
Doc 10108 — Restricted

Aviation Security
Global Risk Context Statement
First Edition, 2018

Approved by and published under the authority of the Secretary General

INTERNATIONAL CIVIL AVIATION ORGANIZATION




Published in separate English, Arabic, Chinese, French, Russian
and Spanish editions by the
INTERNATIONAL CIVIL AVIATION ORGANIZATION
999 Robert-Bourassa Boulevard, Montréal, Quebec, Canada H3C 5H7

For ordering information and for a complete listing of sales agents
and booksellers, please go to the ICAO website at www.icao.int

First edition, 2018

Doc 10108, Aviation Security Global Risk Context Statement
Order Number: 10108
ISBN 978-92-9258-509-9

© ICAO 2018

All rights reserved. No part of this publication may be reproduced, stored in a
retrieval system or transmitted in any form or by any means, without prior
permission in writing from the International Civil Aviation Organization.

GUIDANCE ON HANDLING RESTRICTED INFORMATION

The Aviation Security Global Risk Context Statement is not for public distribution as it is intended for the limited use of
government, industry and other aviation security stakeholders for risk assessment purposes. Copies should not be put
on publicly accessible web sites.

Any onward distribution of this document, electronically or in hard copy, should be accompanied by appropriate
instructions in line with the above.

If you have any questions about the sharing or handling of this document, please contact the ICAO Secretariat at
ASP@icao.int.

_____________________

AMENDMENTS

Amendments are announced in the supplements to the Products and
Services Catalogue; the Catalogue and its supplements are available
on the ICAO website at www.icao.int. The space below is provided to
keep a record of such amendments.

RECORD OF AMENDMENTS AND CORRIGENDA

AMENDMENTS CORRIGENDA

No. Date Entered by No. Date Entered by


FOREWORD

This document contains a global aviation security risk assessment, including a global threat picture, and is intended to
help inform and support ICAO Member States’ processes for national and local aviation security risk assessment.
Included in Appendix A is the risk assessment methodology and process map used to conduct this global risk
assessment and other guidance information that may further assist Member States in their national processes.

Please note that six previous versions of the Aviation Security Global Risk Context Statement (RCS) were published
without a document number. The ICAO Council, at the seventh meeting of its 211th session on 16 June 2017, approved
the ICAO Aviation Security (AVSEC) Panel recommendation that the RCS be provided with an official document number
in the catalogue of ICAO publications in order to increase its availability. Therefore, this new version, the seventh edition
of the RCS, is being issued as a first edition of Doc 10108.

The Aviation Security Global Risk Context Statement should be made available to those who are responsible for
conducting national and other aviation security risk assessments and aviation security decision makers, practitioners
and other relevant stakeholders. Procedures for handling, transmission and storage of this document must be applied in
accordance with each Member State’s regulations for sensitive aviation security information.

_____________________

RESTRICTED

TABLE OF CONTENTS

Glossary

Chapter 1. Introduction

Chapter 2. The global aviation threat picture
    Current global threat
    Global trends

Chapter 3. Risk assessment results
    Overview of risk assessment results

Appendix A. Risk assessment method, process map and guidance information for Member States
    1. Risk assessment method and process map
    2. Role of Member States in national and local risk management
    3. Establishing the threat picture

Appendix B. Terms of reference for the Aviation Security Panel Working Group on Threat and Risk
    1. Mandate
    2. Reporting

Appendix C. Summary of WGTR risk assessments for all threat scenarios
    1. Person-borne improvised explosive devices (PBIEDs)
    2. Vehicle-borne IEDs
    3. IEDs in cargo
    4. MANPADS (and other weapons representing a similar threat to aircraft at or near an airport)
    5. Airborne threats
    6. Cyber threats
    7. Chemical, biological and radiological (CBR) threats
    8. Threats to the landside
    9. IED, weapon or toxins concealed in catering or other services
    10. Remotely piloted aircraft system (RPAS) threats
    11. Other possible threats
    12. Hoaxes

Appendix D. Insider threat
    1. Introduction
    2. Assessing risks from insider threats
    3. Insider threat mitigation measures — Additional considerations

Appendix E. Additional detail on risk assessments for cyber threats
    1. ATM systems
    2. Aircraft systems
    3. Airport systems
______________________

GLOSSARY

ACRONYMS

ATM        Air traffic management
CBR        Chemical, biological and radiological
COTS       Commercial off-the-shelf
EDS        Explosives detection system
HME        Homemade explosive
IED        Improvised explosive device
LNMC       Low- or no-metal content
MANPADS    Man-portable air defence system
PBIED      Person-borne improvised explosive device
PoC        Point of contact
RCS        ICAO Aviation Security Global Risk Context Statement
RED/RDD    Radiological exposure device/radiological dispersal device
RPAS       Remotely piloted aircraft system
SAM        Surface-to-air missile
SARPs      Standards and Recommended Practices
SATCOM     Satellite communication
SRA        Security restricted area
VBIED      Vehicle-borne improvised explosive device
WGTR       Working Group on Threat and Risk

______________________

Chapter 1

INTRODUCTION

1.1 The continuing threat of terrorism to the global aviation system is most effectively managed by identifying,
understanding and addressing the potential risks to and from civil aviation, including the transportation of passengers
and goods (baggage, cargo, and mail). The identification of risks permits Member States to determine and implement
proportionate measures and controls to mitigate appropriately against each risk type.

1.2 To assist Member States in this process, the Aviation Security Global Risk Context Statement (RCS) has
been developed and is updated on a regular basis. The RCS aims to:

a) offer States a methodology and a framework to conduct risk assessments at the national level (see
Appendix A);

b) provide an overview of the current global aviation security threat;

c) present high-level global risk assessments to help inform States’ national civil aviation security
programmes; and

d) assist ICAO in improving and updating Standards and Recommended Practices (SARPs) and
guidance material.

1.3 The development of the RCS is undertaken by the ICAO AVSEC Panel Working Group on Threat and Risk
(WGTR), whose terms of reference are provided in Appendix B. The work is done in recognition of the importance of a
risk-based approach to aviation security and relies on the input of relevant experts, as well as the effective and timely
reporting and sharing of information by ICAO Member States.

1.4 The WGTR regularly reviews previously completed risk assessments or conducts new risk assessments,
updates the RCS on an annual basis, or as needed, and provides analysis and advice on risks to aviation to the AVSEC
Panel. ICAO also draws on the advice of the WGTR with regard to evolving threats and incidents.

1.5 The RCS is aimed primarily at decision makers, practitioners and other relevant stakeholders within
Member States who are responsible for conducting aviation security risk assessments.

