Cybersecurity Risk Assessment in Air Traffic Management: The European Methodology

doi: 10.32560/rk.2024.2.10

Abstract

The digitalisation of Air Traffic Management (ATM) systems, the introduction of service-oriented architectures, and data-sharing models significantly increase system complexity and cybersecurity exposure. This paper comprehensively analyses the cybersecurity challenges of modern ATM systems, with particular focus on the practical limitations of risk assessment methodologies (e.g. SecRAM), vulnerabilities in communication protocols (ADS-B, CPDLC), and the cascade effects caused by supply chains and system integration. The study presents the innovative approach of the Horizon Europe SEC-AIRSPACE project, which aims to enhance existing risk management procedures rather than developing new methodologies. The project’s key innovations include the development of a holistic ATM taxonomy, consideration of virtualised environments and human factors, and the implementation of dynamic risk monitoring. The results contribute to establishing a cyber resilient ATM ecosystem capable of maintaining the exceptional safety standards of air transportation even in a continuously evolving threat landscape.

Keywords:

cyber security, risk assessment, air traffic management, ATM

How to Cite

[1] G. Horváth, “Cybersecurity Risk Assessment in Air Traffic Management: The European Methodology”, RepTudKoz, vol. 36, no. 2, pp. 135–148, Dec. 2025.
