The rapid development in technology has greatly enhanced the security and efficiency of various sectors, and the aviation sector is no exception. From the digitisation of data information exchanges and online reservation systems to aircraft automation, civil aviation has benefited hugely from technological advancements. With the introduction of such systems in Bhutan, Kinley Yangden explores potential cyber vulnerabilities and discusses the measures implemented to address them.
Civil aviation, perhaps more than any other industry, relies on sophisticated software and systems for innovation and efficiency. The use of computer-based systems in civil aviation has certainly improved the lives of not only the operators, but passengers and global citizens in general. However, the fact that civil aviation now relies mostly on IT systems has introduced a plethora of new threats. It is therefore crucial that Bhutan considers cyber vulnerabilities in civil aviation and identifies ways to mitigate these threats.
Bhutan, a small Himalayan country with one international and three domestic airports, has two carriers – namely, Royal Bhutan Airlines and Bhutan Airlines – and a helicopter operator called Royal Bhutan Helicopter Service Limited. The aviation industry in Bhutan is now at a stage in its development where paper-based aeronautical information exchanges are slowly preparing to transition to aeronautical information management systems; paperless aircraft operations and online reservation systems are being introduced, among many other computer-based and information technology systems.
The digitalisation of data information exchanges has been in the spotlight for the last decade and continues to maintain a high profile. The Global Air Navigation Plan of the International Civil Aviation Organisation (ICAO) stresses the need for ‘implementation of a seamless, global air traffic management system that will enable aircraft operators to meet their planned times of departure and arrival and adhere to their preferred flight profiles with minimum constraints and without compromising agreed levels of safety’. This vision focuses on integrated air traffic management (ATM), which involves automation of current paper-based information. Aeronautical information is exchanged globally through information technology-based systems. For instance, flight plans, notices to airmen (NOTAM) and weather reports are all generated and disseminated through systems such as ATS Message Handling Systems (AMHS).
ICAO’s ‘No Country Left Behind’ initiative helps to ensure that every state implements the most sophisticated systems available to them. ICAO’s initiative calls for the automation of paper-based aeronautical information, since paper documentation and telex-based text messages cannot satisfy the requirements of ATM integrated and interoperable systems. Therefore, paper product-centric aeronautical information services (AIS) must evolve into data-centric aeronautical information management (AIM) systems to improve methods of information provision and management. The initiative reflects the importance of the evolution referred to as the transition from AIS to AIM. The transition to AIM has increased emphasis on data distribution, placing future AIM systems in a better position to serve airspace users and ATM in terms of their information management requirements.
Additionally, systems such as flight control, GPS-based navigation and flight data management are integrated into flight decks, resulting in safer and more efficient operations. However, these systems may also be vulnerable to cyber attacks.
Airlines also use IT-based systems to enable customers to easily make reservations and access their services. Today, flight tickets can be purchased online using a desktop computer or smartphone. Whilst these systems have improved accessibility, the potential threat of cyber hacking has also increased. Similarly, the use of Flight Movement Recording and Charges System (FMRCS) by airport service providers has largely improved methods of calculating charges, analysing data and producing reports but has failed to guarantee complete protection against cyber threats. Any computer connected to the internet is vulnerable to hacking and therefore poses a threat to the civil aviation industry.
While the introduction of IT in the civil aviation industry in Bhutan, and elsewhere, has improved efficiency, the threat of cyber attack remains. One way to confront this threat is through the development of frameworks and processes required to implement, monitor and manage security operations in line with international best practice. It is therefore the responsibility of aviation industry stakeholders in Bhutan to implement organisational policies and procedures for cyber security systems to identify threats, vulnerabilities and other impacts on system integrity and network communications.
It is equally important for civil aviation in Bhutan to carry out thorough research and risk assessment of current, as well as future, IT systems. Emerging cyber threat scenarios need to be evaluated, findings documented, and remediation recommendations provided to ensure safe, efficient and reliable air transport in Bhutan.
Additionally, regulators are responsible for developing and implementing an appropriate and proportionate regulatory framework for aviation cyber security. Strict compliance by the service provider and airlines needs to be ensured. ICAO states that, “Each Contracting State should encourage entities involved with or responsible for the implementation of various aspects of the national civil aviation security programme to identify their critical information and communications technology systems, including threats and vulnerabilities, and develop protective measures to include security by design, supply chain security, network separation, and remote access control, as appropriate.”
The establishment of a proportionate legal framework at government level to investigate and prosecute those involved in cybercrimes could also help in the fight against cyber threats. Cyber threats cannot be completely eradicated so it is necessary to continuously monitor and work on identifying possible future cyber vulnerabilities. Increased awareness of cyber security and enhancement of human resource capabilities in cyber security can result in a reduction of cyber threats. Nonetheless, cyber security needs to increase its profile to enhance safety and efficiency in civil aviation in Bhutan.
Kinley Yangden works as an Aeronautical Information Officer in the Department of Air Transport, Bhutan. She holds a Post Graduate Diploma in Public Administration from the Royal Institute of Management. She is also an alumna of the Civil Aviation Training Centre in Thailand.