CANSO Cyber Security and Risk Assessment Guide
Published June 2014

Contents
1 Introduction
2 Cyber Threats and Risks
3 Motives and Methods
4 Cyber Assets
5 Cyber Security in ATM
6 Managing Cyber Risks
7 Conclusions and Recommendations
8 Appendix A - International Standards
A.1 - ISO 27000 - Series of standards
A.2 - ISO 27005 - Information security risk management (ISRM)
A.3 - NIST Cybersecurity Framework
9 Appendix B - Risk Assessment Methodology
B.1 Overview
B.2 Threats and vulnerabilities
B.3 Dealing with the human threat
B.4 Consequence of risk occurring
B.5 Likelihood of risk occurring
B.6 Assessment of the level of risk and risk tolerance
B.7 Sample risk assessment tables
B.8 Treatment recommendations
10 Sources
2
Cyber Threats and Risks
The US Department of Homeland Security has defined a cyber threat as any identified effort directed toward access to, exfiltration of, manipulation of, or impairment to the integrity, confidentiality, security, or availability of data, an application, or a federal system, without lawful authority.

A cyber threat can be intentional or unintentional, targeted or non-targeted, and can come from a variety of sources, including: foreign nations engaged in espionage and information warfare; criminals; hackers; virus writers; and disgruntled employees and contractors working within an organisation.

deterred by organisational (a policy, for example), logical (authentication, for example) and physical (restricted proximity card access, for example) controls.

It is important to note that a threat can be a combination of a cyber and physical attack, for example, a physical intrusion into a ground infrastructure and a modification of the software code hosted in the infrastructure. This would be an intentional cyber and physical attack. Or, when authorised personnel do not follow procedure to check the infrastructure, and the infrastructure generates and transmits misleading data. This is both a cyber and unintentional physical attack.
3
Motives and Methods
The motivation of intentional actions in attacks may emerge from a variety of sources: a foreign State or terrorist, criminal, or social-issue organisations. Threat agents performing such intentional actions may be unauthorised entities or insiders, and their primary objective is to engineer potential hazards and performance losses in the net-centric aviation system.

Potential attackers span a wide range of abilities, resources, and motives. At the bottom of the scale are the traditional hackers who hone their skills and claim bragging rights by vandalising easy targets. Attackers in this group have limited expertise and resources. They are not typically focused on any specific target; they will attempt to compromise any vulnerable systems that can be reached via the Internet. The result of attacks at this level may be limited or may have serious effects far beyond those intended by the hackers. Defences at this level are focused on establishing a perimeter around an organisation's information system infrastructure, and defending that perimeter using firewalls and other commercially available tools.

At the next level are cyber thieves who attempt to acquire critical information, anything from credit card numbers to proprietary business plans. Defences at this level include protecting information and systems not just at the perimeter but wherever it resides within the enterprise, using techniques such as hard drive encryption.

The third level is cyber surveillance, in which attackers seek to obtain a foothold within an organisation and execute subsequent higher-level attacks on their own timetable. Attackers
at this level will have moderate expertise, and may launch multiple attacks targeting particular organisations. The consequences for ANSPs of attacks at this level and above may be quite serious, ranging from loss of proprietary information to partial or total failures of air traffic management services, whether as an intended or unintended consequence of the attack. Defence at this level requires continuous internal monitoring and system hardening throughout the enterprise.

At the fourth level are cyber espionage units, sophisticated adversaries capable of mounting multiple coordinated attacks aimed at establishing a persistent foothold within an organisation's infrastructure, which may be used to exfiltrate sensitive information or plant capabilities to disable or disrupt systems. Defence at this level requires an enterprise architecture that can impede an attacker's actions within the organisation's information system infrastructure and ensure continuity of critical mission operations.

The range of threats is so broad, and the sophistication and resources available to attackers at the top of the scale are so great that this problem cannot be addressed with a single solution, nor can it be addressed only at a single point in time. The tools, tactics, and strategies of attackers at all levels are readily available and will continue to evolve, and the threat will continue to increase. It would be naive to believe that the proliferation of these tools can be controlled through legislation or regulations. Responding effectively to the threat will require a long-term commitment from senior leadership to an ongoing process of building and operating increasing levels of information system security capabilities.
To help organise efforts for responding to the cyber threat, most relevant international standards suggest applying an approach that divides the ongoing security process into four complementary areas: plan, protect, detect, and respond. See the diagram below.

The Plan quadrant includes the creation of design strategies and an enterprise-wide or overall system-of-systems architecture that enhances security, provides agility, and reduces overall costs. To effectively implement the architecture, organisations must develop policy and fund security solutions throughout the enterprise with total management commitment.

The Protect quadrant includes prioritising information security investments in both new and legacy systems. Protection techniques must be agile; that is, they must be able to quickly change and adapt to an ever-changing threat. This requires the organisation to leverage emerging technologies and implement them at an enterprise-wide level. While some aspects of security must be built into individual systems, enterprise solutions can be shared throughout an organisation and are a key underlying element of an effective architecture. Enterprise security solutions reduce overall costs and, just as importantly, make it possible for new and evolving threats to be addressed centrally rather than having to introduce new measures into every part of the system. The success of any information technology (IT) security programme is, in part, dependent on the ability to detect and respond to a cyber security event.
[Diagram, surviving labels. Respond: contingency planning and business continuity; multi-stakeholder cooperation; training and awareness. Detect: centralised cyber operations; detection monitoring and analysis; shared knowledge of cyber threats.]
The need for the next two quadrants, Detect and Respond, reflects the unfortunate reality that no matter how much planning and protection is put in place, failures will occur and determined attackers will gain access to protected systems. This fact does not minimise the need for good architecture design and investment, both of which reduce the susceptibility to compromise. Adequate intrusion-detection capability is required to monitor and detect potential cyber security incidents at ATC facilities. Detection requires a centralised cyber security operations centre (SOC) staffed by experts with up-to-date knowledge of the evolving cyber threat. The SOC must be supported by analysis tools fed by intrusion monitoring sensors installed throughout the enterprise, which provide the ability to detect when an organisation's information system has been compromised.

Past experience is not the best predictor of current and future cyber security threats. As new systems like NextGen and SESAR are designed, implemented, and operated, increasing vulnerabilities to the cyber threat must be mitigated. It is essential that ANSPs (individually and collectively) make cyber security a top priority, and that they work together to ensure a secure global air transportation system. Cyber security is not a choice but a requirement.
4
Cyber Assets
There are a number of assets, or components of the aviation system that need to be protected from threats and from becoming a threat.

The cyber assets diagram provides examples of people, processes and technology that you would find within an ANSP, split into operational areas (engineering, operations, air traffic control etc.) and other business areas (legal, finance, HR, etc.). It is important to note that this is not an exhaustive list, but rather an example of some of the key assets involved in the day to day operation of an ANSP.

In the context of applying an information security management system (ISMS) or a cyber security framework, it is often useful to use a profile as a guideline. All organisations face industry-specific risks and issues and it is often not clear from a standard or framework how the controls should be implemented to cover industry specific processes or technology. For example, protective monitoring and physical access control are two controls that are often part of cyber security standards or frameworks. However, while these are beneficial to larger organisations, the cost would be prohibitive for smaller businesses with only marginal benefits. Smaller businesses would be better off if they identified their biggest
threat. This includes software, network protocols, computing algorithms, media storage used in the following infrastructures:
- Large-scale information sharing infrastructure: information sharing between multiple users and applications for worldwide collaboration for aviation tasks. Examples include:
  - aeronautical-specific infrastructure such as SWIM, ISDN
  - public infrastructures such as cloud computing and Internet.
- Voice communication infrastructure: transition from analogue to digital voice and an intelligent voice switching system over Internet, i.e. Voice over IP (VOIP)
- Air navigation support infrastructure: deployed extensively for air-ground communications and passive/active monitoring and tracking of aircraft positions.
  - ground-based transponders for air-ground communications
  - positioning systems (e.g., GBAS, multilateration stations) and radars for supporting air traffic control
  - satellites as communication relay and navigation support infrastructure
  - airport surface area network (e.g., ASDE, WiMAX based AeroMACS).
- Aircraft information systems: networked platforms of aircraft, embedded and crew carried.

Physical assets
A number of physical assets also pose a threat to the aviation system. These include:
- manned and unmanned aircraft, and their payload (i.e., passengers, baggage and cargo)
- devices brought onboard aircraft, including passenger-owned devices and crew-operated mobile devices
- networking and information technology infrastructure (e.g., radar, ground stations, satellites)
- airport information infrastructure
- organisations responsible for information assets and information management systems
- individual persons, employed by organisations, who are authorised and responsible to carry out operations and procedures that involve information assets and information management systems
5
Cyber Security in ATM
Within the context of the Convention on International Civil Aviation (ICAO Doc. 7300, or the Chicago Convention), air navigation services are provided as part of a State obligation and States must safeguard essential national security or defence policy interests and in many cases must meet certain legal requirements, obligations and specific procedures regarding critical infrastructure protection. Of paramount importance to cyber security in ATM is data integrity and information assurance. Thus, it is important to understand the requirements for data and information assurance as well as the measures and strategies that can be taken in this regard.

Information assurance requirements
- Confidentiality: the assurance that aviation information is not disclosed to unauthorised persons, processes, or devices. It includes both the protection of operational aviation information and the information assurance of password or configuration files.
- Integrity: assures that aviation information is not modified by unauthorised entities or through unauthorised processes. Integrity supports the assurance that aviation information is not accidentally or maliciously manipulated, altered, or corrupted. Integrity also means that detection occurs with no or minimal false alarms when information has been altered; the alteration source must be identifiable.
- Availability: assures timely, reliable, continued access to aviation data and information systems by authorised users. Availability controls protect against degraded capabilities and denial of service conditions.
- Authentication: assurance of the identity of message senders and receivers. Authentication supports the validation of messages and information system requests.
- Authorisation: the verifiable identity of each entity handling any asset must be checked to possess appropriate permission and privilege.
- Non-repudiation: assurance that the data sender is provided with proof of delivery, and the recipient is provided with proof of the sender's identity, assuring that sender and receiver processing of the data.
- Traceability: all actions performed on each asset must be logged in a format and for a time period that can satisfy both regulatory and consumer needs.

Enterprise systems, wireless, and cloud computing security
Information exchanges on the ground network benefit from the use of enterprise security and cloud computing security considerations for addressing information assurance, mixed criticality of assets, and multiple business domains. Wireless security solutions at all layers, including physical-layer security of wireless networks, can help secure the aviation system.

Aeronautical systems security
Pre-shared symmetric key-based solutions can provide data link security and aeronautical information exchange security (e.g., ACARS, satellite links). Position verification mechanisms are needed for detection of spoofing, and regulations and criminal statutes need to be in place to deter spoofing and other such threats. Spoofing is where a person or programme successfully masquerades as another by falsifying data and thereby gaining illegitimate access,
usually due to lack of authentication mechanisms for identity verification.

Mitigating physical attacks on cyber assets
Methods to prevent or detect adverse human actions, physical destruction or sabotage of networking and information technology infrastructure of cyber, radio frequency (RF) jamming, etc. The physical methods used to defeat physical attacks targeted at cyber assets can include physical access control to systems; physical checks and processes; detection of abnormal and unauthorised sources of RF energy; and aircraft security, which is dependent on the security of the connections to the ground and airborne and satellite systems.

This also means that an information security management system (ISMS) is part of a more complex security framework called a security management system (SeMS) in which strong and robust relationships exist among the main pillars of personnel, infrastructures, information, organisation, and procedures.

Cross-correlations between physical and information security allow one to understand events that, individually considered, are meaningless, but could be of significance if related and properly analysed.

Cyber security development and management
Security of the net-centric aviation system must be designed, implemented and administered appropriately, e.g. proper assignment and management of suitable access privileges at each entity, proper management and protection of strong passwords, cryptographic and security quantities.

Aircraft operators are assumed to operate correctly, reliably managing software configuration and other digital content important for the secure operation of their fleet in the net-centric ecosystem. Air traffic controllers and pilots are trusted with various air traffic control tasks, including protecting their credentials against misuse.

Cyber security solution strategies
The security architecture must be developed to identify points of unauthorised entry, vulnerabilities, and mitigations. An end-to-end security architecture is required as multiple stakeholders are involved in information sharing. A security and trust relationship must exist between information suppliers and information consumers. The global scale of the aviation system makes achieving end-to-end security challenging, due to needs such as system interoperability and security policies. However, end-to-end security design may reduce the security cost impact on the net-centric aviation system. In order to implement effective cyber security strategies, multi-stakeholder trust partnerships need to be established that encourage information sharing and collaboration.

It will also be necessary to determine how to evaluate the security strength of the aviation system. A high assurance level for an end-to-end security architecture is challenging due to the need for cost-effective and timely analytical methods that can assure security integrity. High-level security standards for solutions that cover airborne, space, and ground-based systems in the net-centric aviation system are needed. And, these standards should be defined such that they do not add unnecessary cost nor open additional exploitable vulnerabilities.

Adaptive threat monitoring and evaluation
The ability to match the need for the right information at the right time with the right information assurance controls will be a key challenge. The dynamic operational environment of the net-centric aviation system may require the tightening or loosening of these controls
based on the type of events and threats. Risk from cyber threats will evolve over time. Hence, the security model to measure and assess the evolving threat impact and risks will need to be adaptive. Security planners will be required to adjust the security models to minimise risk, yet enable air commerce. Again, threat information sharing between stakeholders will be critical, which requires the establishment of multi-stakeholder trust partnerships and forums.

Threat mitigation strategy
Mitigations for every conceivable cyber and physical threat that will have a significant impact on the net-centric aviation system need to be established. The mitigating measures must be sufficient to make the threat somewhat unlikely or implausible with minimal risk. An acceptable risk level is determined by the potential impact. For example, a threat that results in a catastrophic impact must be an extremely improbable security risk. Cyber threat mitigations may be specified as a requirement to be implemented, and they may also be stated as a dependency in the net-centric aviation system. Such dependencies must be clearly identified, and must be promulgated to the entities responsible for implementing them, for example by way of guidance or as instructions.

Threat response strategy
Mechanisms are needed for responding to detected threats and unanticipated security failures that create unacceptable risks in the net-centric aviation system. Rules, procedures and processes are also needed that respond to unanticipated or detected security events in the system.

Information sharing and handling
Within a system of systems environment, such as ATM, that involves a number of actors, it is important to establish an appropriate information-sharing protocol, which will allow stakeholders to commit to sharing information and intelligence openly, yet securely, to increase overall situational awareness of the cyber threat within ATM.

Through this, a common framework for marking information assets is outlined below to enable stakeholders to understand their responsibilities when handling information. The originator should assign an appropriate level of classification for information, having a common glossary and a common term of reference to understand the relevance of information managed. One of the possible ways to classify information is to give one of four Information Handling Levels to every piece of information shared within a community of stakeholders:
6
Managing Cyber Risks
ANSP management needs to be able to assess the impact of security and the lack of security on the net-centric aviation system performance. This includes performing cost-benefit analysis due to the introduction or the absence of security functions. Suitable policies, procedures and processes need to be determined. Detection mechanisms need to be put in place to identify the presence of a threat and decision support tools are needed for threat evaluation and mitigation. An approach is needed that uses standardised mitigations and scopes each threat to a minimum risk manageable, based on established policies, rules, processes and procedures.

would not be provisioned unless required for the business function, but the integrity and availability of data for operational systems will be higher than other business areas. It is therefore important to understand the threats and vulnerabilities, and examples are provided in Appendix B.
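An added example, not part of the CANSO guide: one way a detection mechanism can cross-correlate physical and information security logs, as section 5 describes, so that a door event and a console logon that are each unremarkable alone raise an alert together. The log formats, the door, host and user names, the host-to-room inventory and the 12-hour dwell limit are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample logs (formats and names are illustrative, not from the guide).
BADGE_LOG = """\
2014-06-02T07:58:11 door=OPS-ROOM-1 badge=alice result=granted
2014-06-02T08:05:40 door=OPS-ROOM-1 badge=bob result=granted
2014-06-02T12:01:03 door=OPS-ROOM-1 badge=bob result=exit
2014-06-02T21:14:09 door=OPS-ROOM-1 badge=carol result=denied
"""

LOGON_LOG = """\
2014-06-02T08:01:30 host=ops-ws-03 user=alice type=console result=success
2014-06-02T08:20:02 host=ops-ws-03 user=bob type=console result=success
2014-06-02T13:30:45 host=ops-ws-03 user=bob type=console result=success
2014-06-02T21:16:50 host=ops-ws-03 user=carol type=console result=success
2014-06-02T22:00:00 host=ops-ws-03 user=dave type=remote result=success
2014-06-03T09:00:00 host=ops-ws-03 user=alice type=console result=success
"""

# Assumed asset inventory: the room each console physically sits in.
HOST_ROOM = {"ops-ws-03": "OPS-ROOM-1"}


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return records


def correlate(badge_text, logon_text, host_room=HOST_ROOM,
              max_dwell=timedelta(hours=12)):
    """Flag console logons by users the door system does not place in the room."""
    events = [("badge", r) for r in parse_log(badge_text)]
    events += [("logon", r) for r in parse_log(logon_text)]
    events.sort(key=lambda e: e[1]["ts"])  # stable sort: badge wins a timestamp tie

    last_badge = {}  # (room, user) -> (result, timestamp) of the latest door event
    alerts = []
    for kind, rec in events:
        if kind == "badge":
            last_badge[(rec["door"], rec["badge"])] = (rec["result"], rec["ts"])
            continue
        room = host_room.get(rec["host"])
        # Only a successful logon at a physical console implies presence in a room.
        if room is None or rec["type"] != "console" or rec["result"] != "success":
            continue
        result, seen = last_badge.get((room, rec["user"]), ("none", None))
        if result == "granted" and rec["ts"] - seen > max_dwell:
            result = "stale"  # entry is too old to vouch for presence
        if result != "granted":
            alerts.append({"ts": rec["ts"].isoformat(), "user": rec["user"],
                           "host": rec["host"], "room": room, "reason": result})
    return alerts


if __name__ == "__main__":
    for alert in correlate(BADGE_LOG, LOGON_LOG):
        print(alert)
```

Each alert is a lead for an analyst rather than a verdict: the same pattern can come from shared credentials, tailgating through the door, or a badge reader that missed a swipe.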
7
Conclusions and Recommendations

Cyber security as a part of ATM Security and, more generally, of overall aviation security
Cyber security receives specific consideration in the general legal framework contained in Annex 17 - Security to the Chicago Convention, which recommends that each Contracting State should develop measures in order to protect information and communication technology systems used for civil aviation purposes from interference that may jeopardize the safety of civil aviation. The Aviation Security Manual (Doc 8973 - Restricted) and the Air Traffic Management Security Manual (Doc. 9985 - Restricted) provide guidance on how to apply the Standards and Recommended Practices (SARPs) contained in Annex 17. The importance of air traffic management to the aviation security process is evidenced by recent amendments to Annex 17 that include measures relating to cyber threats and oblige States to ensure protection to infrastructures and facilities and to harmonise security programmes into the national legal framework.

Society expects a high standard of aviation safety and security and the level of security performance will determine society's confidence in air transport. The lack of a high level of security performance would impact the reputation of aviation stakeholders and thus, influence customer perception and choice.

The performance of the future ATM system must therefore contribute to ensuring a high level of security to be achieved by the aviation industry as a whole. Expectations are that this can be achieved not only by ensuring that the infrastructure which makes up the ATM system is itself resilient to attack, but also that the system will provide information that can be used by other organisations to act and protect air transport and the aviation system as a whole.

Risk assessment
ANSPs should conduct a risk assessment to determine the greatest risks to the organisation and business, and should consider assessing the adequacy of their cyber security controls against a recognised standard or framework. This assessment can be scoped against a subset of controls or against a profile that matches an ANSP's business environment and needs.

The NIST Cybersecurity Framework is one of the standards available and provides a common taxonomy and mechanism, primarily focussed towards organisations that provide critical national infrastructure, to:
1. Describe their current cyber security posture
2. Describe their target state for cyber security
3. Identify and prioritise opportunities for improvement within the context of a continuous and repeatable process
4. Assess progress toward the target state
5. Communicate among internal and external stakeholders about cyber security risk

As part of the process, threats and vulnerabilities to the organisation will be documented and control gaps will be identified for areas that have insufficient or ineffective controls to mitigate assessed risks. Guidance on how to conduct a risk assessment is provided in Appendix B.

Cyber security as part of an enterprise-wide approach
As cyber attacks grow in intensity and become increasingly sophisticated, changing constantly in response to the defensive systems they encounter, it will become necessary to adopt an approach to cybersecurity that is proactive, dynamic, and adaptive, evolving beyond the
Appendix A
International Standards
This appendix gives further details about the ISO 27000 series of standards and other security frameworks as follows:
- A.1. Description of each of the standards ISO 27001 to ISO 27006
- A.2. ISO 27005 standard that provides guidelines for information security risk management (ISRM)
- A.3. Cybersecurity Framework of the US Commerce Department's National Institute of Standards and Technology (NIST).

A.1. ISO 27000 series of standards
The ISO 27000 series of standards have been specifically reserved by ISO for information security matters.

The ISO 27001 standard, originally published in October 2005, provides the specification for an information security management system (ISMS). The objective of the standard is to provide requirements for establishing, implementing, maintaining and continuously improving an ISMS. Regarding its adoption, this should be a strategic decision and is influenced by an organisation's needs and objectives, security requirements, the organisational processes used and the size and structure of the organisation. While the 2005 version of the standard heavily employed the Plan-Do-Check-Act (PDCA) model to structure the processes, the latest 2013 version places more emphasis on measuring and evaluating how well an organisation's ISMS is performing.

The ISO 27002 standard, also published in 2005, provides a code of practice for information security and outlines the potential controls and control mechanisms, which may be implemented, subject to the guidance provided within ISO 27001. The two documents are intended to be used together, with one complementing the other. The ISO 27002 standard established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organisation. The actual controls listed in the standard are intended to address the specific requirements identified through a formal risk assessment. The standard is also intended to provide a guide for the development of organisational security standards and effective security management practices and to help build confidence in inter-organisational activities. A new version published in 2013 contains 114 controls, as opposed to the 133 documented within the 2005 version.
Loss of essential services:
- Failure of air-conditioning
- Loss of power supply
- Failure of telecommunication equipment

Disturbance due to radiation:
- Electromagnetic radiation
- Thermal radiation
- Electromagnetic pulses

Compromise of information:
- Interception of compromising interference signals
- Remote spying
- Eavesdropping
- Theft of media or documents
- Theft of equipment
- Retrieval of recycled or discarded media
- Disclosure
- Data from untrustworthy sources
- Tampering with hardware
- Tampering with software
- Position detection

Technical failure:
- Saturation of the information system
- Breach of information system maintainability

Unauthorised action:
- Unauthorised use of equipment
- Fraudulent copying of software
- Use of counterfeit or copied software
- Corruption of data

Compromise of functions:
- Abuse of rights
- Forging of rights
- Denial of actions
- Breach of personnel availability
Protect controls: Access Control (PR.AC)
- PR.AC-1: Identities and credentials are managed for authorised devices and users
- PR.AC-2: Physical access to assets is managed and protected
- PR.AC-3: Remote access is managed
- PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
- PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate.
Note: In the table above PR.AC is the coding that NIST uses in the format [Function].[Category]-[Sub-category]. PR stands for Protect; AC stands for Access Control.

Implementation tiers are used to create a context within which organisations can better understand how their current cyber security capabilities stand against the characteristics described by the NIST Framework. The tiers can be seen in the table below. NIST recommends that any organisation planning to develop effective cyber security capabilities should be aiming to progress to Tier 3 or 4.
Appendix B
Risk Assessment Methodology
B.1 Overview
The risk assessment methodology forms part of a standard risk management process depicted below, which enables an organisation to effectively identify, assess, and treat risk. The term risk refers to the likelihood of being targeted by a given attack. A risk assessment is therefore performed to determine the most important potential security breaches to be addressed and evaluates these in terms of cost impact (consequence) and probability of occurrence (likelihood). Analysing risk in this way can help determine appropriate security budgeting and policy. As part of this process, it is important to first establish the context for the risk assessment. This involves defining the scope and identifying the assets that are potentially at risk. The identification, analysis and evaluation of risks together comprise the Risk Assessment component of the risk management process. The Communicate & Consult part of the process recognises that engagement of stakeholders, both internal and external to the organisation, is key to identifying, analysing and monitoring risk. The Monitor & Review component of the process comprises the controls put in place to ensure that the risk assessment process continues to operate effectively.
B.2 Threats and vulnerabilities
A threat refers to the source and means of a particular type of attack. A threat assessment should be performed to determine the best approaches to securing a system against a particular threat. Penetration testing exercises should be conducted to assess threat profiles and help develop effective countermeasures. While a risk assessment focuses more on analysing the potential and tendency of the organisation's resources to fall prey to various attacks, a threat assessment focuses more on analysing the attacker's resources and can help develop specific security policies that need to be implemented. The term vulnerability refers to the security flaws in a system that will allow an attack to be successful. Vulnerability testing should be performed on an ongoing basis in order to resolve such vulnerabilities and for maintaining ongoing security vigilance.

Unix, OSX and Android. Operating systems fulfill a number of key roles, which requires that they have multiple capabilities. This complexity results in not only capability specific vulnerabilities that can be exploited but also unintentional design flaws or conflicts with other systems or applications. The latter can easily be seen by the number and regularity of patches issued.

Unsupported or unmaintained software
Commercially available software is constantly being assessed for weaknesses and vulnerabilities by software vendors, users and those with malicious intent. Failure to ensure that Commercial Off The Shelf (COTS) software is covered by support agreements and/or rigorous patching procedures can lead to known vulnerabilities being exploited. This is particularly the case for legacy systems connected to the Internet.
gain access to systems they are not authorised to use. An organisation cannot just rely on network monitoring as not all activities or actions, particularly from a motivated external threat, will be identified. Other protective monitoring controls should be applied which could include an effective intrusion detection system.
Lack of effective logging
If an organisation does not log all system activity then it will limit its capability to track actions and activities back to system users in the event of an incident. Effective logging capability gives an organisation forensic capabilities that are critical for determining who did what and when they did it, in a timely manner, facilitating an effective response. Without these capabilities, it could be some time before a security incident is discovered.
Lack of response capability
If an organisation does not have some form of response capability, then regardless of the logging or monitoring controls in place, it will be unable to act with the required speed and efficacy.
of the vulnerabilities that can occur as a result of poor cyber security awareness include:
- Lack of personal security online (social networking for example), including leaving details that could compromise the security of the organisation in the public domain
- Improper use of sensitive information
- Leaving key cards unattended
- Not locking laptops/computers when they are unattended
- Allowing tailgating, i.e. the act of following someone into a building without proper authorisation
- Installing malicious software onto the organisation's systems
The lack of proper awareness training may lead to exploitation of staff by social engineering, which is a technique that is often used to glean information about people and their work through a number of mediums. If employees use the same password at home as they do at work, and they do not take measures to protect their personal password then they have immediately left the organisation vulnerable to a breach.
Lack of screening of business-critical data
Data is vulnerable to corruption and it is important that an organisation ensures the integrity of its data and information. An organisation's data should be checked for corruption as it enters and leaves one of its systems. Corrupt data can impact an organisation in several ways. It can damage the organisation's reputation and impact trust amongst its customer base and service users; or it can damage an organisation's systems or hamper/limit its operations in some way. In the context of ATM, a corrupted flight plan can hang a flight data processing (FDP) system if it is not screened to ensure integrity before being processed. This is known as a buffer overflow, an anomaly whereby a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory thereby resulting in erratic program behavior or even a system crash. As such, buffer overflows are the basis of many software vulnerabilities and can be maliciously exploited.
Systems are not synchronised to a single clock
Many ATM systems operate in a real-time environment, relying on an accurate time. Lack of synchronisation between facilities or systems can cause: disruption to services; corrupted information; and data being dropped.
Environmental and physical
Systems and facilities must be designed to work effectively in the environment in which they are deployed. Site construction/location must consider the perennial environmental risks like wind and rain, but also take into account less likely events such as flood, extreme high temperatures and how this might impact support services that are critical to service operation like power and site access.
Loss of information-related assets
Loss or theft of information-related assets is linked to both poor access control and cyber security awareness. It includes assets that could be stolen that contain valuable data, for example an unattended laptop. Items can also be stolen that might affect operational performance, e.g. theft of cabling. It is not the physical loss, but rather the loss of the information asset linked to the physical media, or the impact on operational performance and service provision.
Equipment disposal
Redundant information assets such as old hard drives, printers, routers, can contain valuable intellectual property and other sensitive information if not securely sanitised. Such items need to be securely destroyed to ensure confidentiality of any residual data.
Radio-based technology
Interference can degrade the performance of radio-based technologies such as a Wi-Fi network, radar, radio or navaid. Information transferred over this technology may also be susceptible to interception if not adequately secured, e.g. encrypted Wi-Fi.
HVAC (heating, ventilation, and air conditioning)
IT hardware has power, humidity and temperature limits and a breach in these limits will affect its operational performance. Poor maintenance of HVAC systems or a deliberate attack could disable hardware and therefore disrupt or halt any interconnected software systems, e.g. turning off air conditioning within a server room leading to the overheating of racks and disruption of an operational ATM system.
B.3 Dealing with the Human Threat
Human actions can constitute a security risk, and these can be broken down into two types of actions:
- Intentional: people carry out negative actions for different reasons, often based on their motivations. Motivations can be influenced through communications, education, money, beliefs, etc. However, negative beliefs are hard to change and can only be identified through screening and monitoring. Third parties can influence the motivations of people through direct contact and persuasive communication, money, etc.
- Unintentional: how people behave is also influenced by motivations and personality. This can be due to lack of care, lack of pride, lack of training, time pressures, a belief they know better.
As a general rule:
- Personality plus motivation influences behaviour
- Negative behaviour plus capability can equate to a cyber security risk
It is important to identify those threat actor groups that could pose a risk, and this needs to be done through a thorough threat assessment. A threat actor group is a group of people who can reasonably be considered to have the same characteristics in terms of capability, motivation and opportunity to perform an attack. For example, an organisation's set of cleaners may be grouped together as one threat actor group, rather than conducting a threat assessment for each individual cleaner. Security personnel normally do not have the necessary soft skills to do this job without assistance. The internal Human Resources department should have a specialist in this area. It must also be understood that different cultures exist in different areas of a business and, therefore, different approaches might need to be taken when working with these groups.
Part 7 of the ISO 27002 standard provides for controls relating to Human Resources security and ensures that the employee understands, is aware of and fulfils his security responsibilities. This also ensures that only those employees with the right personality and motivations are identified for certain roles. This is done through proper screening, testing, awareness education and training, as well as having in place the disciplinary processes to deal with an employee who commits an information security breach. The ISO standard provides for the basic controls; any residual risk can be minimised by a number of other controls, such as restricting access to certain employees and thereby limiting their capability to be a risk.
Below are listed the different types of threat actor groups which have access to information systems:
- Normal users: these are users of ANSP information systems that have routine access to a broad amount of information with no special access rights or permissions
- Privileged users: users of ANSP information systems, e.g. system administrators, specialist engineers, technicians, that are able to change configuration, edit/create access rights, manage system hardware including security controls
- Indirectly connected: these are individuals, not necessarily authorised, that may be able to access ANSP information systems via a connected system
- Service consumers: these are users that benefit from the output of the information system and do not themselves access it or manipulate the data
- Rest of the world (Internet): these are group threat actors that are unauthorised and outside the control of an ANSP or its business partners. They will typically be outside the physical and logical ANSP borders or those of their business partners
- Handlers: this is the group of people required to handle, transport, supply or deliver ANSP information assets
- Service providers: this threat actor group includes those non-ANSP but authorised entities that support the ANSP business and therefore have an interaction with ANSP information assets. This is usually through a service level agreement and contractual processes
- Bystanders: these are users that may have been granted physical access to ANSP information assets or areas but with no access rights to the actual systems or information. Cleaners, visitors or maintenance personnel would typically fit this group
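The screening step described under "Lack of screening of business-critical data" in B.2, as an added example that is not part of the CANSO guide: a C routine that checks the length and content of an incoming flight plan record before copying it into fixed-size buffers, shown beside the unscreened copy that would overrun them. The "CALLSIGN|ROUTE" layout, the field limits and all names are constructed for this example and are not taken from any real FDP system.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified message layout for this example: "CALLSIGN|ROUTE".
 * The field limits are assumptions, not taken from any real FDP system. */
#define CALLSIGN_MAX 7
#define ROUTE_MAX    64

struct flight_plan {
    char callsign[CALLSIGN_MAX + 1];
    char route[ROUTE_MAX + 1];
};

enum screen_result { FP_OK, FP_MALFORMED, FP_FIELD_TOO_LONG, FP_BAD_CHARACTER };

/* Unscreened copy, shown for contrast only and never called below: strcpy()
 * writes until it finds a NUL, so a field longer than its buffer overruns the
 * buffer's boundary and overwrites whatever sits next to it in memory. */
void store_unscreened(struct flight_plan *fp, const char *callsign,
                      const char *route)
{
    strcpy(fp->callsign, callsign);
    strcpy(fp->route, route);
}

/* Screen a received message of msg_len bytes before anything is written.
 * 'out' is only modified once every check has passed. */
enum screen_result screen_flight_plan(const char *msg, size_t msg_len,
                                      struct flight_plan *out)
{
    const char *sep, *route;
    size_t cs_len, rt_len, i;

    /* An embedded NUL would make the declared length and the text disagree. */
    if (msg == NULL || out == NULL || memchr(msg, '\0', msg_len) != NULL)
        return FP_MALFORMED;

    /* Exactly one separator, with a non-empty field on each side. */
    sep = memchr(msg, '|', msg_len);
    if (sep == NULL)
        return FP_MALFORMED;
    cs_len = (size_t)(sep - msg);
    route = sep + 1;
    rt_len = msg_len - cs_len - 1;
    if (cs_len == 0 || rt_len == 0 || memchr(route, '|', rt_len) != NULL)
        return FP_MALFORMED;

    /* Length check against the destination buffers, before any copy. */
    if (cs_len > CALLSIGN_MAX || rt_len > ROUTE_MAX)
        return FP_FIELD_TOO_LONG;

    /* Allow-list of characters: anything else is treated as corruption. */
    for (i = 0; i < cs_len; i++) {
        unsigned char c = (unsigned char)msg[i];
        if (!isupper(c) && !isdigit(c))
            return FP_BAD_CHARACTER;
    }
    for (i = 0; i < rt_len; i++) {
        unsigned char c = (unsigned char)route[i];
        if (!isupper(c) && !isdigit(c) && c != ' ' && c != '/')
            return FP_BAD_CHARACTER;
    }

    /* Bounded copies with explicit termination. */
    memcpy(out->callsign, msg, cs_len);
    out->callsign[cs_len] = '\0';
    memcpy(out->route, route, rt_len);
    out->route[rt_len] = '\0';
    return FP_OK;
}

int main(void)
{
    /* Constructed sample messages. */
    const char *samples[] = {
        "ABC123|DCT ALPHA DCT BRAVO",   /* well formed */
        "ABC123456789|DCT ALPHA",       /* callsign longer than its buffer */
        "ABC123|DCT;ALPHA",             /* character outside the allow-list */
        "ABC123 DCT ALPHA",             /* separator missing */
    };
    static const char *names[] = { "accepted", "malformed", "field too long",
                                   "bad character" };
    struct flight_plan fp;
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum screen_result r =
            screen_flight_plan(samples[i], strlen(samples[i]), &fp);
        printf("message %u: %s\n", (unsigned)i, names[r]);
    }
    return 0;
}
```

A rejected record leaves the destination structure untouched, so the caller can log the rejection and carry on with the next message.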
B.4 Consequence of risk occurring
Category: Catastrophic (1)
OPERATIONAL, Effect on Aircrew & Passengers: Multiple fatalities due to collision with other aircraft, obstacles or terrain.
OPERATIONAL, Overall ATM System effect: Sustained inability to provide any service.
FINANCE: Financial loss greater than $200M or insolvency such that government support is required.
SERVICE DELIVERY: Sustained inability to provide a service.
REPUTATION: Irreparable damage to relationships with a majority of key stakeholders (owner, customers, employees, public, suppliers) resulting in the organisation not continuing in its current form.

Category: Major (2)
OPERATIONAL, Effect on Aircrew & Passengers: Large reduction in safety margin; serious or fatal injury to small number; serious physical distress to air crew.
OPERATIONAL, Overall ATM System effect: Inability to provide any degree of service (including contingency measures) within one or more airspace sectors for a significant time.
FINANCE: A financial loss such that board approval of response is required.
SERVICE DELIVERY: Inability to provide any degree of service.
REPUTATION: Sustained 'outrage' from majority of key stakeholders on capability to provide functions/services.

Category: Minor (4)
OPERATIONAL, Effect on Aircrew & Passengers: Slight reduction in safety margin.
OPERATIONAL, Overall ATM System effect: The ability to provide a service is impaired within one or more airspace sectors without warning for a significant time.
FINANCE: A financial loss such that delegate approval is required.
SERVICE DELIVERY: The ability to provide a service is impaired.
REPUTATION: Occasional complaints from key stakeholders requiring additional management attention to reach a satisfactory outcome.

Category: Insignificant (5)
OPERATIONAL, Effect on Aircrew & Passengers: Potential for some inconvenience.
OPERATIONAL, Overall ATM System effect: No effect on the ability to provide a service in the short term, but the situation needs to be monitored and reviewed for the need to apply some form of contingency measures if the condition prevails.
FINANCE: A financial loss that can be managed within a business unit/branch/section budget.
SERVICE DELIVERY: Negligible effect on the ability to provide a service.
REPUTATION: Isolated complaint by individual stakeholder which can be managed to a satisfactory outcome as part of day-to-day business.
Ref: ID.BE-1
Function: IDENTIFY
Category: Business Environment
Risk: Operational activities are disrupted due to dependencies not being fully understood and risk managed.
Existing controls: Operational and business dependencies are identified and mapped. Frameworks/guidelines are established for dependency relationships (e.g. receive flight plans by a certain time, if not received by deadline then can chase). Alternative capabilities/redundancies for dependencies are identified and established.
Current risk (L C R): 4 5 D
Accept/reduce: Accept

Ref: ID.RM
Function: IDENTIFY
Category: Risk Management Strategy
Risk: Motivated and capable outsider threat attempting to hack the overall system through exploitation of vulnerability due to insufficient supply chain risk management.
Current risk (L C R): 3 3 B
Accept/reduce: Reduce
Recommended controls: Emphasise the need to implement supply chain risk management, as well as an associated policy, to minimise exploitation vulnerabilities in hardware, software and firmware. Emphasise the need and associated policy (FAA) to use secure software development practices to minimise exploitation vulnerabilities.
Residual risk (L C R): 5 4 D

Ref: PR.AC-1
Function: PROTECT
Category: Access Control
Risk: Risk of unauthorised access to confidential or business critical information.
Existing controls: Access rights assigned to roles; approval system in place for access rights requests.
Current risk (L C R): 3 4 C
Accept/reduce: Reduce
Recommended controls: Ensure an access management policy is in place; adopt an access authorisation procedure that manages access rights requests; ensure appropriate levels of approval are in place for different levels of access rights and that access rights are not granted until proper approvals are in place.
Residual risk (L C R): 5 4 D

Ref: PR.AC-2
Risk: Organisation is vulnerable to physical attacks, which could take business critical and operational systems offline.
Existing controls: Physical access to buildings and facilities is restricted to authorised personnel only. Business critical facilities should have further restrictions on who has access. Logical controls are backed up by physical controls. Access rights need to be authorised and approved before access is granted.
Current risk (L C R): 5 4 D
Accept/reduce: Accept

Ref: PR.AT-1
Function: PROTECT
Category: Awareness and Training
Risk: No cyber or information security awareness training for staff or contractors, particularly covering accidental disclosure of confidential or business critical information.
Existing controls: Line manager training events that outline roles and responsibilities for managers to ensure that their staff have read online courses.
Current risk (L C R): 3 3 B
Accept/reduce: Reduce
Recommended controls: Implement broad cyber and information security awareness training to enhance the ability of staff to recognise the diverse range of cyber threats and their capability to critically impact upon ATM infrastructure and business as usual procedures. Ensure that contractual obligations and requirements are included for all staff with respect to continual education and awareness training, so that everyone is aware of their responsibilities. Staff should be made aware that management will expect them to apply information security in line with the policies and procedures of the organisation. A culture of information security should be encouraged within the organisation whereby information security is integrated into standard business practices.
Residual risk (L C R): 6 3 D

Ref: PR.DS-1
Risk: Data from primary radar could be corrupted or otherwise compromised or lost due to an attack by a motivated and capable intruder via the internet.
Existing controls: Secondary radar is available as a backup to the primary radar in the event that the data from the primary radar is compromised, corrupted or lost.
Current risk (L C R): 4 5 D
Accept/reduce: Accept

Ref: PS.DS-6
Risk: Confidential or business critical information could be leaked unintentionally through incorrect disposal of equipment and/or media.
Current risk (L C R): 4 4 C
Accept/reduce: Reduce
Recommended controls: Procedure for the safe disposal of media should be disseminated to the organisation and enforced. All portable media should be disposed of in the proper and approved way.
Residual risk (L C R): 5 5 D

Ref: PR.MA-1
Function: PROTECT
Category: Maintenance
Risk: Poor engineering procedures could leave organisation at risk to information or cyber based attacks.
Existing controls: Regular checks carried out by line management.
Current risk (L C R): 4 3 C
Accept/reduce: Reduce
Recommended controls: An audit which looks at engineering procedures including line managers' checks.
Residual risk (L C R): 5 3 C

Ref: PR.PT-1
Function: PROTECT
Category: Protective Technology
Risk: GPS infrastructure could be victim of cyber disruption or attack due to vulnerability in the infrastructure to spoofing/exploitation.
Existing controls: Secure development policy which covers GPS program.
Current risk (L C R): 4 2 B
Accept/reduce: Reduce
Recommended controls: Further emphasise the need to employ highly secure development and implementation practices such as those being used for the GPS Operational Control System (OCX) Program. Employ redundant systems: operators and ATCOs should be able to operate from an alternative means to GPS.
Residual risk (L C R): 5 3 C

Ref: PR.PT-2
Function: PROTECT
Category: Protective Technology
Risk: Compromise of ATM systems due to weakness in business-critical applications or applications that give access to wider system.
Existing controls: Secure development policy in place; business critical applications are tested and reviewed when there are system or platform changes; information regarding technical vulnerabilities of business critical applications are obtained and highlighted as soon as possible; and development, testing and operational environments are kept separate.
Current risk (L C R): 5 4 D
Accept/reduce: Accept

Ref: PR.PT-3
Function: PROTECT
Category: Protective Technology
Risk: Business critical systems disrupted by attack from internal/external threats due to vulnerabilities in operating systems, for example where exploits have not been fixed due to irregular rolling out of patches.
Existing controls: Ensure information regarding technical vulnerabilities of business critical operating systems are obtained and highlighted as soon as possible; ensure there is a secure development policy in place; ensure business critical operating systems are tested and reviewed when there are system or platform changes; and ensure that the development, testing and operational environment are kept separate.
Current risk (L C R): 5 4 D
Accept/reduce: Accept

Ref: PR.PT-5
Function: PROTECT
Category: Protective Technology
Risk: Unable to track or audit historical activities of users in the event of a security event or incident.
Existing controls: All user activities, including from administrator and operator accounts, are recorded and time/date stamped (systems are synchronised to same clock on regular basis to ensure accurate time/date stamping). The logs are secured and can only be accessed by authorised users, and access is only available once proper approvals are in place. Access to the logs themselves should also be logged (separately).
Current risk (L C R): 4 5 D
Accept/reduce: Accept

Ref: DE.AE
Function: DETECT
Category: Anomalies & Events
Risk: Intruders are able to breach network without being detected or the incident is not flagged up appropriately or in time for a response to be mobilised.
Existing controls: A baseline level of network operations and activity, as well as expected data flows, has been established for users and systems. Incident alert thresholds have been established and anything that does not conform to the thresholds is flagged up as an incident. Detected events are analysed via data aggregated from a number of sources in order to understand targets and methods and the impact of the event.
Current risk (L C R): 3 5 D
Accept/reduce: Accept

Ref: DE.CM
Function: DETECT
Category: Security Continuous Monitoring
Risk: Threats to the organisation would not be caught due to insufficient monitoring procedures.
Existing controls: Monitoring system in place to monitor traffic on network.
Current risk (L C R): 3 2 A
Accept/reduce: Reduce
Recommended controls: Monitoring systems should be put in place to pick up information security events and incidents, unusual user activities, exceptions and faults. This monitoring should include administrator and system operator activities. The facilities supporting the monitoring systems should be protected from tampering/unauthorised access. There should be a reporting system in place that assesses information security events, classifies them, and escalates the events to be dealt with as necessary.
Residual risk (L C R): 5 4 D

Ref: DE.DP
Function: DETECT
Category: Detection Processes
Risk: Failure of critical system such as flight data processing (FDP) due to malware infection.
Existing controls: Anti-virus software installed on all systems. Staff are aware of the threat that malware poses to vulnerable systems through awareness training. It is necessary to ensure that appropriate malware detection capability is in place so that malware can be caught before it propagates throughout a network and infects critical systems; however, due to business critical nature of certain systems, it may not be possible to ensure most up to date definitions and patches are applied in a timely manner. Best judgement should be used as to when patches should be applied.
Current risk (L C R): 3 4 C
Accept/reduce: Accept

Ref: RS.RP
Function: RESPOND
Category: Response Planning
Risk: Response has not been prepared for information security incidents or crises that would affect the organisation in such a way that systems and activities that are business critical are disrupted.
Existing controls: Response plan is in place for the organisation, which integrates information security and cyber security into the wider organisational strategy. Strategy is owned by a senior manager who has responsibility for ensuring that the plan is implemented appropriately. Incident response plans and procedures are in place.
Current risk (L C R): 5 4 D
Accept/reduce: Accept

Ref: RS.CO
Function: RESPOND
Category: Communications
Risk: In the event of a security incident, response plan cannot be implemented because key staff had not been made aware of it.
Existing controls: Response plan is available to staff as a soft copy document on the employee portal.
Current risk (L C R): 4 3 C
Accept/reduce: Reduce
Recommended controls: Include contractual obligations for key staff to be familiar with all organisational policies, including the response plan. Ensure staff are made aware of the plan through both formal and informal training. Ensure staff buy-in by having key staff input into the plan when it is reviewed and updated.
Residual risk (L C R): 4 5 D

Ref: RS.AN
Function: RESPOND
Category: Analysis
Risk: In the event that a security incident is reported, no further investigation is carried out into the nature of the breach and resulting collateral damage, i.e. the cost.
Existing controls: Analysis and reporting framework in place to provide step guidance on how to proceed with an investigation when a breach is identified.
Current risk (L C R): 4 3 C
Accept/reduce: Reduce
Recommended controls: Breaches are logged and mandatory investigation timeframes are enforced, i.e. a SIEM tool.
Residual risk (L C R): 4 5 D

Ref: RS.MI
Function: RESPOND
Category: Mitigation
Risk: In the event of a virus breach, limited action is taken to halt its propagation throughout the system.
Existing controls: Anti-malware packages installed on systems.
Current risk (L C R): 3 3 B
Accept/reduce: Reduce
Recommended controls: Shut down infected networks and consider shutting down adjacent networks to prevent propagation.
Residual risk (L C R): 3 4 C

Ref: RS.IM
Function: RESPOND
Category: Improvements
Risk: Lessons learnt from previous security incidents/crises are not implemented.
Existing controls: Lessons learnt from implementation of response plan are recorded in a log and acted upon.
Current risk (L C R): 4 5 D
Accept/reduce: Accept

Ref: RC.RP
Function: RECOVER
Category: Recovery Planning
Risk: Lack of resilience and recovery capability within the organisation resulting in increased time between an incident and returning to business as usual.
Existing controls: Disaster recovery plan is in place for the organisation, which integrates information security and cyber security into the wider organisational strategy. Plan is owned by a senior manager who has responsibility for ensuring that the plan is understood, disseminated throughout the organisation and implemented appropriately. Recovery plan has redundancies and alternative capabilities built in in the event of unavailability of key staff.
Current risk (L C R): 5 4 D
Accept/reduce: Accept

Ref: RC.IM
Function: RECOVER
Category: Improvements
Risk: Lessons learnt from previous security incidents/crises are not implemented.
Existing controls: Lessons learnt from implementation of business continuity strategy or plan are recorded in a log and acted upon.
Current risk (L C R): 4 5 D
Accept/reduce: Accept

Ref: RC.CO
Function: RECOVER
Category: Communications
Risk: Reputation suffers as the result of a breach in a way that impacts the operation of the business, either financially or operationally.
Existing controls: Communications and public relations team are well briefed in the event of an incident on the potential impacts to the organisation. Good communication within the organisation from the Communications and PR team on lines to take with the media.
Current risk (L C R): 4 3 C
Accept/reduce: Accept
B.8 Treatment recommendations
Ref # | Recommendation | Risk Rating | Commentary | Status
S1.1 | | | |
CANSO Members
CANSO, the Civil Air Navigation Services Organisation, is the global voice of air traffic management worldwide. CANSO Members support over 85% of world air traffic. Members share information and develop new policies, with the ultimate aim of improving air navigation services (ANS) on the ground and in the air. CANSO represents its Members' views in major regulatory and industry forums, including at ICAO, where it has official Observer status. CANSO has an extensive network of Associate Members drawn from across the aviation industry. For more information on joining CANSO, visit www.canso.org/joiningcanso.