Airspace Article
“The methods of attack are forever changing and evolving with more complex and diverse attacks taking place, nation states and state-sponsored groups are becoming more meticulous in their planning and delivery, which means organisations must become more resilient in their defence.”
CANSO Cybersecurity Risk Assessment Guide – 2023
Once an ANSP knows what might be attacked, it can assess the potential outcomes. In a worst-case scenario, a cyberattack could result in the total loss of a primary asset or perhaps the corruption of essential data, such as that on which the air traffic controller bases operational decisions. The ANSP can then examine how this would affect its business and services and determine the level of security needed to achieve its defined risk tolerance.
But all assets should be considered as supporting systems as they can be exploited too and cause problems for the primary asset. Basically, if the confidentiality, integrity, or availability of any ANSP service is compromised, it will have an impact on overall safety and efficiency.
Knowing the types of cyberattacks that could occur is essential. A cybersecurity threat may be targeted or non-targeted, such as a virus, and can come from a variety of sources, including nations engaged in espionage and information warfare, criminals, hackers, and disgruntled employees.
The insider threat is often the biggest concern. This doesn’t necessarily have to be the angry staff member but could be caused by inattentive or poorly trained employees, weaknesses in operating/maintenance procedures, or incomplete software upgrades. All aspects must be guarded against, according to the CANSO Guide. Organisational policy, authentication, and access card controls can all play a part, as can enhanced training.
In terms of outside threats, the most common forms of cyberattack include:
Malware – this creates a backdoor to control systems.
Phishing – an email that tricks the target into clicking on a link or downloading a file. If targeted at individuals in positions of authority, it is known as whale phishing/whaling. If it appears to come from a known contact of the victim, it is called spear phishing.
Denial of Service (DoS) – this usually overloads a system causing it to fail. Websites can be knocked offline by bombarding them with requests, for example.
Man in the Middle – this intercepts and can manipulate data between systems. These are sophisticated attacks that often direct sensitive data to a different destination.
Brute Force – as the name suggests, this entails endlessly cycling through passwords to gain access to information.
Structured Query Language (SQL) Injection – a technical attack that can allow the reading or modifying of database data. It is commonly used against websites to gain access to data.
Cross-site Scripting (XSS) – XSS injects a payload onto a vulnerable webserver, which then harvests user data or steals their session to take over their account.
Risk identification
The aim of ANSPs is to establish a cybersecurity strategy that can:
Reliably detect possible compromises.
Quickly respond to, and recover from, a cyberattack.
Ensure systems can function despite part or parts of them being compromised.
A good place to start is deciding the tolerance for risk. This will vary according to circumstance. The CANSO Guide presents three separate levels: unacceptable, tolerable, and acceptable. Here, the minimum level of risk would be tolerable but a more conservative and risk-averse approach would be to achieve an acceptable level.
Naturally, the criteria for these risk levels need to be established. A risk perimeter defines the boundaries of the risk assessment. All services can be in scope, or a subset of them can be selected. According to the CANSO Guide, the selection of the risk assessment perimeter shall take into consideration:
The time at which services were last assessed, recognising that their existing assessment may become obsolete as risks evolve.
Occurrences of recent security incidents targeting or impacting specific services.
Internal or external requirements that may impose a predefined assessment frequency.
When the risk level is determined and benchmarked against the risk acceptance criteria, it provides guidance regarding the mitigating efforts that need to be developed to control the risk. So, if a risk is deemed unacceptable, work and investment to improve the risk profile are essential and not discretionary.
Clearly, cybersecurity is not an area of ANSP expertise, and they need qualified support and tools to identify, analyse, evaluate, and mitigate cybersecurity risks.
In 2019, CANSO created the Cyber Safety Task Force (CSTF) to help ANSPs detect, respond to, and recover from a cybersecurity incident. Its latest publication on the subject, the CANSO Cybersecurity Risk Assessment Guide, should be used alongside the CANSO Standard of Excellence in Cybersecurity and the CANSO Emergency Response Planning Guide to enable a comprehensive approach to managing cybersecurity in ATM.
What should ANSPs do?
When the systems at NATS – the UK’s air navigation service provider (ANSP) – went down in late August 2023, the initial fear was that it had been the victim of a cyberattack. It proved not to be the case (a one in 15 million IT glitch was to blame), but the speculation brought home the importance of cybersecurity in air traffic management (ATM).
In fact, the warning signs were already there. In April 2023, EUROCONTROL did suffer an attack, claimed by pro-Russian hackers. There was no impact on flights, though access to its website was affected.
As managers of critical national infrastructure, ANSPs are prime targets for cyberattacks, especially organised, sophisticated crime. Moreover, increasing digitalisation means it is likely that vulnerabilities and attacks will increase in the years ahead. This has been compounded by the shift to remote work and modern, e-enabled aircraft, both of which introduce new attack vectors.
Regulations have been put in place or are on their way to ensure a degree of resilience. For example, ICAO adopted a resolution addressing cybersecurity during its 40th Assembly. This reaffirms “the importance and urgency of protecting civil aviation critical infrastructure systems and data against cyber threats and calls upon States to implement the ICAO Cybersecurity Strategy”.
Meanwhile, in 2022, the European Parliament adopted the European Aviation Safety Agency’s cyber regulation, which will be added to nearly all existing aviation safety regulations by 2025.
Clearly, a cyberattack can have a significant effect on the net-centric aviation system. ANSPs therefore need to ensure a tolerable level of risk as a minimum.
Over time, risks will change and evolve as technologies improve on both the attack and security sides. That means a thorough assessment of cybersecurity risk must be a constant element in ANSP planning. The CANSO Guide recommends that, for consistency, the same risk matrix used in the original risk assessment should be applied again.
“The application of a comprehensive and effective process of cybersecurity risk identification, analysis, evaluation, mitigation and monitoring will help maintain aviation safety and security through the delivery of safe and secure air navigation services,” concludes the CANSO Guide.
Minimal risk