CYBER SECURITY IN ANS
– A challenging new domain for ATSEP
By Theodore Kiritsis
IFATSEA Vice President
Editor Navaire
Until recently, the technical and operational environment of Air Navigation Services was a secluded area with its own proprietary, purpose-built technologies, such as CNS/ATM, disconnected from the information flow of the rest of aviation and other industries. Only recently have we moved towards an increasingly distributed/networked environment. In any case, the ‘legacy’ networks used so far, e.g. AFTN, AMHS and even IP-based ones, are disconnected from outside users. Thus the possibilities of intrusion were minimal by architectural design, and cases of malware occurred only sporadically.
However, it is worth noting that very few data, if any, exist on potential intrusions or cyber-attacks, as no incident collection has been done in an organized fashion so far. Under the current culture, an attack on the CNS/ATM environment of an ACC or an airport will be addressed as a technical failure and attributed to h/w or s/w failures by the operational technical personnel, the ATSEP. If for a moment we confine the focus to the ACC or airport areas and take an example of a cyber-attack such as a denial of service, the ATCO on duty will be deprived of critical data. The ATCO on duty will alert the ATC room supervisor, who will communicate the failure or degradation from the Ops room to the Technical SMC (Systems Monitoring and Control room), and the ATSEP on duty will try to detect, through symptomatic detection (as there are no tools to detect or identify a cyber-attack), whether it is a failure or an intrusion.
Therefore, in an ANSP, the ATSEP on duty will be requested to deal with the impact/symptom of a cyber-attack, basically acting on best practice and under the current maintenance culture. There are also cases where the Local Systems Supervision tools may identify some abnormal behavior through the monitoring of specific critical or crucial technical parameters, or intrusion in remote CNS installations, which are simpler to interpret. Given the distances usually involved with remote CNS facilities (on mountain tops etc.), the element of response/mitigation time is introduced in a so far unknown fashion, with an impact on system resources, as the response has to be able to mitigate the failure, the event and any potential interference with the data provided from the facility. Of course, if the intrusion is not detected, many security and consequently safety issues can arise.
It is expected that an advanced Local SMC Supervision with systems health management and cybersecurity tools will be researched and developed in SESAR2020, so that the future concepts implemented through tomorrow’s elements of the Service Oriented Architecture (SoA) and distributed sociotechnical systems gain the capability of ‘sniffing’ and proactively identifying abnormal system behaviors, whether they are of a technical or cybersecurity nature (or both!).
This new anticipated technical environment will give the ATSEP of the future the ability to counter potential threats and thus avoid service degradation at system level and even the propagation of the threat. As after 11/09 it was decided to think ‘out of the box’, so we must do now in the ANS domain. It must be noted here that the resilience of the ANS technical and operational system, that is, its ability to withstand external ‘perturbations’ such as security breaches/attacks but also to overcome and recover from them, will be enabled by the above tools and of course by the necessary competence levels of both ATSEP and ATCO on the ground and of Pilots in the air. This may even expand further to cooperation with competent authorities on the boundary of the ANS domain.
It is worth noting that today the ACC and the airport systems are fed with data from sensors that are open, with no encryption whatsoever (e.g. ADS-B transmissions). The same goes for communications, which are still VHF with AM modulation, and datalink with VDL xx modes that are also open with no encryption. Therefore, it is very demanding to identify whether a failure is a malfunction or an attack. In order to think out of the box, studies must be made to strengthen the CNS/ATM system and increase its resilience. This would be a new element/approach, as today the research on system resilience focuses not on the technical side but on the ATC service provision (indeed excluding even the navigation failures, e.g. EGNOS(?), provided directly to the pilot). Coming now to the SESAR and NextGen technologies that rely mainly on networking (through SWIM), it is easily realized (and it has been) that everything from the system design to the business model has to be scrutinized for creating inherent security gaps. Sometimes this is even connected to proposed changes in the business model.
I will explain with a small example.
