Cybersecurity in aviation: a regulator’s perspective

Modern military aircraft and their supporting ground systems have become increasingly reliant on computer systems for safe and efficient operation, making them targets for cyber-attack. The Military Aviation Authority (MAA) is implementing enhanced requirements for cybersecurity, to evaluate and counter this threat to air safety.

Background

The use of computers in aircraft and their supporting systems is not a new phenomenon: the ability to implement complex functions in software and improve them without changing the hardware has been an attractive attribute in aircraft design for several decades. Previous generations of computers utilised on aircraft tended to be bespoke, isolated systems with novel components. As such, attacks on these computer systems would require physical access and use of specialist equipment and knowledge.

Traditional security measures (such as physical access controls) were effective against such attacks and the computers themselves were limited in their ability to affect aircraft safety. Modern computers are far more powerful and versatile than those of earlier generations. Improved programming techniques now allow them to be used with confidence for safety-critical functions.

Previously, the requirement for military applications drove the cutting edge of computer technology, whereas more recent developments are designed to meet the needs of complex civilian applications such as safety control systems, entertainment and communication systems. Whilst the use of available ‘off-the-shelf’ software and hardware components in military systems represents good value for money by leveraging the billions of pounds being invested in the civil sector, as a direct consequence it may increase the systems’ susceptibility to cyber-attack.

The threat of cyber-attack on military systems is multifaceted and can include incidental attacks not specifically aimed at military systems. An example is a ransomware attack, which encrypts general IT systems and demands payment to unlock the data. The WannaCry ransomware attack of 2017 infected an estimated 300,000 computers worldwide, leading to a lock-down of the UK National Health Service computer system at an estimated cost of £92 million and the cancellation of 19,000 appointments.

Of specific concern to military systems are state-sponsored attacks, either directly from government teams or from covert groups with access to state resources operating under directed intent. Such attacks are likely to be aimed at reducing or impeding military capability or securing access to sensitive information. The attackers themselves are likely to have access to sophisticated technology and intimate knowledge of previously-undisclosed vulnerabilities.

An example of an alleged state-sponsored attack is the infamous Stuxnet virus of 2010, which targeted Iranian nuclear enrichment facilities. This virus spread through PCs operating Windows software, infecting an estimated 200,000 computers. However, it had limited noticeable effect on these machines unless they were connected to a specific type of Siemens control system used in the operation of the Iranian centrifuges.

Once connected, the virus could target the precise motors in use and control their rotational speeds. The attack was subtle in its approach, doing nothing at first but then periodically speeding up and slowing down the equipment, wearing out the motors whilst the cause remained particularly difficult to pinpoint. Deemed highly successful, the attack resulted in a reported 30% drop in output and may have destroyed up to 1000 (10%) centrifuges used at the site.

New civil aviation requirements for cybersecurity

The European Aviation Safety Agency (EASA) has published two notices of proposed amendment (NPA) related to cybersecurity. NPA 2019-01 ‘Aircraft cybersecurity’ was added in February 2019 and NPA 2019-07 ‘Management of information security risks’ was added in May 2019.

NPA 2019-01 introduced the new acceptable means of compliance (AMC) 20-42 which detailed changes to various existing certification specifications (CS) that now include new cybersecurity requirements. For example, CS 25 (large aircraft) will introduce a new clause, CS 25.1319, which requires applicants to protect against ‘intentional unauthorised electronic interactions that may result in adverse effects on the safety of the aeroplane’, whilst demanding that ‘security risks have been identified, assessed and mitigated as necessary’.

NPA 2019-07 has a wider scope, introducing new draft regulation to cover the direct (aircraft specific) and indirect effects on air safety caused by a cyber event impacting the normal functioning of the European Aviation Traffic Management Network (EATMN).

