Title: Control consistency as a management tool: the identification of systematic security control weaknesses in air traffic management
Authors: Howard Chivers
Addresses: Department of Computer Science, University of York, Deramore Lane, York, YO10 5GH, UK
Abstract: In 2008, EUROCONTROL published information and communications technology (ICT) security guidance to air navigation service providers (ANSPs), to assist them in complying with regulatory security requirements. This included a visualisation tool which allowed the consistency of control sets to be reviewed and communicated: consistency being the degree to which more sophisticated controls were supported by core controls. The validation of that guidance included surveys which were conducted to contrast current practice in European ANSPs with a baseline control set based on ISO/IEC 27001:2005. The consistency test revealed significant gaps in the control strategies of these organisations: despite relatively sophisticated control regimes there were areas which lacked core controls. Key missing elements identified in the ANSPs surveyed include security management and senior management engagement, system accreditation, the validation and authentication of data used by ATM systems, incident management, and business continuity preparedness. Since anonymity requires that little can be said about the original surveys these results are necessarily indicative, so the paper contrasts these findings with contemporaneous literature, including audit reports on security in US ATM systems. The two sources prove to be in close agreement, confirming the value of the control consistency view in providing an overview of an organisation's security control regime.
Keywords: security management; security control; data authentication; business continuity; incident management; air traffic management; air navigation service; control consistency; air traffic control; senior management engagement; system accreditation; audit reports.
International Journal of Critical Computer-Based Systems, 2016 Vol.6 No.3, pp.229 - 245
Accepted: 13 Oct 2015
Published online: 11 Sep 2016 *