“The SESAR2020 concept is investigating the splitting up of the Data Processing model in an ACC into individual Services that may be fed to the iCWP from potentially different data providers. Thus the final picture that will be presented to a controller will be a product of the synthesis of data from different originators or data providers. Assuming that a ‘false’ or ‘suspicious’ indication appears on the screen, the ATSEP who will be called to identify the cause of the problem and restore service will have to identify the root cause and, on top of that, identify whether it is a cyber-attack or not!”
In other words, while the Controller is facing a demanding safety-critical situation, the ATSEP has to trace the causal analysis back to the said data providers and/or potential interference with the unencrypted sensor data. Now, if we include in the system a new concept such as RPAS, with their own sensors and failure modes for which no experience exists yet, then the cybersecurity equation becomes more and more complex. Remember, an RPAS flying in non-segregated airspace is another target for the system. The new proposed business model for CNS provision and/or even a centralized critical functionality like a Central Tracker inherently creates single points of failure. Just imagine for a moment the case of a false alarm on the centralized tracker and the impact it would have on the clients/ANSPs having to revert to their backup systems. Similar, clearly technical failures in ANSPs have created havoc for several hours in the European skies. If you want to elaborate a little more, include the Pilot in the awareness loop in this time-critical situation! So it is the ATSEP and the ATCO (if the failure reaches their screen) and the Pilot in the air, and that is all. The incident I described above will be a battle against time!
Moreover, the issue needs to be resolved because safety, security and even performance are threatened, especially in the case of false alarms. The issue of false alarms and probability of detection is a well-known problem in detecting potential threats, especially in airport security metrics. Addressing the cybersecurity issues directly addresses the CNS/ATM system resilience and the failure propagation to other interconnected systems, and now in the SESAR and NextGen era most, if not all, systems communicate through SWIM.
Speaking in resilience terminology, a successful cybersecurity attack will be treated as a system perturbation, and resilience will be the capability of the system to withstand the attack, limit and stop its propagation, and recover as soon as possible to nominal system operation, so that tactical operations consequently return to a normal state.
Although not directly related, as it was sabotage, just a few months ago a subcontractor cut the communication lines of the Chicago ATC center and set fire to the housing of ANS systems. It took a lot of effort (18 days?), miles of optical fiber and reinstallation of certain h/w and s/w elements to restore the ACC back to normal operations. The cutting of communication lines had a severe effect on operations, since suddenly no Surveillance and/or Data Processing picture was available. The fact that the fire alarm rang mandated the evacuation of the premises, with the ATSEP returning first to the site to try to evaluate the damage and draw up a plan to begin restoring systems operation. This example may sound overstretched, but please focus on the fact that, in cybersecurity terms, this event may be considered an ‘insider’s job’, because he knew which communication lines to cut (at least) but, as the press reads, without realizing the effect it would have on the traffic. This could equally have been a deliberate insertion of a virus, or a ‘key logger’ s/w patch that came in a piece of COTS equipment.
In conclusion, it is mainly the ATSEP who are likely to spot a security breach (at data/network level) while it is evolving. Arming the SMC suites with security tools for detecting and addressing breaches (decision-making tools), together with specialized training* for all involved stakeholders (ATSEP, ATCO) and clearly defined roles and responsibilities, will be the basis for further work. Needless to say, the technical system supervision will have to be standardized and formalized in such a way that the same technical supervision capability, including on cybersecurity threats, is available in all deployed systems. Failure mode analysis (FMEA) will have to be revisited, and of course contingency plans, to say the least. Even a special protocol (technical status exchange model) for systems supervision and monitoring will greatly facilitate technical system awareness. On the human side, this will mean that in order to address a security incident a meaningful TRM context for ATSEP/ATCO and Pilot coordination will have to be developed. EASA has identified this need for ATSEP security training and included it in NPA 2013-08.
Theodore is an ATSEP working for the Hellenic Civil Aviation Authority. He is Vice President of IFATSEA and editor of Navaire. He has been involved in SESAR since the early days of the definition phase in 2005. Currently he contributes to the IFATSEA SJU IVT Team and represents staff associations on the ADMIN Board of SJU.
This is a significant threat to aviation industry
Hello, I'm so happy with your blog site, it contains all the matter with regards to cybersecurity. Good luck to you and your well performed job.