MAA cybersecurity requirements

In 2015, the MAA formally recognised the risk posed by cyber-attacks by updating its default airworthiness code, Defence Standard (Def Stan) 00-970, to introduce requirements for assessing cyber risks to airworthiness. At the time, there were no equivalent requirements within civil regulation, although civilian standards for assessing cyber risks to safety had been published. Therefore, these civilian standards, RTCA DO-326 and DO-356, were introduced to a single clause in part 13 of Def Stan 00-970 and tailored for the military requirement. Def Stan 00-970 is invoked for both type airworthiness (through regulatory article (RA) 5810) and changes to type design (through RA 5820).

The MAA endorses the wider Defence principle of ‘as civil as possible, as military as necessary’. In line with this, Def Stan 00-970 is currently undergoing transformation, as reported in a previous article titled MAA transformation of the design and airworthiness requirements for service aircraft (Defence Standard 00-970), basing its requirements on recognised civil airworthiness codes to which military deltas are applied, where necessary.

Initial MAA focus is to provide updated guidance on the assessment of cybersecurity considerations on type airworthiness and changes to type design. As the new EASA AMC 20-42 is based upon the same civilian cyber standards as previously embodied in Def Stan 00-970, the MAA is seeking to introduce both this new AMC and the updated CS clauses to the equivalent parts of Def Stan 00-970, with necessary military deltas applied. For example, this would introduce CS 25.1319 to the large aircraft standard, Def Stan 00-970 part 5.

Further reviews of MAA cybersecurity policy are anticipated and are likely to include:

  • consideration of overarching MAA regulation of cybersecurity, applicable to all military air safety-critical and safety-enabling systems, including a new RA for cybersecurity and/or updates to existing MAA regulation. This work will embody the overarching cybersecurity framework requirements of the US National Institute of Standards and Technology (namely: identify, protect, detect, respond and recover), but with a specific focus on air safety

  • embodiment of cybersecurity requirements into MAA regulation and guidance where they relate to wider air safety, such as Air Traffic Management requirements in Def Stan 00-972 and continuing airworthiness

  • working with the other cybersecurity regulators and the Regulated Community to establish best practice for cybersecurity in military aviation platforms and their supporting systems

The MAA is mindful that impending Brexit outcomes may bring changes to national civil aviation requirements and is liaising with the Civil Aviation Authority with respect to their ongoing cybersecurity work.

Summary

Cyber-attack poses a significant threat to the safe and efficient operation of modern military aviation systems. By supplementing existing civil regulation where necessary, the MAA must now equip the Regulated Community with cybersecurity regulation that, by design and sufficient through-life support, will ensure our critical systems and infrastructure are appropriately protected from this non-traditional, emerging threat.




Wuhan novel coronavirus and avian flu: advice for travel to China

See latest information and actions for the public on the outbreak of Wuhan novel coronavirus, including the current situation in the UK and actions taken in the UK and abroad.

28 January 2020

As of Tuesday 28 January 2020, there are currently no confirmed cases in the UK or of UK citizens abroad, and the risk to the public remains low.

The Foreign and Commonwealth Office (FCO) are advising against all but essential travel to the Hubei Province. Anyone travelling to China should remain vigilant and check the latest travel advice on GOV.UK.

We have updated our guidance for individuals who have returned from Wuhan, China as follows:

If you have returned from Wuhan in the last 14 days:

  • stay indoors and avoid contact with other people as you would with other flu viruses
  • call NHS 111 to inform them of your recent travel to the city

Yvonne Doyle, Medical Director at PHE, said:

Isolating yourself from other people, like you would with other flu viruses, is in step with the best scientific and expert advice on how to stop the coronavirus from spreading. 

This means taking simple, common sense steps, such as staying at home and avoiding close contact with other people as much as possible.

If you have visited Wuhan and develop a fever, difficulty breathing or a cough within 14 days, you should seek medical attention either in China or on your return to the UK.

In the UK, please stay indoors and avoid contact with others where possible, call your GP or ring 111 informing them of your symptoms and your recent travel to the city.

