This article looks at the actual cybersecurity ecosystem in aviation and air traffic control: are there norms, documents proposed by the aviation regulation bodies? What are the existing solutions? Who are the current cybersecurity vendors that propose a solution for aviation, and especially for airports and air traffic control.
During The 40th Session of the ICAO, the Assembly adopted the Resolution A40-10 named “Addressing Cybersecurity in Civil Aviation”.
The resolution strongly recommends states to implement ICAO cybersecurity strategy. Among the several points developed in the strategy, one may distinguish the following one:
“Cybersecurity is to be included within a State’s aviation security and safety oversight systems as part of a comprehensive risk management framework. “
A “Cybersecurity Action Plan” has also been adopted recently by the ICAO, in November 2020.
The action plan offers several deadlines ranging from 2020 to 2023.
The chapter 12 of the action plan underlines specifically the need for adequate training in cybersecurity: ”CAPACITY BUILDING, TRAINING AND CYBERSECURITY CULTURE AND EDUCATION “
IATA, which represents mostly the interests of commercial airlines, have also developed a Cybersecurity program. IATA also developed the Aviation Cyber Security Roundtable (ACSR) which aims at promoting cybersecurity culture, among others, in aviation.
IATA wishes to bring cybersecurity into airports and for this wants the creation of the Airport Cyber Security Certification Program (in 2030)
Many Aerospace consortiums or groups have developed their own cybersecurity task forces. EASA and EUROCAE are also coordinating a number of technical advisory committees on the topic.
We should note two directives at the EU level:
Here is a non exhaustive selection of solutions from some vendors:
Frequentis is known for their data and communication solutions in aviation. The company provides cyber-security for voice communication systems
Honeywell’s end-to-end Cybersecurity Assurance Center is based on data collection and penetration testing so to provide efficient aviation cybersecurity solution
Utimaco provides a vendor-agnostic end-to-end security infrastructure for aviation and ATC infrastructures. Utimaco’s solution is able to create decentralized networks from any vendor at any location including local data centers and hybrid clouds.. The solutions include industry-grade Hardware Security Modules, Public Key Infrastructures, Digital Signing Solutions, landline, radio and 5G protection.
Thales propose a complete solution: multi-level protection, tailored solutions for specific domains such as communications, radar, air traffic management, in-flight entertainment, avionics, preventive maintenance; security supervision incorporating specific threat intelligence; and rapid response teams in case of an attack.
Air Traffic Management (ATM) deals with an enormous amount of data, especially from radars and aircraft.
Digitalization of data is ongoing, voice may also be replaced soon by chats-based sessions using telegrams.
In such a context a risk is created by an attacker being able to disrupt/modify the data exchanged between the ATC and the planes.
This creates a challenge because the ATC personnel must not only understand the attack but be able to counter it and recover from it in a ‘real-time’ manner.
A trend is the development of Remote Towers provided with adequate cybersecurity and AI-based cybersecurity diagnostic and decision management. But “traditional” Air traffic safety electronics personnel (ATSEP) remains the heart of security architecture in the traffic management.
It is therefore mandatory to continuously train ATSEP team members in cybersecurity to understand cybersecurity designs and be able to quickly react to different cyberattacks.
Martin Rupp is a cryptographer, mathematician and cyber-scientist. He has been developing and implementing cybersecurity solutions for banks and security relevant organizations for 20 years. Currently he is researching attack scenarios and the role of AI in ATC cyber-security.