ATM security risks: a snapshot of industry concerns

Back to articles

It's always interesting to hear what industry considers to be the most pressing issues and the third CANSO ATM Security Working Group (ASWG) was no exception. In attendance were security specialists from an increasingly wide-range of ANSPs and their suppliers. The ASWG examines common security topics and produces guidance, such as the CANSO cyber-security risk assessment guide. This blog, published with permission from CANSO, builds on that guidance.

With the Dubai sun shining outside, the hot topic of security was coolly analysed over two days of presentations and discussions. One group exercise looked at priority risks and resulting mitigations, and whilst not intended as comprehensive risk assessment, it offers an insightful 'pulse check' on the important issues. Asked to describe the likely next major incident to threaten their organisation, some common answers jumped out:

Threats to ANS infrastructure

  • Denial of service (i.e. jamming, electromagnetic attack, GPS time spoofing)
  • Malware injection, including wider network intrusion via compromise of remote sites
  • Failure of third party products or services, including inadvertent errors
  • Compromise of unencrypted data (including datalink)
  • Credible threats made via social media (closing airspace on suspicion of compromise)

ANS workforce issues

  • Lack of staff awareness (accidental damage, social engineering, etc)
  • Insider threat (intentional acts)
  • Lack of strategic cyber-workforce development
  • Penetration of restricted airspace by unauthorized users (i.e. drones)
  • Passenger gaining connection to cockpit data
  • Terrorism, insiders/sleepers, access to system by terrorists

Direct threats to aircraft

  • Penetration of restricted airspace by unauthorized users (i.e. drones)
  • Passenger gaining connection to cockpit data
  • Terrorism, insiders/sleepers, access to system by terrorists

The group then went on to discuss mitigations, identifying a wide variety of actions and an equally wide range of responsible parties. This comes as no surprise to anyone involved with security, knowing that a holistic and coordinated response is required from all parts of the aviation industry. Even within this short exercise, there were actions identified for ANSPs (top management, HR and staff), regulators, suppliers and aircraft manufacturers.

Whilst it is clear that much more work is required, it was great to see participants sharing experiences and lessons – in my view essential, if we are to manage these (and other) security risks in a joined-up and cost-effective way.

Contact the author

Matt Shreeve
Tel: +44 1252 451 651

Call us to discuss your next project: +44 1252 451 651

Contact us