Transcription
Introduction to cyber security policy for ATM
March 16th to 18th, 2021, ICAO-CANSO-AIRBUS Cybersecurity Webinar

Agenda
- Introduction
- Security Benefits of Policy
- Documentation
- Developments in Cybersecurity in ICAO
- Introduction of Air Traffic Management Cybersecurity Policy Template
- Security policy template review: goals, content, use case example

Introduction

Security Benefits of Policy: how good security policy protects and defends
Have we just been lucky so far?
There have been security incidents that have affected aviation, but no truly disruptive cyber event. Is that because we're "good", or because we've been "lucky"?
The "Good":
- We have a culture of care and attention to support safety
- Our systems generally operate in an isolated environment (but this is changing)
- Our processes and procedures are naturally defensive & cautious
- We have checklists of checklists
What if:
- our safety focus can be used to distract from other threats
- the systems we trust implicitly have been altered
- our caution stops us acting quickly when we need to
- our checklists & procedures make us predictable to an attacker
- a supplier we trust gets compromised
Policy stands as the foundation of good technical protections
Is there any example of "good" policy? Of course! The "Air Traffic Management Cybersecurity Policy Template", developed in partnership by ICAO, CANSO and Airbus.

So what are the benefits? Looking back over how the ATM Cyber Policy Template requirements protect against an attack like the SolarWinds Orion attack, across the template's areas:
- Access Control
- Communications Security
- New Systems
- Operations Security
- Maintenance
- Handling Incidents
Documents

Documentation
- Resolution A40-10: Addressing Cybersecurity in Civil Aviation
- Air Traffic Management Cybersecurity Policy Template
- Safety Management Manual (SMM) (Doc 9859)
- ICAO Aviation Security Global Risk Context Statement (Doc 10108)
- Aviation Security Manual (Doc 8973)
- Annex 17: Security Provisions

Documentation (continued)
- Air Traffic Management Security Manual (Doc 9985)
- Annex 19: Safety Management
- ICAO Aviation Cybersecurity Strategy
- CANSO Standard of Excellence in Cybersecurity
- ISO/IEC 27000-series of information security standards
- ICAO Cybersecurity Action Plan

ISO/IEC 27000-series of information security standards: information about best practices to improve information security
- ISO/IEC 27000: Information security management systems - Overview and vocabulary
- ISO/IEC 27001: Information security management systems - Requirements
- ISO/IEC 27002: Code of practice for information security management
- ISO/IEC 27003: Information security management system implementation guidance
- ISO/IEC 27004: Information security management - Measurement
- ISO/IEC 27005: Information security risk management
- ISO/IEC 27006: Requirements for bodies providing audit and certification of information security management systems
- ISO/IEC 27010: Information technology - Security techniques - Information security management for inter-sector and inter-organizational communications

ISO/IEC 27000-series (continued)
- ISO/IEC 27011: Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
- ISO/IEC 27031: Guidelines for information and communications technology readiness for business continuity
- ISO/IEC 27033-1: Network security overview and concepts
- ISO/IEC 27033-3:2010: Network security - Part 3: Reference networking scenarios - Threats, design techniques and control issues
- ISO/IEC 27035: Security incident management
- ISO 27799: Information security management in health using ISO/IEC 27002

Cybersecurity must interface with other disciplines (safety, efficiency) similarly to what currently happens with "traditional" aviation security, to ensure the accurate assessment of exposure to cybersecurity threats and the development of effective and efficient risk-based cyber protection strategies. Cybersecurity needs to build bridges between aviation security and safety, as the multi-disciplinary nature of cybersecurity needs to benefit from both security and safety.
Developments in Cybersecurity in ICAO

Introduction of Air Traffic Management Cybersecurity Policy Template

Information Security Management System (ISMS) approach
An ISMS provides a systematic approach for managing an organization's information security, following the Plan-Do-Check-Act cycle, with the objectives to:
- Comply with safety constraints
- Provide resilience
- Ensure reliability
- Support the ATM business model

Cybersecurity policy for setting up the ISMS
Requirement ATMSP-001-01: Based on this security policy, an information security management system shall be defined, implemented and maintained based on a risk management approach.
NB: the ISO 27001 and ISO 27002 standards provide approved processes and best practices for an ISMS.
In addition, benefits from Airbus Aircraft Security Management System principles: achieving maturity enables reducing too many changes to systems and information systems under safety regulation constraints (cost driven).

Cybersecurity policy objectives
- Focused on 2 key objectives: safety; business continuity
- Based on ISO 27001 and IEC 62443 (industrial systems) key principles
- Benefits from Airbus Aircraft Security Management System principles
- To provide consistent end-to-end security: "security by design from ground to air"

Scope & Objectives
Address the whole ATM:
- Actors, employees, partners and suppliers
- Services and related information systems
- Infrastructures (IT, OT, IACS)
With the objective to provide resilience, based on criticality regarding safety and operability.

Infrastructures (IT, OT, IACS)
IT Infrastructure: IT infrastructure comprises the components required to operate and manage enterprise IT environments: hardware, software, networking components, an operating system (OS), and data storage.
OT & IACS Infrastructure: Operational Technology (OT) and Components Cybersecurity Certification Scheme; Industrial Automation & Control Systems (IACS). A critical element for cybersecurity.
Cyber security Risk Management
Requirement ATMSP-002-01: ATM security shall be intelligence led, threat based and risk managed.
Requirement ATMSP-003-01: Information security risk management shall be considered as an integral part of the overall system life cycle process.

Cyber security Risk Management
Requirement ATMSP-004-01: All ATM assets (data, systems, personnel...) shall have defined ownership.
Requirement ATMSP-005-01: Defense in depth principles as defined in 5 - Security architecture objective, shall be part of the information security management.

Cyber security Risk Management
Requirement ATMSP-006-01: ATM security risk-based approach shall implement technical security measures and operational security measures (policies and processes) to reduce risk to an acceptable level regarding:
- (Intentional) successful cyber-attack,
- Human error,
- Accident or incident,
- Impact from natural disaster.

Cyber security Risk Management
Requirement ATMSP-007-01: The organization in charge of physical or information ATM security shall ensure efficient and coordinated treatment of security risk.
Requirement ATMSP-008-01: ATM information security risks shall be reviewed and monitored on a regular basis.

Cyber security Risk Management: reduce risk to an acceptable level
- Based on criticality regarding safety and operability
- Likelihood based on systems' resilience to the attack
- Architecture principles: no single nor common point of vulnerabilities
(Figure: RISK at the centre, linked to People (Req. 013), Access Control (Req. 018), Suppliers (Req. 036), Operations (Req. 029), Communications (Req. 032) and Compliance (Req. 044).)
Let's discuss the Information Security Management System (ISMS)
Security Governance and Organisation
Requirement ATMSP-009-01: CAA shall designate the Appropriate Authority (AA) responsible for the overall ATM security.
Requirement ATMSP-010-01: CAA designated ATM security responsible shall define at a minimum:
- Roles and responsibilities for ATM security risk management;
- Process for risk management;
- Processes for incident, crisis and business continuity management.
Requirement ATMSP-011-01: Skills and competencies of personnel appointed to ATM security roles and responsibilities shall be kept up to date.

Security Governance and organization
- Think about cybersecurity from a long-term perspective
- Cybersecurity policy in place and applicable
- Cybersecurity identified as a core stake of the organization (as for safety)
- Define roles and responsibilities: formal nomination; detailed description of responsibilities

Security risk

Policy in details
- Human resources
- Asset management
- Access control
- Physical and environment security
- Operation security
- Communication security
- System Acquisition, Development and Maintenance
- Suppliers and partners
- Security Incident Management
- Business continuity
- Personal data
- Compliance

Human resources
- Background check before employment
- Security culture and training during employment
- De-provisioning and commitment reminders after employment

Human resources
Requirement ATMSP-012-01: Personnel shall be part of ATM security during all employment phases:
- Before employment: through measures such as background checks in accordance with local regulations;
- During employment: by developing a security culture through regular training and raising awareness; and
- After employment: by ensuring the respect of the de-provisioning process and reminding staff of non-disclosure commitments.

Human resources
Requirement ATMSP-013-01: Security personnel shall ensure that individuals with access to ATM facilities, controlled areas and ATM sensitive data do not constitute an unacceptable risk (as per Chapter 7 Risk Management).

Security background checks
Asset management
- Set up and maintain an asset inventory
- Include criticality (regarding safety and operability) in the assets' categorization
- Ensure consistency between logical and physical access, and between access and zoning
(Figure: nested zones labelled Volume, Periphery, Perimeter.)

Asset management
Requirement ATMSP-014-01: An inventory of ATM assets shall be developed and kept up to date.
Requirement ATMSP-015-01: ATM shall classify (categorize) its assets according to their criticality in order to implement appropriate means of protection.

Asset management
Requirement ATMSP-016-01: ATM data shall be by default classified with adequate level of classification.
Additional information: please refer to applicable national regulation.
Requirement ATMSP-017-01: ATM data shall be protected during storage, processing and exchange, in line with its sensitivity profile.

Let's talk about cybersecurity assets

Logical zoning
Zoning is a logical design approach used to control and restrict access and data communication flows only to those components and users as per security policy.

Access control & Physical and Environmental Security
- Pay attention to the balance between physical and logical access control
- Ensure consistency of logical and physical zones
- Monitor and adapt to changes
- Regular checks and revisions
- Disposal & decommissioning
(Figure: access level per zone: Extended, Supervised, Very limited.)

Access control & Physical and Environmental Security
Requirement ATMSP-018-01: Access to any ATM assets shall be granted on:
- the verification of absence of unacceptable risk (as per Chapter 7 Risk Management);
- a need-to-know basis.

Access control & Physical and Environmental Security
Requirement ATMSP-019-01: ATM physical security shall safeguard IT, OT, IACS and CNS/ATM infrastructure against unlawful interference and unauthorized access.
Requirement ATMSP-020-01: ATM physical security shall identify zones hosting CNS/ATM assets according to their criticality regarding safety and operability.

Access control & Physical and Environmental Security
Requirement ATMSP-021-01: ATM physical security measures shall protect the CNS/ATM from unlawful or intentional interruption of services and operations.
Requirement ATMSP-022-01: ATM physical security shall protect incoming and outgoing flows from storage zones and data centers.
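The asset management and access control slides above describe three checks that an ANSP can automate once the inventory exists: classify each asset by criticality (ATMSP-015-01), verify that each asset's logical zone sits in a physical zone that may host it (the "consistency between logical and physical access" point), and grant access only on need-to-know after the subject's vetting covers the asset's criticality (ATMSP-018-01, ATMSP-013-01). The following Python script is an added illustration, not material from the ICAO/CANSO/Airbus template; the zone names (volume, periphery, perimeter from the zone figure, plus ops-critical, ops-support, dmz, office), the 0..4 impact scale, the hosting rule, the clearance model and the sample inventory are all constructed assumptions.

```python
"""Added example (not the ICAO/CANSO/Airbus template's own material): a small
asset register that (1) classifies each asset by criticality regarding safety
and operability, (2) checks that each asset's logical zone is hosted in a
physical zone allowed for it, and (3) grants access only on need-to-know plus
an acceptable-risk check. Zone names, the 0..4 impact scale, the hosting rule
and the sample inventory are all constructed for illustration."""
from dataclasses import dataclass
from enum import IntEnum


class Criticality(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    SAFETY_CRITICAL = 4


# Assumed hosting rule: which physical zones may host each logical zone.
# "volume" is the innermost physical zone, "periphery" the middle one and
# "perimeter" the outermost (names taken from the slide's zone figure).
ALLOWED_HOSTING = {
    "ops-critical": {"volume"},
    "ops-support": {"volume", "periphery"},
    "dmz": {"periphery"},
    "office": {"periphery", "perimeter"},
}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str               # ATMSP-004-01: every asset needs a defined owner
    safety_impact: int       # 0 (none) .. 4 (catastrophic), assumed scale
    operability_impact: int  # same scale, for loss of operability
    logical_zone: str
    physical_zone: str


def classify(asset: Asset) -> Criticality:
    """Criticality follows the worse of the two impacts (assumed rule)."""
    worst = max(asset.safety_impact, asset.operability_impact)
    if worst >= 4:
        return Criticality.SAFETY_CRITICAL
    if worst == 3:
        return Criticality.HIGH
    if worst == 2:
        return Criticality.MEDIUM
    return Criticality.LOW


def zoning_findings(inventory):
    """Return (asset name, problem) pairs: missing owner, unknown logical zone,
    or a logical zone hosted in a physical zone it is not allowed in."""
    findings = []
    for a in inventory:
        if not a.owner:
            findings.append((a.name, "no owner defined"))
        allowed = ALLOWED_HOSTING.get(a.logical_zone)
        if allowed is None:
            findings.append((a.name, f"unknown logical zone {a.logical_zone!r}"))
        elif a.physical_zone not in allowed:
            findings.append((a.name, f"logical zone {a.logical_zone!r} hosted in "
                                     f"physical zone {a.physical_zone!r}"))
    return findings


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    asset: str
    need_to_know: frozenset     # asset names the subject's role requires
    cleared_up_to: Criticality  # highest criticality the subject's vetting covers


def decide_access(req: AccessRequest, inventory):
    """Grant only if the asset exists, is on the subject's need-to-know list and
    the subject's vetting covers the asset's criticality; returns (granted, reason)."""
    by_name = {a.name: a for a in inventory}
    asset = by_name.get(req.asset)
    if asset is None:
        return False, "unknown asset"
    if asset.name not in req.need_to_know:
        return False, "no need-to-know"
    crit = classify(asset)
    if crit > req.cleared_up_to:
        return False, (f"risk not acceptable: asset is {crit.name}, "
                       f"subject cleared to {req.cleared_up_to.name}")
    return True, "granted"


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    Asset("vcs-voice-switch", "ops-manager", 4, 4, "ops-critical", "volume"),
    Asset("fdp-gateway", "ops-manager", 3, 2, "ops-support", "perimeter"),  # misplaced
    Asset("web-portal", "", 0, 1, "dmz", "periphery"),                      # no owner
    Asset("hr-laptop", "hr-manager", 0, 1, "office", "perimeter"),
]


if __name__ == "__main__":
    for name, problem in zoning_findings(SAMPLE_INVENTORY):
        print(f"FINDING {name}: {problem}")
    req = AccessRequest("contractor-7", "vcs-voice-switch",
                        frozenset({"vcs-voice-switch"}), Criticality.MEDIUM)
    print(decide_access(req, SAMPLE_INVENTORY))
```

Run as a script it reports the misplaced gateway and the ownerless portal, then denies the contractor's request because the subject's vetting does not cover a safety-critical asset. The denial reason is returned rather than only printed so the decision can be logged consistently with the incident management slides later in the deck.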
Cybersecurity zones

Operation Security
- Operate security from a trusted zone
- Efficiency of security measures based on robustness of security processes
- Apply a vulnerability management process (including monitoring, qualification and mitigation)

Operation Security
Requirement ATMSP-023-01: ATM cybersecurity organization shall ensure the coordination of security operations, monitoring and continuous improvement of information processing.
Requirement ATMSP-024-01: ATM cybersecurity operations shall include IT, OT, IACS and CNS/ATM infrastructure in the scope of security operations.

Operation Security
Requirement ATMSP-025-01: ATM cybersecurity operations shall maintain the effectiveness of security measures throughout their lifecycle.
Requirement ATMSP-026-01: ATM cybersecurity shall be operated from dedicated zones having dedicated physical and logical security perimeter.

Operation Security
Requirement ATMSP-027-01: ATM cybersecurity shall prevent the exploitation of technical vulnerabilities on IT, OT, IACS and CNS/ATM infrastructure.
Requirement ATMSP-028-01: ATM cybersecurity shall forbid the use of personal mobile devices for CNS/ATM activities.

Operation Security
Requirement ATMSP-029-01: ATM cybersecurity shall ensure that professional mobile devices do not constitute an unacceptable risk to security (as per Chapter 7 Risk Management).

Cybersecurity Management

Communication Security
- Keep control of connections & connectivity
- Ensure consistency of logical and physical zones (assets)
- Implement defense in depth based on asset criticality regarding safety and operability

Communication Security
Requirement ATMSP-030-01: ATM cybersecurity shall maintain an up-to-date mapping of networks and their interconnections.
Requirement ATMSP-031-01: ATM networks shall be logically or physically segregated based on their criticality regarding safety and operability.

Communication Security
Requirement ATMSP-032-01: ATM cybersecurity shall ensure that wireless technologies and access to the Internet do not constitute an unacceptable risk to safety and security (as per Chapter 7 Risk Management).

Network segregation
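The three communication security requirements above fit together as one check: keep a mapping of networks and their interconnections (ATMSP-030-01), verify that networks of different criticality are only joined through a controlled boundary (ATMSP-031-01), and walk the map to see what an uncontrolled entry point such as guest Wi-Fi or the Internet can reach without crossing a control (the ATMSP-032-01 question). The Python below is an added example and not part of the template; the 0..4 criticality scale, the boundary-control names (firewall, data-diode), the rule that any cross-criticality link needs a control, and the sample network map are constructed assumptions.

```python
"""Added example (not from the ATM policy template itself): a network map with
a segregation check and an uncontrolled-reachability walk. The criticality
scale, control names and the sample map are constructed."""
from collections import defaultdict, deque

# Constructed sample: network name -> criticality, 0 (none) .. 4 (safety-critical)
NETWORKS = {
    "internet": 0,
    "wifi-guest": 0,
    "dmz": 1,
    "office-lan": 1,
    "ops-support": 3,
    "cns-voice": 4,
}

# Constructed sample interconnections: (network a, network b, boundary control).
# control is None when traffic flows between the two networks uncontrolled.
LINKS = [
    ("internet", "dmz", "firewall"),
    ("dmz", "office-lan", "firewall"),
    ("office-lan", "ops-support", None),       # flat link into an ops network
    ("ops-support", "cns-voice", "data-diode"),
    ("wifi-guest", "office-lan", None),        # guest Wi-Fi bridged to office
]


def network_map(networks, links):
    """ATMSP-030-01 mapping: each network with its peers and the control on each link."""
    m = {n: [] for n in networks}
    for a, b, control in links:
        m[a].append((b, control))
        m[b].append((a, control))
    return {n: sorted(peers, key=lambda p: p[0]) for n, peers in m.items()}


def segregation_findings(networks, links):
    """ATMSP-031-01: flag links that join networks of different criticality
    without a boundary control, and links to networks missing from the map."""
    findings = []
    for a, b, control in links:
        if a not in networks or b not in networks:
            findings.append(f"link {a}<->{b} references a network not in the inventory")
            continue
        if networks[a] != networks[b] and control is None:
            low, high = sorted((a, b), key=networks.get)
            findings.append(f"uncontrolled link from {low} (crit {networks[low]}) "
                            f"to {high} (crit {networks[high]})")
    return findings


def reachable_without_control(links, source):
    """Breadth-first walk over uncontrolled links only; returns the set of
    networks reachable from `source` without ever crossing a boundary control."""
    adj = defaultdict(set)
    for a, b, control in links:
        if control is None:
            adj[a].add(b)
            adj[b].add(a)
    seen, queue = {source}, deque([source])
    while queue:
        n = queue.popleft()
        for m in adj[n] - seen:
            seen.add(m)
            queue.append(m)
    seen.discard(source)
    return seen


def exposed_networks(networks, links, entry, min_criticality=3):
    """Networks at or above `min_criticality` that `entry` reaches uncontrolled."""
    return {n for n in reachable_without_control(links, entry)
            if networks.get(n, 0) >= min_criticality}


if __name__ == "__main__":
    for f in segregation_findings(NETWORKS, LINKS):
        print("FINDING:", f)
    print("exposed from wifi-guest:", exposed_networks(NETWORKS, LINKS, "wifi-guest"))
    print("exposed from internet:", exposed_networks(NETWORKS, LINKS, "internet"))
```

On the sample map the two flat links are reported as findings, and the reachability walk shows that guest Wi-Fi reaches ops-support without passing any control while the Internet path stops at the firewall. The walk deliberately ignores controlled links, so a "firewall" entry is taken at face value; whether the rule set on that firewall is adequate is a separate review item.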
System Acquisition, Development and Maintenance
- Integrate security into the development life cycle
- Based on risk management
- And vulnerability management at any time

System Acquisition, Development and Maintenance
Requirement ATMSP-033-01: ATM cybersecurity shall ensure that information security is an integral part of CNS/ATM information systems throughout the entire lifecycle.
Additional information: This also includes the requirements for information systems which provide ATM services over public networks.

System Acquisition, Development and Maintenance
Requirement ATMSP-034-01: ATM cybersecurity shall ensure that CNS/ATM information systems are designed based on the following principles (list not exhaustive):
- No single, nor common point of vulnerability;
- Definition and implementation of security coding rules;
- Vulnerability management on COTS software and hardware;
- Implementation of industry standards and recommendations (NIST, OWASP, ...).

When you develop projects...

Suppliers and Partners (S & P)
- Define your security expectations: S & P security requirements
- Assess S & P's security maturity
- Monitor and follow up S & P
- Include procurement in the security team

Suppliers and partners
(Figure: supplier security lifecycle: Security requirements; Self capability assessment; Project security organization; Security on change and maintenance; Security follow-up.)

Suppliers and partners
Requirement ATMSP-035-01: ATM cybersecurity shall provide end-to-end security from supply chain to partners in the scope of CNS/ATM cybersecurity management system.
Requirement ATMSP-036-01: ATM cybersecurity shall ensure relationships with external entities do not constitute an unacceptable risk (as per Chapter 7 Risk Management).

Talk about suppliers...

Security Incident Management
- Be prepared: by training, regular tests, serious game play
- Define communication rules and identify key decision makers (escalation process)
- Connect incident management with crisis and Business Continuity Management
- Ensure logs are collected in a consistent way between Security, Safety and Operability (critical asset focused)
- Ensure consistency of incident detection with risks to improve incident accuracy and priority

Security Incident Management
Requirement ATMSP-037-01: ATM cybersecurity shall ensure a consistent and effective approach to the management of CNS/ATM security incidents, including communication on security events and weaknesses.
Requirement ATMSP-038-01: Safety and Business Continuity shall be the main priorities of ATM security incident management.

Cybersecurity incidents and procedures
Business Continuity
- Identify triggering criteria: from Business Continuity to Disaster Recovery; from Business Continuity to Crisis
- Reconsider Business Continuity including malicious acts and supply chain security
- Review alternative sites based on criticality and security
- Consider security in relocation to alternative business sites
- Include security in tests of shifting and recovery procedures
(Figure: Risk, Business continuity, Disaster recovery.)

Business Continuity
Requirement ATMSP-039-01: ATM Business continuity shall be designed in accordance with Risk Management outcomes.
Requirement ATMSP-040-01: ATM cybersecurity shall establish a consistent, effective and common strategy to manage CNS/ATM security and safety through integration of all Stakeholders with common efforts, sharing information, to complete their operational objectives.

Business Continuity Plan (BCP)

Personal Data
Requirement ATMSP-041-01: ATM cybersecurity shall ensure the privacy and protection of personally identifiable information in accordance with applicable regulations.

Personal Data
- Establish and maintain a personal data processing inventory and perform privacy impact assessments
- Nominate the DPO and establish personal data governance (policy and procedures)
- Pay attention to the legal aspects of exchange of data with the US (Privacy Act) and the EU (GDPR)
- Implement minimized data collection and avoid data interconnection
- Check data storage duration and implement data purging

Compliance
- Perform third-party security audits and deliver a formal statement
- Check compliance with regulation
- Verify consistency of governance and organization
- Evaluate efficiency of security controls
- Perform intrusion tests
- Support continuous improvement

Compliance
Requirement ATMSP-042-01: CNS/ATM information systems shall receive recognized security validation qualification before entry into service in compliance with ED 205 Process standard for Air Traffic Management / Air Navigation Services (ATM/ANS) ground systems security aspects of certification / declaration.
Additional information: recognized accreditation process is to be defined at national level and made applicable for critical infrastructures.

Compliance
Requirement ATMSP-043-01: CNS/ATM information systems security validation shall be controlled on a regular basis.
Requirement ATMSP-044-01: ATM cybersecurity shall ensure that any deviation, detected through the validation process, does not constitute an unacceptable risk (as per Chapter 7 Risk Management).

External Requirements...
Use Case example & Cyber security kick-off activities

Agenda
- Start your ATM Security Management System: cybersecurity policy commitment; expected activities
- Use case example: Communication System description; architecture; functional impact identification; samples of traceability and justification with the security policy
- Conclusion
- Q&A

Start your ATM Security Management System
- Customize this cyber security policy to your own context
- Check compliance with regulation
- Make it applicable and communicate
(Plan-Do-Check-Act cycle.)

Cybersecurity policy commitment
- Empower the organization
- Nominate key people
- Assign roles and responsibilities
- Lead implementation of the ISMS (top-down communication)

Expected activities
- Implement a security baseline, based on standards & best practices (ISO 27002, NIST, IEC 62443), and begin implementation
- Start working using a process-based method
- Introduce the ISMS in the organization's processes
- Evaluate risk and make risk mitigation decisions
- Follow up on risk mitigation implementation until acceptance
- Monitor risks and set up threat intelligence analysis
- Check the effectiveness (auditing & pen testing)
- Repeat the above

Use case: Communication System
- The system in charge of all communications between controller and aircraft (voice and data)
- It manages the frequencies and enables the pilots to be aware of other aircraft in the same zone
- Collects and manages route instructions
- Switched from circuit based to software and voice over IP

Cybersecurity functional impact: consequences evaluation

Phase            | Impact description                                                                                     | Impact Level (Safety)
Ground / Taxi    | Loss of data transmission: controller overload, capacity limitation on take-off and landing            | Major to Hazardous
Ground / Taxi    | Loss of communication: delays, AoG                                                                     | Minor to Major
Climb / Approach | Loss of communication: closure of controller position / ATC zone closure / "Clear the sky" procedure   | Hazardous to Catastrophic
Cruise           | Loss of communication: high capacity limitation                                                        | Hazardous to Catastrophic
Communication System global view
(Figure; recoverable labels: Working Position, Communication system, Emergency coverage, Tx/Rx sites.)

Feared events
(Figure, same layout; recoverable labels: Working Position, Staff & users, Emergency coverage, Tx/Rx sites.)

Staff & users
Requirement ATMSP-012-01: Personnel shall be part of ATM security during all employment phases:
- Before employment: through measures such as background checks in accordance with local regulations;
- During employment: by developing a security culture through regular training and raising awareness; and
- After employment: by ensuring the respect of the de-provisioning process and reminding staff of non-disclosure commitments.
Requirement ATMSP-013-01: Security personnel shall ensure that individuals with access to ATM facilities, controlled areas and ATM sensitive data do not constitute an unacceptable risk (as per Chapter 7 Risk Management).

Staff and users
- Extend background checks to all employees, including those outside airport zones
- Define a cyber security training plan
- Establish connections with authorities
- Implement strict decommissioning of user accounts and rights

Feared events
(Figure, same layout; recoverable labels: Working Position, Staff & users, Emergency coverage, Tx/Rx sites.)

Check zoning consistency
(Figure; recoverable labels: Files, Periphery, Datacenter, Applications, DMZ, Networks, Cloud, Office, Security.)

Access control & Physical and Environmental Security
Requirement ATMSP-019-01: ATM physical security shall safeguard IT, OT, IACS and CNS/ATM infrastructure against unlawful interference and unauthorized access.
Requirement ATMSP-020-01: ATM physical security shall identify zones hosting CNS/ATM assets according to their criticality regarding safety and operability.

Access control & Physical and Environmental Security
Requirement ATMSP-018-01: Access to any ATM assets shall be granted on:
- the verification of absence of unacceptable risk (as per Chapter 7 Risk Management);
- a need-to-know basis.

Feared events
(Figure, same layout; recoverable labels: Working Position, Staff & users, Communication System: Primary, Critical system, Secondary, Interface, HW Bypass; Emergency coverage, Tx/Rx sites.)

Manage risks on critical systems
- Implement best security practices (ISO 27002, NIST)
- Identify, evaluate & reduce unacceptable risks
- Accept residual risk
(Plan-Do-Check-Act cycle.)
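The use case ends with the risk loop from the risk management slides: impact from the "Cybersecurity functional impact" table, likelihood based on the system's resilience to the attack (primary/secondary system and hardware bypass in the feared-events figure), reduce unacceptable risks, then accept the residual risk. The Python below carries that loop through for the communication system. It is an added example, not material from the webinar or the template: the impact bands are copied from the table, but the likelihood scale, the one-level credit per resilience measure, the multiplicative score, and the acceptance threshold of 4 are constructed assumptions that a real ANSP would replace with its own risk matrix.

```python
"""Added example (not part of the ICAO/CANSO/Airbus material): evaluate the
communication-system feared events with the impact bands from the functional
impact table, derive a likelihood from the resilience measures in place and
add measures until the residual risk can be accepted. Only the impact bands
come from the slides; the rest of the model is a constructed assumption."""

IMPACT_LEVELS = ["Minor", "Major", "Hazardous", "Catastrophic"]
LIKELIHOOD_LEVELS = ["Extremely improbable", "Remote", "Probable", "Frequent"]

# Impact bands from the slide table: (phase, feared event) -> (lowest, highest)
IMPACT_TABLE = {
    ("ground/taxi", "loss of data transmission"): ("Major", "Hazardous"),
    ("ground/taxi", "loss of communication"): ("Minor", "Major"),
    ("climb/approach", "loss of communication"): ("Hazardous", "Catastrophic"),
    ("cruise", "loss of communication"): ("Hazardous", "Catastrophic"),
}

# Assumed resilience measures (names after the use-case figure: secondary
# system and hardware bypass, plus network segregation from the comms slides).
# Each distinct measure present lowers the likelihood by one level.
RESILIENCE_MEASURES = ["secondary-system", "hw-bypass", "segregated-network"]

ACCEPTANCE_THRESHOLD = 4  # assumed: (impact rank) * (likelihood rank) must be <= 4


def worst_case_impact(phase, event):
    """Use the upper end of the table's band (conservative evaluation)."""
    low, high = IMPACT_TABLE[(phase, event)]
    return high


def likelihood(measures):
    """Start at 'Frequent' for an unprotected software/VoIP system (assumed) and
    step down one level per distinct, recognised resilience measure in place."""
    credit = len(set(measures) & set(RESILIENCE_MEASURES))
    return LIKELIHOOD_LEVELS[max(0, len(LIKELIHOOD_LEVELS) - 1 - credit)]


def risk_score(impact, like):
    """Ranks run 1..4 on both axes; the product is the assumed risk score."""
    return (IMPACT_LEVELS.index(impact) + 1) * (LIKELIHOOD_LEVELS.index(like) + 1)


def evaluate(phase, event, measures=()):
    impact = worst_case_impact(phase, event)
    like = likelihood(measures)
    score = risk_score(impact, like)
    return {"impact": impact, "likelihood": like, "score": score,
            "acceptable": score <= ACCEPTANCE_THRESHOLD}


def plan_treatment(phase, event, available=RESILIENCE_MEASURES):
    """Add available measures in order until the residual risk is acceptable.
    Returns (chosen measures, final evaluation); the evaluation stays marked
    unacceptable if the measures run out, so nothing is accepted silently."""
    chosen = []
    result = evaluate(phase, event, chosen)
    for m in available:
        if result["acceptable"]:
            break
        chosen.append(m)
        result = evaluate(phase, event, chosen)
    return chosen, result


if __name__ == "__main__":
    for phase, event in IMPACT_TABLE:
        chosen, res = plan_treatment(phase, event)
        print(f"{phase:14} {event:26} -> {res['impact']}/{res['likelihood']} "
              f"score {res['score']:2} acceptable={res['acceptable']} with {chosen}")
```

Under these assumptions a catastrophic-band event is only acceptable once the likelihood is driven to "Extremely improbable", which is the safety logic the table's impact levels follow; the ground/taxi loss-of-communication case, capped at Major, is accepted after two measures. When the available measures are exhausted the function returns the residual risk still marked unacceptable, which is the point at which the policy's "accept residual risk" step becomes a management decision rather than a calculation.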