Ground-to-ground and ground-to-air interoperability make perimeter-oriented cybersecurity obsolete. Cybersecurity needs to be data-centric, and identity for systems and humans is a keystone of interconnected ATM.
Cybersecurity has moved from perimeter protection (a firewall around a secure world) to endpoint protection (systems and devices). More sophisticated Identity and Access Management (IAM) systems now take care of the protection in a decentralized approach. Unfortunately, this also significantly enlarges the attack surface of the cybersecurity infrastructure, as Gartner rightly points out. Sophisticated attacks like the 2020 United States federal government data breach ("SolarWinds") used administrative permissions stolen from users or system administrators.
Gartner's catchy statement "Identity is the new perimeter" describes this fragmented architecture pretty well. In ATM we do not need to wait until trajectory-oriented ATC has materialized: just look at a simple radar tower, or a MET data provider, communicating data from a remote site over public telephone lines into the central ATM infrastructure.
Data needs to be encrypted, through a public key infrastructure, both in transit (when travelling from one location to another) and at rest (when stored in a database). It should only be decrypted when it is actually used in the ATM applications.
The key to protecting data safely is to make its start and end points unbreachable. This can be done with digital identities. Such a digital identity can be assigned to humans and to systems (like radar towers, servers, or the company providing the MET service). There are highly protected standards like the European eIDAS standard for digital identities and signatures (backed by a European Regulation). They even allow for qualified identities and signatures, where an EU-certified Qualified Trust Service Provider verifies the user identity in every transaction (message, call, authentication attempt, etc.). Logs are stored and allow for non-repudiation in case something goes wrong. Non-repudiation means that nobody can say "I did not do it".
Messages coming from the radar or the MET provider could be signed (e.g. the ASTERIX protocol). The radar would have its own digital identity, and the signature would be tied to that identity. If somebody changes a parameter, the signature check on the message fails and the SMC system raises an alarm.
Even applications can be signed, to prevent malicious code snippets, like a trojan, from being brought in. The moment someone tries to change the code, the signature no longer matches and an alarm is sent out.
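As an added illustration of the signing mechanism just described for radar/MET messages and for application code (example code, not from the original article or any ATM vendor or standard): a small Go program that gives each system a digital identity in the form of an Ed25519 key pair, signs a constructed ASTERIX-like byte sequence and a constructed stand-in for an application binary, and shows that altering a single byte, or presenting the signature under a different identity, makes verification fail and produces an SMC-style alarm. The `Identity`, `Verify` and `Alarm` names, the identity names and the sample bytes are assumptions; a real deployment would anchor the keys in eIDAS certificates and hardware key storage, which this example does not model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Identity binds a name (a radar, a MET provider, a software publisher) to an
// Ed25519 key pair. Hypothetical model of a system identity; not an
// eIDAS-qualified certificate.
type Identity struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewIdentity generates a fresh key pair for the named system. In production
// the private key would stay inside an HSM or secure element on the device.
func NewIdentity(name string) (*Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{Name: name, Pub: pub, priv: priv}, nil
}

// toBeSigned prefixes the payload with the identity name, so a signature made
// by one identity cannot be presented as coming from another.
func toBeSigned(name string, payload []byte) []byte {
	return append([]byte(name+"\x00"), payload...)
}

// Sign produces a signature over the payload that is tied to this identity.
func (id *Identity) Sign(payload []byte) []byte {
	return ed25519.Sign(id.priv, toBeSigned(id.Name, payload))
}

// Alarm is what the SMC would raise when a signed artefact fails verification.
type Alarm struct {
	Source string
	Reason string
}

// Verify checks a payload (an ASTERIX message, an application binary, ...)
// against the claimed sender's public key. Only the public key is needed on
// the receiving side. A nil Alarm means the signature is valid.
func Verify(pub ed25519.PublicKey, name string, payload, sig []byte) *Alarm {
	if ed25519.Verify(pub, toBeSigned(name, payload), sig) {
		return nil
	}
	return &Alarm{
		Source: name,
		Reason: "signature verification failed: payload or sender identity altered",
	}
}

// tamper returns a copy of payload with one byte flipped, simulating a
// parameter that was changed after signing.
func tamper(payload []byte, offset int) []byte {
	out := append([]byte(nil), payload...)
	out[offset] ^= 0xFF
	return out
}

func main() {
	radar, _ := NewIdentity("radar-north")
	// Constructed sample: shaped like an ASTERIX data block (CAT=48 in the
	// first byte, 2-byte length 0x0007, then four data bytes). Not a real
	// decoded record.
	msg := []byte{0x30, 0x00, 0x07, 0x01, 0x02, 0x03, 0x04}
	sig := radar.Sign(msg)
	fmt.Println("genuine radar message verifies:", Verify(radar.Pub, radar.Name, msg, sig) == nil)
	if a := Verify(radar.Pub, radar.Name, tamper(msg, 5), sig); a != nil {
		fmt.Printf("SMC ALARM from %s: %s\n", a.Source, a.Reason)
	}

	// The same mechanism covers code signing: the publisher signs a release
	// and any injected code invalidates the signature.
	publisher, _ := NewIdentity("atm-app-publisher")
	release := []byte("constructed stand-in for an application binary")
	relSig := publisher.Sign(release)
	fmt.Println("genuine release verifies:", Verify(publisher.Pub, publisher.Name, release, relSig) == nil)
	trojaned := append(append([]byte(nil), release...), []byte(" + injected code")...)
	if a := Verify(publisher.Pub, publisher.Name, trojaned, relSig); a != nil {
		fmt.Printf("SMC ALARM from %s: %s\n", a.Source, a.Reason)
	}
}
```

The receiving side (here standing in for the SMC) holds only public keys, so compromising it does not let an attacker forge radar messages; what it must protect is the mapping from identity name to public key, which in practice is the job of the certificate infrastructure the article refers to.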
We need to get to a unified view of all systems and a centralized alarm mechanism for ATSEPs. When a subsystem has been compromised, the ATSEP should be alerted through the SMC. A proper Computer Security Incident Response process needs to be set up, and it has to be backed by reliable identities. In the European Union, using eIDAS is a must.
Whether incident response is part of the ATSEP's portfolio or belongs to an adjacent team is beyond the scope of this article. But there is no doubt that the process must raise an immediate alarm in case of a cybersecurity incident.
A signature or an authorization process can only be as good as the identity and the authentication process behind it. This is why we call for solutions like eIDAS, which are sophisticated and proven, and at the same time backed by a Regulation.
This article explains the pair of identity and data as a major pillar of a protected decentralized architecture. In our series about cybersecurity in ATM we shed light on many aspects of architecture, but also on incident response.
Stay tuned to always be the first to learn about new use cases and training solutions in SMC and cybersecurity qualification for ATSEPs.
Or simply talk to us to discuss your training solution.