______________________

Chapter 2

THE GLOBAL AVIATION THREAT PICTURE

2.1 For many years, civil aviation has been a very attractive terrorist target for a variety of reasons, and that
remains the case as terrorists continue to seek to exploit real or perceived vulnerabilities in the international civil aviation
system. Despite enhancements to the security system, terrorists continue to develop new techniques and weapons in
the hope of circumventing or defeating security measures. Recent successes or partial successes in doing so have
encouraged them to research and plan further attacks.

2.2 Terrorists, whether as part of an organized group or acting alone, generally aim to achieve one or more of
the following objectives in selecting aviation as a target for attack:

a) inflicting mass casualties;

b) causing economic disruption;

c) making a symbolic statement; and

d) generating public anxiety.

2.3 These objectives may lead to a variety of forms of attack on the aviation system. Terrorists have shown
themselves to be innovative, and may seek out a wider range of modus operandi and targets, influenced by the
availability and vulnerability of such targets and dependent upon capability and the perceived opportunity for success.

CURRENT GLOBAL THREAT

2.4 Much information is available in the public domain about the specific nature of recent and current threats to
aviation. However, there is also much that, because of the sensitive nature of the information itself or of its sources,
cannot be put into the public domain or discussed in documents such as this. This includes information about actual
attacks, but also planned attacks that may have been disrupted, not followed through, or not yet come to fruition. Such
information may be sought from States’ own security or intelligence services.

2.5 Twenty-two acts of unlawful interference were recorded in the ICAO Database of Acts of Unlawful
Interference in 2017, as compared to nine in 2016. These acts covered a range of geographical regions, and consisted
of various attack types including nine attacks on, or at, aviation facilities, one attempted attack on an aircraft, one
attempted attack using an aircraft as a weapon, one cyber-attack, two unlawful seizures and eight attacks qualified as
“others”, which include breaches of secure areas and systems. Other occurrences or incidents, identified through media
reports but not officially reported as acts of unlawful interference, continue to provide further evidence of planning by
terrorists to commit acts of unlawful interference against aviation targets.


GLOBAL TRENDS

2.6 The ability of terrorist groups to inspire or call directly upon radicalized individuals to carry out attacks
remains a very prevalent threat. With centralized attack planning, groups have the ability to leverage resources and
skills to pursue sophisticated tactics against relatively hardened targets, such as aircraft. However, as the planning of
attacks becomes more decentralized, there is an expansion of tactics, techniques, and procedures to less sophisticated
weapons targeting more vulnerable and easily accessed targets, for example the public areas of airport terminals.
Globally, a high number of non-aviation related mass casualty attacks across many States during 2017 has again
demonstrated the vulnerabilities of crowded public spaces. Within the aviation security context, primary soft targets are
landside or public areas of the airport, specifically departure halls prior to the security checkpoint, and arrival halls.

2.7 Despite this, terrorist groups still demonstrate a preference to attack aircraft in flight if possible. Improvised
explosive devices (IEDs) remain a terrorist’s main weapon of choice for such attacks. Some groups or individuals
continue to attempt to develop innovative ways of making, concealing and conveying IEDs in order to bypass or defeat
aviation security measures. IEDs may be introduced onto an aircraft concealed on the person or in items carried by a
passenger, or in checked baggage, cargo or aircraft supplies. Other potential means of attack on board an aircraft
include weapons and chemical agents.

2.8 Terrorists have consistently sought to identify and exploit vulnerabilities in security environments in an
attempt to find or create the path of least resistance to their targets. This could include the exploitation of people (e.g.,
airport employees or other “insiders”) or a process (e.g., ineffective security measures) to allow or facilitate a terrorist to
conduct an attack using less sophisticated methods than may otherwise be necessary.

______________________

Chapter 3

RISK ASSESSMENT RESULTS

3.1 The WGTR has updated its global risk assessment each year since 2009. Risks are assessed by threat
type. Each threat category incorporates many scenarios or sub-scenarios, and for each of these there is an explanation
of the general scenario, including the target (e.g., an aircraft), the means of attack (e.g., armed assault) and, where
necessary, the type of perpetrator (e.g., a category of privileged insider). For each plausible threat scenario, the WGTR
assesses the likelihood, consequences, mitigating measures in place, and residual vulnerability in order to determine the
residual risk. The detailed results are recorded on risk matrices compiled for each threat type, which are then used as
the basis for the WGTR’s advice to ICAO and for the broader summaries that are set out in the RCS.

3.2 Keep in mind that these risk results attempt to reflect an overall global picture and not a specific regional or
national picture (an exception is the threat from man-portable air defence systems (MANPADS), because this is
considered to vary significantly depending on the local proliferation of such weapons). Also note that the vulnerability
level has been assessed here as the residual vulnerability, assuming that States have implemented effectively all
relevant security measures currently required by ICAO, primarily those in Annex 17 — Security.

3.3 The following sections of this document provide an overview of the risk assessment results and a summary
of the changes for this 2018 edition. A more complete summary of the results of the WGTR’s global risk assessments is
provided in Appendix C.

OVERVIEW OF RISK ASSESSMENT RESULTS

3.4 Table 3-1 below provides a high-level overview of the results, grouped according to the threat type.

Table 3-1. Threat-type risk levels

| THREAT TYPE | Likelihood | Consequence | Vulnerability | RISK |
|---|---|---|---|---|
| PERSON-DELIVERED IED on the body or in cabin baggage | High | High | Medium-high to High | HIGH |
| LANDSIDE ATTACKS | High | Medium-low to Medium | Medium-high | MEDIUM-HIGH |
| MANPADS in conflict or proliferation zone | Medium-high | High | Medium-high | MEDIUM-HIGH |
| IED IN CARGO | Medium-high | Medium-high to High | Medium-high | MEDIUM-HIGH |
| IED IN HOLD BAGGAGE | Medium-low | High | Medium to Medium-high | MEDIUM |
| VEHICLE-BORNE IED | Medium | Medium-high | Medium-high | MEDIUM |
| AIRCRAFT USED AS A WEAPON | Medium | High | Medium | MEDIUM |
| CONVENTIONAL HIJACK | High | Medium-low | Medium-low | MEDIUM |
| CHEMICAL, BIOLOGICAL, AND RADIOLOGICAL THREATS | Medium | Medium-high | Medium-high | MEDIUM |
| IED IN SERVICES (catering, in-flight supplies, etc.) | Medium-low | High | Medium | MEDIUM-LOW |
| ATTACK USING REMOTELY PILOTED AIRCRAFT SYSTEMS (on aviation targets) | Low | High | Medium-high | MEDIUM-LOW |
| MANPADS (non-conflict or proliferation zone) | Medium-low | High | Medium-high | MEDIUM-LOW |
| CYBER-ATTACKS | Low | High | Medium-low | LOW |

3.5 According to this assessment, the threat type which still poses the greatest risk to international civil
aviation at the global level is person-borne IEDs, that is, explosive devices carried on board a plane by a passenger
either on their body or in cabin baggage and personal effects. Following a further review of this threat type by the WGTR
this year and of recent events, the residual risk continues to be assessed as HIGH, having been increased to that level
three years ago. Within this category, it is considered that IEDs concealed in personal belongings, including electronic or
electro-mechanical devices, currently represent the greatest risk.

