Supporting every aircraft in flight is an unseen, complex, global infrastructure called the Air Traffic Management (ATM) system, which ensures that safety and security are routinely maintained. As the digitalisation of aviation proceeds at pace, ATM is evolving in parallel to deliver new services seamlessly and cost-efficiently. John Hird reveals how the system is changing, and how regulators and other ATM stakeholders are working together to ensure that the system remains cyber-resilient.
Aerodromes are familiar places for the flying public, but few are aware of the Air Traffic Management (ATM) system that supports aircraft in transiting from departure to destination. The ATM system comprises a variety of physical, organisational, information and human assets, interacting in a complex system of systems to deliver a seamless travelling experience to passengers. Operational stakeholders include Air Navigation Service Providers (ANSPs) and the EUROCONTROL Network Manager (NM), working together to deliver air traffic flow and capacity management (ATFCM). The goals of ATM are to expedite flights safely, balancing capacity and demand by providing effective flow management to minimise delays, and to do so cost-effectively while limiting environmental impacts.
However, the current system used to do this is a patchwork of evolving, interconnected systems, comprising be¬spoke legacy systems and more recent commercial off-the-shelf (COTS) systems, connected by a variety of interfaces utilising a combination of national, international and proprietary standards. These include ground and space-based communication, navigation, and surveillance (CNS) systems, air traffic control centres (ACCs), airports, and the information used by and exchanged between systems as aircraft are assisted through controlled airspace. The diversity of systems has, as we will see, significant implications for cybersecurity.
Digitalisation
The digitalisation of aviation is proceeding at pace, and the architecture of the future European ATM system will rely on increased interconnectivity, based on modern technologies and enhanced interoperability, to deliver new operational concepts building on the sharing of aeronautical information. Examples include the development of System Wide Information Management (SWIM) for information exchange, and the use of Global Navigation Satellite Systems (GNSS), e.g. GPS, Galileo, GLONASS, and associated ground- and satellite-based augmentation systems for navigation and surveillance. Virtual centres are another example, where the goal is to decouple ATM data services, such as flight data, radar, and weather information, from physical controller working positions. This could deliver greater flexibility in organising ATM operations and, in doing so, provide seamless and more cost-efficient service provision to airspace users.
In connected aircraft, digital services support the use of Electronic Flight Bags by pilots, hand-held devices by passengers and crew, infotainment systems, and real-time aircraft engine monitoring, among other things. For such new concepts to be successfully deployed operationally, they must be resilient to current and emerging security threats. Some issues that may elevate risk in future ATM systems include the following:
- Increased interconnectivity and integration between different civil and military actors (ANSPs, airlines, airports, aircraft) and CNS systems;
- Greater use of COTS products and open protocols for networking and communications;
- An attack on one system could propagate to impact a large geographical area;
- Certain legacy wireless protocols possess known vulnerabilities;
- The interconnection of legacy systems to modern networks may create vulnerabilities;
- The introduction of new vehicles, such as drones, into controlled airspace adds another dimension of complexity and risk;
- The development of Mobility as a Service (MaaS) in Europe will require secure information-sharing between transport modes.
The rapid pace of digitalisation in the evolving system has resulted in cybersecurity becoming increasingly important to ATM stakeholders. Thanks to its strong focus on safety, ATM already benefits from extensive redundancy (the duplication of critical components to provide fail-safes if primary mechanisms malfunction), and the existence of fall-back systems and procedures supporting non-nominal operations, meaning that the system is fundamentally robust. However, ATM is transitioning into an increasingly new environment, where the application of new approaches to system development and operation is a prerequisite to limit the effects of unlawful interference by intelligent adversaries.
Potential Impact of a Security Breach
There are several potential consequences of a security breach. Service provision could be disrupted, causing congestion, delays or service termination. In certain scenarios, the impact on passengers or personnel could include stress, injury, or in the worst case, fatalities. An incident could also result in financial losses, or in severe cases, bankruptcy. Reputational issues resulting from negative publicity around a breach could affect future business opportunities. The ease with which information in certain wireless protocols used for CNS can be eavesdropped upon and used for criminal purposes has triggered both privacy issues and data confidentiality concerns.
Disruptions to ATM could also have a wider societal impact, affecting trade and the wider economy. Disruptions might be localised, but could potentially affect a large geographical area in a highly interconnected system. An incident could also negatively impact the environment by creating delays that result in increased emissions, while non-compliance with security regulations could have associated legal, financial, reputational, and operational consequences.
