By Theodore Kiritsis
Until recently, the technical and operational environment of Air Navigation Services was a secluded area, built on proprietary technologies made specifically for the purpose, such as CNS/ATM, and disconnected from the information flow of the rest of aviation and other industries. Only recently have we moved towards an increasingly distributed, networked environment. In any case, the ‘legacy’ networks used so far, e.g. AFTN, AMHS and even IP-based ones, are disconnected from outside users. The possibilities for intrusion were therefore minimal by architectural design, and cases of malware occurred only sporadically.
However, it is worth noting that very few data, if any, exist on potential intrusions or cyber-attacks, as no organised incident collection has been done so far. Under the current culture, an attack on the CNS/ATM environment of an ACC or an Airport will be treated as a technical failure and attributed to h/w or s/w faults by the operational technical personnel, the ATSEP. Consider, for a moment, the ACC or Airport areas and an example of a cyber-attack such as a denial of service: the ATCO on duty will be deprived of critical data. The ATCO on duty will alert the ATC room supervisor, who will communicate the failure or degradation from the Ops room to the Technical SMC (Systems Monitoring and Control room), and the ATSEP on duty will try to determine, through symptomatic detection (as there are no tools to detect or identify a cyber-attack), whether it is a failure or an intrusion.
Therefore, in an ANSP, the ATSEP on duty will be asked to deal with the impact or symptom of a cyber-attack, basically acting on best practice and under the current maintenance culture. There are also cases where the Local Systems Supervision tools may identify abnormal behaviour through the monitoring of specific critical or crucial technical parameters, or an intrusion into remote CNS installations, which are simpler to interpret. Given the distances usually involved in reaching remote CNS facilities, on mountain tops etc., the element of response and mitigation time enters in a so far unknown fashion, with an impact on system resources, as the response has to be able to mitigate the failure, the event and any potential interference using the data provided by the facility. Of course, if the intrusion is not detected, many security and consequently safety issues can arise.
It is expected that advanced Local SMC Supervision, with systems health management and cybersecurity tools, will be researched and developed in SESAR2020, so that the future concepts implemented through tomorrow’s elements of the Service Oriented Architecture (SoA) and distributed sociotechnical systems gain the capability of ‘sniffing’ and proactively identifying abnormal system behaviours, whether of a technical or a cybersecurity nature (or both!).
This anticipated new technical environment will give the ATSEP of the future the ability to counter potential threats, and thus to avoid service degradation at system level and even the propagation of the threat. Just as after 11/09 it was decided to think ‘out of the box’, so we must do now in the ANS domain. It must be noted here that the Resilience of the ANS technical and operational system, its capacity to withstand external ‘perturbations’ such as security breaches and attacks, but also to overcome and recover from them, will be enabled by the above tools and, of course, by the necessary competence levels of both ATSEP and ATCO on the ground and of Pilots in the air. This may even extend further to cooperation with competent authorities at the boundary of the ANS domain.
It is worth noting that today the ACC and Airport systems are fed with data from sensors that are open, with no encryption whatsoever (e.g. ADS-B transmissions). The same goes for communications, which are still VHF with AM modulation, and for datalink with VDL xx modes, which are also open with no encryption. Therefore it is very demanding to identify whether a failure is a malfunction or an attack. In order to think out of the box, studies must be made to strengthen the CNS/ATM system and increase its Resilience. This would be a new element and approach, as today the research on System Resilience focuses not on the technical side but on ATC service provision (indeed excluding even Navigation failures, e.g. EGNOS(?) provided directly to the pilot). Coming now to the SESAR and NextGen technologies, which rely mainly on networking (through SWIM), it is easily realised (and it has been) that everything from the system design to the business model has to be scrutinised for the inherent security gaps it may create. Sometimes this is even connected to proposed changes in the business model.
I will explain with a small example.
“The SESAR2020 concept is investigating the splitting up of the Data Processing model in an ACC into individual Services that may be fed to the iCWP from potentially different data providers. Thus the final picture presented to a controller will be the product of a synthesis of data from different originators or data providers. Assuming that a ‘false’ or ‘suspicious’ indication appears on the screen, the ATSEP who is called to identify the cause of the problem and restore service will have to identify the root cause and, on top of that, determine whether it is a cyber-attack or not!”
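The tracing problem described in the example above is easier if the synthesis step keeps provenance instead of blending inputs into an anonymous picture. The following is an added illustration in Python, not code from the original post or from any SESAR project: it fuses constructed track reports from two hypothetical providers (`provider_A`, `provider_B`), records which providers contributed to each track, and flags a track when the providers disagree beyond a tolerance or when only one provider reported it, so that a suspicious indication on the CWP can be traced back to its originators. Positions are in an invented local Cartesian frame in NM to keep the geometry simple.

```python
from math import hypot

# Constructed track reports from two hypothetical surveillance data providers.
# Positions are (x_nm, y_nm) in a local Cartesian frame for simplicity;
# callsigns and provider names are invented for illustration.
REPORTS = [
    {"provider": "provider_A", "callsign": "ABC123", "pos": (10.0, 20.0)},
    {"provider": "provider_B", "callsign": "ABC123", "pos": (10.5, 20.0)},
    {"provider": "provider_A", "callsign": "XYZ789", "pos": (50.0, 60.0)},
    {"provider": "provider_B", "callsign": "XYZ789", "pos": (58.0, 60.0)},
    {"provider": "provider_B", "callsign": "DEF456", "pos": (30.0, 30.0)},
]


def synthesize(reports, tolerance_nm=2.0, min_sources=2):
    """Fuse per-callsign reports into one picture while keeping provenance.

    Each fused track records which providers contributed and carries flags
    when the inputs disagree by more than tolerance_nm or when fewer than
    min_sources providers reported it, so a suspicious indication on the
    CWP can be traced back to its originators instead of appearing as a
    monolithic system fault.
    """
    by_callsign = {}
    for r in reports:
        by_callsign.setdefault(r["callsign"], []).append(r)

    picture = {}
    for callsign, group in by_callsign.items():
        sources = {r["provider"]: r["pos"] for r in group}
        positions = list(sources.values())
        flags = []
        if len(sources) < min_sources:
            flags.append("single_source")
        # Largest pairwise separation between the providers' positions.
        spread = max(
            (hypot(a[0] - b[0], a[1] - b[1])
             for i, a in enumerate(positions) for b in positions[i + 1:]),
            default=0.0,
        )
        if spread > tolerance_nm:
            flags.append("provider_disagreement")
            fused = None  # never blend conflicting inputs into one position
        else:
            fused = (
                sum(p[0] for p in positions) / len(positions),
                sum(p[1] for p in positions) / len(positions),
            )
        picture[callsign] = {
            "position": fused,
            "sources": sources,
            "spread_nm": spread,
            "flags": flags,
        }
    return picture


def trace(picture, callsign):
    """Root-cause aid: list each provider's raw input for a track."""
    track = picture[callsign]
    return sorted(track["sources"].items())


if __name__ == "__main__":
    picture = synthesize(REPORTS)
    for callsign, track in picture.items():
        print(callsign, track["position"], track["flags"])
        if track["flags"]:
            print("  provenance:", trace(picture, callsign))
```

The design choice worth noting is that a disagreeing track is presented with no fused position at all rather than an average of conflicting inputs; the flag and the per-provider provenance are what the ATSEP needs to decide whether one provider failed, one feed was interfered with, or the synthesis itself is at fault.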
In other words, while the Controller is facing a demanding, safety-critical situation, the ATSEP has to trace the causal analysis back to the said data providers and/or to potential interference with the unencrypted sensor data. Now, if we include in the system a new concept such as RPAS, with their own sensors and failure modes for which no experience exists yet, then the cybersecurity equation becomes more and more complex. Remember that an RPAS flying in non-segregated airspace is another target for the system. The newly proposed business model for CNS provision, and/or even a centralised critical functionality like a Central Tracker, inherently creates single points of failure. Just imagine for a moment a false alarm on the centralised tracker and the impact it would have on the client ANSPs, which would have to revert to their backup systems. Similar, clearly technical failures in ANSPs have created havoc for several hours in the European skies. If you want to elaborate a little more, include the Pilot in the awareness loop in this time-critical situation! So it is the ATSEP, the ATCO (if the failure reaches their screen) and the Pilot in the air, and that is all. The incident I described above will be a battle against time!
Moreover, the issue needs to be resolved because safety, security and even performance are threatened, especially in the case of false alarms. The trade-off between false alarms and probability of detection is a well-known problem in detecting potential threats, especially in Airport Security metrics. Addressing the cybersecurity issues directly addresses CNS/ATM system resilience and the propagation of failures to other interconnected systems, and in the SESAR and NextGen era most, if not all, systems communicate through SWIM.
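The two points above, that Local Systems Supervision can spot abnormal behaviour by monitoring critical technical parameters, and that any such detector trades false alarms against probability of detection, can be shown concretely with a small monitor. The following is an added illustration in Python, not code from the original post or from any SMC product: it learns a per-parameter baseline from a constructed nominal window of a hypothetical surveillance feed (messages per second and processing latency in ms, both invented), flags an interval when any parameter departs from baseline by more than k standard deviations, and reports which parameter tripped so the ATSEP knows which symptom to investigate. Running it with several thresholds shows the trade-off: a low k catches the subtle degradation but also raises a false alarm on a noisy healthy interval, a high k is quiet but misses the subtle case.

```python
from statistics import mean, pstdev

# Constructed SMC telemetry for one surveillance data feed (hypothetical
# parameters: messages per second and mean processing latency in ms).
# All values are invented for illustration, not taken from any real system.
BASELINE_WINDOW = [
    # (msg_rate, latency_ms) sampled during a known-nominal period
    (98, 49), (101, 51), (99, 50), (100, 50), (102, 48),
    (100, 52), (97, 50), (103, 50), (100, 51), (100, 49),
]

EVALUATION_WINDOW = [
    # (label, msg_rate, latency_ms); the label is ground truth used only for scoring
    ("nominal", 100, 50),
    ("nominal", 101, 51),
    ("nominal", 99, 49),
    ("nominal", 104, 53),   # noisy but healthy interval
    ("nominal", 100, 50),
    ("abnormal", 40, 400),  # gross degradation: feed nearly lost
    ("abnormal", 96, 54),   # subtle degradation: slight rate drop, latency creep
]

PARAMETERS = ("msg_rate", "latency_ms")


def baseline_stats(window):
    """Per-parameter mean and population standard deviation of the nominal window."""
    columns = list(zip(*window))
    return {name: (mean(col), pstdev(col)) for name, col in zip(PARAMETERS, columns)}


def z_scores(sample, stats):
    """Absolute deviation of each parameter from its baseline, in standard deviations."""
    return {
        name: abs(value - stats[name][0]) / stats[name][1]
        for name, value in zip(PARAMETERS, sample)
    }


def classify(sample, stats, k):
    """Return (abnormal, worst_parameter, its z-score) for a threshold of k sigma.

    The worst parameter is reported because the symptom that tripped the
    monitor is the ATSEP's starting point for deciding failure vs. intrusion;
    the monitor itself cannot tell the two apart.
    """
    scores = z_scores(sample, stats)
    worst = max(scores, key=scores.get)
    return scores[worst] > k, worst, scores[worst]


def evaluate(k):
    """Count false alarms on nominal intervals and detections on abnormal ones."""
    stats = baseline_stats(BASELINE_WINDOW)
    false_alarms = detections = 0
    for label, rate, latency in EVALUATION_WINDOW:
        abnormal, _worst, _z = classify((rate, latency), stats, k)
        if abnormal and label == "nominal":
            false_alarms += 1
        elif abnormal and label == "abnormal":
            detections += 1
    return false_alarms, detections


if __name__ == "__main__":
    for k in (2.0, 3.0, 4.0):
        fa, det = evaluate(k)
        print(f"k={k}: false alarms={fa}, detections={det} of 2")
```

With this constructed data, k=2 gives one false alarm and both detections, k=3 gives no false alarm and both detections, and k=4 gives no false alarm but only one detection; in a real SMC the threshold would be tuned against recorded nominal operation of each deployed system, which is one reason the post argues for standardised Technical Supervision and organised incident collection.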
Speaking in Resilience terminology, a successful cybersecurity attack will be treated as a system Perturbation, and Resilience will be the capability of the system to withstand the attack, limit and stop its propagation, and Recover as soon as possible to nominal system operation, so that tactical Operations return to their normal state. Although not directly related, as it was sabotage, just a few months ago a subcontractor cut the communication lines of the Chicago ATC center and set fire to the housing of ANS systems. It took a lot of effort (18 days?), miles of optical fibre and the reinstallation of certain h/w and s/w elements to restore the ACC Center to normal operations. The cutting of the communication lines had a severe effect on operations, since no Surveillance and/or Data Processing picture was (suddenly) available. The fire alarm mandated the evacuation of the premises, with the ATSEP returning first to the site to evaluate the damage and draw up a plan for restoring systems operation. This example may sound overstretched, but please focus on the fact that, in cybersecurity terms, this event may be considered an ‘insider’s job’, because he knew (at least) which communication lines to cut but, as the press reports, without realising the effect it would have on the traffic. This could equally have been the deliberate insertion of a virus, or of a ‘key logger’ s/w patch that came in a piece of COTS equipment.
In conclusion, it is mainly ATSEP who are likely to spot a security breach (at data/network level) while it is evolving. Arming the SMC suites with security tools for detection and response (decision-making tools), together with specialised training* for all involved stakeholders (ATSEP, ATCO) and clearly defined Roles and Responsibilities, will be the basis for further work. Needless to say, Technical System Supervision will have to be standardised and formalised in such a way that the same Technical Supervision capability, including for cybersecurity threats, is available in all deployed systems. Failure mode analysis (FMEA) will have to be revisited, and of course Contingency Plans, to say the least. Even a dedicated protocol (a technical status Exchange Model) for systems supervision and monitoring would greatly facilitate technical system awareness. On the human side, this will mean that, in order to address a security incident, a meaningful TRM context for ATSEP/ATCO and Pilot coordination will have to be developed. EASA has identified this need for ATSEP security training and included it in NPA 2013-08.
Theodore is an ATSEP, working for the Hellenic Civil Aviation Authority. He is Vice President of IFATSEA and editor of Navaire. He has been involved in SESAR since the early days of the definition phase in 2005. Currently he contributes to the IFATSEA SJU IVT Team and represents staff associations on the ADMIN Board of SJU.