3.6 The threat types that are assessed to represent the next highest level of risk are landside attacks, IEDs
concealed in cargo (which continue to attract the interest of certain groups), and attacks using MANPADS in areas of
conflict and proliferation. Each of these continues to be assessed as MEDIUM-HIGH. In particular the WGTR has noted
a renewed interest by terrorist groups in the use of cargo and mail as a means of getting IEDs on board aircraft, whether
to attack the aircraft directly or to convey them to other locations. As foreseen in the previous edition, the WGTR has
completed a further review during 2017 of the risk from chemical, biological and radiological (CBR) attacks. This has
taken account of events in the past year, including the report by Australian authorities that the same group responsible
for a failed plot to smuggle an IED on board an aircraft in Sydney was also found to have acquired the materials needed
to produce an improvised chemical dispersal device. In light of these and other developments, the WGTR has increased
its assessment of the likelihood of a CBR attack against civil aviation, and consequently the overall assessed residual
risk for this type of attack has been raised from LOW to MEDIUM.


3.7 The WGTR has continued to assess other emerging threat types, including remotely piloted aircraft
systems (RPAS), and the threat of cyber-attacks (against aircraft or air traffic management systems). In each of these
cases the risk continues to evolve, but is currently assessed as MEDIUM-LOW and LOW, respectively. However,
potential vulnerabilities have been identified, and the risk could well increase as current technological trends continue or
if the threat likelihood should grow.

_____________________

APPENDIX A

RISK ASSESSMENT METHOD, PROCESS MAP AND
GUIDANCE INFORMATION FOR MEMBER STATES

1. RISK ASSESSMENT METHOD AND PROCESS MAP

1.1 The risk assessment method set out below was developed to enable the WGTR to carry out its work in a
logical, consistent and clear manner, to explain the method used and its results to the recipients of the RCS, and to
assist States and other entities in performing risk assessments of their own. It is not a precise scientific or mathematical
exercise but is designed to generate an understanding and a relative ranking of current residual risk in order to inform
policy-making.

1.2 Figure A-1 provides the risk assessment process map employed by the WGTR. This risk assessment
process comprises the following elements:

a) the identification and analysis of plausible threat scenarios and their likelihoods, and consequences;

b) the assessment of current mitigations and remaining vulnerabilities;

c) residual risk assessment taking into account the likelihood, consequences, and vulnerabilities of a
specific threat scenario; and

d) recommendations for further risk-based work and possible mitigation.

1.3 The key components for completion of the risk assessment are:

a) threat scenario — an identification and description of a credible act of unlawful interference comprising
a target (such as an airport terminal, associated infrastructure or an aircraft), the modus operandi
(including conveyance and concealment) and methods of an attack (such as an IED), and the
adversary (based on the role an adversary plays in the aviation system — passenger, non-travelling
person, and/or insider). This should be sufficiently detailed to permit accurate assessment and
analysis; “an attack against an aircraft” is not good enough as a scenario;

b) likelihood of an attack — the probability or likelihood of that attack being attempted, based on terrorist
intentions and capabilities but NOT taking into account current security measures. The WGTR utilizes
likelihood as an indicator of threat, considering both the intent and capability of a perpetrator to carry
out a threat scenario;

c) consequences — the nature and scale of the consequences of the specific attack, in human,
economic, political, and reputational terms under a reasonable worst-case scenario;

[Figure A-1. Risk assessment process map]

d) current mitigation measures — the relevant SARPs (which it is normally assumed are being effectively
applied; where that is clearly not the case, the residual risk will be higher), and any other factors which
assist in reducing the likelihood of the attack being successful and/or reducing the consequences if it
were to occur. It is assumed that no threat can be entirely eliminated;

e) residual vulnerability — the extent of the remaining vulnerabilities once the current mitigating
measures have been taken into account;

f) residual risk — the overall risk of a successful attack which remains, assuming current mitigating
measures have been implemented, taking account of threat likelihood and consequences; and

g) possible additional mitigation — identified measures that Member States or ICAO could implement to
further mitigate residual risks where necessary.

1.4 The risk assessment must identify the plausible scenarios carefully and in sufficient detail, being specific
and thorough in considering each form of threat. Threats could be directed at specific airports, terminals or other
infrastructure, such as fuel farms, air traffic control facilities or navigational equipment, as well as aircraft, including
different forms of aviation, such as general aviation, passenger aircraft, and cargo-only aircraft. The means and methods
by which a threat could be carried out should also be evaluated. This would include how a weapon or explosive device
could be constructed, the means by which it might be conveyed (e.g., whether person- or vehicle-borne) and by whom
(e.g., a staff member, passenger or member of the public), how it could be concealed, and how it could be activated or
utilized in order to perpetrate an act of unlawful interference. An indicative list of some possible threat scenarios is
included in Appendix D (Table D-1). However, this does not cover the full list of scenarios considered by the WGTR, and
States or other entities conducting risk assessments are encouraged to develop their own versions reflecting local
circumstances as appropriate.

Example of an individual threat scenario

1.5 The threat scenario will be the foundation of the risk analysis, and likelihood, consequences, and
vulnerabilities will be determined based upon each specific threat scenario. The template below is used by the WGTR
and may be used by States or others to assess individual threat scenarios. For illustrative purposes, an example risk
matrix has been included, considered under “Airborne Threats — Use of Aircraft as a Weapon”, and using a “9/11”
Scenario in which a large commercial passenger aircraft (target) is commandeered by cabin crew (adversary) using a
prohibited item/weapon (modus operandi) and the aircraft is used as a weapon to attack a populous target on the
ground.

Example risk matrix (scenario)

| Scenario | Likelihood | Consequences | Mitigations | Vulnerabilities | Residual risk | Additional mitigations |
|---|---|---|---|---|---|---|
| 9/11 scenario: large commercial passenger aircraft commandeered by cabin crew using a weapon and used as a weapon itself | | | | | | |


1.6 In this methodology, likelihood, consequences, and vulnerability have been scored on a five-point scale
from HIGH to LOW. The general meanings of the scores, in each case, are given below.

