SkyRadar Blog | Radar Training Systems Online Radars - SkyRadar

Cybersecurity in Aviation and Air Traffic Control: Regulatory Bodies, Existing Solutions and ATSEP Qualification Requirements

Written by Martin Rupp | May 24, 2021

This article looks at the actual cybersecurity ecosystem in aviation and air traffic control: are there norms, documents proposed by the aviation regulation bodies?  What are the existing solutions? Who are the current cybersecurity vendors that propose a solution for aviation, and especially for airports and air traffic control.

ICAO and Cybersecurity

During The 40th Session of the ICAO, the  Assembly adopted the Resolution A40-10  named “Addressing Cybersecurity in Civil Aviation”.

The resolution strongly recommends states to implement ICAO cybersecurity strategy. Among the several points developed in the strategy, one may distinguish the following one:

“Cybersecurity is to be included within a State’s aviation security and safety oversight systems as part of a comprehensive risk management framework. “

A “Cybersecurity Action Plan” has also been adopted recently by the ICAO, in November 2020. 

The action plan offers several deadlines ranging from 2020 to 2023.

The chapter 12 of the action plan underlines specifically the need for adequate training in cybersecurity: ”CAPACITY BUILDING, TRAINING AND CYBERSECURITY CULTURE AND EDUCATION “

IATA and Cybersecurity

IATA, which represents mostly the interests of commercial airlines, have also developed a Cybersecurity program. IATA also developed the Aviation Cyber Security Roundtable (ACSR) which aims at promoting cybersecurity culture, among others, in aviation. 

IATA wishes to bring cybersecurity into airports and for this wants the creation of the Airport Cyber Security Certification Program (in 2030)

Task Forces

Many Aerospace consortiums or groups have  developed their own cybersecurity task forces. EASA and EUROCAE are also coordinating a number of technical advisory committees on the topic. 

 We should note two directives at the EU level:

  • RMT.0648: Aircraft cybersecurity . Specifications to integrate cybersecurity considerations 
  • RMT.0720: Cybersecurity risks. Transverse regulations for all aeronautic domains to set up a global framework for information security management systems.

Cybersecurity solutions for aviation and ATC

Here is a non exhaustive selection of solutions from some vendors:

Frequentis and secure voice communication

Frequentis is known for their data and communication solutions in aviation.  The company provides cyber-security for voice communication systems

Aerospace Cyber Security by Honeywell

Honeywell’s end-to-end Cybersecurity Assurance Center is based on data collection and penetration testing so to provide efficient aviation cybersecurity solution

Utimaco's end-to-end security infrastructure

Utimaco provides a vendor-agnostic end-to-end security infrastructure for aviation and ATC infrastructures. Utimaco’s solution is able to create decentralized networks from any vendor at any location including local data centers and hybrid clouds.. The solutions include industry-grade Hardware Security Modules, Public Key Infrastructures, Digital Signing Solutions, landline, radio and 5G protection. 

THALES Cybersecurity for aviation

Thales propose a complete solution: multi-level protection, tailored solutions for specific domains such as communications, radar, air traffic management, in-flight entertainment, avionics, preventive maintenance; security supervision incorporating specific threat intelligence; and rapid response teams in case of an attack.

Other providers

Current situation in ATC

Air Traffic Management (ATM) deals with an enormous amount of data, especially from radars and aircraft. 

Digitalization of data is ongoing, voice may also be replaced soon by chats-based sessions using telegrams. 

In such a context a risk is created by an attacker being able to disrupt/modify the data exchanged between the ATC and the planes.

This creates a challenge because the ATC personnel must not only understand the attack but be able to counter it and recover from it in a ‘real-time’ manner. 

A trend is the development of Remote Towers provided with adequate cybersecurity and AI-based cybersecurity diagnostic and decision management. But “traditional” Air traffic safety electronics personnel (ATSEP) remains the heart of security architecture in the traffic management.

It is therefore mandatory to continuously train ATSEP team members  in cybersecurity to understand cybersecurity designs and be able to quickly react to different cyberattacks.

About the Author

Martin Rupp is a cryptographer, mathematician and cyber-scientist. He has been developing and implementing cybersecurity solutions for banks and security relevant organizations for 20 years. Currently he is researching attack scenarios and the role of AI in ATC cyber-security.

References and Further Reading