Like buses, you wait a long time for specific ATM cybersecurity guidance, and then two (or more) come along at once. First there are two European standards, CEN's EN 16495 and EUROCAE's ED-205, both expected to be published in the first half of 2019. EN 16495 extends the cross-sectoral ISO 27002 approach to civil aviation and addresses the crucial dimension of trust between different organisations. ED-205 addresses the security aspects of service provider certification, opening the door to a standard process for assessing whether ATM/ANS ground systems are appropriately secure for use. Both treat security's relationship to safety in a similar way, recommending coordinated processes with clear touch-points. That link with safety is key, and it is precisely where other cross-sectoral standards and guidance can fall short.
In terms of regulation it is equally busy, even after last year's GDPR and NIS Directive deadlines. The NIS Directive in particular affects ATM across Europe, though its full effect is still materialising as national implementation continues. In mid-2019 EASA is expected to release a proposed new rule on Aeronautical Information System Security (AISS), addressing ATM alongside other aviation domains.
In terms of guidance, a EUROCONTROL-led ATM cybersecurity maturity model is being released. CANSO Europe has recently formalised its cybersecurity activities and CANSO Global is establishing a new Cyber-Safety Task Force. Regular cyber-threat briefings are also emerging from the EATM-CERT and the European Cybersecurity Centre in Aviation. Furthermore, the European Strategic Coordination Platform (ESCP) is working hard to produce a cross-aviation strategy and risk management approaches.
In short, the proliferation of interest and activity (and, unfortunately, abbreviations) in this area shows no sign of stopping. Much of it will help answer the question of what, in practice, needs to be done. Of course, merely having standards, guidance and tools is insufficient: they must be used, and used wisely, to be effective. In particular, without a mandate from regulators all of them remain voluntary, which means they may not be used at all. Experience shows that real change usually comes in response to an actual incident, in response to regulation, in response to what peers are doing or, most positively, from solid leadership and good governance. Fortunately, we have avoided major incidents so far and are increasingly seeing initiatives and improvements from many operational stakeholders and suppliers. Pan-European initiatives, like NewPENS and a common PKI for SWIM, will also make tangible progress in 2019.
The ATM industry has started on a journey to cyber-maturity. There is no single or clear measure of how far we have come, nor is the endpoint static, but with clearer signposting, and enough drive, commitment and execution, we should get there faster, cheaper and at less risk. Five years ago, when I first worked on the topic for this industry, it was a niche concern; now it is a top-level issue, even being chosen as the focus for the CANSO CEO Summit at World ATM Congress. Join us on stand #339 to continue the conversation.