By Alasdair Shannon, Head of CNI Cyber Solutions for Leonardo Security & Information Systems

The WannaCry ransomware attacks this month have raised public awareness of the disruptive effects of a major cyber-attack on our daily lives. While the impacts are still being addressed by the NHS, there is well-publicised evidence through the National Cyber Security Centre of the cyber risk exposure of the UK Critical National Infrastructure (CNI), which notably has varying degrees of maturity in threat awareness and cyber protection across the CNI sectors.

One such area of increasing concern is UK Air Traffic Management (ATM), as highlighted by the British Chancellor (Philip Hammond) when he specifically noted the threat to UK airports during the launch of the UK National Cyber Security Strategy (2016-2020)[1] in 2016.

Robust risk management happens at all levels in ATM across Safety, Security, Operations, Business and Finance; however, evidence indicates that cyber security regulation and standards specific to European ATM are not maturing at the appropriate pace. At the 2016 ICAO Assembly on Cyber Resilience in Civil Aviation, it was critically noted that: “the continuous evolution of the Air Traffic Management (ATM) systems are demanding greater interconnectivity and systems integration… and so far, the exposure of the aviation system to cyber-incidents has increased”.[2]

The UK ATM operators’ exposure to cyber risk has historically been low due to the ‘insulation effects’ of the random patchwork nature of bespoke systems holding data across various silos. This is now changing with the strategic need across ATM for more data capacity, efficiencies and cost reduction. The inherent shift towards interconnectivity and the demands for systems-of-systems with common standards introduce vulnerabilities to a rapidly evolving and sophisticated cyber threat which, if not addressed, could have inevitable consequences for ATM operations, brand reputation and public safety. The following malicious threat examples indicate the breadth of the exposures to ATM:

  • In 2015 the Swedish Luftfartsverket cyber-attack (Advanced Persistent Threat) grounded Arlanda, Landvetter and Bromma airports, causing disruption with knock-on effects across the Baltic airspace and ATM operations.[3]
  • In 2015 Ryanair suffered £3m in financial damages resulting from a targeted cyber-attack on its bank accounts.
  • The 2016 Turkish Ataturk and Sabiha Gökçen Airports’ attacks closed down Turkish immigration control.

So clearly the challenge for ATM operators is how best to optimise cyber-resilience as airports shift to cloud-based systems and increase the adoption of user-friendly web sites with online check-in, automated checked baggage systems and so on.

This challenge is exacerbated by the exponential forecast demand in European air travel[4], with consequences for ATM infrastructure demanding renewal, expansion and ultimately the development of a wider integrated (UK) air transport system.[5] Inevitably the intensification of integrated technologies underpinning this development, with greater automation, presents a major challenge at Main Board level, as the risk is no longer limited to IT or security but is considered a strategic business risk. For instance, the implementation of the GDPR13 (EU General Data Protection – Article 13) in May 2018 will demand appropriate protection of personal data, with enforced financial penalties for non-compliance. Other challenges facing the ATM Boards in relation to their data / cyber exposures are:

  • How to gain a realistic appreciation of the cyber risk?
  • How to protect the (ATM) groups’ sensitive operational & customer data?
  • How to integrate resilient cyber-defences without disruption to their critical operational flows, while remaining within the existing ‘Operational Expenditure’ budget constraints?

So how can industry assist? Greater engagement with industry is one option to consider for offsetting the cyber exposure. A useful example from Italy shows the value of integrating the ATM infrastructure with the Italian Government’s National Cyber Security and Defence network. ENAV, the Italian Air Navigation Service Provider (ANSP), ensures that 1.8M flights per year are managed effectively and safely across four control zones and forty-four airports. It is highly resilient to targeted cyber-attacks, with a centralised Secure Operations Centre (SOC) which monitors all assets and correlates a number of external intelligence feeds supplied by various agencies. All cyber operations are tailored to the stringent standards of international ATM infrastructures[6], and this therefore offers a useful template model of how to reduce cyber risk across ATM.[7]

An additional approach to reducing the cyber exposure is the adoption of the ‘cyber resilient airport operation’. Founded on next generation ‘enterprise’ cyber defence concepts, this integrated cyber security model is gaining increasing interest from operators in Europe, the Middle East and SE Asia.

The Cyber Resilient Airport Operation

Given the flight safety-critical nature of the ATM sector, operators, ANSPs and regulators have traditionally mandated the highest levels of data integrity to ensure safe and secure Air Navigation Services and air passenger safety. Given the rapidly evolving nature of the cyber threat, it is now time for the operators to adopt the same standards and approach to cyber security, without which ATM customer confidence, brand reputation and revenues could be critically impacted.

We would like to thank Alasdair Shannon for writing a guest blog for the Institute. Please note that a guest blog provides an external independent perspective, and does not necessarily represent the views of the ATI.

[1] ‘Hostile foreign hackers could take down our airports and power grids’. Philip Hammond speech launching National Cyber Security Strategy (2016-2020) – 01 Nov 2016

[2] ICAO Working Paper – Assembly 39th Session Executive Committee: Paper presented by The United States on behalf of the European Union, the European Civil Aviation Conference and EUROCONTROL A39-WP/99 EX/45, TE/26 Rev 1 dated 27/7/16

[3] Nov 2015. Aldrimer.no (Swedish News) & SC MagazineUK.com – large scale ‘Baltic’ APT Attack

[4] European air travel is estimated to rise by 40% (to 3 million aircraft movements per year by 2030).

[5] Airport Operators Association (AOA) Annual Conference – London 21st Nov 2016

[6] ENAV is compliant with ICAO AN17 Doc 8973, 9985 and European Commission Regulations Nos. 1035/2011 & 73/2010, as well as Italian National Security & Defence Standards

[7] IAI – The Defence of Civilian Air Traffic Systems from Cyber Threats. Tommaso De Zan. Istituto Affari Internazionali. IAI 2016.