“…in Alaska in 2006, the system had to be shut down when its integrity was compromised by a viral attack, which spread from administrative networks, highlighting the importance of isolating operational systems…”
EUROCONTROL and ATM Cybersecurity
EUROCONTROL is involved in ATM cybersecurity at several levels. At ICAO, it contributes to the Aviation Security (AVSEC) Threat and Risk Working Group (TRWG) and the Secretariat Study Group on Cybersecurity (SSGC), and is an observer on the AVSEC Panel.
In Europe, it participates in the Stakeholders Advisory Group on Aviation Security (SAGAS) at the European Commission (EC), and participates in EASA’s ESCP. It also participates in the European Civil Aviation Conference’s (ECAC) Security Forum, the Guidance Material Task Force (GMTF), and the study group on cyber threats to aviation. EUROCONTROL also takes part in European Organisation for Civil Aviation Equipment (EUROCAE) working groups, including WG-72 (Aeronautical Systems Security), developing security certification standards for both ground and airborne systems. It led the development of ED205, which delivered a process to assess the security of ATM/ANS ground systems, and participates in a number of other related activities.
“…involved in cybersecurity awareness building and training, delivering courses at EUROCONTROL’s training centre in Luxembourg…”
Along with the EC, EUROCONTROL is a co-founder of the Single European Sky ATM Research (SESAR) programmes, participating in the development of security risk assessment methods, tools, and guidance material for the SESAR and SESAR2020 programmes, which aim at developing new concepts and technologies in aviation. In the meantime, planning for the future SESAR3 programme is in progress. EUROCONTROL also participates in the Advisory Council for Aeronautics Research in Europe (ACARE) and has the role of security co-chair in the Safety and Security Working Group (WG4).
EUROCONTOL is the home of the EATM CERT, which supports EUROCONTROL services and products and ATM stakeholders in protecting themselves against cyber threats that could impact operational IT assets and data. To provide these services, the organisation collaborates with national and international ATM stakeholders, ATM manufacturers, sectoral and national CERTs, EASA, the European Centre for Cyber Security in Aviation (ECCSA), information sharing and analysis centres (ISACs), Europol and others. It is also involved in cybersecurity awareness building and training, delivering courses at EUROCONTROL’s training centre in Luxembourg, and providing tailored cybersecurity workshops to ANSPs, civil aviation authorities, and national supervisory authorities in member states.
ATM Cyber-attacks and Incidents
Cyber-attacks on ATM are not new. One of the first widely documented incidents in ATC occurred in an FAA system in Alaska in 2006. The system had to be shut down when its integrity was compromised by a viral attack, which spread from administrative networks, highlighting the importance of isolating operational systems. Later, in 2008, hackers breached the integrity of the FAA system over a wide area. Additionally, the manipulation of satellite navigation signals has become mainstream, with several incidents documented in Russian waters since 2017. These attacks resulted in ships’ navigation systems showing them to be in different locations than in reality. Although targeted at shipping, such attacks would impact other GNSS users in the region.
There are also several examples demonstrating the ease with which crowd-sourced information from aircraft tracking applications (such as FlightRadar24 and PlaneFinder) can be accessed and analysed to expose confidential information and impact third-parties outside the aviation system. For example, CIA rendition flights during the ‘war on terror’ were exposed by journalists using such data to track the activities of specific aircraft. Aircraft tracking information has also been exploited for stock market trading, with the movements of high-level executives providing clues on future mergers and acquisitions. The tracking of aircraft can therefore potentially negatively impact national security, business competitiveness, and potentially undermine the personal safety and security of passengers.
“…the manipulation of satellite navigation signals has become mainstream, with several incidents documented in Russian waters since 2017. These attacks resulted in ships’ navigation systems showing them to be in different locations than in reality…”
Information from EUROCONTROL’s European ATM Computer Emergency Response Team (EATM-CERT) provides an insight into a wide spectrum of security incidents reported by aviation stakeholders in 2019, of which 20% targeted ANSPs. In terms of event severity, 80% were classified as low, 20% were medium and, fortunately, none were high. The consequences of the attacks were primarily the leaking of sensitive documents (47%) and data theft (35%), including network schematics and user credentials for sensitive systems. Threat actors were generally cyber-criminals and state-sponsored groups, with the main motives being to target airspace users for financial gain, and/or acquire the intellectual property of equipment manufacturers.
