ATM: navigating the challenging cybersecurity landscape

Juhan Lepassaar

With the exponential increase in digitalisation of our society we have witnessed over the past two to three years, all sectors of our economy need specific attention, and this is, of course, also the case for the aviation sector, explains Juhan Lepassaar, Executive Director of the European Union Agency for Cybersecurity.

ENISA, the EU Agency for Cybersecurity, engages with all the actors of the different economic sectors, together with Member States and EU institutions and bodies, to issue recommendations and ensure the highest level of trustworthiness in command, control and supervisory control systems used in all critical infrastructure networks.

However, as multifold as it is, the role of ENISA goes far beyond this high level of action. The Agency supports cybersecurity policy development and implementation and helps Member States with their cybersecurity strategies. It also gives its support to address challenges at national levels by issuing recommendations and best practices. We work here to strengthen cooperation between Member States and EU institutions, bodies and agencies. This can be through operational cooperation with joint situational awareness activities or through capacity-building activities such as co-organised cyber exercises. ENISA acts, therefore, as a lead management coordinator between technical actors and political decision-makers in the event of a large-scale, cross-border cyber crisis.

"Maintaining a high level of safety remains especially vital in this sector considering our current context of volatile and highly impactful global events"

ENISA also supports Member States with the organisation of cyber exercises such as Cyber Europe, designed to test the cybersecurity levels, business continuity processes and crisis management capabilities of specific sectors. In 2022, the Cyber Europe exercise tested the resilience of the EU health sector.

The Agency also issues a yearly threat landscape report to identify trends. The ENISA Threat Landscape report gives some essential insights into the evolution of threats. With more than 10 terabytes of data stolen monthly, ransomware remains one of the two top threats, alongside attacks against availability (Distributed Denial of Service (DDoS) attacks). The analysis of threat actors and threat trends helps support better preparedness across the EU and among relevant EU bodies and sectors.

Defined by the Cybersecurity Act, the activities of ENISA play a central role in meeting the objectives of the EU's Cybersecurity Strategy in the Digital Decade.

ENISA has been encouraging and facilitating cybersecurity developments for a number of economic sectors such as telecommunications, finance, health, energy and transport, including aviation. The COVID-19 pandemic accelerated several drivers in many industries, forcing companies into a "no return" digital transformation path. In the process, as end users flocked towards online channels, organisations increased the pace of innovation and adoption of more advanced technological solutions across the supply chain. While the aviation sector, like most sectors, is also embracing digital transformation, maintaining a high level of safety remains especially vital in this sector considering our current context of volatile and highly impactful global events, such as the pandemic and climate change.

Air traffic management (ATM) systems are among these critical systems; they are complex by nature as they are part of a large ecosystem of services. Connectivity and capacity, even for the latest generation of aircraft, can become specifically challenging when it comes to managing an array of legitimate functions from operations to performance, maintenance, traffic and safety.

Such integration is often challenged by the necessary links between information technology (IT) and operational technology (OT) environments. Even if information technology is typically known to be more mature when it comes to cybersecurity, a breach of IT systems is a risk to consider. It could have significant impacts, such as causing service disruption, delays, reputational or financial damage, even if it typically does not or may not impact the safe operation of the aircraft, for instance. On the other hand, cyberattacks or cyber-physical attacks that target OT systems may result in harm, injury or ultimately loss of lives.

The aviation sector is also known to have engaged efforts in order to address incompatibilities in ATM's legacy systems, known vulnerabilities, performance requirements and the emerging availability of off-the-shelf solutions to make its systems more flexible, connectable and scalable. And while the established use of practices such as system redundancy or "failsafe" and fall-back procedures ensures that safety is the primary concern in ATM, this new complex digital ecosystem inevitably paves the way to new and additional threats and cyber risks.

But attacks on ATM infrastructure are not new. We can go as far back as 2008, when the US Federal Aviation Administration saw the integrity of its systems corrupted and hackers gained access to critical network servers. The tampering with satellite navigation signals has also been widely reported over recent years, and within the particular context of the Russian invasion of Ukraine.

