Safety is always our number one priority, and that includes when it comes to cyber security and information assurance. Improving security is an ongoing effort to ensure that we understand and can guard against the latest risks.
As NATS’ Chief Information Officer, it’s an area that I have responsibility for.
The nature of the risks the industry faces has changed enormously over the past few years. For example, in the United States, the idea of ADS-B ‘spoofing’ has had a lot of attention. ADS-B is a technology where an aircraft determines its own position using satellites and then broadcasts that information unencrypted via a radio frequency.
It would therefore be technically possible for someone to broadcast the details of fake aircraft, with obvious safety concerns. A huge amount of work is being done within the industry to better understand and guard against these kinds of attacks. At NATS, we are very supportive of the further development of ADS-B, and fully expect it to form part of our operations in the future. For the time being, we actually have a number of ways of determining an aircraft’s position so that we are never reliant on a single source of information.
But it’s not just the technologies and methods of hackers that have changed – our own business and industry have also been transformed. A decade ago the fact that many air traffic control systems were quite old and had limited connectivity was a relative defence against a cyber-attack, but the world has moved on and so has NATS. We have invested £1 billion in modernising our technology and are now working all over the world within an industry where systems are connected across organisations, countries and continents. This has revolutionised air traffic management, but it has also increased the risks.
Security is only ever as good as its weakest link.
It’s for that reason that NATS has joined the newly formed CANSO ATM Security Group, which follows the completion of a two-year review into how we protect our information and systems. That study has given us objective information on which to base our future plans and we’re now setting up a Cyber Security Organisation within NATS to lead on this work. A lot of it will involve looking at governance and protecting critical systems, but security is as much about people as it is technology. That’s why we’re also focusing on helping our people to better understand the value of information and how they can help protect it.
It may seem counter-intuitive, but I believe giving people greater flexibility in how they work is vitally important. We are currently in the midst of rolling out a new virtualised desktop system that lets people log in and access their work from almost any device with an internet connection.
Far from this increasing the risks, by giving people more flexible access to their work you can actually make it more secure. You’re less likely to email a piece of work home, or save it to an easily lost USB stick if you have a hassle-free way of accessing it via a secure connection on your own computer or tablet.
Fundamentally, security is all about striking the right balance. Of course you need to protect your organisation wherever possible, but at the same time you need to do so in a way that allows people to do their jobs. Our vision is for a fit-for-purpose cyber defence capability that is commensurate with the risk to our systems while enabling our business to grow, and that’s exactly what we are doing.