22 January 2020

UK public health measures are world leading and our excellent NHS is well prepared to manage and treat new diseases. We have been carefully monitoring the situation in Wuhan for some time and are ready to put in place proportionate, precautionary measures.

From today, 22 January 2020, enhanced monitoring will be in place from all direct flights from Wuhan to the UK. The enhanced monitoring package includes a number of measures that will help to provide advice to travellers if they feel unwell.

For those travelling back directly from Wuhan, this includes a Port Health team who will meet each direct flight aircraft to provide advice and support to those that feel unwell. The team will include the Principal Port Medical Inspector, Port Health Doctor, Administrative Support, and Team Leader.

They will check for symptoms of coronavirus and provide information to all passengers about symptoms and what to do if they become ill. Mandarin and Cantonese language support will be available to Public Health England (PHE) and leaflets will be available to passengers.

There are 3 direct flights a week that arrive at Heathrow from Wuhan. The enhanced monitoring of direct flights will be kept under continuous review and expanded to other Chinese departure points if necessary.

Leaflets and information will be made available across all UK airports, advising travellers from China on what to do if they feel unwell.

The risk to the UK population has been assessed as low, based on the emerging evidence regarding case numbers, potential sources and human to human transmission; the risk to travellers to Wuhan is moderate. This has been raised from very low due to current evidence on the likelihood of cases being imported into this country.

There are currently no confirmed cases of this new infection in the UK.

The Department of Health and Social Care (DHSC) issued clinical guidance for the detection and diagnosis of Wuhan Novel Coronavirus and PHE has developed a diagnostic test, making the UK one of the first countries outside China to have a prototype specific laboratory test for this novel disease.

Dr Nick Phin, Deputy Director, National Infection Service, Public Health England, said:

This is a new and rapidly evolving situation where information on cases and the virus is being gathered and assessed daily. Based on the available evidence, the current risk to the UK is considered low. We are working with the WHO and other international partners, have issued advice to the NHS and are keeping the situation under constant review.

If you are traveling to Wuhan, you should maintain good hand, respiratory and personal hygiene and should avoid visiting animal and bird markets or people who are ill with respiratory symptoms. Individuals should seek medical attention if they develop respiratory symptoms within 14 days of visiting Wuhan, either in China or on their return to the UK. They should phone ahead before attending any health services and mention their recent travel to the city.

Previous updates

20 January 2020

As of Monday 20 January 2020, the Wuhan Municipal Health Commission has reported 217 cases of Wuhan Novel Coronavirus. Four of these cases have been diagnosed outside of China – 2 in Thailand, one in Japan and one in South Korea, following travel to Wuhan, China. There have also now been cases in other cities in China. There have been 3 fatalities.

Based on the latest information and analysis, the World Health Organization (WHO) has said that there is evidence of limited human to human transmission of the virus.

Currently, the risk to the UK population is very low and the risk to travellers to Wuhan is low, but the situation is under constant review. However, in line with our robust preparedness activities for emerging infections, we have issued clinical guidance for the detection and diagnosis of Wuhan Novel Coronavirus. There are no confirmed cases of this new infection in the UK.

Dr Nick Phin, Deputy Director, National Infection Service, Public Health England, said:

Based on the available evidence, the current risk to the UK is very low. We are working with the WHO and other international partners, have issued advice to the NHS and are keeping the situation under constant review.

People travelling to Wuhan should maintain good hand, respiratory and personal hygiene and should avoid visiting animal and bird markets or people who are ill with respiratory symptoms. Individuals should seek medical attention if they develop respiratory symptoms within 14 days of visiting Wuhan, either in China or on their return to the UK, informing their health service prior to their attendance about their recent travel to the city.

13 January 2020

Public Health England (PHE) is monitoring the situation with international partners, including the World Health Organization (WHO). PHE has also issued advice to travellers ahead of Chinese New Year this month.

The risk to the UK population is very low and the risk to travellers to Wuhan is low, but they are advised to take simple precautions such as practising good hand and personal hygiene and minimising contact with birds and animals in markets in Wuhan as a further precaution.

