Safety is always our number one priority, and that includes when it comes to cyber security and information assurance. Improving security is an ongoing effort to ensure that we understand and can guard against the latest risks.

As NATS’ Chief Information Officer, it’s an area that I have responsibility for.

The nature of the risks the industry faces has changed enormously over the past few years. For example, in the United States, the idea of ADS-B ‘spoofing’ has had a lot of attention. ADS-B is a technology where an aircraft determines its own position using satellites and then broadcasts that information unencrypted via a radio frequency.

It would therefore be technically possible for someone to broadcast the details of fake aircraft, with obvious safety concerns. A huge amount of work is being done within the industry to better understand and guard against these kinds of attacks. At NATS, we are very supportive of the further development of ADS-B, and fully expect it to form part of our operations in the future. For the time being, we actually have a number of ways of determining an aircraft’s position so that we are never reliant on a single source of information.


But it’s not just the technologies and methods of hackers that have changed – our own business and industry have also been transformed. A decade ago, the fact that many air traffic control systems were quite old and had limited connectivity was a relative defence against a cyber-attack, but the world has moved on and so has NATS. We have invested £1 billion in modernising our technology and are now working all over the world within an industry where systems are connected across organisations, countries and continents. This has revolutionised air traffic management, but it has also increased the risks.

Security is only ever as good as its weakest link.

It’s for that reason that NATS has joined the newly formed CANSO ATM Security Group, which follows the completion of a two-year review into how we protect our information and systems. That study has given us objective information on which to base our future plans, and we’re now setting up a Cyber Security Organisation within NATS to lead on this work. A lot of it will involve looking at governance and protecting critical systems, but security is as much about people as it is about technology. That’s why we’re also focusing on helping our people to better understand the value of information and how they can help protect it.


It may seem counter-intuitive, but I believe giving people greater flexibility in how they work is vitally important. We are currently in the midst of rolling out a new virtualised desktop system that lets people log in and access their work from almost any device with an internet connection.

Far from this increasing the risks, by giving people more flexible access to their work you can actually make it more secure. You’re less likely to email a piece of work home, or save it to an easily lost USB stick if you have a hassle-free way of accessing it via a secure connection on your own computer or tablet.

Fundamentally, security is all about striking the right balance. Of course you need to protect your organisation wherever possible, but at the same time you need to do so in a way that allows people to do their jobs. Our vision is for a fit-for-purpose cyber defence capability that is commensurate with the risk to our systems while enabling our business to grow, and that’s exactly what we are doing.

Comments



28.10.2013

14:26

Angel Smith

8th paragraph down, “computer of tablet” instead of “computer or tablet”.
A very interesting read! 🙂

Thanks, Angel. I’ll pass your feedback to Gavin and will amend the typo!

28.10.2013

17:30

AeroJourn

Small correction for NATS, ADS-B and ADS-C are both encrypted systems, an Aircraft gets its fix by broadcasting and the system by responding. Hence fake aircraft can never be broadcast because that technology is simply not sold to anyone who does not make an Aircraft. There are so many checks ADS manufacturing companies have to do; the checks you can say are almost military grade!

If you do allow people to remotely access your system, there is a huge problem, how can you possibly verify that the person may not be under duress (hypothetically, in order to be safe you have to consider it)? You would need a go / no go password system which would have to be monitored so if someone entered a no go password you could alert the Police.

Also considering Human Factors and Coffee shop culture, what if someone takes a Laptop and leaves it open and forgets to take it with them, granted you would need to know what you are doing, but even then, some damage can be done! Unless you have an ID card system like NHS Doctors do in their HP Keyboards, you cannot access the system without initially inserting the card into the Keyboard and then going through the security identification procedures. However you can log out in an emergency just by pulling the card out of the keyboard!

And being realistic, as the British Army/MoD TV advert says, be careful whom you tell what you do; most people in the civil sector write everything about their job on LinkedIn and other sites and put up pictures with their names, which is all public! You would need to ban your staff from doing that because that would be your first and foremost safeguard to your systems.

Warm regards.

Twitter: @AeroJourn

Hi AeroJourn,

Thanks for taking the time to comment. ADS-B/C equipment is actually widely available and certainly isn’t limited just to aircraft manufacturers. For example, websites like Planefinder.net use their own ADS-B receivers to pick up the aircraft information they display. ADS-B is an exciting technology and a lot of work is going into addressing the security questions around it. I expect one day NATS will be making use of it too.

In regard to remote access, it’s important to emphasise that I’m talking about normal desktop IT, not our operational systems. However, I stand by my point that security has to be a balance between the probable risks and providing people with flexible tools that help them work as efficiently as possible. I hope that helps and thanks again for commenting.

Gavin