1.7 For likelihood:

a) HIGH means a very plausible scenario, with an actual attack of this kind having occurred in the past
few years, or strong evidence of capability, intent, and planning;

b) MEDIUM-HIGH means a clearly plausible scenario, with relatively recent examples or evidence of
early attack planning or hostile reconnaissance;

c) MEDIUM means an essentially plausible scenario, with some evidence of intent and capability and
possibly some examples, but no evidence of current attack planning;

d) MEDIUM-LOW means a scenario for which there are no, or no recent, examples, but some evidence
of intent, yet with a method apparently not sufficiently developed for a successful attack scenario or
probably superseded by other forms of attack; and

e) LOW means a theoretically plausible scenario but with no examples or signs of attack or attack
planning, and a theoretical intent but no apparent capability.

1.8 For likelihood, possible questions that could be asked to determine the score could include: whether there
is current intelligence of such an attack being planned or if there are previous known examples of similar attacks. An
example of likelihood scoring is shown below.

Example risk matrix (likelihood)

| Scenario | Likelihood | Consequences | Mitigations | Vulnerabilities | Residual risk | Additional mitigations |
|---|---|---|---|---|---|---|
| 9/11 scenario: large commercial passenger aircraft commandeered by cabin crew using a weapon and used as a weapon itself | LOW | | | | | |
| | – No known cases or information on intent | | | | | |
| | – Requires greater preparation, collusion, etc. than if attempted by pax | | | | | |
| | – Crew members may have capability due to access to cockpit | | | | | |


1.9 For consequences, the scores mean that, in a reasonable worst-case scenario, the outcome can be
expected to be along the lines shown in the table below.

Consequences

| Impact rating | Human | Economic | Other |
|---|---|---|---|
| HIGH (see note 1) | Hundreds of deaths | Billions of dollars | Severe disruption to services and confidence in the aviation system |
| MEDIUM-HIGH | Some but not all of the HIGH consequences above | | |
| MEDIUM | Tens of deaths | Tens or hundreds of millions of dollars | Substantial disruption to services and confidence in the aviation system |
| MEDIUM-LOW | Some but not all of the MEDIUM consequences above | | |
| LOW | Possibly some deaths and injuries | Some economic impact | Some disruption to services and confidence in the aviation system |

1.10 It is recognized that this is not an exact science — where there is doubt, the best fit is selected where the
most criteria are met in a reasonable worst case scenario. Below is an example of consequence scoring.

Example risk matrix (consequences)

| Scenario | Likelihood | Consequences | Mitigations | Vulnerabilities | Residual risk | Additional mitigations |
|---|---|---|---|---|---|---|
| 9/11 scenario: large commercial passenger aircraft commandeered by cabin crew using a weapon and used as a weapon itself | LOW | HIGH | | | | |
| | – No known cases or information on intent | – Loss of life of all on board aircraft | | | | |
| | – Requires greater preparation, collusion, etc. than if attempted by pax | – Loss of life and damage to infrastructure on the ground | | | | |
| | – Crew members may have capability due to access to cockpit | – Widespread economic damage | | | | |

1. This scoring system means in practice that most scenarios involving the loss of a large passenger aircraft as a reasonable worst
case are likely to be scored as HIGH. While this may reduce differentiation between scenarios, the WGTR considers this a fair
reflection of the impact of a successful attack on such an aircraft. It is also recognized that the HIGH categorization encompasses
certain threat scenarios, e.g., using a plane as a weapon (“9/11 scenario”), that may potentially result in thousands of deaths.


1.11 For vulnerability:

a) HIGH means no mitigating measures are in general effect, either because there is no Annex 17
requirement or because no realistic effective measures are available;

b) MEDIUM-HIGH means that mitigation has a limited scope and that important areas and aspects of the
risk are not covered by Annex 17 requirements or measures in general effect;

c) MEDIUM means that features of both MEDIUM-HIGH and MEDIUM-LOW are present;

d) MEDIUM-LOW means that mitigating measures are generally in place, but they may be immature or
only partially effective. For instance, the broad Annex 17 requirements may be in place for all areas
and aspects, but they are capable of being further developed or better implemented in practice; and

e) LOW means that clear Annex 17 requirements exist and that mitigating measures generally regarded
as effective are in widespread use.

1.12 When analysing vulnerability, take into account how well ICAO Annexes, national programmes and airport
programmes address the specific threat scenario, as well as how effective current security measures are in mitigating
the scenario and, where reliable information is available, how well those security measures are implemented and
sustained over time. The RCS takes into account mitigating actions that are already generally in place, including
Annex 17 Standards and Recommended Practices, and assumes that these are being effectively implemented (unless
there is clear and objective evidence to the contrary). In conducting their own assessments, States and other entities will
wish to assure themselves that the relevant measures are actually in place and are being effectively and continuously
implemented. Where this is not the case, the residual vulnerability scores would inevitably be higher.

Example risk matrix (vulnerabilities)

Scenario: 9/11 scenario: large commercial passenger aircraft commandeered by cabin crew using a weapon and used as a weapon itself

Likelihood: LOW
– No known cases or information on intent
– Requires greater preparation, collusion, etc. than if attempted by pax
– Crew members may have capability due to access to cockpit

Consequences: HIGH
– Loss of life of all on board aircraft
– Loss of life and damage to infrastructure on the ground
– Widespread economic damage

Mitigations: Annex 17:
– Staff screening
– Crew member certificate with background check
Also take into account Aviation Security Manual and national/airport programmes

Vulnerabilities: SCORE (To be determined based on residual vulnerabilities after considering current mitigations in place)

Residual risk: (blank)

Additional mitigations: (blank)

1.13 Each plausible scenario selected is then given a residual risk score based on a combination of the
assessed scores for likelihood, consequences, and vulnerability.

1.14 Residual risk is assessed on the same five-point scale. The ranking is derived from the other scores, but in
this methodology this is not done mathematically and involves some elements of judgement as well as aggregation of
other scores. Rather, it reflects a consensual analysis based on the information currently available — reflecting the fact
that there is generally limited data to draw upon — and in some cases certain elements, such as low threat likelihood or
high vulnerability, may be judged to weigh more heavily than others in the final risk assessment.

1.15 It is helpful to record in the risk matrix or elsewhere the main reasons for the conclusions reached during
the risk assessment process. This will be important when reviewing the assessments or using them to inform policy
responses.

1.16 The final rankings can only offer a guide to policy-making and to the relative prioritization of different threat
types. Local circumstances differ, and States or other entities should take into account all relevant local factors in
conducting their own risk assessments.

1.17 The different elements of the risk assessment are likely to evolve over time, for example, if there is a
change in the threat picture or if new mitigating measures are implemented; it is therefore important to keep these
assessments under periodic review and to reassess them in light of any relevant incidents or threat change.