The report emphasises the importance of a holistic approach to security, suggesting that excessively focusing on technical controls at the expense of people and processes may expose exploitable vulnerabilities. As security expert Bruce Schneier underlines, “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology”. The report also highlights the importance of securely sharing anonymised security incident information, since this allows others to improve their security posture.
Attackers are resourceful and adapt to changing circumstances. This year has seen criminal groups deploying COVID-19 themed lures for phishing purposes. There is also evidence that remote working, which has massively increased for many white-collar workers during the pandemic, significantly increases the risk of a successful attack, due to weaker controls being present in home IT networks and systems.
Responding to the Challenge
In recognition of the challenge of developing cyber-secure and resilient ATM systems, recent amendments to the International Civil Aviation Organisation (ICAO) Annex 17 Standards and Recommended Practices (SARPs) and associated guidelines explicitly address cybersecurity.
In Europe, in order to promote a harmonised approach to meeting ICAO Annex 17 SARPs, the current ATM-specific Implementing Rule is IR (EU) 2017/373 which, coupled with amendment 2020/469, specifies security requirements for ANSPs, the EUROCONTROL NM, and ATFCMs. This regulation compels operators to adopt a broad-based, holistic approach to security, addressing people, processes, and technology, beginning with the requirement to implement a Security Management System (SeMS) to protect facilities, personnel, service provision, and operational data.
In order to bolster their defences and protect their systems from attack, operators must perform security risk assessments, implement security controls to mitigate identified risks, and perform security monitoring and improvement activities. Where appropriate, personnel must also be security-cleared. When their defences are compromised, operators must detect these breaches, alert personnel, contain the effects of the breaches, and identify recovery and mitigation actions based on contingency plans.
The challenge of making systems cyber-resilient is exacerbated by the increasing importance of artificial intelligence (AI), which is set to have a profound influence on aviation in the future. The Fly AI Report developed by the European Aviation AI High Level Group provides a comprehensive overview of current and expected uses of AI in aviation, including an analysis of how AI may support aviation cyber-resilience. Developments in machine- and deep-learning will increase the resilience of systems and services in, for example, malware detection, network analysis, message filtering, and providing support to human operators. However, AI can also be used to attack systems, and will change the nature of the attack surface accessible to malicious actors. In the security operations centre of the future, AI may contribute to the automation of cyber-defences in areas such as vulnerability identification, predicting the evolution of threats, and adaptively mitigating attacks in real-time.
European Regulatory Complexity
In addition to complying with aviation-specific European regulations, operators may also have to comply with other legal instruments that apply to industry in general. For example, if an operator happens to be designated as part of ‘critical infrastructure’ or as a ’provider of an essential service’, it may also become subject to additional regulations and be required to report to additional authorities. This can make the task of maintaining regulatory compliance rather complex, so rationalisation and harmonisation of this complex regulatory framework is currently being tackled by EASA, the European Union Aviation Safety Agency and a number of aviation stakeholders in the European Strategic Coordination Platform (ESCP), which promotes international cooperation and harmonisation in risk management, risk information-sharing between organisations, and risk assessment methods. To this end, the ESCP has developed a Strategy for Cybersecurity in Aviation to make aviation an evolutionary cyber-resilient system, adopting a ‘built-in’ security approach and addressing security from a system’s conception through its development, deployment, and operations. Comprehensive guidance material and acceptable means of compliance for the security certification of ATM systems will soon be provided to operators.
Conclusion
As we have seen, there are many potential impacts of security incidents in ATM, some of which have consequences for broader society and impact on third parties outside of the aviation system. With the ongoing digitalisation of ATM, a system-wide, holistic approach to cybersecurity is required to ensure that ATM remains cyber-resilient. This is currently being addressed by a multitude of actors in aviation seeking to harmonise the regulatory framework and to provide the guidance material required by ATM stakeholders to support the concept of resilience by design.
In order to address the threat posed by adversaries seeking to exploit the weakest link in the system, information sharing on security incidents is already becoming increasingly important to stakeholders, and will be of mutual benefit in improving their security postures. EUROCONTROL will continue to cooperate with aviation stakeholders to ensure that cyber-resilience is enhanced in the current system and maintained in the future.
John Hird is an ATM security specialist
with EUROCONTROL, providing support to ANSPs, regulators, state authorities and industry on methods, tools, and regulatory requirements. He also participates in European R&D programmes in this area, and is based in Brussels, Belgium.
He can be contacted at: john.hird@eurocontrol.int.