The Wuhan Municipal Health Commission has reported 41 cases of the disease so far, the majority of which appear to be connected to a seafood and animal market in the city. There have been no deaths reported and there is no significant evidence of transmission from person to person or any signs of illness among medical and nursing staff.

Dr Nick Phin, National Infection Service Deputy Director at PHE, said on the reported Wuhan novel coronavirus:

Based on the available evidence, the risk to travellers to Wuhan from this disease is low and we are not advising them to change their plans.

In order to minimise the risk of transmission, people travelling to the area should maintain good hand and personal hygiene. Travellers should seek medical attention if they develop respiratory symptoms within 14 days of visiting Wuhan, informing their health service prior to their attendance about their recent travel to the city.

The risk to the UK population is very low. The UK has robust arrangements to manage emerging diseases and we can draw on our experience of developing pioneering diagnostic tests in humans for the coronaviruses – SARS and MERS.

Besides the evolving situation in Wuhan, all travellers should also be aware of the risk of avian flu when visiting China during the Chinese New Year, or Spring Festival, beginning on 25 January 2020.

Human cases of avian influenza have recently been reported in China, and historically there have been more cases at this time of year. Cases have originated from several provinces and municipalities across mainland China, and there have been a small number of avian influenza cases among Hong Kong SAR and Taiwan residents who have travelled to mainland China.

The majority of reported human cases in China have had close contact with wild birds or poultry. Although the risk is very low, Public Health England and the National Travel Health Network and Centre (NaTHNaC) are reminding UK travellers to protect themselves from avian flu by minimising exposure to wild birds and poultry.

Dr Phin added on avian flu:

Although the risk of avian flu to UK residents travelling to China remains very low, anyone planning to visit China, Hong Kong SAR or Taiwan should minimise their exposure to any birds such as wild birds or live birds in ‘wet markets’ as a precaution.

We strongly urge people to avoid touching dead or dying birds and maintain good hand and personal hygiene.

Avian influenza remains a risk in a number of parts of China and if travellers experience coughing or difficulty breathing within 14 days of returning from China, they should call their GP or NHS 111 and report their recent travel.

Travellers can check NaTHNaC’s TravelHealthPro website for current travel health recommendations for:




PM call with Prime Minister Löfven of Sweden: 10 January 2020

The Prime Minister spoke to Prime Minister Löfven of Sweden.

The leaders expressed condolences to all those who lost loved ones on the Ukraine International Airlines flight – including from the UK and Sweden.

They agreed that there must now be a full, transparent investigation and committed to work closely together and with other international partners to ensure the families of the victims get the answers they deserve.

They also underlined the importance of the continued fight against the shared threat from Daesh and urgent de-escalation in the region.

Published 10 January 2020




Founding trustees of Jole Rider Friends paid themselves almost a quarter of charity funds, finds charity watchdog

The Charity Commission has found the two founding trustees of Jole Rider Friends responsible for serious misconduct and/or mismanagement in their handling of the charity’s finances and governance, as well as for failures to sufficiently comply with directions from the Commission. The charity has been wound up and the trustees disqualified.

Jole Rider Friends had charitable objects to advance education, by providing facilities and equipment at schools and other educational institutions in Africa.

The Commission engaged with the charity in 2015, identifying it only had two trustees. Further enquiries revealed other serious concerns including that the trustees were remunerated, contravening their own constitution. At the time, the trustees refused to make restitution for the amount they had taken.

The trustees had also failed to submit accounts, annual reports and returns on time. And, in December 2016, the Advertising Standards Agency ruled the charity had made misleading claims about their charity operations on the charity’s website.

The Commission opened a statutory inquiry to examine matters further in September 2017 and on the same day issued two orders to restrict the charity’s bank from parting with property belonging to the charity and to restrict the trustees from using the charity’s credit card. It was found the founding trustees had, by that point, received unauthorised remuneration of £322,500, equating to 23% of all income received by the charity since it began.