1.18 For each threat scenario, having considered the residual risk and the extent to which it is already mitigated,
it will be helpful to capture any conclusions regarding further measures that could be taken to address residual
vulnerabilities that have been identified. At the global level this could include, for example, proposals to develop
amendments or updates to Annex 17 and the Aviation Security Manual.

1.19 For States or other entities wishing to apply this method to their own risk assessments, any resulting
residual risks that are uncovered should be reviewed, and possible additional security measures evaluated, to see
whether they can provide effective, practicable, and sustainable mitigation commensurate with the threat.

Example risk matrix (residual risk and additional mitigations)

Scenario: 9/11 scenario: large commercial passenger aircraft commandeered by cabin crew using a weapon and used as a weapon itself

Likelihood: LOW
– No known cases or information on intent
– Requires greater preparation, collusion, etc. than if attempted by pax
– Crew members may have capability due to access to cockpit

Consequences: HIGH
– Loss of life of all on board aircraft
– Loss of life and damage to infrastructure on the ground
– Widespread economic damage

Mitigations: Annex 17:
– Staff screening
– Crew member certificate with background check
Also take into account Aviation Security Manual and national/airport programmes

Vulnerabilities: SCORE (To be determined based on residual vulnerabilities after considering current mitigations in place)

Residual risk: SCORE (To be determined based on assessments of likelihood, consequences and residual vulnerabilities)

Additional mitigations: What more could be done to mitigate this threat scenario?

2. ROLE OF MEMBER STATES IN NATIONAL AND LOCAL RISK MANAGEMENT

2.1 Standard 3.1.3 of Annex 17 requires that:

Each Contracting State shall keep under constant review the level and nature of threat to civil
aviation within its territory and airspace above it, and establish and implement policies and
procedures to adjust relevant elements of its national civil aviation security programme
accordingly, based upon a security risk assessment carried out by the relevant national
authorities.

2.2 Assessment of national, regional or even local aviation security risks, in conjunction with the overall risk
factors, provides important and useful information on potential terrorist methods and types of attack. While the RCS
provides a global high-level view of aviation security risks, it does not attempt to create a detailed view of national or
local risks, or to suggest that one State has higher levels of risk associated with it than another State. It is therefore the
duty of each Member State to make its own assessment of the risk applying to its territory, airspace and assets, and to
implement appropriate risk mitigating measures, taking into account the high-level view presented in the global RCS.

2.3 Each Member State should document and review its risk assessment periodically, or when significant new
developments arise, in order to maintain an accurate, complete, and up-to-date picture of the risk environment.

2.4 According to Standard 5.3.1 of Annex 17, each Member State has the obligation to exchange information
and report to ICAO all pertinent information concerning the security aspects of an act of unlawful interference. The
sharing of information with all Member States allows for a broader understanding of the global threat to aviation.

3. ESTABLISHING THE THREAT PICTURE

3.1 All national aviation systems are linked to global aviation networks, and terrorists may attack from
anywhere within the international civil aviation system by identifying vulnerabilities to gain access to their intended target.
Decision makers in national authorities and industry entities must therefore take into account how the threat to civil
aviation is developing globally. This does not mean that threat levels are identical around the world; there are regional,
national, and even local variations. However, many threats have the potential to jump national borders very quickly and
may manifest themselves across many regions. This has been exacerbated as terrorist groups have sought to radicalize
and inspire potential adherents around the world through social media, and to proliferate knowledge about possible
attack methods. All States should be aware of the vulnerabilities and consequences associated with such threats.
Terrorists are constantly seeking to identify the perceived limitations of aviation security measures and to identify and
exploit remaining vulnerabilities and weak points within the global system.

3.2 The increasing globalization of travel and of the airline industry means that a successful attack on any
aircraft is likely to involve the citizens of many different countries. And beyond that, the economic consequences of
terrorist attacks on the global aviation system mean that an attack upon the aviation interests of even one State is
effectively an attack upon the aviation interests of all. This further reinforces the need for all States and aviation
organizations to pay close attention to threats to aviation, even if they do not consider themselves to be directly
threatened by a terrorist attack.

3.3 Given the global character of the terrorist threat to the aviation system (and the global nature of the
aviation system generally), it follows that terrorist attacks upon the aviation system have global consequences. Public
anxiety and economic disruption caused by a terrorist attack — two of the key terrorist objectives — will manifest
themselves well beyond the borders of States that are the locations of or direct targets for terrorist attacks. Even terrorist
attacks failing to have direct consequences have the demonstrated ability to achieve terrorist objectives, because the
fear and uncertainty that they generate are often no less than that arising from a successful attack. Further, the global
span of the media and the internet — specifically exploited by increasingly aware and capable terrorist groups — grants
terrorists the ability to reach audiences worldwide, via news reporting or their own propaganda, almost instantaneously.

Potential perpetrators of terrorism

3.4 Terrorists have varied cultural and social backgrounds, live in differing social circumstances and act from a
number of different extreme motivations and intentions in committing or planning acts of terrorism. They may act for
political, religious, social, environmental and/or personal (e.g., economic or mental health) reasons. Terrorists that have
been involved in attacks against civil aviation have included:

a) members of established and organized international terrorist groups;

b) members of regional affiliates and allies of such groups;

c) “insiders” within the aviation sector recruited by such groups to help facilitate attacks (see below);

d) so-called ‘lone wolf’ terrorists, who have limited or no links to such groups; and

e) radicalized individuals who travel to areas of conflict and undergo training and militarization, then plan
and execute an attack outside of the conflict zone.

3.5 Terrorists may act on their own initiative — the self-radicalized and self-organized — or as a part of wider
groups and support structures. In both cases, they may be employed in the aviation industry or in supply chains serving
it. Terrorists continue to view insiders, depending on their role, as a potentially useful resource to facilitate attack
planning, either knowingly or unknowingly, willingly or through coercion, because of their specialized knowledge of
security measures and potential access to security restricted areas and aircraft. Guidance on possible methods for
assessing the risk from threat scenarios involving insiders is contained in Appendix D.

Terrorism and criminality

3.6 Consideration should be given to the possibility of connections between criminality and terrorism. Criminal
activity in the aviation and transportation arenas, when recognized, may point out vulnerabilities in security practices,
expose weaknesses in security posture or identify individuals who may be coerced or persuaded to assist terrorists.
Where weaknesses are exploited for criminal purposes, they may also be exploited for terrorist purposes.

3.7 There may also in some cases be links between criminal networks and terrorist groups or sympathizers.
Criminal activity may provide funding, weapons and/or facilitation for terrorist groups and activities. As States continue to
seize terrorist assets worldwide, extremist groups resort to criminal activities to fund their operations of violence and
terror. The following criminal activity can sometimes be linked to the funding or facilitation of terrorist groups and activity:

a) smuggling of humans, drugs, cash and/or contraband;

b) drug trafficking;

c) kidnapping;

d) provision of weapons; and

e) use of fraudulent documentation or identity.

