Roadmap to reality
Cyber security and resilience are now accepted as key requirements for air traffic management (ATM), and indeed the wider aviation system. But the hard work is only just beginning, particularly for air navigation service providers (ANSPs), as next-generation ATM systems and infrastructure are deployed.
The context is difficult: a changing regulatory environment, a need for a minimum industry level of security and increasingly sophisticated cyber-attacks. But what specifics are stopping ANSPs 'implementing' cyber-security? Here's my big four:
1. Legacy systems and Operational Technology: ATM is not traditional IT. Introducing controls such as intrusion detection and event-level auditing on old equipment is hard and expensive. Operational Technology, such as Industrial Control Systems and 'Smart Infrastructure', is a new focus of attack, as the December 2015 cyber-attack on the Ukrainian electricity network highlighted.
2. Lack of people with deep technical expertise: Few people understand both ATM and cyber-security, and cyber itself has many separate specialisms.
3. No clear 'Means of Compliance': ANSPs effectively need to decide themselves on when security has been assured. This needs to be neither 'not too much' (overly expensive) nor 'not too little' (residual risk is too high). It also needs to flow down (often vast) supply chains.
4.Insecure systems cannot be assumed to be safe: Establishing the right touchpoints between safety and security processes is crucial. The lack of accepted practice, and different cultures, poses problems.
So, what to do? Every ANSP should have a Security Management System (SecMS) and implementation roadmap. These provide the brains and engine for controlling and effecting activity. The SecMS demands leadership plus a classic Plan-Do-Check-Act cycle of continual improvement (How do we assure ourselves?), all underpinned by risk assessment. It requires a clear scope (What systems and networks do we have? What is our supply chain?) and then people, process and technology aspects to be addressed (How do we know we have the right technical people? How does security interact with safety?). A roadmap leads to a progressive approach at building up cyber-security and embedding requirements in new services and systems, forcing decisions on what to prioritise (Legacy? Operational Technology?).
Actions now need to match words. ATM is not yet ready to meet the threat, but a roadmap will help us get there. And since, cyber-security is a never-ending arms-race between attackers and defenders, a SecMS will manage threats and risks as they evolve.
For more information contact Matt Shreeve