Cybersecurity – one of my favourite topics – is a consideration that you can’t avoid today, regardless of what industry you work in and even at a personal level. Risks continue to increase, attacks get smarter and now bad actors are leveraging artificial intelligence (AI). Now let’s think about this challenge when it comes to protecting critical infrastructure. There’s been quite a bit of discussion recently as to whether or not the air traffic control infrastructure should be considered critical infrastructure or not. For the intent of this article, let’s consider that it is. How do we ensure our air traffic controllers (ATCOs) are adequately prepared?
ATM research underway
The SESAR Joint Undertaking (SJU) launched an exploratory research project in 2023 as part of the Digital European Sky entitled SEC-AIRSPACE – Cyber Security Risk Assessment in virtualised airspace scenarios and stakeholders’ awareness of building resilient air traffic management (ATM). The project will run until 2026 and is focussing on virutalisation and cyber data sharing.
The project has quite a range of participating organisations from industry and research institutions – Sintef, Deutsches Zentrum für Luft- und Raumfahrt (DLR), Deep Blue, Advanced Laboratory On Embedded Systems (ALES), Cefriel, Zenabyte, Luftfartsverket (LFV), Skyway Air Navigation Sevices, and Linkopings Universitet (LiU).
The stated goal of the project is to consider the balance between the benefits that digitalisation and modernisation of ATM bring to aviation, along with the challenges that come with it. Most importantly, managing cyber vulnerabilities. The project aims to introduce cybersecurity components into the state-of-the-art security risk assessment methodologies currently in use in ATM.
It will also investigate the potential of applying the concept of people analytics to increase cybersecurity awareness in ATM organisations. Results will be validated and demonstrated through two real use cases, involving relevant stakeholders.
Accomplishments to date
On 22 and 23 October 2024, partners in the SEC-AIRSPACE SESAR JU project met at the LFV Östgöta Kontrollcentral in Norrköping, Sweden, to conduct a validation exercise focussing on testing the attack simulator to enhance cybersecurity training and awareness among aviation stakeholders. So what did this actually mean?
The exercise used an advanced cyber-attack simulator to test the cybersecurity awareness and readiness of ATCOs. Starting with the replication of realistic threat scenarios, it can evaluate the performance of the ATCOs resulting in an analysis of the effectiveness of current training methods and the identification of knowledge gaps. The data collected would then be used to refine cybersecurity strategies and training programmes. The learnings in this exercise provided valuable insights as to the effectiveness in using a simulator for cyber awareness testing and training.
Building on these learnings, from 3 to 7 February 2025, eight ATCOs participated in the final validation exercise of the cyber-attack simulator of the SEC-AIRSPACE project. Changes were made based on the 2024 exercises prior to these sessions. The changes incorporated more structured methodologies, refined training materials, and enhanced participant engagement strategies, including:
- Training material was significantly improved
- Static screenshots were replaced with interactive video-based content resulting in a more intuitive learning process
- More time was dedicated at the beginning of the session to familiarize participants with the simulator with a hands-on practice phase.
The validation platforms and equipment used in the exercise to collect data were the attack simulator, the ISA/OSAT tool to evaluate perceived instantaneous workload and stress, the Polar H10 heart rate monitor chest strap and LimeSurvey to gather feedback from the ATCOs.
Outcomes and next steps
The learnings from this programme will continue to be incorporated in the SecRAM Navigator tool. The summary findings of the project are detailed below:
- Stakeholders confirmed that the methodology is comprehensive, flexible, and relevant for current and emerging ATM scenarios
- 87% of participants found the SecRAM Navigator easy to use and would recommend it to colleagues
- Users highly valued the flexibility to add new assets and vulnerabilities, threats and security controls during risk assessments, enabling tailored risk management
- More than 67% of users felt the updated methodology and tool effectively supported threat and vulnerability identification
- The concept of cascading effect analysis was well received, though further development is needed.
The more we can increase awareness and preparedness for cyber risks within our industry, they safer we will remain. Although this topic can feel daunting to many who aren’t involved daily in cybersecurity tasks, tools like this can make the topic more accessible and increase the level of comfort for ATCOs when/if they have to deal with an attack. I believe that in our current world, the scenario will unfortunately be when and not if. So the more prepared we are the better.
