementation have enabled operational continuity, but also brought new risks. Such rapid digital transformation can lead to insufficient attention to cybersecurity, as defence is regarded as a non- essential component.Figure

14、 3 (previous page) illustrates that a proactive implementation of controls will, in the long term, be more beneficial when an adverse event occurs. Rushed technological implementations and budgetary restraints, however, may tempt organizations to take a reactive stance towards cyber resilience. As t

15、he digital ecosystem continues to transform, the accumulated technical deficit and security risks will become increasingly difficult and costly to manage - even more so if cyber resilience is regarded as a retroactive consideration. Without continuous investment and commitment to cyber resilience, o

16、rganizations will be more vulnerable to cyberattacks and thus more likely to endure reputational, financial, operational and safety impacts.2.2 Increased complexity of the value chain with ambiguous accountabilityThe high success rate of social engineering scams such as phishing reveals a growing di

17、vide: between increased sophistication and attack capabilities on one side, and low cyber literacy of employees and lack of defence capabilities on the other.The aviation ecosystem is characterized by a high level of interconnectivity and interdependence. Each actor, direct or indirect, plays an imp

18、ortant role: supplying products, operating and integrating them, and maintaining the system as a whole, as well as its subsystems. Therefore, the aviation industry is often referred to as a system of systems(SoS).1In most cases, the industrys different sub-systems were designed, integrated, operated

19、 and managed by different organizations independently of each other, and evolved at their own pace without a clear understanding of the whole architecture. Different systems must be capable of working autonomously, while ensuring interoperability and integration with all interconnected systems to ma

20、intain efficient operation and overall cyber resilience.This leads to ambiguous accountability. As supply and value chains become more complex, measures must also evolve beyond securing individual systems. A static approach will not suffice; industry players need to address their individual, as well

21、 as shared responsibilities to secure the ecosystem.Harnessing emerging technologies brings tremendous potential: more operational efficiency, better data-driven decisions, and better overall customer experience and satisfaction. With these great technologies comes greater risks, too. Physical and d

22、igital entities are becoming increasingly connected - from critical infrastructure assets, to people and data, to technologies that include biometrics, artificial intelligence (Al), machine learning and the Internet of Things (loT). Increased digitalization of aviation and information systems is als

23、o continuing at pace, as the sector seeks to increase airspace capacity and throughput.11As highlighted in the World Economic Forums report of November 2020: Future Series:Cybersecurity, emerging technology and systemic risk, the increased complexity, pace, scale and the interdependence of technolog

24、ical trends overwhelm the current cyber defences of enterprises. The report urges business leaders to plan more strategically for emerging risk so they can ensure that the organizations delivering the most critical infrastructures do not suffer failures that are catastrophic for societies.12At the c

25、utting edge of this issue is the ICAO Trust Framework Study Group (TFSG). The TFSG aims to securely and digitally connect aviation assets and units around the globe to facilitate informationsharing for multiple purposes, including real-time traffic management. Airports are also increasingly connecte

26、d and digitized, with many services having remote or wireless connections, including accesscontrol and airside systems, such as maintenance, tugs and high-speed wireless between aircraft and docking gate. All of these digitized services exist against a backdrop of complex airport management and acco

27、untability, making it difficult to holistically define and defend an attack surface.Many such services - spanning aircraft, ATM and airport increasingly rely on space-based assets for their operations, which range from data transfer and communications to positioning, navigation and timing (PNT).13 A

28、s legacy and analogue systems are replaced by spacebased capabilities, their cybersecurity and resilience must increasingly be scrutinized.The use of 5G networks is also expected to rapidly grow across the aviation sector. In 2021 the estimated 5G market in aviation will be worth $500 million, with

29、projected growth to $3.9 billion by 2026. 5G will likely become a ubiquitous means of communication across every aspect of the aviation sector, with advantages based on size (connectivity at chip level*), low-power requirements andflexibility. But 5G prevents several cybersecurity challenges. The Eu

30、ropean Network and Information Security Cooperation group asserts that: 5G will increase the overall attack surface and the number of potential entry points for attackers，alongside the challenge of third-party supplier risk management.Overall, the difficulty of understanding risk across interdepende

