57TH ANNUAL CONFERENCE, Accra, Ghana, 19-23 March 2018
WP No. 93
Incorporating Cybersecurity into Unlawful Interference Policy
Presented by TOC
In the current Unlawful Interference policy, only the security of ATC personnel is mentioned. Cyber-attacks are targeting the computerized automation systems instead of personnel. At the 2017 IFATCA conference, provisional policy on cybersecurity was adopted. This policy is now incorporated to the existing IFATCA unlawful interference policy.
1.1 At the 56th IFATCA Annual Conference in May 2017, TOC presented a working paper on cybersecurity in both committee B and C. The following Provisional Policy was adopted by committee B:
|Compromised cyber security poses a significant risk to safety in aviation. IFATCA considers intentional cyberattacks to be a form of unlawful interference.|
1.2 The significance of cybersecurity and fast evolution of digital technologies keeps this subject being constantly monitored by IFATCA. Recent developments in the area of cybersecurity in aviation are mentioned in this paper.
2.1 Cybersecurity measures in aviation after 2017 conference
On 31 May 2017, EASA and EUROCAE held a joint workshop to support the new regulatory framework that addresses cybersecurity. As a result, EASA and EUROCAE agreed to “analyse the proposals made for further standardisation and regulatory activities and develop our respective work programmes”.
On 16 November 2017, IFALPA issued a security briefing leaflet and a position paper on cyber threats articulating its concern about the possibility of a cyber-attack against an aircraft, ground facility, or other critical infrastructure resulting in unsafe situations or ultimately even loss of life. The paper concludes:
- Software and hardware developers/providers to demonstrate the effectiveness of security measures against cyber-attacks
- Considerations regarding Electromagnetic Interference (EMI) of navigation and communication systems
- Requirements for data protection (electronic and physical) covering secure data transfer, message integrity, access control and network lines monitoring
- Training for all operative personnel (including flight crews and maintenance staff) regarding cyber threats
- Governance and control referring to security policies and procedures including with ISO 27000 series standard guidance
- Information sharing of cybersecurity incidents
The ATCOs response to a cybersecurity threat may differ to that of a pilot. A pilot experiencing a cybersecurity threat whilst airborne does not have access to the same level of support as an ATCO. They are operating in an environment where in most cases they only have the support of one other pilot.
ATCOs have far more options for support. Often, but not always, other ATCOs are available for support. There is also the opportunity to access technical and security staff to help deal with any issues that may arise. ATCOs have access to more technical and operational support allowing them remain focused on the more immediate tasks of providing an air traffic control service.
2.2 ICAO Definitions
According to ICAO Annex 17:
|Acts of unlawful interference. These are acts or attempted acts such as to jeopardize the safety of civil aviation, including but not limited to:
The last paragraph, mentioning “communication of false information” clearly covers realization of cybersecurity threats as an act of unlawful interference according to ICAO, followed by general definition of security:
|Security. Safeguarding civil aviation against acts of unlawful interference. This objective is achieved by a combination of measures and human and material resources.|
Meaning that general security definition covers cybersecurity as well according to ICAO.
2.3 Current IFATCA Unlawful Interference policy
The current IFATCA unlawful interference policy came from combining in 1993 (Christchurch 1993 – WP 125) of Hijacking Policy (1977) and policy on unlawful interference with international civil aviation and its facilities (1990). It was the first time aviation facilities were considered of high significance and importance. As ATC becomes more about information management and information sharing, ATC facilities and systems are even more important than before.
Bearing in mind the controllers’ fundamental responsibility to preserve safety in the air and deriving authority from its constitution, IFATCA adopted the following policy as a tool designed to highlight the basic policies set out in the Technical & Professional Manual on this subject.
|ATC personnel are entitled to maximum security with respect to the safeguarding of personal life, operational environment and the safety of aircraft under their control.
If during unlawful interference with civil aviation, the appropriate authorities instruct the Controller to deviate from or violate the ICAO rules, he shall in no way be held legally responsible for carrying out such an order.
All orders which imply a deviation from the established air traffic rules shall be conveyed through the appropriate authorities, normally the immediate superior and always through the authority responsible for the provision of Air Traffic Services. Such orders shall always be issued in written form, clearly identifying their origin and authority, and retained for investigative purposes.
The Air Traffic Controller on duty shall be granted relief from his working position when the conditions stated above are not followed, or when he considers the content of the order wrong or criminal.
During unlawful interference against ATC facilities or its threat, services may be withdrawn. Measures shall be included in national or international contingency.
Member Associations shall also urge their governments to ratify the existing protocols, conventions and treaties on these matters, to make them available to whom it concerns and to refrain from any course of action contrary to those rules.
Member Associations should seek formal agreement on the conduct of an Air Traffic Controller during situations of unlawful interference and the adoption of contingency procedures during such situations.
IFATCA will undertake, through its Executive Board, to transmit the contents of this policy to the appropriate international organisations, namely the United Nations, ICAO and the ILO, and also regional organisations who may be concerned with these matters.
In current policy’s paragraphs, only security of ATC personnel is mentioned, but cyberattacks are targeting the computerized automation systems instead. These systems are developing fast, with cyber-attacks becoming increasingly complex and realistic.
As decided by the 2017 conference, IFATCA considers to be intentional cyberattacks as a form of unlawful interference. TOC, in consultation with PLC, proposes to incorporate the Cybersecurity Provisional Policy into the Unlawful Interference policy in the form of the following sentence – “IFATCA considers intentional cyber-attacks to be a form of unlawful interference”. Further review of the professional paragraphs of the Unlawful Interference policy is recommended.
3.1 Qualifying an intentional cyberattack as a form of unlawful interference is in line with ICAOs consideration of communication of false information as unlawful interference.
3.2 The ATCOs response to a cybersecurity threat may differ to that of a pilot . ATCOs have access to more technical and operational support allowing them remain focused on the more immediate tasks of providing an air traffic control service.
3.3 More in depth review on the professional paragraphs of the unlawful interference policy is recommended.
4.1 It is recommended that IFATCA policy is:
IFATCA considers cyber-attacks to be a form of unlawful interference.
And is included as the second paragraph of IFATCA Technical and Professional Manual LM 11.4 Unlawful interference with international civil aviation facilities.
4.2 It is recommended that IFATCA provisional policy COM 4.12 Cybersecurity:
Compromised cyber security poses a significant risk to safety in aviation. IFATCA considers intentional cyber-attacks to be a form of unlawful interference.
Is removed from the IFATCA Technical and Professional Manual.
IFATCA TPM 2017 – COM 4.12 CYBERSECURITY – Page 3 2 4 14.
Report on Workshop on Cyber Security in Aviation jointly organised by EASA and EUROCAE, 31 May 2017, Brussels.
IFALPA Security Briefing Leaflet, Cyber Threats, 17SECBL01, 16 November 2017.
International Civil Aviation Organization (ICAO), Annex 17 Security-Safeguarding International Civil Aviation Against Acts of Unlawful Interference. 10th Edition (April 2017), Chapter 1 Definitions, page 1-1 and 1-2.
IFATCA Technical and Professional Manual, 2017 edition, LM 11.4.1, Page 4 2 4 55.
IFATCA Minutes of Meeting Committee B, Toronto 2017, B2.
Last Update: October 1, 2020