This article looks at the current cybersecurity ecosystem in aviation and air traffic control. Are there norms or documents proposed by the aviation regulation bodies? What are the existing solutions? Who are the current cybersecurity vendors that propose a solution for aviation, and especially for airports and air traffic control?
ICAO and Cybersecurity
During the 40th Session of the ICAO, the Assembly adopted Resolution A40-10, named “Addressing Cybersecurity in Civil Aviation”.
The resolution strongly recommends that states implement the ICAO cybersecurity strategy. Among the several points developed in the strategy, the following one stands out:
“Cybersecurity is to be included within a State’s aviation security and safety oversight systems as part of a comprehensive risk management framework.”
A “Cybersecurity Action Plan” was also adopted recently by the ICAO, in November 2020.
The action plan sets several deadlines ranging from 2020 to 2023.
Chapter 12 of the action plan specifically underlines the need for adequate training in cybersecurity: “CAPACITY BUILDING, TRAINING AND CYBERSECURITY CULTURE AND EDUCATION”
IATA and Cybersecurity
IATA, which mostly represents the interests of commercial airlines, has also developed a cybersecurity program. IATA also developed the Aviation Cyber Security Roundtable (ACSR), which aims, among other things, at promoting a cybersecurity culture in aviation.
IATA wishes to bring cybersecurity into airports and, to this end, wants the creation of the Airport Cyber Security Certification Program (in 2030).
Task Forces
Many aerospace consortiums or groups have developed their own cybersecurity task forces. EASA and EUROCAE are also coordinating a number of technical advisory committees on the topic.
We should note two directives at the EU level:
- RMT.0648: Aircraft cybersecurity. Specifications to integrate cybersecurity considerations.
- RMT.0720: Cybersecurity risks. Transverse regulations for all aeronautic domains to set up a global framework for information security management systems.
Cybersecurity solutions for aviation and ATC
Here is a non-exhaustive selection of solutions from some vendors:
Frequentis and secure voice communication
Frequentis is known for its data and communication solutions in aviation. The company provides cybersecurity for voice communication systems.
Aerospace Cyber Security by Honeywell
Honeywell’s end-to-end Cybersecurity Assurance Center is based on data collection and penetration testing, so as to provide an efficient aviation cybersecurity solution.
Utimaco's end-to-end security infrastructure
Utimaco provides a vendor-agnostic end-to-end security infrastructure for aviation and ATC infrastructures. Utimaco’s solution is able to create decentralized networks from any vendor at any location, including local data centers and hybrid clouds. The solutions include industry-grade Hardware Security Modules, Public Key Infrastructures, Digital Signing Solutions, and landline, radio and 5G protection.
THALES Cybersecurity for aviation
Thales proposes a complete solution: multi-level protection; tailored solutions for specific domains such as communications, radar, air traffic management, in-flight entertainment, avionics and preventive maintenance; security supervision incorporating specific threat intelligence; and rapid response teams in case of an attack.
Other providers
Current situation in ATC
Air Traffic Management (ATM) deals with an enormous amount of data, especially from radars and aircraft.
Digitalization of data is ongoing; voice may also soon be replaced by chat-based sessions using telegrams.
In such a context, a risk arises from an attacker being able to disrupt or modify the data exchanged between ATC and the planes.
This creates a challenge because the ATC personnel must not only understand the attack but be able to counter it and recover from it in a ‘real-time’ manner.
One trend is the development of Remote Towers provided with adequate cybersecurity and AI-based cybersecurity diagnostic and decision management. But “traditional” Air Traffic Safety Electronics Personnel (ATSEP) remain at the heart of the security architecture in traffic management.
It is therefore mandatory to continuously train ATSEP team members in cybersecurity, so that they understand cybersecurity designs and are able to react quickly to different cyberattacks.
About the Author
Martin Rupp is a cryptographer, mathematician and cyber-scientist. He has been developing and implementing cybersecurity solutions for banks and security-relevant organizations for 20 years. Currently he is researching attack scenarios and the role of AI in ATC cybersecurity.