3.8 Criminal activity may also be used by terrorists in attempts to test specific security measures and learn
how to overcome them. In addition, surveillance can be carried out by terrorists in order to check security systems,
processes, and habitual activity in any setting, either covert or overt.

3.9 Identifying criminal activity in the aviation security environment may lead to identifying terrorist activities or
evidence of support of terrorist missions. Any unusual or increased incidence of criminal activity in transportation sectors
should be noted and, where practicable, shared among relevant State agencies and jurisdictions, such as law
enforcement, and between Member States.

Sharing of threat information

Types of information

3.10 In conducting a risk assessment, it is necessary to assemble information about the threat, particularly
possible targets and modus operandi. Such information may come from a variety of sources, such as:

a) actual incidents, including successful or thwarted attacks on aviation, which provide information on
terrorist objectives and methodologies;

b) closed sources, primarily counter-terrorist intelligence and assessments, which may be gathered or
generated by intelligence, law enforcement and other agencies of States; and

c) open sources, which may include publicly-available information on unusual or suspicious occurrences,
and the availability of items that could be used for terrorist purposes, and any other information that
may contribute to the threat picture.

Bilateral, multilateral, and global information sharing

3.11 Open lines of communication, both formal and informal, between the aviation security officials of States
assist in the rapid exchange of information between States, including any change in the threat level or the nature of the
threat. The timely dissemination of such information to other States and to industry, to the extent possible, can often
help in the mitigation of such threats, and should be considered as part of the response to a new or increased threat.
The exchange of information on techniques used to try to breach security, experience with security equipment, and
operational practices is also extremely advantageous. States are reminded that Chapter 2, Section 2.4 of Annex 17
places obligations on them to cooperate in such exchanges of information.

3.12 States should develop internal procedures for the analysis and dissemination of threat information in order
to ensure that appropriate actions are taken by aircraft and airport operators to counter the identified threat, and to assist
with their own risk assessment processes. Information should be disseminated to individuals with appropriate security
clearances where such information can assist them to carry out their security functions effectively and develop a better
understanding of the threat and risk environment.

3.13 States with limited resources for collecting and disseminating threat information may wish to seek
assistance from others within their regions or elsewhere who may be able to provide assistance in this regard.

3.14 Details of important developments, such as actual or attempted attacks on aviation, and new or unusual
methods of operation and techniques used by perpetrators, should be promptly disseminated to other States and ICAO.
The WGTR will help provide advice and relevant guidance in such cases. While public knowledge of such matters is
undesirable, officials responsible for airport and aviation security should be informed as soon as possible to facilitate the
early development and implementation of effective countermeasures and procedures.

3.15 Urgent communications may be facilitated through use of the ICAO Aviation Security Point of Contact
(PoC) Network, established for the communication of imminent threats to civil air transport operations. Pursuant to
Assembly Resolution A39-18: Consolidated statement of continuing ICAO policies related to security, States who have
not done so are urged to participate in the ICAO PoC Network.

3.16 If a State has specific information about a possible occurrence involving an aircraft operator or airport, it
should immediately and concurrently inform the State(s) where the occurrence may take place, directly through the
ICAO PoC Network or through the local diplomatic mission or other appropriate channels. If a State is unable to
communicate urgent information to another State, it should immediately request the assistance of a third State or ICAO.

3.17 As soon as possible after a security incident, a review and analysis of the event should be conducted by
the appropriate authority. The results of this review and analysis should be made available to all participants, along with
the recommendations of the appropriate authority for civil aviation security for general improvement and for the
correction of any vulnerabilities or deficiencies identified. ICAO should be notified, at the earliest opportunity, of any
action undertaken by a State to correct a deficiency.

3.18 States concerned with an act of unlawful interference should provide ICAO with all pertinent information
concerning the security aspects of the occurrence as soon as practicable after the act is resolved. States should,
whenever appropriate, provide copies of reports prepared for ICAO to other States that may have an interest. The
categories of incidents that should be reported include:

a) unlawful seizure of an aircraft;

b) attempted unlawful seizure of an aircraft;

c) destruction of an aircraft in service;

d) unlawful act against the safety of civil aviation, including acts of sabotage and malicious damage, and
the placing of bombs and other explosive devices or substances in airports, aircraft, air navigation
facilities, baggage, cargo or mail;

e) attempted unlawful act against the safety of civil aviation; and

f) any other act of unlawful interference, including armed attacks at airports, acts directed toward
off-airport personnel, facilities or vehicles, and acts that have the potential to develop into a threat to
international civil aviation.

3.19 States should consider ways in which they can improve their existing systems for sharing information
internally and to industry. For example, some States occasionally issue information bulletins on matters that may be
relevant to the threat and risk to aviation, and circulate them at an unclassified level. Others review classified information
and, if it is deemed useful to the wider aviation security community, rework it at a lower level of classification to enable
its wider dissemination.

3.20 At the same time, care must be taken to avoid or limit the public dissemination of sensitive information,
including its availability on the internet, where this may potentially assist perpetrators in researching, preparing or
conducting attacks against aviation. This includes information about the capabilities or vulnerabilities of security systems.
While security information, if used correctly and carefully, can have a significant and important deterrent effect, attention
must be paid to the risk that some information, for example, vulnerabilities, may facilitate or even inspire attacks.

______________________

APPENDIX B

TERMS OF REFERENCE FOR THE AVIATION SECURITY PANEL WORKING GROUP ON THREAT AND RISK

1. MANDATE

1.1 In light of new and evolving threats to civil aviation and in accordance with the recommendations of the
Nineteenth Meeting of the Aviation Security Panel, which met in Montréal from 26 to 30 May 2008, the following terms of
reference were developed for the Group:

a) conduct a thorough analysis of potential civil aviation targeting means and methods through a
risk-based process, informed to the greatest extent possible by intelligence and law enforcement
information volunteered by Member States;

b) produce and maintain a global aviation security Risk Context Statement, which will include a risk
assessment methodology for aviation security, will identify threats and potential threats to civil aviation
on the basis of this methodology, and will contain recommendations on how these threats might be
addressed;

c) provide risk assessment advice to ICAO and its Aviation Security Panel as needed, and in particular
provide swift advice to ICAO on new and emerging threats in the light of incidents, intelligence, or
other events in the aviation security world; and

d) encourage collaboration among States to establish an ongoing information-sharing mechanism to
identify new and emerging threats.

2. REPORTING

2.1 The Group shall report to the Aviation Security Panel and its working groups on the progress of its work as
appropriate.