"It is paramount to understand that without cybersecurity there will be no trust to be able to fully reap the benefits of a digital economy and society in Europe"

Cybercriminals deploy increasingly sophisticated tools and are fine-tuning their tactics, techniques and procedures (TTPs), aiming at more efficient and effective attacks. As the attack surface widens proportionally to the number of Internet of Things (IoT) devices used and connected among others, the playground for malicious actors also expands just as much. Nation state actors make extensive use of zero-day exploits to achieve their operational and strategic goals, and the hacking-as-a-service business model continues to gain traction.

This evolving threat landscape is obviously now a concern of all sectors providing essential services, such as the aviation sector, which operate with complex infrastructures in place.

The Russian invasion of Ukraine has defined a new era for cyber warfare and hacktivism. It is a whole new game for unlocking and bringing the potential of cyberattacks into the physical war front, to disrupt critical infrastructures, establish pre-positioning activities, engage in cyber influence operations and disinformation and propaganda, to mention but a few.

In this new era it is paramount to understand that without cybersecurity there will be no trust to be able to fully reap the benefits of a digital economy and society in Europe. If we don't invest in those benefits and technologies, we won't be in the position to strengthen our digital autonomy. So what measures can we take to increase the resilience of critical, safety-of-life infrastructures such as ATM?

The European Union has developed and is still developing a number of legislative measures in order to implement its EU Cybersecurity Strategy. Major policies developed so far include the Directive on measures for a high common level of cybersecurity across the Union (known as NIS2), the Cyber Resilience Act (CRA), or the Digital Operational Resilience Act for the financial sector.

Latest developments in legislation show a tendency to focus on and address the needs of specific sectors. The EU has therefore pioneered a set of inter-linked legislative initiatives which are unprecedented worldwide.

As for the aviation sector, in particular opinion Nº 03/2021 proposes "the introduction of an information security management system (ISMS) for the competent authorities and for organisations in all aviation domains and requires them to report incidents and vulnerabilities related to information security," (Horizontal Rule Part-IS).

The Horizontal Rule Part-IS text has been developed in consultation with the European Strategic Coordination Platform (ESCP). ENISA is a Member of ESCP and has contributed to the consultation process by participating in two expert working groups.

In addition, under the recently adopted NIS2, ENISA has established a service-oriented sectorial strategy, under which ENISA's "service catalogue" is delivered in the format of a package (according to a sector's specificities) that aims to boost capability and overall resilience. Aviation is one of the sectors targeted by the service package.

But our work does not end here. Given that attackers are sector-agnostic, when it comes to critical infrastructure – as is the case of the aviation industry – targeted cooperation among sectorial bodies and agencies, public and private sectors can help fill gaps in the digital autonomy of strategic sectors, help foster and promote initiatives and ensure common responses to common threats.

ENISA has had a close collaboration with EUROCONTROL over the past years, sharing relevant information and analysis under the threat landscape and EUROCONTROL/EATM-CERT reports respectively, thus boosting overall threat knowledge and situational awareness. In addition, EUROCONTROL experts are part of the ENISA ad hoc working group on cyber threat landscapes, and they regularly exchange know-how with ENISA on aviation threats.

ENISA also actively participates in the Aviation Cybersecurity Working Group and liaises with the European Union Aviation Safety Agency (EASA) on multiple initiatives as a catalyst for collaboration and exchange in the aviation sector. These include, but are not limited to, information sharing (e.g. threats and incidents), disseminating good practices (e.g. incident reporting, taxonomies), and working with stakeholders to achieve EU-wide harmonisation.

In conclusion, first we need to gear up collaboration and make full use of the tools in our hands in an effort to strengthen resilience and trust.

Secondly, we need research, innovation, foresight and looking at emerging technologies (e.g. passwordless authentication, AI-based security operations, decentralised identity, cloud native application protection platforms, etc.) as the key to getting ahead of the cybersecurity game. But we also have to make sure that the technologies of tomorrow are deployed to make our internal market more cyber secure and not less so.

Thirdly, we need responsibility. The newly adopted directive now introduces accountability for top management for non-compliance with cybersecurity risk management measures. This accountability is an important tool as it is designed to direct the attention of operators of critical infrastructures to strategic investments in the necessary cybersecurity and risk-based solutions and approaches.

The pandemic has made it clear just how much of our critical infrastructures and economy depend on an open and secure access to the internet. As a community, we need to come together to cooperate and prepare to respond to a future large-scale cyber incident.
