Moving Targets

Read Moving Targets: James Careless assesses the huge challenge of developing a cyber security strategy for European air traffic management

Read Moving Targets: James Careless assesses the huge challenge of developing a cyber security strategy for European air traffic managementJames Careless assesses the huge challenge of developing a cyber security strategy for European air traffic management
Cyber security: whether it is as small a threat as a teenager hacking in from their basement, or as serious as a hostile nation unleashing its cyber warriors en masse, cyber security is an increasingly dangerous challenge to safe air traffic management.
Nowhere is this truer than in Europe, where the Single European Sky ATM Research (SESAR) programme for research and innovation (R&I) is aiming to integrate the continent`s diverse and often incompatible national air traffic control (ATC) systems into a single cohesive, efficient and modern entity.
“The current ATM is a patchwork network of bespoke systems connected by an array of different interfaces, often utilising national or proprietary standards,” says Florian Guillermet, executive director of the SESAR Joint Undertaking.
“Modernisation initiatives, including the ICAO Global Air Navigation Plan, SESAR, and NextGen, as well as other initiatives across the world, focus on a significantly more-connected ATM system that use modern technologies and interoperability to deliver operational improvements through a common view of all aeronautical information.”
Mindful of how reliant the SESAR ATM system will be on co-operative surveillance, SWIM (System Wide Information Management) and similar data-driven applications – and how vulnerable these applications could be to hacking – SESAR is investigating, analysing, and creating an implementable strategy known as the SESAR Cyber Security Study.
Awarded to a consortium formed by Helios and Thales, the €700,000 study project was initiated in mid-2014, and is due to deliver its final report in the second quarter of 2015.
“The results of the study will be used to support the SESAR programme’s next developments – in particular on SWIM – and provide the basis for proactive, effective and efficient management of information in relation to any cyber security specific threats in the new ATM system,” says Guillermet. “Such a strategy will then also contribute to the development of the security threat and safety risk analysis required for the effective deployment of the new ATM systems and to their interoperability.”
To remain effective, this strategy will have to be capable of adapting as cyber security threats evolve over time. “It has to be recognised that cyber threats are not static; they evolve with the sophistication of attackers and as systems change new vulnerabilities are introduced,” says Guillermet. “Crucially, cyber security is not just about technical IT solutions: physical, human, process and (pan-) organisational measures are needed. Cyber defence in this context will require every ATM stakeholder to prepare and protect itself, to be ready to detect and analyse attacks as early as possible, and respond effectively to stop their escalation.”
Variety of Threats
The kinds of cyber threats faced by controllers and the reasons these threats exist, have been enumerated in the CANSO Cyber Security and Risk Assessment Guide released by the Civil Air Navigation Services Organisation in June 2014, and available online.
“Potential attackers span a wide range of abilities, resources, and motives,” states the CANSO report. The range of potential attackers starts with relatively harmless hackers who are trying to prove their skills and gain ‘bragging rights’ with their peers, followed by cyber thieves looking to steal saleable/exploitable information; and intruders looking to covertly explore the penetrated network with the option of attacking it.
Next come organised cyber espionage units working on behalf of a government/business intent on both stealing and disrupting/destroying the network’s data; and true cyber warriors acting on behalf of hostile governments, who wreak as much havoc as they can on the targeted network and the clients it serves.
Unfortunately, the high profile of commercial aviation, plus the horrific attention-grabbing power of the 9/11 airliner attacks in New York, make airline travel and air traffic control natural targets. And make no mistake, cyber attacks are already occurring. In fact, ‘the FAA’s systems are probed 50,000 times an hour by people intent on doing harm at some point,’ noted FAA Administrator Michael Huerta.
Ghost Plane
Computer security researcher Andrei Costin and Professor Aurélien Francillon’s team have proved that an ADS-B beacon can be ‘spoofed’ using store-bought electronic parts, to convince a controller that a non-existent ‘ghost plane’ is about to land. Costin’s work is cited in ‘Cyber Security for Civil Aviation’, a paper delivered at ICAO’s Twelfth Air Navigation Conference in November 2012.