______________________

APPENDIX C

SUMMARY OF WGTR RISK ASSESSMENTS FOR ALL THREAT SCENARIOS

The following provides a high-level assessment of the relative risk from each major threat category, as
currently assessed by the WGTR. A single threat category will normally cover many separate scenarios or
sub-scenarios, which have been analysed individually using the methodology outlined elsewhere in this document.

Under each threat category is an explanation of the general scenario, as well as findings with regard to
each threat scenario, specifically the likelihood, consequences, mitigating measures, residual vulnerability, and residual
risk.

Keep in mind that these risk results reflect the global picture and not a regional or national picture.

1. PERSON-BORNE IMPROVISED EXPLOSIVE DEVICES (PBIEDs)

1.1 This scenario covers person-borne improvised explosive devices (PBIEDs), whether borne by crew or
passengers, IEDs placed in hold bags and IEDs placed in an aircraft by a non-travelling staff member. PBIEDs may be
concealed and/or detonated while on the body of a terrorist or in the possessions they are carrying, such as cabin
baggage, in a suicide attack. This remains a highly likely and favoured modus operandi among some terrorist groups,
who continue to devote considerable innovative effort to developing novel forms of construction, concealment, and
conveyance of such IEDs. The principal target for this type of attack is assessed to be an aircraft in flight, but an IED
may also be deployed to attack airport targets in landside or, less likely, in controlled airside environments. Noting the
relatively high number of such plots and attacks (e.g., the shoe bomber of 2001, the 2006 liquid explosives plot, the
attack on NW253 in 2009, the second underwear bomber plot in 2012, the 2014 toothpaste explosives plot, the Daallo
airlines attack in 2016, and the Sydney, Australia plot in 2017) and current technical detection capabilities, the following
have been identified as key variables for consideration within this threat category:

a) means of concealment and conveyance — directly as a PBIED either on the body or in a possibly
cluttered cabin bag, in large complex electronic devices, or in a hold bag or hidden elsewhere on the
aircraft;

b) whether the IED is brought to the airport fully assembled or taken through security controls in
component form, possibly using ingenious and challenging forms of concealment for later assembly;

c) perpetrator: passenger or member of staff (in which the latter may also facilitate the former);

d) construction: low- or no-metal content (LNMC) or metallic parts; and

e) the use of liquid or solid explosives.

1.2 The risk assessments in the scenario used for the RCS therefore identify specific scenarios to take these
various factors into account in different combinations. These produced a range of residual risks and the following broad
conclusions:

a) IEDs using liquid explosives are harder to construct than those using solid explosives;

b) metallic components are currently easier to detect than devices with low or no metallic content;

c) the concealment potential of a complex IED in cluttered cabin baggage is considerable; and

d) the use of passengers to deliver such devices appears rather more likely than the use of insiders.

1.3 Low- or no-metal content PBIEDs containing solid explosives carried by passengers or staff, and those
placed in hold bags are the most obvious and key threat scenarios as currently assessed by the WGTR. PBIEDs carried
by passengers, including those in electronic and electromechanical devices, represent the greatest concern, with intent
and capability present leading to a likelihood assessment ranging from MEDIUM to HIGH depending on the nature of the
explosives. Clearly, insiders may collude or be coerced into taking similar action, although the WGTR is not aware of
any recorded examples of this or of such attack planning (with the exception of the bombing of Daallo Airlines Flight 159
in February 2016, which appeared to involve insider facilitation). As such, the current overall likelihood of scenarios
involving insiders is assessed to be lower than for passengers for this threat type.

1.4 Taking a reasonable worst-case scenario, the consequences of an attack using a PBIED are considered
HIGH, as it is highly likely that detonation of an IED on an aircraft in flight, as over Lockerbie, Scotland in 1988, would
produce catastrophic consequences, resulting in the death of all on board, loss of the aircraft, and considerable
collateral damage on the ground, especially if the location at the point of detonation is taken into account, as in the
attempted attack on flight NW253 in 2009.

1.5 Key current mitigating measures include control of access to the target, guarding and searching of aircraft,
and screening of passengers and staff and their possessions. It is however recognized that such devices are unlikely to
be detected at a “traditional” screening point where the focus is on metal detection, especially if the device, or its
component parts, are ingeniously and challengingly concealed. The vulnerability at the global level is therefore assessed
to be MEDIUM-HIGH.

1.6 In the specific case of IEDs concealed in large electronic devices such as laptops, tablets or larger mobile
phones, or in larger electromechanical items such as household equipment containing electrical motors, which some
terrorist groups are known to have been actively exploring in efforts to defeat some common current security measures,
the overall vulnerability for this specific scenario is assessed to be HIGH.

1.7 The overall residual risk for PBIEDs as a category is therefore assessed as HIGH.

IEDs in hold bags

1.8 For IEDs in hold baggage, the WGTR has developed different scenarios for commercial (e.g., military) and
homemade explosives (HMEs). Materials for HMEs are not considered difficult to acquire, and instructions for building
them are easily accessible. The WGTR notes an increase in the general use of HMEs by terrorists, although none to
date in hold baggage. The residual risk for scenarios involving HMEs ranges from MEDIUM to MEDIUM-HIGH. The
WGTR also notes that adversaries have previously chosen to use commercial explosives based on known tactics,
techniques and procedures. Although these explosives are potentially more powerful than HMEs, they are more difficult
to acquire, and the residual risk from these scenarios is assessed as MEDIUM. The overall residual risk for IEDs in hold
bags is currently assessed as MEDIUM.

Possible additional measures

1.9 Other possible mitigating measures include:

a) the employment of enhanced screening methods to detect a wider range of explosives types and
plausible IEDs (both commercial and HMEs) and preserving the integrity of the baggage along the
chain of custody between screening of hold baggage and loading onto the plane. In particular, closer
examination could be given to IEDs with low- or no-metal content, that may be ingeniously concealed,
most probably within everyday items, including through the use of random and unpredictable
screening methods;

b) upgrades to new explosives detection systems (EDS) that have enhanced capability due to more
advanced algorithms with a higher probability of detection and lower probability of false alarms; and

c) training of ground security officers and flight crew in the detection, reporting, and disruption of post-
security assembly of IEDs. This is one aspect of suspicious activity that behavioural detection
techniques might identify.

2. VEHICLE-BORNE IEDs

2.1 Vehicle-borne IEDs are devices concealed and detonated inside a vehicle; they may come in various forms,
and their use does not need to be a suicide attack. The target for this form of attack could either be an airport facility or, less likely,
an aircraft; attacks against landside targets are generally much easier to perpetrate than those within the airside. Four
main scenarios have been considered:

a) attack by the ramming of a vehicle-borne IED into an airport facility, particularly a packed passenger
terminal (as attempted at Glasgow Airport, UK in 2007);

b) attack by the detonation of an IED in a parked vehicle at an airport facility (as seen at Madrid Airport,
Spain in 2006);

c) “insider” attack, with legitimate access or the use of a fake emergency or liveried vehicle to pass a
vehicle screening checkpoint, with the intent of attacking parked or moving aircraft on the airside; and

d) physical breach of airside perimeter with intent to detonate a vehicle-borne IED next to a parked or
moving aircraft.

