As Air Navigation Service Providers (ANSPs) and regulators seek to bolster their cybersecurity defenses, the debate over whether to include a Computer Security Incident Response Team (CSIRT) within the Air Traffic Safety Electronics Personnel (ATSEP) structure or as part of an IT team remains ongoing.
This article explores the advantages and limitations of both approaches and proposes a hybrid solution that combines the strengths of each to enhance incident response capabilities for ANSPs.
CSIRT as Part of IT Team
Advantages of CSIRT as Part of IT Team
- Specialized Expertise: IT teams typically comprise professionals with specialized knowledge in managing and maintaining information technology systems. Their expertise allows them to efficiently address routine IT-related issues and maintain the organization's technological infrastructure.
- Business Hours Coverage: IT teams usually operate during regular business hours, providing support from 9:00 to 17:00 on weekdays. This ensures that ANSPs have dedicated support during their peak operational hours, when the majority of incidents may occur.
- Efficient Routine Tasks: IT teams are well-equipped to handle routine tasks such as system maintenance, software updates, and network troubleshooting. Their structured approach to managing IT operations ensures smooth day-to-day functioning.
- Attacker Mindset: Dedicated IT cybersecurity teams think along the lines of worst-case scenarios, emulating the mindset of an attacker to explore potential risk scenarios.
Limitations of IT Team for Incident Response
- Limited 24/7 Coverage: Cybersecurity threats are not limited to business hours; they can strike at any time. Relying solely on an IT team's availability may leave ANSPs vulnerable during non-business hours, weekends, and holidays.
- Inadequate Sensing of Intrusions: IT teams often focus on IT infrastructure, but they may lack the specialized knowledge and experience to detect signs of intrusion in the performance of Air Traffic Management (ATM) systems. This could lead to delayed or overlooked incident detection.
CSIRT as part of the ATSEP Structure
Advantages of Integrating CSIRT into ATSEP Structure
- 24/7 Coverage: ATSEP personnel work round-the-clock to ensure the smooth functioning of ANSPs' critical infrastructure. Integrating CSIRT into the ATSEP structure ensures continuous incident response capabilities, reducing response time for potential threats.
- Better Sensing of Infrastructure Compromises: ATSEP personnel possess a deeper understanding of ANSPs' infrastructure and operational processes. This situational awareness enables them to detect unusual activities and potential compromises in the ATM systems more effectively.
- Seamless Collaboration: With CSIRT embedded within the ATSEP structure, collaboration between cybersecurity experts and infrastructure specialists becomes more streamlined. This integrated approach facilitates quicker decision-making during incidents.
- Blending Different Thought Approaches: An often discussed weak point of ATSEP is their orientation towards safety. Thinking along the lines of an attacker is normally not inherent to ATSEP. Here, teaming with IT teams rounds out the skill set.
Managed Cybersecurity Services
Note that cybersecurity services could be external. External cybersecurity services offer expertise, threat intelligence, and specialized skills from diverse experiences. They provide cost-effective solutions, 24/7 coverage, and compliance support.
External Services and Information Sharing
External intelligence aggregation and sharing offers ANSPs sector-specific insights, benchmarking, and early warning capabilities for proactive cybersecurity measures. These services could be coupled with internal responsibilities of ATSEP and IT-Team.
The Aviation Information Sharing & Analysis Center (A-ISAC) for instance is a global consortium for cybersecurity information sharing across the aviation sector. Founded in 2014 by seven global aviation companies, the A-ISAC has established itself as the trusted point of coordination around cyber threats for the global aviation community. Read our full article on this subject.
Proposing a Hybrid Solution
To optimize incident response capabilities, a hybrid solution that combines the strengths of both approaches is recommended. This solution entails:
- Dedicated CSIRT within ATSEP: Establish a specialized CSIRT team within the ATSEP structure, comprising cybersecurity experts with a deep understanding of ANSPs' ATM systems and operational needs. This team would provide 24/7 coverage and enhance incident detection and response. An externally managed cybersecurity service will be the third player.
- Collaborative IT, CSIRT Operations, and External Services: Promote seamless collaboration and knowledge-sharing between the IT team, the ATSEP-embedded CSIRT, and external services. This approach ensures that routine IT tasks and infrastructure maintenance continue efficiently while enabling the CSIRT to leverage ATSEP insights for better incident response.
- Enabling Technology: The technology that supports the CSIRT processes is key. It makes it possible to integrate and automate data sharing with external services such as the A-ISAC while retaining data sovereignty and data privacy. We discuss cybersecurity architecture in various articles.
- Regular Training and Skill Enhancement: Invest in continuous training for both IT and CSIRT personnel to stay updated on the latest cybersecurity threats and technological advancements. This ongoing skill enhancement improves the effectiveness of incident response efforts.
As ANSPs grapple with the critical task of strengthening their cybersecurity posture, the debate over integrating CSIRT within the ATSEP structure or IT team continues. Acknowledging the advantages and limitations of each approach, a hybrid solution emerges as the most promising option.
By combining the 24/7 coverage and better sensing of infrastructure compromises offered by ATSEP personnel with the specialized expertise and routine IT support from an IT team, ANSPs can establish a robust incident response mechanism to safeguard their vital operations from cyber threats. External services and shared data and experience enhance this even more.
Operational Technology (OT) Cybersecurity Model
In 2022, NIST drafted an Operational Technology (OT) cybersecurity model that aligns with the players suggested above. According to NIST, the structure should be grounded in an OT cybersecurity strategy which:
- Refines and supplements, as necessary, guidance from the organization-wide risk management strategy to address OT-specific constraints and requirements
- Identifies the OT cybersecurity team and personnel
- Addresses the OT cybersecurity operation model: insource, outsource, and/or use managed security services
- Outlines the appropriate cybersecurity architecture for the various OT sites within the OT program
- Defines OT-specific cybersecurity training and awareness
Who is in Charge?
Remaining question: Who is the overall authority or organization responsible for coordinating and overseeing all aspects and parties involved? We perceive it has to be the head of ATSEP. His or her team is responsible. The head of ATSEP is in charge of overseeing and ensuring the efficient and secure functioning of Air Traffic Safety Electronics. Cybersecurity is a key factor. ATSEP has to be in control, as you simply cannot delegate responsibility.
SkyRadar and Cybersecurity Training
Talk to the SkyRadar team to discuss solutions that help your organization to withstand the increasing threat of cyberattacks on the aviation sector.