31、nt and complex digitalized aviation systems with extensive supply chains is only increasing. Securing the supply and value chains must address the end-to-end product life cycle, including design, commission and operations until decommissioning. The different entities in the supply and value chain mu

32、st collaborate on business-critical activities for products and systems, and hence an isolated approach will not suffice. A resilient ecosystem requires individual as well as shared responsibilities.142.3 Fragmented approach at governance and policy levelsExisting practices of information security m

33、anagement systems and corporate governance are inherently limited to individual organizations. This means that governing and managing cybersecurity and its related risks are often not performed beyond the perimeter of the organization.Approaching cyber security from an isolated- perimeter-perspectiv

34、e is insufficient to counter the risks introduced by the System-of-Systems architecture. It can lead to blind spots and a misunderstanding of residual risks from interconnection points in the supply and value chains, compounded with ambiguous accountability related to cyber resilience. A collaborati

35、ve approach from all actors in the aviation value chain should be leveraged, building on a strong history of safety management systems and cross-sector safety collaboration. This will help ensure that cyber risks are adequately and consistently governed and managed across the aviation digital ecosys

36、tem.National or regional cybersecurity strategies, regulations and policy frameworks (such as the European Directive on Security of Network and Information Systems or “NIS Directive) recognize that the market alone cannot effectively incentivize appropriate cybersecurity practices, particularly for

37、critical infrastructure where a cyberattack can affect critical functions.The fragmented regulatory landscape however poses a barrier to aligning approaches nationally and internationally. The NIS Directive, for instance, is interpreted, implemented and enforced separately by each European Union Mem

38、ber State, leading to wide disparity in laws and regulations. Additionally, the assurance frameworks and processes for verifying compliance are limited, with audits and inspections occurring very infrequently and fines imposed only in the most egregious cases. Often regulators do not have the legal

39、authority to impose a fine. Under the NIS Directive, each country has discretion about when to impose a fine and its amount, if the minimum requirements are clearly established. Some of these regulatory gaps are being addressed in the revised European NIS Directive, scheduled for a vote in 2021.图 A

40、collaborative approach from all actors in the aviation value chain should be leveraged, building on a strong history of safety management systems and cross-sector safety collaboration.The revised NIS directive will cover four key areas: 1) greater capabilities for supervision and sanctions by nation

41、al authorities, 2) use of Ell certification schemes and integration with network codes, 3) increased cooperation for crises, incidents and information sharing, and 4) alignment of cyber risk management requirements.These national cybersecurity strategies and regulations would cover critical infrastr

42、ucture industries such as transportation. However, the diversity of the industry ecosystem makes it difficult to regulate each sector at a national level, when capacity and skilled workforces are limited in most national cybersecurity agencies. Emerging countries especially lack plans to establish n

43、ational cybersecurity agencies. Besides, for the aviation industry, the regulation and minimum standards would often derive from those defined for the transportation sector.The power of international and government organizations - such as the European Aviation Safety Agency (EASA), and national civi

44、l aviation authorities (CAAs) like the Federal Aviation Administration (FAA) in the US - are limited by their mandate. Meanwhile, neither digital innovation nor cyberthreats are waiting for regulators to take action.Better interoperability at technical and policy level will help realize the potentia

45、l value of securing the global digital ecosystem. Collaboration between actors is a necessary step to ensuring sustainable, systemic resilience. Currently, many cyber resilience initiatives have emerged on strategic, tactical and operational levels within the industry, but they tend to be fragmented

46、 and limited in scope.2.4 Lack of visibility and transparency across the supply chainThere is a general consensus that access to timely and actionable threat intelligence would improve a companys security, however, such information-sharing between industry actors and government agencies is rare and

47、is hindered by the lack of effective and common data-sharing mechanisms and models.Sharing different types of data requires appropriate security and privacy controls and mechanisms, depending on how critical it is. For example, the sharing of publicly known vulnerabilities and best practices would n

48、ever be handled in the same way as a companys private assessment results, or as intelligence related to an incident.Besides, complex and dynamic data privacy and national security laws need to be taken into account not only within an organization, but also beyond. This raises concerns about legal liability and reputational damage if the wrong information is shared.There must be increased dialogue and contributions from all aviation-sector stakeholders, including manufacturers, end users, gover