The inquiry found that the charity claimed that it had sent 13,697 bicycles to Africa. However, the charity was unable to supply any documents to show that charity funds were used for this purpose.

The inquiry found the charity operated seven different entities, but as different brand names for the same organisation.

The inquiry also found the charity was insolvent as a result of rent arrears, and that County Court proceedings had been brought against the trustees for unpaid debts owed by the charity.

The inquiry found misconduct and/or mismanagement in relation to:

  • a failure to engage with the action plan, issued by the Commission to the charity, in September 2016
  • the charity being in default of its filing obligations
  • both trustees consistently breached the charity’s own constitution and paid themselves and/or received unauthorised remuneration despite knowing at some point that this was unlawful and against the charity’s governing document
  • the trustees’ failure to comply, in full or at all, with directions issued by the Commission

Restitution was considered but was not found to be proportionate at the time.

The charity was removed from the charity register on 13 September 2019; it was wound up by an interim manager appointed to the charity on a pro bono basis.

The trustees have been disqualified from acting as a trustee or in a senior management role of a charity for 12 years.

Amy Spiller, Head of Investigations Team at the Charity Commission, said:

Charities exist to improve lives and strengthen society – so it’s a legitimate expectation that trustees take their responsibilities seriously. This starts with trustees ensuring charitable funds are spent on the charity’s aims and purpose.

The trustees of the Jole Rider grossly misused charity in paying themselves unauthorised remuneration and in doing so, they betrayed their donors as well as those that could have benefited from this charitable support. Their behaviour throughout, both in the running of their charity, as well as during this inquiry, was a world apart from that expected of trustees. It’s therefore right that both trustees have been disqualified for the part they played in this matter.

The full report is available on GOV.UK.




Trade Minister hails lasting partnership with Morocco ahead of UK-Africa Investment Summit

International Trade Minister, Conor Burns, will meet with Ministers in Rabat, Morocco today to reaffirm the UK’s commitment to investing in Africa’s future through trade.

While there, Minister Burns will be the first UK Minister to visit the Noor Solar Plant, the world’s largest solar plant of its kind, as Morocco pursues its ambition to source more than half of its energy from renewable sources by 2030.

The UK has widely recognised and respected expertise in renewable energy, and its experienced solar industry has great potential for collaboration with Morocco in this crucial sector.

The visit comes ahead of the world’s first UK-Africa Investment Summit, to be held in London later this month, which will seek to create lasting partnerships to deliver more investment, jobs and growth in the UK and Africa.

Africa is expected to be home to 8 of the 15 fastest growing economies in the world this year. By 2050, more than 2 billion people will live in Africa and 1 in 4 global consumers will be African. A closer trade and investment partnership between the UK and Africa will benefit people and businesses both in Africa and the UK.

Meeting with senior government officials including Minister for Foreign Affairs Mr Nasser Bourita and Finance Minister Mr Mohamed Benchaaboun, Minister Burns will discuss our mutual ambition to broaden trade with Morocco post-Brexit, particularly in burgeoning Moroccan industries such as green energy, finance, agriculture and manufacturing. Latest figures show the UK’s trade with Morocco is worth £2.4bn annually.

International Trade Minister Conor Burns said:

As we get Brexit done, we want a closer trading partnership with African nations including Morocco.

It’s been a pleasure to be here this week, working to build on our already strong and lasting partnership and finding even more ways to work together, including in finance, agriculture and green energy. I am confident that our relationship will grow even stronger in the months and years to come.

In October last year, the UK and Morocco signed the UK-Morocco Association Agreement, ensuring that British businesses and consumers benefit from continued trade with Morocco after we leave the EU.

The UK will also be guest of honour at the International Agriculture Show in the Moroccan city of Meknes in April this year.

Background

Latest figures show that the UK exported £2.4 billion worth of goods and services to Morocco in the 12 months to end of June 2019. [Source: ONS UK total trade: all countries, non-seasonally adjusted]