Discussion and working groups on cybersecurity in air traffic management have proliferated. It sometimes feels like a full-time job to keep up with the latest developments and papers! However, in getting to grips with the emerging policy and regulatory landscape on cybersecurity, ANSPs are still left asking "what do we need to do to be good enough?". Is non-ATM commercial good practice 'good enough' or is something more required because ATM is part of critical infrastructure? If so, what is the extra? What is good practice in a safety-critical environment?
Of course, the simple answer to what is 'good enough' is whatever it takes to manage your risks effectively. Regulation (both aviation-specific, like the Common Requirements, and cross-sectorial, like the NIS Directive) take this risk-based approach. This is correct in a world of performance-based regulation. However, since risks differ between ANSPs, and because the accompanying means of compliance and standards are still to emerge, the question remains and there is no common reference for the industry.
Now ANSPs can take a step towards answering that question by 'road testing' a prototype ATM Cybersecurity Maturity Model. The model is one of the outputs from some work undertaken by Helios and Prof Chris Johnson for EUROCONTROL's Network Manager (NM), looking at the cybersecurity of the NM and its suppliers.
Maturity models are a highly simplified, but still useful, view of reality. They are not the same as detailed audits or gap analyses, which still serve crucial purposes. Instead they allow you to easily compare your ANSP to how it looked at some point in the past to track improvements over time, or to apply a common model across your suppliers to assess your supply chain maturity.
Prototype model applied illustratively to an ANSP and its suppliers for a visual dashboard
The prototype model is inspired by existing cyber standards and developed following an August 2018 workshop with the NM and some willing ANSPs. Once feedback from those ANSPs has been received, the intention is to develop the model further, adding more refinements and functionality, for example automated reporting.
The model describes a range of capabilities you would expect to see in an organisation with an effective approach to cybersecurity. You assess an organisation's overall cybersecurity maturity by comparing its practices against those described and backing up the assessment with some evidence, to justify the result. The result is a picture of maturity, from 'non-existent' to 'adaptive' (explanations are provided). It enables a broad assessment of strengths and weaknesses and is intended as a tool for senior management to discuss where to focus finite resources and agree a roadmap of improvements . This is much like the long-established EUROCONTROL / CANSO Standard of Excellence in the safety-world.
Early indications from participating ANSPs are encouraging. They think it could be a helpful addition to their toolkit. What do you think? Please contact me on the details below to receive it for your own organisation.