Security Blind Spots in the ATM Safety Culture

Howard Chivers, J. Hird
Published in: 2013 International Conference on Availability, Reliability and Security, 2013-09-02
DOI: 10.1109/ARES.2013.103 (https://doi.org/10.1109/ARES.2013.103)
Citations: 6

Abstract

In 2008 EUROCONTROL published Information and Communications Technology (ICT) Security Guidance to Air Navigation Service Providers (ANSPs), to assist them in complying with regulatory security requirements. The validation of that guidance included surveys which were conducted to contrast current practice in European ANSPs with a baseline control set based on ISO/IEC 27001:2005. The surveys are confidential and unpublished; however, by identifying the controls that are missing in all the survey responses, it is possible to identify potential 'blind spots' in Air Traffic Management (ATM) security while maintaining the anonymity of the respondents. Key issues identified in this way include security management and senior management engagement, system accreditation, the validation and authentication of data used by ATM systems, incident management, and business continuity preparedness. Since little can be said about the original surveys, these results are necessarily indicative, so the paper contrasts these findings with contemporaneous audit reports on security in US ATM systems. The two sources prove to be in close agreement, suggesting that the issues identified are systematic difficulties in introducing security into Air Traffic Management culture.