“Upon a closer look at the ADS-B specification, it was very soon obvious that the system/protocol is unprotected and there is potential for many attacks,” Costin told Air Traffic Management in 2012. “What surprised us most is that ADS-B development and deployment costs hundreds of millions of US dollars. At the same time it can be attacked, and many times successfully compromised, using equipment worth less than US$1000 and several weeks of research and development.”
These are just two examples of the many kinds of cyber threats that could attack ATM in the years ahead. Getting ahead of them is the weighty task of the SESAR Cyber Security Study.
From Threat Assessment to Strategy
Ambitious: That`s the appropriate term to describe the scope of the SESAR Cyber Security Study. It is comprised of four ‘deliverables’; collectively taking the process from initial research to usable, implementable strategy. As outlined in SESAR’s tender specifications for this project, the four phases are labelled Deliverables D1 through to D4.
Deliverable D1 is the ‘ATM Cyber-Security Threat and Vulnerability Assessment’, according to the SESAR tender. As the name suggests, this stage is concerned with determining what kind of threats are arrayed against Europe’s ATM system, and where the systems are vulnerable.
“Unfortunately, today’s ATM infrastructures are comprised of multi-vendor products and networks, which are only as strong as their weakest links,” says Jeff Snyder, vice president of Raytheon’s cyber programmes. Raytheon offers end-to-end cyber-security solutions for a number of industries and sectors, including aviation and ATC. “You’ve got to find and remedy these weaknesses in order to reduce vulnerability,” Snyder adds. “As well, your code has to be written to be highly secure, right from the start.”
In assessing threats to Europe’s ATM system, the Helios-Thales consortium will have to go beyond hardware and software to consider the ‘cyber security ecosystem’ in which SESAR’s European ATM System (EATMS) will be operating. They will have to identify threats – including threats from within – the methods of attack, and the potential business consequences.
Deliverable D2 is the SESAR Target ATM Cyber Security Framework. This is where the Helios-Thales consortium will take what they have learned about cyber security threats and vulnerabilities to European ATM; compares them to their research into SESAR’s structure, progress and challenges, and use the two to propose a framework for implementing ATM cyber security in the emerging SESAR system.
This is not a one-shot deal. As SESAR moves ahead, the expectations and requirements of its cyber security system will have to progress as well. “A pragmatic and practical framework is required in order to measure at given moments the level of maturity and capability reached in comparison to a required level and to select areas of evolution and high level requirements to reach the next level,” states the SESAR tender. “Deliverable D2 shall provide such a framework.”
Deliverable D3 is the SESAR Cyber Security Maturity Assessment. This is where the study team will compare SESAR’s current level of development against the D2 cyber security framework, “to understand the level of maturity already achieved and to manage its further evolution,” the SESAR tender outlines. “This assessment will also lead to an identification of the areas of improvement that should be addressed in order to make it possible for SESAR to handle the ATM cyber security threats as identified in D1 in an appropriate way.”
Finally – and this is the final stage of the study due in the second quarter of 2015 – Deliverable D4 is the SESAR Cyber Security Strategy and Evolution. This is where all the work done in phases D1-D3 is translated into a defined, applicable strategy that will guide SESAR’s cyber security protection system.
According to the SESAR tender, “The final deliverable D4 shall provide a set of proposed steps that would be taken in applying such a strategy to reach the target level – to be defined as part of this strategy – of cyber security maturity that should allow SESAR and its SWIM component to address the ATM cyber security threats as identified in D1 in an appropriate way.
No Small Endeavour
The sheer scope of the SESAR Cyber Security Study is breathtaking: The Helios-Thales consortium is charged with plotting the course of Europe’s ATM cyber security for years to come; including proposing the systems and approaches that will keep Europe’s skies safe.
One thing is certain: The topics being considered in the SESAR Cyber Security Study are of monumental importance to global aviation, and the millions of passengers who fly every year. The conclusions this study provides will form the basis for further work under SESAR 2020 and will contribute to the safety of European aviation for years to come.