
civil air navigation services organisation

CANSO Cyber Security and Risk Assessment Guide

Published June 2014

Contents

1 Introduction
2 Cyber Threats and Risks
3 Motives and Methods
4 Cyber Assets
5 Cyber Security in ATM
6 Managing Cyber Risks
7 Conclusions and Recommendations
8 Appendix A - International Standards
A.1 ISO 27000 - Series of standards
A.2 ISO 27005 - Information security risk management (ISRM)
A.3 NIST Cybersecurity Framework
9 Appendix B - Risk Assessment Methodology
B.1 Overview
B.2 Threats and vulnerabilities
B.3 Dealing with the human threat
B.4 Consequence of risk occurring
B.5 Likelihood of risk occurring
B.6 Assessment of the level of risk and risk tolerance
B.7 Sample risk assessment tables
B.8 Treatment recommendations
10 Sources

Copyright CANSO 2014


All rights reserved. No part of this publication may be reproduced, or transmitted in any form, without the prior permission of CANSO. This paper is for
information purposes only. While every effort has been made to ensure the quality and accuracy of information in this publication, it is made available
without any warranty of any kind.
www.canso.org

Purpose of this document

The purpose of this document is to provide air navigation service providers with an introduction to cyber security in air traffic management, including the cyber threats and risks and motives of threat actors, as well as some considerations to managing cyber risks and implementing a cyber security programme. The appendices include information on standards and a framework for cyber security, and some practical guidance to conducting a cyber risk assessment, a recommended first step to understanding and managing the cyber security risks to systems, assets, data and capabilities in ATM.

1 Introduction

The current trend in air traffic management (ATM), both at the international level as well as within individual air navigation service providers (ANSPs), is toward increased sharing of information and creating a common situational awareness for a wide spectrum of aviation stakeholders. While this enhances the efficiency of operations and raises productivity, it also opens up the potential for cyber attack. And, the vulnerabilities are only growing because current and next generation systems, like NextGen and SESAR, demand more information sharing through increased use of commercially available information technology, shared network and computing infrastructures, and network-centric architectures and operations.

Unlike in the past, information sharing in the future ATM system will not be limited to point-to-point communications, it will also utilise open systems architecture and internet-based flow of information. We are seeing a trend towards increased use of existing technologies, growing interoperability among systems, and use of automation to improve productivity.

This trend is not unique to ATM; most industries are applying information technology to improve the efficiency of existing operations as well as to enable new modes of operation. Benefits are achieved by allowing information to be rapidly shared among humans and systems, wherever and whenever it is needed. Unfortunately, these benefits come with risks. Increased use of information technology means greater exposure to cyber attack. The threat is both very real and very serious. ANSPs must develop and execute security strategies and plans to ensure continued mission operations despite this threat. If we are to transform global ATM performance and achieve safe, efficient, and seamless airspace globally, the global ATM system must meet clear security requirements and expectations. The Global Air Traffic Management Operational Concept (ICAO Doc. 9854) speaks to this and defines the security expectation of an integrated, interoperable and globally harmonised ATM system as:

"the protection against threats that stem from intentional acts (e.g. terrorism) or unintentional acts (e.g. human error, natural disaster) affecting aircraft, people or installations on the ground. Adequate security is a major expectation of the ATM community and of citizens. The ATM system should therefore contribute to security, and the ATM system, as well as ATM-related information, should be protected against security threats. Security risk management should balance the needs of the members of the ATM community that require access to the system, with the need to protect the ATM system. In the event of threats to aircraft or threats using aircraft, ATM shall provide the authorities responsible with appropriate assistance and information."

2 Cyber Threats and Risks

The US Department of Homeland Security has defined a cyber threat as any identified effort directed toward access to, exfiltration of, manipulation of, or impairment to the integrity, confidentiality, security, or availability of data, an application, or a federal system, without lawful authority.

A cyber threat can be intentional or unintentional, targeted or non-targeted, and can come from a variety of sources, including: foreign nations engaged in espionage and information warfare; criminals; hackers; virus writers; and disgruntled employees and contractors working within an organisation.

Unintentional threats can be caused by inattentive or untrained employees, software upgrades, maintenance procedures and equipment failures that inadvertently disrupt computer systems or corrupt data.

Intentional threats include both targeted and non-targeted attacks. A targeted attack is when a group or individual specifically attacks a critical infrastructure system. A non-targeted attack occurs when the intended target of the attack is uncertain, such as when a virus, worm, or malware is released on the Internet with no specific target.

Repeatedly identified as the most worrisome threat is the insider: someone who has authorised and legitimate access to a system or network. Other malefactors may make use of insiders, such as organised crime or a terrorist group suborning a willing insider (a disgruntled employee, for example), or making use of an unwitting insider (by getting someone with authorised network access to insert a disk containing hidden code, for example). However, insider threats can be guarded against and deterred by organisational (a policy, for example), logical (authentication, for example) and physical (restricted proximity card access, for example) controls.

It is important to note that a threat can be a combination of a cyber and physical attack, for example, a physical intrusion into a ground infrastructure and a modification of the software code hosted in the infrastructure. This would be an intentional cyber and physical attack. Or, when authorised personnel do not follow procedure to check the infrastructure, and the infrastructure generates and transmits misleading data. This is both a cyber and unintentional physical attack.

3 Motives and Methods

The motivation of intentional actions in attacks may emerge from a variety of sources: a foreign State or terrorist, criminal, or social-issue organisations. Threat agents performing such intentional actions may be unauthorised entities or insiders, and their primary objective is to engineer potential hazards and performance losses in the net-centric aviation system.

Potential attackers span a wide range of abilities, resources, and motives. At the bottom of the scale are the traditional hackers who hone their skills and claim bragging rights by vandalising easy targets. Attackers in this group have limited expertise and resources. They are not typically focused on any specific target; they will attempt to compromise any vulnerable systems that can be reached via the Internet. The result of attacks at this level may be limited or may have serious effects far beyond those intended by the hackers. Defences at this level are focused on establishing a perimeter around an organisation's information system infrastructure, and defending that perimeter using firewalls and other commercially available tools.

At the next level are cyber thieves who attempt to acquire critical information, anything from credit card numbers to proprietary business plans. Defences at this level include protecting information and systems not just at the perimeter but wherever it resides within the enterprise, using techniques such as hard drive encryption.

The third level is cyber surveillance, in which attackers seek to obtain a foothold within an organisation and execute subsequent higher-level attacks on their own timetable. Attackers at this level will have moderate expertise, and may launch multiple attacks targeting particular organisations. The consequences for ANSPs of attacks at this level and above may be quite serious, ranging from loss of proprietary information to partial or total failures of air traffic management services, whether as an intended or unintended consequence of the attack. Defence at this level requires continuous internal monitoring and system hardening throughout the enterprise.

At the fourth level are cyber espionage units: sophisticated adversaries capable of mounting multiple coordinated attacks aimed at establishing a persistent foothold within an organisation's infrastructure, which may be used to exfiltrate sensitive information or plant capabilities to disable or disrupt systems. Defence at this level requires an enterprise architecture that can impede an attacker's actions within the organisation's information system infrastructure and ensure continuity of critical mission operations.

At the fifth level is cyber warfare. Attackers at this highest level are very sophisticated, and have the resources for continuous, coordinated attacks. Defence at this level requires agility, adaptation, and flexibility to dynamically reshape operations and maintain mission continuity even while under continuous attack.

There has been a general increase in the capability of the information security attacker due to the support from States and criminal organisations in this low risk, high return environment. This capability is rapidly finding its way into the hands of traditionally less capable cyber attackers, hacktivists, those who deliberately interfere with online data and services in order to bring attention to a political or ideological cause.

The range of threats is so broad, and the sophistication and resources available to attackers at the top of the scale are so great that this problem cannot be addressed with a single solution, nor can it be addressed only at a single point in time. The tools, tactics, and strategies of attackers at all levels are readily available and will continue to evolve, and the threat will continue to increase. It would be naive to believe that the proliferation of these tools can be controlled through legislation or regulations. Responding effectively to the threat will require a long-term commitment from senior leadership to an ongoing process of building and operating increasing levels of information system security capabilities.

To help organise efforts for responding to the cyber threat, most relevant international standards suggest applying an approach that divides the ongoing security process into four complementary areas: plan, protect, detect, and respond. See the diagram below.

The Plan quadrant includes the creation of design strategies and an enterprise-wide or overall system-of-systems architecture that enhances security, provides agility, and reduces overall costs. To effectively implement the architecture, organisations must develop policy and fund security solutions throughout the enterprise with total management commitment.

The Protect quadrant includes prioritising information security investments in both new and legacy systems. Protection techniques must be agile; that is, they must be able to quickly change and adapt to an ever-changing threat. This requires the organisation to leverage emerging technologies and implement them at an enterprise-wide level. While some aspects of security must be built into individual systems, enterprise solutions can be shared throughout an organisation and are a key underlying element of an effective architecture. Enterprise security solutions reduce overall costs and, just as importantly, make it possible for new and evolving threats to be addressed centrally rather than having to introduce new measures into every part of the system. The success of any information technology (IT) security programme is, in part, dependent on the ability to detect and respond to a cyber security event.

Figure: A model for effective cyber security
Plan: agile architecture and design strategies; enterprise-wide information system security (ISS) solutions; ISS governance and policy
Protect: investment prioritisation; legacy system compliance; leverage emerging technologies
Detect: centralised cyber operations; detection monitoring and analysis; shared knowledge of cyber threats
Respond: contingency planning and business continuity; multi stakeholder cooperation; training and awareness

The need for the next two quadrants, Detect and Respond, reflects the unfortunate reality that no matter how much planning and protection is put in place, failures will occur and determined attackers will gain access to protected systems. This fact does not minimise the need for good architecture design and investment, both of which reduce the susceptibility to compromise. Adequate intrusion-detection capability is required to monitor and detect potential cyber security incidents at ATC facilities. Detection requires a centralised cyber security operations centre (SOC) staffed by experts with up-to-date knowledge of the evolving cyber threat. The SOC must be supported by analysis tools fed by intrusion monitoring sensors installed throughout the enterprise, which provide the ability to detect when an organisation's information system has been compromised.

The Response quadrant includes contingency planning, procedures, and training and awareness, which allow an organisation to quickly and effectively respond to a compromise and minimise the possible impact on mission operations. Cyber security content is almost non-existent in the curriculum of current training programmes, and what might be needed in regards to cyber security knowledge, skills, and abilities of ATCOs, engineers, technicians, and other staff needs to be identified. The combination of detection and response provides the organisation with an ability to know when cyber compromise is a problem, and assists the organisation in executing cyber procedures to ensure the operational mission is fulfilled (although perhaps degraded) throughout an attack. On the other hand, the response action also requires an appropriate evaluation of lessons learned to prevent any re-occurrence and thus promote a cycle of continuous improvement through each of the four quadrants.

Past experience is not the best predictor of current and future cyber security threats. As new systems like NextGen and SESAR are designed, implemented, and operated, increasing vulnerabilities to the cyber threat must be mitigated. It is essential that ANSPs (individually and collectively) make cyber security a top priority, and that they work together to ensure a secure global air transportation system. Cyber security is not a choice but a requirement.

4 Cyber Assets

There are a number of assets, or components of the aviation system that need to be protected from threats and from becoming a threat.

The cyber assets diagram provides examples of people, processes and technology that you would find within an ANSP, split into operational areas (engineering, operations, air traffic control etc.) and other business areas (legal, finance, HR, etc.). It is important to note that this is not an exhaustive list, but rather an example of some of the key assets involved in the day to day operation of an ANSP.

In the context of applying an information security management system (ISMS) or a cyber security framework, it is often useful to use a profile as a guideline. All organisations face industry-specific risks and issues and it is often not clear from a standard or framework how the controls should be implemented to cover industry specific processes or technology. For example, protective monitoring and physical access control are two controls that are often part of cyber security standards or frameworks. However, while these are beneficial to larger organisations, the cost would be prohibitive for smaller businesses with only marginal benefits. Smaller businesses would be better off if they identified their biggest risks and invested in a reliable anti-malware platform and email cleaner and ensured that their premises were physically secured, rather than rely on expensive logical controls. This emphasis on prioritisation is one of the key drivers behind using a profile to implement a framework across a wide range of organisations.

The cyber assets diagram would be used as part of an ANSP specific profile for the application of an ISMS. An ANSP specific profile would therefore have two primary benefits to the ATM community: it could be used by any ANSP as a guide on where and how to apply ISMS controls within the context of their organisation; and it would provide a reference document for an auditor on where to look for key ISMS or framework controls within an ANSP and how they should be applied.

Not all of the assets in the diagram would necessarily need to be covered by the scope of an ISMS, but a profile would be able to highlight which areas of the organisation would need to be included in an ISMS and could give an indication of what controls should be considered for securing those assets. A profile could also include an indication of sample maturity levels so organisations could gauge their own progress towards fully implementing an ISMS or framework.

The control domains of an ISMS (ISO 27001) or a security framework (National Institute of Standards and Technology's (NIST) Cybersecurity Framework) are provided as reference within Appendix A and are recommended for use when creating profiles and in the application of controls.

The cyber assets outlined in the diagram on the previous page are described in more detail below. They are split into three key areas: Data and Information; Information Systems; and Physical Assets.

Data and information

In a net-centric environment, data and information are prime assets which need to be protected, as well as the networks and technology handling the data and information. These include:
- Flight operational and planning data: examples include aircraft trajectory, RNP data, and ACARS messages on air-ground communications
- Weather and traffic surveillance data: examples include ADS-B-In, FIS-B, TIS-B, aircraft weather sensor data shared on air-ground and air-air communications
- Position, navigation and timing data: examples include GNSS, ADS-B-Out
- Aeronautical information services and meteorological data: examples include real-time updates on meteorological conditions and airport conditions; emergencies and restrictions that limit airspace use during flight
- Controller-pilot automated messages and voice communications: examples include the two-way communications that replace voice communications with data link of automated messages and receipts
- Aircraft status data: examples include cabin and flight deck video for airspace security
- Airport surface area communications: examples include airport surface area operations data
- Security relevant data: examples include digital certificates, keys, credentials, and passwords

Information systems

The systems that collect, filter, process, create, store and distribute data and information are also prime assets susceptible to the cyber threat. This includes software, network protocols, computing algorithms, media storage used in the following infrastructures:
- Large-scale information sharing infrastructure: information sharing between multiple users and applications for worldwide collaboration for aviation tasks. Examples include:
  - aeronautical-specific infrastructure such as SWIM, ISDN
  - public infrastructures such as cloud computing and Internet.
- Voice communication infrastructure: transition from analogue to digital voice and an intelligent voice switching system over Internet, i.e. Voice over IP (VOIP)
- Air navigation support infrastructure: deployed extensively for air-ground communications and passive/active monitoring and tracking of aircraft positions.
  - ground-based transponders for air-ground communications
  - positioning systems (e.g., GBAS, multilateration stations) and radars for supporting air traffic control
  - satellites as communication relay and navigation support infrastructure
  - airport surface area network (e.g., ASDE, WiMAX based AeroMACS).
- Aircraft information systems: networked platforms of aircraft, embedded and crew carried.

Physical assets

A number of physical assets also pose a threat to the aviation system. These include:
- manned and unmanned aircraft, and their payload (i.e., passengers, baggage and cargo)
- devices brought onboard aircraft, including passenger-owned devices and crew-operated mobile devices
- networking and information technology infrastructure (e.g., radar, ground stations, satellites)
- airport information infrastructure
- organisations responsible for information assets and information management systems
- individual persons, employed by organisations, who are authorised and responsible to carry out operations and procedures that involve information assets and information management systems

5
Cyber Security in ATM
Within the context of the Convention on Authentication: assurance of the
International Civil Aviation (ICAO Doc. 7300, identity of message senders and
or the Chicago Convention), air navigation receivers. Authentication supports the
services are provided as part of a State obligation validation of messages and information
and States must safeguard essential national system requests.
security or defence policy interests and in many Authorisation: the verifiable identity
cases must meet certain legal requirements, of each entity handling any asset must
obligations and specific procedures regarding be checked to possess appropriate
critical infrastructure protection. Of paramount permission and privilege.
importance to cyber security in ATM is data Non-repudiation: assurance that the
integrity and information assurance. Thus, it is data sender is provided with proof of
important to understand the requirements for delivery, and the recipient is provided
data and information assurance as well as the with proof of the senders identity,
measures and strategies that can be taken in this assuring that sender and receiver
regard. processing of the data.
Traceability: all actions performed on
Information assurance requirements each asset must be logged in a format
Confidentiality: the assurance that and for a time period that can satisfy
aviation information is not disclosed both regulatory and consumer needs.
to unauthorised persons, processes, or
devices. It includes both the protection Enterprise systems, wireless, and cloud
of operational aviation information and computing security
the information assurance of password Information exchanges on the ground
or configuration files. network benefit from the use of enterprise
Integrity: assures that aviation security and cloud computing security
information is not modified by considerations for addressing information
unauthorised entities or through assurance, mixed criticality of assets, and multiple
unauthorised processes. Integrity business domains. Wireless security solutions at all
supports the assurance that aviation layers, including physical-layer security of wireless
information is not accidentally or networks, can help secure the aviation system.
maliciously manipulated, altered, or
corrupted. Integrity also means that Aeronautical systems security
detection occurs with no or minimal Pre-shared symmetric key-based solutions
false alarms when information has been can provide data link security and aeronautical
altered; the alteration source must be information exchange security (e.g., ACARS,
identifiable. satellite links). Position verification mechanisms
Availability: assures timely, reliable, are needed for detection of spoofing, and
continued access to aviation data and regulations and criminal statutes need to be in
information systems by authorised place to deter spoofing and other such threats.
users. Availability controls protect Spoofing is where a person or programme
against degraded capabilities and successfully masquerades as another by falsifying
denial of service conditions. data and thereby gaining illegitimate access,
CANSO Cyber Security
and Risk Assessment Guide

usually due to lack of authentication mechanisms centric ecosystem. Air traffic controllers and pilots
for identity verification. are trusted with various air traffic control tasks,
including protecting their credentials against
Mitigating physical attacks on cyber assets misuse.
Methods to prevent or detect adverse
human actions, physical destruction or sabotage Cyber security solution strategies
of networking and information technology The security architecture must be
infrastructure of cyber, radio frequency (RF) developed to identify points of unauthorised
jamming, etc. The physical methods used to entry, vulnerabilities, and mitigations. An end-
defeat physical attacks targeted at cyber assets to-end security architecture is required as
can include physical access control to systems; multiple stakeholders are involved in information
physical checks and processes; detection of sharing. A security and trust relationship
abnormal and unauthorised sources of RF energy; must exist between information suppliers and
and aircraft security, which is dependent on the information consumers. The global scale of
security of the connections to the ground and the aviation system makes achieving end-to-
airborne and satellite systems. end security challenging, due to needs such as
system interoperability and security policies.
This also means that an information security However, end-to-end security design may reduce
management system (ISMS) is part of a more the security cost impact on the net-centric
complex security framework called a security aviation system. In order to implement effective
management system (SeMS) in which strong cyber security strategies, multi-stakeholder
and robust relationships exist among the main trust partnerships need to be established that
pillars of personnel, infrastructures, information, encourage information sharing and collaboration.
organisation, and procedures.
It will also be necessary to determine how
Cross-correlations between physical and to evaluate the security strength of the aviation
information security allow one to understand system. A high assurance level for an end-to-
events that, individually considered, are end security architecture is challenging due to
meaningless, but could be of significance if the need for cost-effective and timely analytical
related and properly analysed. methods that can assure security integrity. High-
level security standards for solutions that cover
Cyber security development and management airborne, space, and ground-based systems in
Security of the net-centric aviation the net-centric aviation system are needed. And,
system must be designed, implemented these standards should be defined such that they
and administered appropriately, e.g. proper do not add unnecessary cost nor open additional
assignment and management of suitable access exploitable vulnerabilities.
privileges at each entity, proper management and
protection of strong passwords, cryptographic Adaptive threat monitoring and evaluation
and security quantities. The ability to match the need for the
right information at the right time with the right
Aircraft operators are assumed to information assurance controls will be a key
operate correctly, reliably managing software challenge. The dynamic operational environment
configuration and other digital content important of the net-centric aviation system may require
for the secure operation of their fleet in the net- the tightening or loosening of these controls
14_15

based on the type of events and threats. Risk Threat response strategy
from cyber threats will evolve over time. Hence, Mechanisms are needed for responding
the security model to measure and assess the to detected threats and unanticipated security
evolving threat impact and risks will need to be failures that create unacceptable risks in the net-
adaptive. Security planners will be required to centric aviation system. And, the rules, procedures,
adjust the security models to minimise risk, yet processes that respond to unanticipated or
enable air commerce. Again, threat information detected security events in the system.
sharing between stakeholders will be critical, which
requires the establishment of multi-stakeholder Information sharing and handling
trust partnerships and forums. Within a system of systems environment,
such as ATM, that involves a number of actors, it is
Threat mitigation strategy important to establish an appropriate information-
Mitigations for every conceivable cyber and sharing protocol, which will allow stakeholders to
physical threat that will have a significant impact commit to sharing information and intelligence
on the net-centric aviation system need to be openly, yet securely, to increase overall situational
established. The mitigating measures must be awareness of the cyber threat within ATM.
sufficient to make the threat somewhat unlikely
or implausible with minimal risk. An acceptable Through this, a common framework for
risk level is determined by the potential impact. marking information assets is outlined below
For example, a threat that results in a catastrophic to enable stakeholders to understand their
impact must be an extremely improbable security responsibilities when handling information. The
risk. Cyber threat mitigations may be specified originator should assign an appropriate level of
as a requirement to be implemented, and they classification for information, having a common
may also be stated as a dependency in the net- glossary and a common term of reference to
centric aviation system. Such dependencies must understand the relevance of information managed.
be clearly identified, and must be promulgated to One of the possible ways to classify information
the entities responsible for implementing them, for is to give one of four Information Handling Levels
example by way of guidance or as instructions. to every piece of information shared within a
community of stakeholders:

Information Handling Level - Description

RED - Personal for named recipients only: in the context of a meeting, for example, red information is limited to those present at the meeting. In most circumstances, red information will be passed verbally or in person.

AMBER - Limited distribution: the recipient may share amber information with others within their organisation, but only on a need-to-know basis. The originator may be expected to specify the intended limits of that sharing.

GREEN - Community wide: information in this category can be circulated widely within a particular community. However, the information may not be published or posted publicly on the Internet, nor released outside the community.

WHITE - Unlimited: subject to standard copyright rules. White information may be distributed freely outside the community without restriction.
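The four handling levels above can be checked mechanically before information is passed on. The following is an added example, not part of the CANSO guide; the Person and Item structures, the role-based model of the originator's AMBER limits, and all sample names are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    RED = "RED"
    AMBER = "AMBER"
    GREEN = "GREEN"
    WHITE = "WHITE"


@dataclass(frozen=True)
class Person:
    name: str
    organisation: str
    role: str = ""
    in_community: bool = True    # member of the sharing community
    need_to_know: bool = False   # asserted by the sharer for this item


@dataclass(frozen=True)
class Item:
    title: str
    level: Level
    named_recipients: frozenset = frozenset()  # RED: the named recipients
    amber_roles: frozenset = frozenset()       # AMBER: originator's limits, empty = none stated


def decide(item, holder, recipient=None, publish=False):
    """Return (allowed, reason) for one proposed onward share by `holder`."""
    level = item.level
    if publish:
        # Only WHITE may be posted publicly or released outside the community.
        if level is Level.WHITE:
            return True, "WHITE may be distributed without restriction"
        return False, f"{level.value} may not be published publicly"
    if recipient is None:
        raise ValueError("a recipient is required unless publishing")

    if level is Level.WHITE:
        return True, "WHITE may be distributed without restriction"

    if level is Level.GREEN:
        if recipient.in_community:
            return True, "GREEN may circulate within the community"
        return False, "GREEN may not be released outside the community"

    if level is Level.AMBER:
        if recipient.organisation != holder.organisation:
            return False, "AMBER stays within the recipient's own organisation"
        if not recipient.need_to_know:
            return False, "AMBER requires need-to-know"
        if item.amber_roles and recipient.role not in item.amber_roles:
            return False, "outside the limits set by the originator"
        return True, "AMBER, same organisation, need-to-know"

    # RED: named recipients only.
    if recipient.name in item.named_recipients:
        return True, "RED, recipient is named"
    return False, "RED is for named recipients only"


def denied(item, holder, recipients):
    """Names of proposed recipients who must not receive the item."""
    return [r.name for r in recipients if not decide(item, holder, r)[0]]


if __name__ == "__main__":
    # Constructed sample data.
    sharer = Person("A. Analyst", "ANSP-A", role="SOC")
    proposed = [
        Person("B. Engineer", "ANSP-A", role="SOC", need_to_know=True),
        Person("C. Clerk", "ANSP-A", role="Finance"),
        Person("D. Peer", "ANSP-B", role="SOC", need_to_know=True),
    ]
    amber = Item("Suspicious e-mail campaign", Level.AMBER,
                 amber_roles=frozenset({"SOC"}))
    for p in proposed:
        print(p.name, decide(amber, sharer, p))
```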
6
Managing Cyber Risks

ANSP management needs to be able to assess the impact of security and the lack of security on the net-centric aviation system performance. This includes performing cost-benefit analysis due to the introduction or the absence of security functions. Suitable policies, procedures and processes need to be determined. Detection mechanisms need to be put in place to identify the presence of a threat and decision support tools are needed for threat evaluation and mitigation. An approach is needed that uses standardised mitigations and scopes each threat to a minimum risk manageable, based on established policies, rules, processes and procedures.

Assessing the risks to ATM systems

A robust risk assessment methodology is required to ensure all vulnerabilities are identified for each ATM system and the required properties of the data it processes in terms of the three most important data assurance requirements: confidentiality; integrity; and availability.

Risk assessment involves defining the scope and identifying the assets that are potentially at risk. A thorough analysis and evaluation of risks is then conducted, and the necessary controls put in place to reduce the risk to manageable or acceptable levels. A generic risk assessment methodology is explained in greater detail in Appendix B.

The risks to ATM can be managed by first identifying the overall systems in a functional unit and the associated risks, e.g. LAN, computers, HVAC, WAN connection, radio systems, etc. For generic ATM systems, threats will exploit the vulnerabilities to create a risk, and the level of this risk will be unique to each ANSP and business unit, e.g. an IT system for business support would not be provisioned unless required for the business function, but the integrity and availability of data for operational systems will be higher than other business areas. It is therefore important to understand the threats and vulnerabilities, and examples are provided in Appendix B.

7
Conclusions and Recommendations

Cyber security as a part of ATM Security and, more generally, of overall aviation security

Cyber security receives specific consideration in the general legal framework contained in Annex 17 - Security to the Chicago Convention, which recommends that each Contracting State should develop measures in order to protect information and communication technology systems used for civil aviation purposes from interference that may jeopardize the safety of civil aviation. The Aviation Security Manual (Doc 8973 - Restricted) and the Air Traffic Management Security Manual (Doc. 9985 - Restricted) provide guidance on how to apply the Standards and Recommended Practices (SARPs) contained in Annex 17. The importance of air traffic management to the aviation security process is evidenced by recent amendments to Annex 17 that include measures relating to cyber threats and oblige States to ensure protection to infrastructures and facilities and to harmonise security programmes into the national legal framework.

Society expects a high standard of aviation safety and security and the level of security performance will determine society's confidence in air transport. The lack of a high level of security performance would impact the reputation of aviation stakeholders and thus, influence customer perception and choice.

The performance of the future ATM system must therefore contribute to ensuring a high level of security to be achieved by the aviation industry as a whole. Expectations are that this can be achieved not only by ensuring that the infrastructure which makes up the ATM system is itself resilient to attack, but also that the system will provide information that can be used by other organisations to act and protect air transport and the aviation system as a whole.

Risk assessment

ANSPs should conduct a risk assessment to determine the greatest risks to the organisation and business, and should consider assessing the adequacy of their cyber security controls against a recognised standard or framework. This assessment can be scoped against a subset of controls or against a profile that matches an ANSP's business environment and needs.

The NIST Cybersecurity Framework is one of the standards available and provides a common taxonomy and mechanism, primarily focussed towards organisations that provide critical national infrastructure, to:
1. Describe their current cyber security posture
2. Describe their target state for cyber security
3. Identify and prioritise opportunities for improvement within the context of a continuous and repeatable process
4. Assess progress toward the target state
5. Communicate among internal and external stakeholders about cyber security risk

As part of the process, threats and vulnerabilities to the organisation will be documented and control gaps will be identified for areas that have insufficient or ineffective controls to mitigate assessed risks. Guidance on how to conduct a risk assessment is provided in Appendix B.

Cyber security as part of an enterprise-wide approach

As cyber attacks grow in intensity and become increasingly sophisticated, changing constantly in response to the defensive systems they encounter, it will become necessary to adopt an approach to cybersecurity that is proactive, dynamic, and adaptive, evolving beyond the
realm of traditional IT management. It will need to be of concern to the ANSP board and senior management where cyber issues can be addressed from the perspective of enterprise risk management, thereby enabling the organisation to adopt an approach that incorporates a wide range of integrated cyber security activities to understand and mitigate enterprise risks.

Security management system

A security management system (SeMS) sets out the organisation's security policies as an integral part of its business processes, and is based on the same concepts used for a safety management system (SMS). It provides an organisation-wide approach to security through the development of a security culture as well as a system-wide security model that encourages close cooperation between all relevant stakeholders, both within and outside the organisation. Developed in conjunction with an efficient threat assessment mechanism and risk management programme, SeMS helps the organisation develop proactive, efficient and cost-effective security measures. The cyber security programme should fit within this overall framework of a SeMS.

Leadership and governance

Effective leadership and governance helps ensure that cyber security supports business goals, optimises business investment in cyber security, and appropriately manages cyber security related risks and opportunities.

To exercise effective cyber security governance, ANSP boards and senior management must have a clear understanding of the cyber security vulnerabilities and what to expect from their cyber security programme. They need to know how to direct the implementation of an information security programme, how to evaluate their own status with regard to an existing security programme, and how to decide the strategy and objectives of an effective security programme. Use of a framework, such as NIST's, may assist leadership in identifying areas of weakness and enable objectives to be created.

Duties and responsibilities

Information security is not only a matter for information technology staff but it is an organisational concern as well. Security controls need to be in place to safeguard an information system from attacks against the confidentiality, integrity, and availability of computer systems, networks and the data they use. And the security controls that are selected and applied must be based on a risk assessment of the information system. As such controls can restrict the power or influence held by any one individual, a proper separation of duties must be designed to ensure that individuals do not have conflicting responsibilities. Separation of duties in IT security is now considered a best practice to prevent potential conflicts of interest in the organisation. Conflicts of interest might include a situation in which the IT department decides and applies, on its own, policy and procedures without third-party assessment and evaluation.

The security department can be requested to act as an independent party to provide advice, audit systems and processes without having a direct role in operation. Security managers should, on the other hand, be skilled, prepared and provided with the appropriate resources, authority and power to act in a decisive manner, by either imposing security requirements for a new project or existing technologies, or by enforcing procedures and policies that have been adopted at the executive level of the organisation.

Security culture

The commitment of people to protecting their organisation is an essential component of a strong cyber defence. This means a critical part of the cyber security programme must be to focus on the human aspects of the organisation - on

developing a positive security culture that is grounded in employees' attitudes, evident in the behaviours people exhibit and which is reinforced by the actions of leaders.

It is therefore important that management take their information security responsibilities seriously, support the information security policies and act as a role model for the employees they manage. Management responsibilities should include information security tasks to reflect this.

Training and awareness

Similarly, training is a critical element of security as employees need to understand the value of sensitive information and their role in keeping it safe. Employees need to know the policies and practices they are expected to follow in the workplace regarding cyber security.

ANSPs should implement an annual training programme that enables users to understand their security responsibilities and the procedures they need to follow while working within the organisation, handling sensitive information. The training programme should be reviewed annually to ensure it is current and incorporates the latest cyber security intelligence.

As a minimum, the security training programme should include guidance on:
- their legislative and regulatory responsibilities for the information they process e.g. data protection
- how to handle protectively marked information assets and their personal responsibility to ensure secure processing of information e.g. storing and transferring
- mechanisms they can use to report an incident in the event of an actual or suspected security breach

Monitoring and reporting

Adequate logs enable post-incident investigations and support disciplinary action and/or prosecution in the event of a security breach. ANSPs should take measures to ensure that logging is enabled for key operational and business systems and monitored using technology, e.g. a security information and event management (SIEM) tool such as HP ArcSight, IBM Q1 Labs, Splunk, or LogRhythm, and through regular audit.

Updates through reports and management information should be produced and provided to senior management on a regular basis.

Industry collaboration and information sharing

The sharing of information between ANSPs of known or potential cyber security threats and vulnerabilities can play a vital part in strengthening our overall response to incidents and their prevention.

Generation of an information sharing protocol provides a means by which information sharing and handling, confidentiality, liability and appropriate behaviour are established and managed by the stakeholders involved.
Appendix A
International Standards

This appendix gives further details about the ISO 27000 series of standards and other security frameworks as follows:
A.1. Description of each of the standards ISO 27001 to ISO 27006
A.2. ISO 27005 standard that provides guidelines for information security risk management (ISRM)
A.3. Cybersecurity Framework of the US Commerce Department's National Institute of Standards and Technology (NIST).

A.1. ISO 27000 series of standards

The ISO 27000 series of standards have been specifically reserved by ISO for information security matters.

The ISO 27001 standard, originally published in October 2005, provides the specification for an information security management system (ISMS). The objective of the standard is to provide requirements for establishing, implementing, maintaining and continuously improving an ISMS. Regarding its adoption, this should be a strategic decision and is influenced by an organisation's needs and objectives, security requirements, the organisational processes used and the size and structure of the organisation. While the 2005 version of the standard heavily employed the Plan-Do-Check-Act (PDCA) model to structure the processes, the latest 2013 version places more emphasis on measuring and evaluating how well an organisation's ISMS is performing.

The ISO 27002 standard, also published in 2005, provides a code of practice for information security and outlines the potential controls and control mechanisms, which may be implemented, subject to the guidance provided within ISO 27001. The two documents are intended to be used together, with one complementing the other. The ISO 27002 standard established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organisation. The actual controls listed in the standard are intended to address the specific requirements identified through a formal risk assessment. The standard is also intended to provide a guide for the development of organisational security standards and effective security management practices and to help build confidence in inter-organisational activities. A new version published in 2013 contains 114 controls, as opposed to the 133 documented within the 2005 version.

ISO 27001 - Information technology - Security techniques - Information security management systems - Requirements
ISO 27002 - Information technology - Security techniques - Code of practice for information security management
ISO 27003 - Information Technology - Security techniques - Information security management system implementation guidance
ISO 27004 - Information technology - Security techniques - Information security management - Measurement
ISO 27005 - Information technology - Security techniques - Information security risk management.
ISO 27006 - Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems

A.2. ISO 27005 Information security risk management (ISRM)

The ISO 27005 standard provides guidelines for information security risk management (ISRM) in an organisation, specifically supporting the requirements of an information security management system defined by ISO 27001. The ISO 27005 standard does not provide or recommend a specific methodology, but provides an overview of the ISRM process including risk assessment, risk treatment, risk acceptance, risk communication and risk monitoring and review.

The SESAR ATM Security Risk Assessment Method Draft Edition 00.02 dated 20 December 2012, provides a sample threat list of deliberate actions that is based on ISO 27005:

Loss of essential services
- Failure of air-conditioning
- Loss of power supply
- Failure of telecommunication equipment

Disturbance due to radiation
- Electromagnetic radiation
- Thermal radiation
- Electromagnetic pulses

Compromise of information
- Interception of compromising interference signals
- Remote spying
- Eavesdropping
- Theft of media or documents
- Theft of equipment
- Retrieval of recycled or discarded media
- Disclosure
- Data from untrustworthy sources
- Tampering with hardware
- Tampering with software
- Position detection

Technical failure
- Saturation of the information system
- Breach of information system maintainability

Unauthorised action
- Unauthorised use of equipment
- Fraudulent copying of software
- Use of counterfeit or copied software
- Corruption of data
- Illegal processing of data

Compromise of functions
- Abuse of rights
- Forging of rights
- Denial of actions
- Breach of personnel availability
A.3. NIST Cybersecurity Framework

The Framework for Improving Critical Infrastructure Cybersecurity was drafted by the US Commerce Department's National Institute of Standards and Technology (NIST), and was released in February 2014. It does not introduce any new standards or concepts but rather it leverages existing cyber security practices that have been developed and refined by other organisations, not limited to but including the International Organization for Standardization (ISO).

The framework itself comprises a risk-based compilation of guidelines that can help organisations identify, implement, and improve cyber security practices, and creates a common taxonomy for internal and external communication of cyber security issues, as well as an assessment mechanism which enables organisations to determine their current cyber security capabilities, a target state, and a plan for improving and maintaining their cyber security capabilities. The framework is also an iterative model that is designed to evolve and adapt with changes in the cyber security threat landscape, including new processes and technologies - it is therefore well suited to the ATM industry.

The framework assessment mechanism contains three key elements: Core; Implementation Tiers; and Profile. The Framework Core defines standardised cyber security activities, desired outcomes, and applicable references, and comprises five Functions that can be performed concurrently and continuously: Identify, Protect, Detect, Respond, and Recover. The Framework Core, in effect, describes the continuous cycle of business processes that constitute effective cyber security.

Function: Identify
Description: An understanding of how to manage cyber security risks to systems, assets, data and capabilities
Categories: Asset management; Business environment; Governance; Risk assessment; Risk management strategy

Function: Protect
Description: The controls and safeguards necessary to protect or deter cyber security threats
Categories: Access control; Awareness and training; Data security; Information protection processes and protocols; Maintenance

Function: Detect
Description: The controls and safeguards necessary to protect or deter cyber security threats
Categories: Anomalies and events; Security continuous monitoring; Detection processes

Function: Respond
Description: Incident response activities
Categories: Response planning; Communications; Analysis; Mitigation; Improvements

Function: Recover
Description: Business continuity plans to maintain resilience and recover capabilities after a cyber breach.
Categories: Recovery planning; Improvements; Communications

Each category breaks down into a number of controls, for example:

Protect controls - Access Control (PR.AC)
PR.AC-1 Identities and credentials are managed for authorised devices and users
PR.AC-2 Physical access to assets is managed and protected
PR.AC-3 Remote access is managed
PR.AC-4 Access permissions are managed, incorporating the principles of least privilege and separation of duties
PR.AC-5 Network integrity is protected, incorporating network segregation where appropriate.

Note: In the table above PR.AC is the coding that NIST uses in the format [Function].[Category]-[Sub-category]. PR stands for Protect; AC stands for Access Control

Implementation tiers are used to create a context within which organisations can better understand how their current cyber security capabilities stand against the characteristics described by the NIST Framework. The tiers can be seen in the table below. NIST recommends that any organisation planning to develop effective cyber security capabilities should be aiming to progress to Tier 3 or 4.

Tiers of cyber security maturity

Tier 1 Partial: Risk management is ad hoc, with limited awareness of risks and no collaboration with others.
Tier 2 Risk informed: Risk-management processes and programmes are in place but are not integrated enterprise-wide; collaboration is understood but organisation lacks formal capabilities.
Tier 3 Repeatable: Formal policies for risk management processes and programmes are in place enterprise-wide, with partial external collaboration.
Tier 4 Adaptive: Risk management processes and programmes are based on lessons learnt and embedded in culture, with proactive collaboration.
The profile aspect of the framework recognises that different industries and organisations have different business needs, operating models, risk appetites and available resources for developing a robust cyber security programme. The profile enables organisations to align and improve their cyber security practices based on their individual circumstances. A current and target profile can be defined and a comparison of these states can be used to identify the gaps that should be closed in order to enhance cyber security and provide the basis for a prioritised roadmap to help achieve these improvements.
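The comparison of a current and a target profile can be carried out per control, using the [Function].[Category]-[Sub-category] coding described above. This is an added example, not code from CANSO or NIST; the 0 to 3 implementation scale, the risk weights and the sample profiles are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Function codes used in the framework's control identifiers.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}
_CONTROL_ID = re.compile(r"^([A-Z]{2})\.([A-Z]{2})-(\d+)$")

# Assumed scale: 0 = not implemented ... 3 = fully implemented.
MIN_SCORE, MAX_SCORE = 0, 3


def parse_control_id(control_id):
    """Split 'PR.AC-4' into ('Protect', 'AC', 4); reject malformed IDs."""
    m = _CONTROL_ID.match(control_id)
    if not m or m.group(1) not in FUNCTIONS:
        raise ValueError(f"not a valid control id: {control_id!r}")
    return FUNCTIONS[m.group(1)], m.group(2), int(m.group(3))


def _check(score, control_id):
    if not (isinstance(score, int) and MIN_SCORE <= score <= MAX_SCORE):
        raise ValueError(f"{control_id}: score {score!r} outside 0..3")
    return score


def profile_gaps(current, target, weights=None):
    """Compare two profiles and return the open gaps, highest priority first.

    A control missing from the current profile counts as not implemented.
    priority = gap size * risk weight (weight defaults to 1).
    """
    weights = weights or {}
    gaps = []
    for control_id, want in target.items():
        function, category, _ = parse_control_id(control_id)
        want = _check(want, control_id)
        have = _check(current.get(control_id, MIN_SCORE), control_id)
        gap = want - have
        if gap > 0:
            gaps.append({
                "id": control_id,
                "function": function,
                "category": category,
                "current": have,
                "target": want,
                "gap": gap,
                "priority": gap * weights.get(control_id, 1),
            })
    # Stable, deterministic ordering: priority descending, then control id.
    gaps.sort(key=lambda g: (-g["priority"], g["id"]))
    return gaps


def roadmap_by_function(gaps):
    """Group the ordered gap list by framework Function for reporting."""
    grouped = defaultdict(list)
    for g in gaps:
        grouped[g["function"]].append(g["id"])
    return dict(grouped)


# Constructed sample profiles for the Access Control (PR.AC) controls.
SAMPLE_CURRENT = {"PR.AC-1": 3, "PR.AC-2": 2, "PR.AC-3": 1, "PR.AC-4": 0}
SAMPLE_TARGET = {"PR.AC-1": 3, "PR.AC-2": 3, "PR.AC-3": 3,
                 "PR.AC-4": 3, "PR.AC-5": 2}
# Assumed weights: remote access and least privilege matter most here.
SAMPLE_WEIGHTS = {"PR.AC-3": 3, "PR.AC-4": 2}

if __name__ == "__main__":
    for g in profile_gaps(SAMPLE_CURRENT, SAMPLE_TARGET, SAMPLE_WEIGHTS):
        print(f'{g["id"]:8} {g["current"]} -> {g["target"]}  '
              f'priority {g["priority"]}')
```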

Appendix B
Risk Assessment Methodology

B.1 Overview

The risk assessment methodology forms part of a standard risk management process depicted below, which enables an organisation to effectively identify, assess, and treat risk. The term risk refers to the likelihood of being targeted by a given attack. A risk assessment is therefore performed to determine the most important potential security breaches to be addressed and evaluates these in terms of cost impact (consequence) and probability of occurrence (likelihood). Analysing risk in this way can help determine appropriate security budgeting and policy. As part of this process, it is important to first establish the context for the risk assessment. This involves defining the scope and identifying the assets that are potentially at risk. The identification, analysis and evaluation of risks together comprise the Risk Assessment component of the risk management process. The Communicate & Consult part of the process recognises that engagement of stakeholders, both internal and external to the organisation, is key to identifying, analysing and monitoring risk. The Monitor & Review component of the process comprises the controls put in place to ensure that the risk assessment process continues to operate effectively.

Figure 1: Risk management process

B.2 Threats and vulnerabilities

A threat refers to the source and means of a particular type of attack. A threat assessment should be performed to determine the best approaches to securing a system against a particular threat. Penetration testing exercises should be conducted to assess threat profiles and help develop effective countermeasures. While a risk assessment focuses more on analysing the potential and tendency of the organisation's resources to fall prey to various attacks, a threat assessment focuses more on analysing the attacker's resources and can help develop specific security policies that need to be implemented. The term vulnerability refers to the security flaws in a system that will allow an attack to be successful. Vulnerability testing should be performed on an ongoing basis in order to resolve such vulnerabilities and for maintaining ongoing security vigilance.

The potential threats and vulnerabilities within ATM systems could include:

Weaknesses in business critical applications

A possible application weakness is if there is poor quality software and/or if it has not been developed and tested with sufficient rigour. Issues of information and system availability and integrity can often be addressed through ensuring proper safety requirements for ATM systems. The weakness in application security is not just an issue in terms of the application itself, but also in terms of the security of under or overlying systems. Application vulnerabilities can often be exploited not just to deny access to a specific application but also to gain access to the wider system or network.

Weaknesses in operating and business critical systems

Due to the expense of creating an operating system (OS), there is a limited choice of practical OS to use. Modern operating systems come in a limited number of forms, e.g. Linux, Windows, Unix, OSX and Android. Operating systems fulfill a number of key roles, which requires that they have multiple capabilities. This complexity results in not only capability specific vulnerabilities that can be exploited but also unintentional design flaws or conflicts with other systems or applications. The latter can easily be seen by the number and regularity of patches issued.

Unsupported or unmaintained software

Commercially available software is constantly being assessed for weaknesses and vulnerabilities by software vendors, users and those with malicious intent. Failure to ensure that Commercial Off The Shelf (COTS) software is covered by support agreements and/or rigorous patching procedures can lead to known vulnerabilities being exploited. This is particularly the case for legacy systems connected to the Internet.

Poor access control

A lack of proper access controls can increase the likelihood of unauthorised individuals gaining access to areas that should be forbidden to them. If an organisation fails to limit who can access their information and physical assets, then they increase their exposure to both insider and outsider threats. Theft and unauthorised disclosure of confidential or business critical information as a result of poor access controls can damage a firm's reputation as well as incur a financial impact. Access controls can be both physical and logical, i.e. barriers that require a proximity card to gain access to the building are physical controls whereas digital access rights linked to a user account managed through Active Directory are logical controls. Having rigorous access controls must also be combined with proper authorisation management - it is no use having access controls if a user can request access to a system and be granted access without proper approval, or if access is given before the approval is confirmed.
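The authorisation failures named under "Poor access control" (access granted without approval, or before the approval is confirmed) can be found by reconciling grant records against approval records. This is an added example, not part of the CANSO guide; the record fields, system names and timestamps are constructed, and the self-approval check is an assumption that follows the guide's separation-of-duties principle.

```python
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple


class Finding(NamedTuple):
    user: str
    system: str
    issue: str


def audit_grants(grants, approvals):
    """Reconcile access grants with approvals and return the exceptions.

    grants:    dicts with 'user', 'system', 'granted_at' (ISO 8601)
    approvals: dicts with 'user', 'system', 'approver', 'approved_at'
    """
    by_key = defaultdict(list)
    for a in approvals:
        by_key[(a["user"], a["system"])].append(a)

    findings = []
    for g in grants:
        key = (g["user"], g["system"])
        records = by_key.get(key, [])
        if not records:
            # Access exists but nobody approved it.
            findings.append(Finding(*key, "NO_APPROVAL"))
            continue

        # An approval signed by the requester is not an independent control.
        independent = [a for a in records if a["approver"] != g["user"]]
        if not independent:
            findings.append(Finding(*key, "SELF_APPROVED"))
            continue

        granted_at = datetime.fromisoformat(g["granted_at"])
        first_approval = min(
            datetime.fromisoformat(a["approved_at"]) for a in independent
        )
        if granted_at < first_approval:
            # Access was live before the approval was confirmed.
            findings.append(Finding(*key, "GRANTED_BEFORE_APPROVAL"))
    return findings


# Constructed sample records (system and user names are hypothetical).
SAMPLE_GRANTS = [
    {"user": "alice", "system": "fdp-console", "granted_at": "2014-03-03T09:00:00"},
    {"user": "carol", "system": "radar-gw", "granted_at": "2014-03-04T08:30:00"},
    {"user": "erin", "system": "ais-db", "granted_at": "2014-03-05T10:00:00"},
    {"user": "frank", "system": "fdp-console", "granted_at": "2014-03-06T10:00:00"},
]
SAMPLE_APPROVALS = [
    {"user": "alice", "system": "fdp-console", "approver": "bob",
     "approved_at": "2014-03-02T16:00:00"},
    {"user": "carol", "system": "radar-gw", "approver": "dave",
     "approved_at": "2014-03-04T11:00:00"},
    {"user": "frank", "system": "fdp-console", "approver": "frank",
     "approved_at": "2014-03-05T12:00:00"},
]

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS, SAMPLE_APPROVALS):
        print(f"{f.user:6} {f.system:12} {f.issue}")
```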

Poor change management

If there is no organisational process for change management, then uncontrolled changes can introduce instability and openly expose an organisation to systems vulnerabilities.

Weak network controls

Most network devices are designed by default to allow access to data by any user or system that wants to access it. Effective controls must be applied to ensure only those systems/people that legitimately need access to the network are allowed. Weak network controls can be either internal or external - in all cases, an organisation needs to ensure that boundary network controls are effective and do not allow unauthorised access to the network from outsiders.

Poor cloud and virtual machine implementation and management

Cloud computing and virtual machines are relatively new technology platforms in the ATM environment. Use of these new technologies can increase an organisation's exposure to emergent risks and threats. Cloud computing, in particular, can increase a firm's exposure due to the reliance on a third party service. An organisation can leave itself vulnerable if their cloud service provider is affected by a denial of service (DOS) attack, for example.

Poor asset management

Business assets can be both tangible (physical assets such as laptops, servers, etc.) and intangible (information stored digitally). If an inventory of assets is not kept, then it will be difficult for an organisation to keep track of its assets and could result in a delay in an organisation realising that it has lost assets, be they physical assets or information assets. Further, if the value of an asset to the organisation is not properly assessed and recorded, then proportionate controls to secure the asset and its immediate environment cannot be implemented.

Obsolescence

Upgrading existing hardware and software can often be deemed too expensive in terms of immediate benefit to the business. However, reliance on legacy or obsolete systems can expose an organisation to a number of risks and leaves it vulnerable to exploitation. Obsolete systems do not have the same level of service support as current systems and thus vulnerabilities due to conflicts with other software or hardware are unlikely to be found and patched.

Poor software control

Operational system performance can be heavily impacted if the incorrect software has been installed. If there are no policies in place to restrict the installation of software on operational systems then any user could install anything on their system. This could result in the introduction of malware to the network or just degrade operational system performance. While the focus for this should be on key operational systems, it is also important to ensure that corporate (finance, HR, etc.) systems are not left vulnerable, as these can often be an inroad to the rest of the organisation if network controls are not tight enough e.g. if network domains are not separated from each other i.e. segregated.

In a contingency situation, the operational software and the last backup are required to restore operational services back to business as usual. Backup copies of software required for normal operational service should not be kept at a different site in case of a fire or other unforeseen incident that could result in their damage or loss.

Lack of effective monitoring

If there is no intrusion detection or threat monitoring system in place for the network, then it is unlikely that an organisation will know that it has been attacked until long after it has happened; whether this is an external threat trying to breach the network from outside or an insider trying to
CANSO Cyber Security
and Risk Assessment Guide

gain access to systems they are not authorised to use. An organisation cannot just rely on network monitoring as not all activities or actions, particularly from a motivated external threat, will be identified. Other protective monitoring controls should be applied which could include an effective intrusion detection system.

Lack of effective logging
If an organisation does not log all system activity then it will limit its capability to track actions and activities back to system users in the event of an incident. Effective logging capability gives an organisation forensic capabilities that are critical for determining who did what and when they did it, in a timely manner, facilitating an effective response. Without these capabilities, it could be some time before a security incident is discovered.

Lack of response capability
If an organisation does not have some form of response capability, then regardless of the logging or monitoring controls in place, it will be unable to act with the required speed and efficacy.

Lack of alternate capability (back up and contingency)
System availability all of the time cannot be guaranteed - no organisation is immune from disaster. If an organisation does not have alternative capability or contingency plans in place, be it for operational systems, people, or power for its facilities, then it exposes itself to a high level of risk. An organisation that cannot operate effectively during a disaster or incident due to lack of alternate capability could suffer significant financial and reputational damage (loss of business/trust etc.).

Lack of cyber security training and awareness
If an organisation does not invest in cyber security training for staff then it is likely to suffer from a number of security related issues. Some of the vulnerabilities that can occur as a result of poor cyber security awareness include:
- Lack of personal security online (social networking for example), including leaving details that could compromise the security of the organisation in the public domain
- Improper use of sensitive information
- Leaving key cards unattended
- Not locking laptops/computers when they are unattended
- Allowing tailgating, i.e. the act of following someone into a building without proper authorisation
- Installing malicious software onto the organisation's systems

The lack of proper awareness training may lead to exploitation of staff by social engineering, which is a technique that is often used to glean information about people and their work through a number of mediums. If employees use the same password at home as they do at work, and they do not take measures to protect their personal password then they have immediately left the organisation vulnerable to a breach.

Security controls in supplier relationships
A supplier is unlikely to consider an ANSP's security as a high priority unless it is required to, for example by a contractual agreement. In many cases, unless an organisation is explicit in its security requirements, it may find that its suppliers will dictate or heavily influence the technical security implementation used. It is often the case that an organisation will also have relationships with several suppliers or third parties. The result is that there can be a wide range of information exchange point solutions in use, with broad diversity in approach, transfer mechanisms, protocols and encryption standards used. It is the responsibility of the organisation to ensure that its suppliers are secure; that consistent security controls are used; and, ultimately, that it is not vulnerable to a security breach via a third party.
Lack of screening of business-critical data
Data is vulnerable to corruption and it is important that an organisation ensures the integrity of its data and information. An organisation's data should be checked for corruption as it enters and leaves one of its systems. Corrupt data can impact an organisation in several ways. It can damage the organisation's reputation and impact trust amongst its customer base and service users; or it can damage an organisation's systems or hamper/limit its operations in some way. In the context of ATM, a corrupted flight plan can hang a flight data processing (FDP) system if it is not screened to ensure integrity before being processed. This is known as a buffer overflow, an anomaly whereby a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory thereby resulting in erratic program behavior or even a system crash. As such, buffer overflows are the basis of many software vulnerabilities and can be maliciously exploited.

Systems are not synchronised to a single clock
Many ATM systems operate in a real-time environment, relying on an accurate time. Lack of synchronisation between facilities or systems can cause: disruption to services; corrupted information; and data being dropped.

Environmental and physical
Systems and facilities must be designed to work effectively in the environment in which they are deployed. Site construction/location must consider the perennial environmental risks like wind and rain, but also take into account less likely events such as flood, extreme high temperatures and how this might impact support services that are critical to service operation like power and site access.

Loss of information-related assets
Loss or theft of information-related assets is linked to both poor access control and cyber security awareness. It includes assets that could be stolen that contain valuable data, for example an unattended laptop. Items can also be stolen that might affect operational performance, e.g. theft of cabling. It is not the physical loss, but rather the loss of the information asset linked to the physical media, or the impact on operational performance and service provision.

Equipment disposal
Redundant information assets such as old hard drives, printers, routers, can contain valuable intellectual property and other sensitive information if not securely sanitised. Such items need to be securely destroyed to ensure confidentiality of any residual data.

Radio-based technology
Interference can degrade the performance of radio-based technologies such as a Wi-Fi network, radar, radio or navaid. Information transferred over this technology may also be susceptible to interception if not adequately secured e.g. encrypted Wi-Fi.

HVAC (heating, ventilation, and air conditioning)
IT hardware has power, humidity and temperature limits and a breach in these limits will affect its operational performance. Poor maintenance of HVAC systems or a deliberate attack could disable hardware and therefore disrupt or halt any interconnected software systems e.g. turning off air conditioning within a server room leading to the overheating of racks and disruption of an operational ATM system.

B.3 Dealing with the Human Threat
Human actions can constitute a security risk, and these can be broken down into two types of actions:
- Intentional: people carry out negative actions for different reasons, often based on their motivations. Motivations can be influenced through communications, education, money, beliefs, etc. However, negative beliefs are hard to change and can only be identified through screening and monitoring. Third parties can influence the motivations of people through direct contact and persuasive communication, money, etc.
- Unintentional: how people behave is also influenced by motivations and personality. This can be due to lack of care, lack of pride, lack of training, time pressures, a belief they know better.

As a general rule:
- Personality plus motivation influences behaviour
- Negative behaviour plus capability can equate to a cyber security risk

It is important to identify those threat actor groups that could pose a risk, and this needs to be done through a thorough threat assessment. A threat actor group is a group of people who can reasonably be considered to have the same characteristics in terms of capability, motivation and opportunity to perform an attack. For example, an organisation's set of cleaners may be grouped together as one threat actor group, rather than conducting a threat assessment for each individual cleaner. Security personnel normally do not have the necessary soft skills to do this job without assistance. The internal Human Resources department should have a specialist in this area. It must also be understood that different cultures exist in different areas of a business and, therefore, different approaches might need to be taken when working with these groups.

Part 7 of the ISO 27002 standard provides for controls relating to Human Resources security and ensures that the employee understands, is aware of and fulfils his security responsibilities. This also ensures that only those employees with the right personality and motivations are identified for certain roles. This is done through proper screening, testing, awareness education and training, as well as having in place the disciplinary processes to deal with an employee who commits an information security breach. The ISO standard provides for the basic controls; any residual risk can be minimised by a number of other controls, such as restricting access to certain employees and thereby limiting their capability to be a risk.

Below are listed the different types of threat actor groups which have access to information systems:
- Normal users: these are users of ANSP information systems that have routine access to a broad amount of information with no special access rights or permissions
- Privileged users: users of ANSP information systems, e.g. system administrators, specialist engineers, technicians, that are able to change configuration, edit/create access rights, manage system hardware including security controls
- Indirectly connected: these are individuals, not necessarily authorised, that may be able to access ANSP information systems via a connected system
- Service consumers: these are users that benefit from the output of the information system and do not themselves access it or manipulate the data
- Rest of the world (Internet): these are group threat actors that are unauthorised and outside the control of an ANSP or its business partners. They will typically be outside the physical and logical ANSP borders or those of their business partners
- Handlers: this is the group of people required to handle, transport, supply or deliver ANSP information assets
- Service providers: this threat actor group includes those non-ANSP but authorised entities that support the ANSP business and therefore have an interaction with ANSP information assets. This is usually through a service level agreement and contractual processes
- Bystanders: these are users that may have been granted physical access to ANSP information assets or areas but with no access rights to the actual systems or information. Cleaners, visitors or maintenance personnel would typically fit this group

B.4 Consequence of risk occurring

| Category | OPERATIONAL: Effect on Aircrew & Passengers | OPERATIONAL: Overall ATM System effect | FINANCE | SERVICE DELIVERY | REPUTATION |
|---|---|---|---|---|---|
| Catastrophic 1 | Multiple fatalities due to collision with other aircraft, obstacles or terrain. | Sustained inability to provide any service. | Financial loss greater than $200M or insolvency such that government support is required. | Sustained inability to provide a service. | Irreparable damage to relationships with a majority of key stakeholders (owner, customers, employees, public, suppliers) resulting in the organisation not continuing in its current form. |
| Major 2 | Large reduction in safety margin; serious or fatal injury to small number; serious physical distress to air crew. | Inability to provide any degree of service (including contingency measures) within one or more airspace sectors for a significant time. | A financial loss such that board approval of response is required. | Inability to provide any degree of service. | Sustained 'outrage' from majority of key stakeholders on capability to provide functions/services. |
| Moderate 3 | Significant reduction in safety margin. | The ability to provide a service is severely compromised within one or more airspace sectors without warning for a significant time. | A financial loss such that CEO approval is required. | The ability to provide a service is severely compromised. | Expressions of 'outrage' by a key stakeholder on organisation's services/activities. |
| Minor 4 | Slight reduction in safety margin. | The ability to provide a service is impaired within one or more airspace sectors without warning for a significant time. | A financial loss such that delegate approval is required. | The ability to provide a service is impaired | Occasional complaints from key stakeholders requiring additional management attention to reach a satisfactory outcome. |
| Insignificant 5 | Potential for some inconvenience. | No effect on the ability to provide a service in the short term, but the situation needs to be monitored and reviewed for the need to apply some form of contingency measures if the condition prevails. | A financial loss that can be managed within a business unit/branch/section budget. | Negligible effect on the ability to provide a service. | Isolated complaint by individual stakeholder which can be managed to a satisfactory outcome as part of day-to-day business. |

B.5 Likelihood of risk occurring


We have adopted the definitions in the table below for estimating the likelihood of an identified risk occurring.

| Likelihood | Event is expected to occur |
|---|---|
| 1 | More frequently than hourly |
| 2 | Between hourly and daily |
| 3 | Between daily and yearly |
| 4 | Between yearly and 5 yearly |
| 5 | Between 5 and 50 years |
| 6 | Less frequently than once every 50 years |

B.6 Assessment of the level of risk and risk tolerance

We have reviewed all identified risks and provided for each an overall risk ranking which is a combination of the two characteristics of consequence and likelihood. For example, a risk with a major consequence but a 5 likelihood would be described as having a B or tolerable risk rating.

The conversion of the combination of consequence and likelihood into a risk rating has been achieved by use of the following matrix.

Likelihood Criteria (rows) against Consequence Criteria (columns):

| Likelihood | Event expected to occur: | Catastrophic 1 | Major 2 | Moderate 3 | Minor 4 | Insignificant 5 |
|---|---|---|---|---|---|---|
| 1 | More frequently than hourly | A | A | A | A | C |
| 2 | Between hourly and daily | A | A | A | B | D |
| 3 | Between daily and yearly | A | A | B | C | D |
| 4 | Between yearly and 5 yearly | A | B | C | C | D |
| 5 | Between 5 and 50 years | A | B | C | D | D |
| 6 | Less frequently than once every 50 years | B | C | D | D | D |
The previous matrix provides a guide to determine which risks are the highest priorities from the perspective of the timeliness of the corrective action required. The following diagram outlines the position in more definitive terms.

B.7 Sample risk assessment tables

L = Likelihood
C = Consequence
R = Risk

| Ref | Function | Category | Risk | Existing controls | Current risk L | Current risk C | Current risk R | Accept/reduce | Recommended controls | Residual risk L | Residual risk C | Residual risk R |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ID.AM-1 | IDENTIFY | Asset Management | Risk of loss, theft and/or misuse of organisational assets or information assets. | Inventory of physical assets is made; protective marking scheme is in place. | 3 | 3 | B | Reduce | Ensure that an inventory of assets is completed, including who owns individual assets; the acceptable use of assets and information associated with information and information processing facilities; and a procedure for the return of assets owned by the organisation by external third parties, employees or contractors on termination of their employment, contract or agreement. Policies for the use of disposable or removable media should be put in place, particularly where these devices are used for the transport of protectively marked information. A protective marking scheme for information assets should be in place to ensure compliance with legal requirements and to aid staff in determining how assets should be dealt with. This should also aid with preventing unauthorised disclosure. | | | D |

| Ref | Function | Category | Risk | Existing controls | Current risk L | Current risk C | Current risk R | Accept/reduce | Recommended controls | Residual risk L | Residual risk C | Residual risk R |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ID.BE-1 | IDENTIFY | Business Environment | Operational activities are disrupted due to dependencies not being fully understood and risk managed. | Operational and business dependencies are identified and mapped. Frameworks/guidelines are established for dependency relationships (e.g. receive flight plans by a certain time, if not received by deadline then can chase). Alternative capabilities/redundancies for dependencies are identified and established. | 4 | 5 | D | Accept | | | | |
| ID.GV-1 | IDENTIFY | Governance | Incurring penalties for failing to meet regulatory requirements | Business activities are audited for compliance and business maintains links with regulators to ensure that business objectives and strategy meet with regulatory requirements. | 4 | 5 | D | Accept | | | | |
| ID.RA | IDENTIFY | Risk Assessment | Inconsistency in risk assessments and/or approach to risk assessments. | Use a risk assessment framework to guide those conducting risk assessments and increase consistency between deliverables. | 4 | 5 | D | Accept | | | | |

| Ref | Function | Category | Risk | Existing controls | Current risk L | Current risk C | Current risk R | Accept/reduce | Recommended controls | Residual risk L | Residual risk C | Residual risk R |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ID.RM | IDENTIFY | Risk Management Strategy | Motivated and capable outsider threat attempting to hack the overall system through exploitation of vulnerability due to insufficient supply chain risk management. | | 3 | 3 | B | Reduce | Emphasise the need to implement supply chain risk management, as well as an associated policy, to minimise exploitation vulnerabilities in hardware, software and firmware. Emphasise the need and associated policy (FAA) to use secure software development practices to minimise exploitation vulnerabilities. | 5 | 4 | D |
| PR.AC-1 | PROTECT | Access Control | Risk of unauthorised access to confidential or business critical information. | Access rights assigned to roles; approval system in place for access rights requests. | 3 | 4 | C | Reduce | Ensure an access management policy is in place; adopt an access authorisation procedure that manages access rights requests; ensure appropriate levels of approval are in place for different levels of access rights and that access rights are not granted until proper approvals are in place. | 5 | 4 | D |
| PR.AC-2 | PROTECT | Access Control | Organisation is vulnerable to physical attacks, which could take business critical and operational systems offline. | Physical access to buildings and facilities is restricted to authorised personnel only. Business critical facilities should have further restrictions on who has access. Logical controls are backed up by physical controls. Access rights need to be authorised and approved before access is granted. | 5 | 4 | D | Accept | | | | |

| Ref | Function | Category | Risk | Existing controls | Current risk L | Current risk C | Current risk R | Accept/reduce | Recommended controls | Residual risk L | Residual risk C | Residual risk R |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| PR.AT-1 | PROTECT | Awareness and Training | No cyber or information security awareness training for staff or contractors, particularly covering accidental disclosure of confidential or business critical information. | Line manager training events that outline roles and responsibilities for managers to ensure that their staff have read online courses. | 3 | 3 | B | Reduce | Implement broad cyber and information security awareness training to enhance the ability of staff to recognise the diverse range of cyber threats and their capability to critically impact upon ATM infrastructure and business as usual procedures. Ensure that contractual obligations and requirements are included for all staff with respect to continual education and awareness training, so that everyone is aware of their responsibilities. Staff should be made aware that management will expect them to apply information security in line with the policies and procedures of the organisation. A culture of information security should be encouraged within the organisation whereby information security is integrated into standard business practices. | 6 | 3 | D |

| Ref | Function | Category | Risk | Existing controls | Current risk L | Current risk C | Current risk R | Accept/reduce | Recommended controls | Residual risk L | Residual risk C | Residual risk R |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| PR.DS-1 | PROTECT | Data Security | Data from primary radar could be corrupted or otherwise compromised or lost due to an attack by a motivated and capable intruder via the internet. | Secondary radar is available as a backup to the primary radar in the event that the data from the primary radar is compromised, corrupted or lost. | 4 | 5 | D | Accept | | | | |
| PS.DS-2 | PROTECT | Data Security | Saturation of data processing resources due to obsolete or legacy systems. | | 3 | 3 | B | Reduce | Ensure access to data processing resources is managed to prevent saturation; prioritise systems so that business critical systems can have access to data processing resources when they need them; and ensure resource requirements are reviewed regularly. | | | |
| PS.DS-5 | PROTECT | Data Security | Systems rely on synchronised time and are vulnerable to corrupted times in the system | All business-critical systems synchronised to a single reference clock. Validation takes place (both logical and physical) to check this. | 5 | 4 | D | Accept | | | | |

| Ref | Function | Category | Risk | Existing controls | Current risk L | Current risk C | Current risk R | Accept/reduce | Recommended controls | Residual risk L | Residual risk C | Residual risk R |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| PS.DS-6 | PROTECT | | Confidential or business critical information could be leaked unintentionally through incorrect disposal of equipment and/or media. | | 4 | 4 | C | Reduce | Procedure for the safe disposal of media should be disseminated to the organisation and enforced. All portable media should be disposed of in the proper and approved way. | 5 | 5 | D |
| PR.IP-1 | PROTECT | Information Protection Processes & Procedures | Change management controls and processes are not suitable to the environment they are intended to operate in and are not integrated with information security policies. | Change management process is in place and has information security embedded in it. | 4 | 3 | C | Reduce | A change management process should be in place that governs effective change management within the organisation. Effective use of the change management process should mitigate the impacts of changes to the business and control the impacts of changes to the organisation, business processes, information processing facilities and systems on information security. | 4 | 6 | D |

| Ref | Function | Category | Risk | Existing controls | Current risk L | Current risk C | Current risk R | Accept/reduce | Recommended controls | Residual risk L | Residual risk C | Residual risk R |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| PR.MA-1 | PROTECT | Maintenance | Poor engineering procedures could leave organisation at risk to information or cyber based attacks. | Regular checks carried out by line management. | 4 | 3 | C | Reduce | An audit which looks at engineering procedures including line managers checks. | 5 | 3 | C |
| PR.PT-1 | PROTECT | Protective Technology | GPS infrastructure could be victim of cyber disruption or attack due to vulnerability in the infrastructure to spoofing/exploitation. | Secure development policy which covers GPS program. | 4 | 2 | B | Reduce | Further emphasise the need to employ highly secure development and implementation practices such as those being used for the GPS Operational Control System (OCX) Program. Employ redundant systems; operators and ATCOs should be able to operate from an alternative means to GPS. | 5 | 3 | C |
| PR.PT-2 | PROTECT | Protective Technology | Compromise of ATM systems due to weakness in business-critical applications or applications that give access to wider system. | Secure development policy in place; business critical applications are tested and reviewed when there are system or platform changes; information regarding technical vulnerabilities of business critical applications are obtained and highlighted as soon as possible; and development, testing and operational environments are kept separate. | 5 | 4 | D | Accept | | | | |

| Ref | Function | Category | Risk | Existing controls | Current risk L | Current risk C | Current risk R | Accept/reduce | Recommended controls | Residual risk L | Residual risk C | Residual risk R |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| PR.PT-3 | PROTECT | Protective Technology | Business critical systems disrupted by attack from internal/external threats due to vulnerabilities in operating systems, for example where exploits have not been fixed due to irregular rolling out of patches. | Ensure information regarding technical vulnerabilities of business critical operating systems are obtained and highlighted as soon as possible; ensure there is a secure development policy in place; ensure business critical operating systems are tested and reviewed when there are system or platform changes; and ensure that the development, testing and operational environment are kept separate. | 5 | 4 | D | Accept | | | | |
| PR.PT-5 | PROTECT | Protective Technology | Unable to track or audit historical activities of users in the event of a security event or incident. | All user activities, including from administrator and operator accounts, are recorded and time/date stamped (systems are synchronised to same clock on regular basis to ensure accurate time/date stamping). The logs are secured and can only be accessed by authorised users, and access is only available once proper approvals are in place. Access to the logs themselves should also be logged (separately). | 4 | 5 | D | Accept | | | | |
| DE.AE | DETECT | Anomalies & Events | Intruders are able to breach network without being detected or the incident is not flagged up appropriately or in time for a response to be mobilised. | A baseline level of network operations and activity, as well as expected data flows, has been established for users and systems. Incident alert thresholds have been established and anything that does not conform to the thresholds is flagged up as an incident. Detected events are analysed via data aggregated from a number of sources in order to understand targets and methods and the impact of the event. | 3 | 5 | D | Accept | | | | |

| Ref | Function | Category | Risk | Existing controls | Current risk L | Current risk C | Current risk R | Accept/reduce | Recommended controls | Residual risk L | Residual risk C | Residual risk R |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| DE.CM | DETECT | Security Continuous Monitoring | Threats to the organisation would not be caught due to insufficient monitoring procedures. | Monitoring system in place to monitor traffic on network. | 3 | 2 | A | Reduce | Monitoring systems should be put in place to pick up information security events and incidents, unusual user activities, exceptions and faults. This monitoring should include administrator and system operator activities. The facilities supporting the monitoring systems should be protected from tampering/unauthorised access. There should be a reporting system in place that assesses information security events, classifies them, and escalates the events to be dealt with as necessary. | 5 | 4 | D |
| DE.DP | DETECT | Detection Processes | Failure of critical system such as flight data processing (FDP) due to malware infection. | Anti-virus software installed on all systems. Staff are aware of the threat that malware poses to vulnerable systems through awareness training. It is necessary to ensure that appropriate malware detection capability is in place so that malware can be caught before it propagates throughout a network and infects critical systems; however, due to business critical nature of certain systems, it may not be possible to ensure most up to date definitions and patches are applied in a timely manner. Best judgement should be used as to when patches should be applied. | 3 | 4 | C | Accept | | | | |

| Ref | Function | Category | Risk | Existing controls | Current risk L | Current risk C | Current risk R | Accept/reduce | Recommended controls | Residual risk L | Residual risk C | Residual risk R |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| RS.RP | RESPOND | Response Planning | Response has not been prepared for information security incidents or crises that would affect the organisation in such a way that systems and activities that are business critical are disrupted. | Response plan is in place for the organisation, which integrates information security and cyber security into the wider organisational strategy. Strategy is owned by a senior manager who has responsibility for ensuring that the plan is implemented appropriately. Incident response plans and procedures are in place. | 5 | 4 | D | Accept | | | | |
| RS.CO | RESPOND | Communications | In the event of a security incident, response plan cannot be implemented because key staff had not been made aware of it. | Response plan is available to staff as a soft copy document on the employee portal. | 4 | 3 | C | Reduce | Include contractual obligations for key staff to be familiar with all organisational policies, including the response plan. Ensure staff are made aware of the plan through both formal and informal training. Ensure staff buy-in by having key staff input into the plan when it is reviewed and updated. | 4 | 5 | D |
| RS.AN | RESPOND | Analysis | In the event that a security incident is reported, no further investigation is carried out into the nature of the breach and resulting collateral damage, i.e. the cost. | Analysis and reporting framework in place to provide step guidance on how to proceed with an investigation when a breach is identified. | 4 | 3 | C | Reduce | Breaches are logged and mandatory investigation timeframes are enforced, i.e. a SIEM tool. | 4 | 5 | D |

| Ref | Function | Category | Risk | Existing controls | Current risk L | Current risk C | Current risk R | Accept/reduce | Recommended controls | Residual risk L | Residual risk C | Residual risk R |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| RS.MI | RESPOND | Mitigation | In the event of a virus breach, limited action is taken to halt its propagation throughout the system. | Anti-malware packages installed on systems. | 3 | 3 | B | Reduce | Shut down infected networks and consider shutting down adjacent networks to prevent propagation. | 3 | 4 | C |
| RS.IM | RESPOND | Improvements | Lessons learnt from previous security incidents/crises are not implemented. | Lessons learnt from implementation of response plan are recorded in a log and acted upon. | 4 | 5 | D | Accept | | | | |
| RC.RP | RECOVER | Recovery Planning | Lack of resilience and recovery capability within the organisation resulting in increased time between an incident and returning to business as usual. | Disaster recovery plan is in place for the organisation, which integrates information security and cyber security into the wider organisational strategy. Plan is owned by a senior manager who has responsibility for ensuring that the plan is understood, disseminated throughout the organisation and implemented appropriately. Recovery plan has redundancies and alternative capabilities built in in the event of unavailability of key staff. | 5 | 4 | D | Accept | | | | |
| RC.IM | RECOVER | Improvements | Lessons learnt from previous security incidents/crises are not implemented. | Lessons learnt from implementation of business continuity strategy or plan are recorded in a log and acted upon. | 4 | 5 | D | Accept | | | | |

| Ref | Function | Category | Risk | Existing controls | Current risk L | Current risk C | Current risk R | Accept/reduce | Recommended controls | Residual risk L | Residual risk C | Residual risk R |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| RC.CO | RECOVER | Communications | Reputation suffers as the result of a breach in a way that impacts the operation of the business, either financially or operationally. | Communications and public relations team are well briefed in the event of an incident on the potential impacts to the organisation. Good communication within the organisation from the Communications and PR team on lines to take with the media. | 4 | 3 | C | Accept | | | | |

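
Added example (not part of the CANSO guide): the B.6 matrix encoded in Python and used to check the L, C and R values of risk-register rows. The rows marked as transcribed are copied from the sample tables above; the row `EX-1`, the rule that a "Reduce" row should carry a residual score, and all function and class names are assumptions made for this illustration.

```python
from typing import List, NamedTuple, Optional

# B.6 matrix. Key = likelihood (1 = more frequently than hourly ... 6 = less
# frequently than once every 50 years). Each string holds the rating for
# consequence 1 (Catastrophic) to 5 (Insignificant), read left to right.
MATRIX = {
    1: "AAAAC",
    2: "AAABD",
    3: "AABCD",
    4: "ABCCD",
    5: "ABCDD",
    6: "BCDDD",
}
MAX_CONSEQUENCE = 5


class Score(NamedTuple):
    likelihood: Optional[int]
    consequence: Optional[int]
    stated: Optional[str]        # rating letter printed in the register


class Row(NamedTuple):
    ref: str
    current: Score
    decision: str                # "Accept" or "Reduce"
    residual: Optional[Score]    # None when no residual risk is printed


def rating(likelihood: int, consequence: int) -> str:
    """Look up the rating, rejecting values outside the B.5 and B.4 scales."""
    if likelihood not in MATRIX:
        raise ValueError(f"likelihood {likelihood} outside 1-{len(MATRIX)}")
    if not 1 <= consequence <= MAX_CONSEQUENCE:
        raise ValueError(f"consequence {consequence} outside 1-{MAX_CONSEQUENCE}")
    return MATRIX[likelihood][consequence - 1]


def check_score(ref: str, label: str, score: Optional[Score]) -> List[str]:
    """Return findings for one L/C/R triple (empty list when consistent)."""
    if score is None:
        return []
    if None in score:
        return [f"{ref} {label}: incomplete (L={score.likelihood}, "
                f"C={score.consequence}, R={score.stated})"]
    try:
        expected = rating(score.likelihood, score.consequence)
    except ValueError as exc:
        return [f"{ref} {label}: {exc}"]
    if expected != score.stated:
        return [f"{ref} {label}: stated {score.stated}, matrix gives {expected}"]
    return []


def audit(register: List[Row]) -> List[str]:
    """Check every row's current and residual scores against the matrix."""
    findings: List[str] = []
    for row in register:
        findings += check_score(row.ref, "current", row.current)
        # Assumption of this example: a "Reduce" decision should be backed
        # by a residual score showing where the treatment is meant to land.
        if row.decision == "Reduce" and row.residual is None:
            findings.append(f"{row.ref} residual: missing for a Reduce decision")
        findings += check_score(row.ref, "residual", row.residual)
    return findings


REGISTER = [
    # Transcribed from the B.7 sample tables.
    Row("ID.AM-1", Score(3, 3, "B"), "Reduce", Score(None, None, "D")),
    Row("ID.RM",   Score(3, 3, "B"), "Reduce", Score(5, 4, "D")),
    Row("PR.AC-1", Score(3, 4, "C"), "Reduce", Score(5, 4, "D")),
    Row("PR.AC-2", Score(5, 4, "D"), "Accept", None),
    Row("PS.DS-2", Score(3, 3, "B"), "Reduce", None),
    Row("PR.IP-1", Score(4, 3, "C"), "Reduce", Score(4, 6, "D")),
    Row("PR.PT-1", Score(4, 2, "B"), "Reduce", Score(5, 3, "C")),
    Row("DE.CM",   Score(3, 2, "A"), "Reduce", Score(5, 4, "D")),
    Row("RS.MI",   Score(3, 3, "B"), "Reduce", Score(3, 4, "C")),
    # Constructed row (not from the guide) with a deliberately wrong rating.
    Row("EX-1",    Score(2, 4, "C"), "Reduce", Score(4, 4, "C")),
]

if __name__ == "__main__":
    for finding in audit(REGISTER):
        print(finding)
```

On these rows the check reports that ID.AM-1 prints only a residual R, that PS.DS-2 prints no residual score, and that the residual consequence of 6 printed for PR.IP-1 lies outside the 1 to 5 scale of B.4, alongside the constructed mismatch in `EX-1`.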
B.8 Treatment recommendations

| Ref # | Recommendation | Risk Rating | Commentary | Status |
|---|---|---|---|---|
| S1.1 | | | | |

10 Sources
ICAO Doc 9985 ATM Security Manual, 1st Ed. (Restricted)

ICAO Doc. 8973 Aviation Security Manual, 8th Ed. (Restricted)

Cyber Security of a Net-Centric Aviation Ecosystem, Network Centric Operations Industry Consortium
(NCOIC), version 1.0, December 2011

Information Security in a Net-Centric Environment Enforcing Secure Data Sharing in a Distributed Network,
Network Centric Operations Industry Consortium (NCOIC), version 3.0, January 2012

Analysis of Cybersecurity Content in the Air Traffic Collegiate Training Initiative (AT-CTI) Program, Juan Lopez
Jr. and Deanne W. Otto, Two Cultures: International Journal of Technology, Humanities, and Human Security. ISSN
2324-738X Vol. 1, no. 1

A Taxonomy of Operational Cyber Security Risks, James J. Cebula and Lisa R. Young, Software Engineering
Institute. Technical Note CMU/SEI-2010-TN-028, December 2010

The Connectivity Challenge: Protecting Critical Assets in a Networked World A Framework for Aviation
Cybersecurity, The American Institute of Aeronautics and Astronautics (AIAA). August 2013

Glossary of Key Information Security Terms (NISTIR 7298, Revision 2.) Richard Kissel, Editor. Computer Security
Division, Information Technology Laboratory, National Institute of Standards and Technology (NIST), May 2013

Framework for Improving Critical Infrastructure Cybersecurity. Version 1.0. National Institute of Standards and
Technology (NIST). February 12, 2014

Getting ahead of the threat: Aviation and cyber security, Emilio Iasiello, iSIGHT Partners. Aerospace
America. The American Institute of Aeronautics and Astronautics (AIAA). July-August 2013

Article Under Attack? Cyber security and air traffic management Airspace Magazine Issue 14 Quarter 3 2011
CANSO Members
CANSO, the Civil Air Navigation Services Organisation, is the global voice of air traffic management worldwide. CANSO Members support over 85% of world air traffic. Members share information and develop new policies, with the ultimate aim of improving air navigation services (ANS) on the ground and in the air.

CANSO represents its Members' views in major regulatory and industry forums, including at ICAO, where it has official Observer status. CANSO has an extensive network of Associate Members drawn from across the aviation industry. For more information on joining CANSO, visit www.canso.org/joiningcanso.

civil air navigation services organisation

Full Members - 84
Aeronautical Radio of Thailand (AEROTHAI)
Aeroportos de Moçambique
Air Navigation and Weather Services, CAA (ANWS)
Air Navigation Services of the Czech Republic (ANS Czech Republic)
AirNav Indonesia
Air Traffic & Navigation Services (ATNS)
Airports and Aviation Services Limited (AASL)
Airports Authority of India (AAI)
Airports Fiji Limited
Airservices Australia
Airways New Zealand
Albcontrol
Austro Control
Avinor AS
AZANS Azerbaijan
Belgocontrol
Bulgarian Air Traffic Services Authority (BULATSA)
CAA Uganda
Civil Aviation Authority of Bangladesh (CAAB)
Civil Aviation Authority of Botswana
Civil Aviation Authority of Mongolia
Civil Aviation Authority of Singapore (CAAS)
Civil Aviation Authority of Swaziland
Civil Aviation Regulatory Commission (CARC)
Comisión Ejecutiva Portuaria Autonoma (CEPA)
Croatia Control Ltd
Department of Airspace Control (DECEA)
Department of Civil Aviation, Republic of Cyprus
DFS Deutsche Flugsicherung GmbH (DFS)
Dirección General de Control de Tránsito Aéreo (DGCTA)
DSNA France
Dutch Caribbean Air Navigation Service Provider (DC-ANSP)
ENANA-EP ANGOLA
ENAV S.p.A: Società Nazionale per l'Assistenza al Volo
Entidad Pública Aeropuertos Españoles y Navegación Aérea (Aena)
Estonian Air Navigation Services (EANS)
Federal Aviation Administration (FAA)
Finavia Corporation
General Authority of Civil Aviation (GACA)
Ghana Civil Aviation Authority (GCAA)
Hellenic Civil Aviation Authority (HCAA)
HungaroControl Pte. Ltd. Co.
Instituto Dominicano de Aviacion Civil (IDAC)
Israel Airports Authority (IAA)
Iran Airports Co
Irish Aviation Authority (IAA)
ISAVIA Ltd
Japan Civil Aviation Bureau (JCAB)
Kazaeronavigatsia
Kenya Civil Aviation Authority (KCAA)
Latvijas Gaisa Satiksme (LGS)
Letové prevádzkové Služby Slovenskej Republiky, Štátny Podnik
Luchtverkeersleiding Nederland (LVNL)
Luxembourg ANA
Maldives Airports Company Limited (MACL)
Malta Air Traffic Services (MATS)
National Airports Corporation Ltd.
National Air Navigation Services Company (NANSC)
NATS UK
NAV CANADA
NAV Portugal
Naviair
Nigerian Airspace Management Agency (NAMA)
Office de l'Aviation Civile et des Aeroports (OACA)
ORO NAVIGACIJA, Lithuania
PNG Air Services Limited (PNGASL)
Polish Air Navigation Services Agency (PANSA)
PIA Adem Jashari - Air Control J.S.C.
ROMATSA
Sakaeronavigatsia Ltd
S.E. MoldATSA
SENEAM
Serbia and Montenegro Air Traffic Services Agency (SMATSA)
Serco
skyguide
Slovenia Control
State Airports Authority & ANSP (DHMI)
State ATM Corporation
Sudan Air Navigation Services Department
Tanzania Civil Aviation Authority
Trinidad and Tobago CAA
The LFV Group
Ukrainian Air Traffic Service Enterprise (UkSATSE)
U.S. DoD Policy Board on Federal Aviation

Gold Associate Members - 11
Airbus ProSky
Boeing
FREQUENTIS AG
GE Air Traffic Optimization Services
GroupEAD Europe S.L.
ITT Exelis
Lockheed Martin
Metron Aviation
Raytheon
Selex ES
Thales

Silver Associate Members - 70
Adacel Inc.
Aeronav Inc.
Aireon
Air Traffic Control Association (ATCA)
Association Group of Industrial Companies TIRA Corporation
ATAC
ATCA Japan
ATECH Negócios em Tecnologia S/A
Aviation Advocacy Sarl
Aviation Data Communication Corp (ADCC)
Avibit Data Processing GmbH
Avitech GmbH
AZIMUT JSC
Barco Orthogon GmbH
Brüel & Kjaer EMS
BT Plc
Comsoft GmbH
CGH Technologies, Inc
CSSI, Inc.
EADS Cassidian
EIZO Technologies GmbH
European Satellite Services Provider (ESSP SAS)
Emirates
ENAC
Entry Point North
Era Corporation
Etihad Airways
Guntermann & Drunck GmbH
Harris Corporation
Helios
Honeywell International Inc. / Aerospace
IDS Ingegneria Dei Sistemi S.p.A.
Indra Navia AS
Indra Sistemas
INECO
Inmarsat Global Limited
Integra A/S
Intelcan Technosystems Inc.
International Aero Navigation Systems Concern, JSC
Jeppesen
JMA Solutions
Jotron AS
LAIC Aktiengesellschaft
LEMZ R&P Corporation
LFV Aviation Consulting AB
Micro Nav Ltd
The MITRE Corporation CAASD
MLS International College
MovingDot
NLR
Northrop Grumman
NTT Data Corporation
Núcleo de Comunicaciones y Control, S.L.U.
Quintiq
Rockwell Collins, Inc.
Rohde & Schwarz GmbH & Co. KG
RTCA, Inc.
Saab AB
Saab Sensis Corporation
Saudi Arabian Airlines
Schmid Telecom AG
SENASA
SITA
SITTI
Snowflake Software Ltd
STR-SpeechTech Ltd.
TASC, Inc.
Tetra Tech AMT
Washington Consulting Group
WIDE

Membership list correct as of 12 June 2014. For the most up-to-date list and organisation profiles go to www.canso.org/cansomembers