Likelihood

Noting the precedents for this form of attack that took place at Glasgow and Madrid airports, across all scenarios the
general likelihood of this type of attack is currently assessed as MEDIUM.

Consequences

2.2 The consequences of an attack may be extremely high, considering the ability of perpetrators to effect
massive levels of harm and damage to people and critical facilities. Overall, the consequences are MEDIUM-HIGH.

Mitigating measures

2.3 Possible mitigating measures are available, including:

a) integration of security considerations into the design and construction of airport facilities, or
modification of existing ones. Vulnerability to ram-raid-type attacks, and to VBIEDs in parked vehicles
may be significantly mitigated by the creation of substantial stand-off distances for vehicles via
barriers, relocation of car-parks away from terminal buildings and vehicle management procedures, as
well as by the use of designs and materials to mitigate the destructive impact of a bomb blast, such as
strengthened glazing;

b) for attacks involving vehicles breaching the airside perimeter, strengthened fencing and traffic
management measures at points of vulnerability, as well as effective detection and response
measures can mitigate the risk; and

c) for insider vulnerabilities, access control, checkpoint screening of staff and vehicles, airside vehicle
management, and background checks, can all provide some mitigation if implemented effectively.

Residual vulnerability

2.4 Annex 17 is not prescriptive on requirements to respond to vehicle-borne IED threats, and there is no
confidence that the above measures are in general effect at the global level. The overall vulnerability to such an attack is
therefore considered to be MEDIUM-HIGH.

Residual risk

2.5 The overall risk of such an attack is currently assessed to be MEDIUM.

3. IEDs IN CARGO

3.1 This scenario involves an IED concealed in and taken to its target in an item of cargo. Prior to 2010 there
had been little direct evidence of interest from terrorists in exploiting this route, in spite of much commentary about
perceived vulnerabilities in the cargo system. However, the attempted attacks through the cargo system in October 2010
provided clear evidence of intent and capability to carry out attacks of this kind, and there have been further indications
of intent in recent years.

3.2 The majority of cargo travels on passenger aircraft, which may be regarded as a more attractive terrorist
target than all-cargo aircraft. However, the 2010 event showed that the latter may be a target too. Freight may be
considered higher risk if it comes from an unknown or private consignor, containing a mix of items, so as to make
detection of an IED more difficult, or originates from a location where terrorists are known to be active.

Likelihood

3.3 The fact that cargo often travels by indirect routes with multiple sectors, and that the routings and timings
may be difficult to predict, make it more difficult for terrorists to target a particular flight or type of flight. On the other
hand, terrorist groups have sent “dummy” parcels for the purposes of tracking routes and times (as well as to test
screening). The perpetrators could be private consignees of cargo, or insiders with access that would enable them to
interfere with it post-security but before it is loaded on to an aircraft. Given the previous examples and continued interest
in this attack path, the overall likelihood is currently considered MEDIUM-HIGH.

Consequences

3.4 An IED in cargo is capable of having similar consequences to other IEDs in flight if detonated on board a
passenger aircraft. An attack could result in the death of all passengers and crew on an aircraft, destruction of the
aircraft, and damage and possible casualties on the ground. On a cargo-only aircraft, the consequences are likely to
include substantially fewer deaths on board the aircraft, but could still cause collateral damage and possible casualties
on the ground, as well as significant economic damage arising from loss of confidence at the global level in air cargo
security. Accordingly, the reasonable worst case consequences for this type of attack are assessed to range from
MEDIUM-HIGH to HIGH.

Mitigating measures

3.5 Possible mitigating measures include:

a) controlling access to areas where cargo is processed, screened and stored;

b) screening individuals entering such areas for items that could be inserted in cargo;

c) applying appropriate screening methods to cargo that are capable of detecting plausible IED types
within the type of cargo consignment in question;

d) identifying cargo categorized as high-risk and applying more rigorous screening methods to it;

e) implementing effective known consignor and regulated agent regimes;

f) ensuring effective security controls and/or screening are implemented by appropriate entities
throughout the secure supply chain to prevent insertion of an IED in a consignment;

g) ensuring that the security history of an item can be verified by entities for the entirety of the supply
chain once the item has been identified as air freight;

h) cooperating with other agencies such as customs and border control in the sharing of information that
might identify items of concern being consigned for carriage by air or weaknesses in security
arrangements; and

i) pre-load checking or analysis of cargo data to identify possible anomalies or other factors of concern.

Residual vulnerability

3.6 The latest amendments to Annex 17 and the associated revisions to the guidance in the Aviation Security
Manual have incorporated many of the above mitigations, significantly enhancing previous SARPs that, if and when fully
implemented, could reduce vulnerability. However, at this stage there is limited confidence that these measures are yet
in general effect at the global level.

3.7 The current overall vulnerability to such an attack is considered MEDIUM-HIGH.

Residual risk

3.8 The overall global residual risk of such an attack against an aviation target is considered MEDIUM-HIGH.

4. MANPADS (AND OTHER WEAPONS REPRESENTING A SIMILAR THREAT TO AIRCRAFT AT OR NEAR AN AIRPORT)

4.1 This threat type involves attacks against civil aviation using MANPADS and other stand-off weapons such
as machine guns, anti-aircraft guns and grenade launchers. Although these represent two distinct modes of attack,
particularly with regard to mitigations and responses, their location and target present sufficient similarities for them to
be presented together.

4.2 There have been no recent deliberate attacks against civil aviation using MANPADS — the last one was in
Mogadishu in 2007 — but this remains a potential method of attack for terrorists. This applies particularly in areas of the
world where MANPADS are readily available. The geographical extent of such areas may be growing given MANPADS
proliferation in recent years, although the majority of the world would not fall into this category.

4.3 The most likely civil aviation target for this type of attack is a large passenger aircraft that is airborne,
whether during take-off or landing, or in mid-flight at lower altitudes. Terrorists have not used MANPADS for attacks
against airports and other ground-based targets, given the existence of a wider choice of more effective weapons for
these types of attacks. The locations for an attack using MANPADS are likely to be external to the airport environment,
and the perpetrators will therefore not need to be passengers, crew or airport staff.

4.4 Attacks against civil aviation using stand-off weapons other than MANPADS may not receive the same
international notoriety, nor have as great a negative economic impact. However, such attacks have the benefit of using
weapons that are in greater supply, usually much less expensive to procure and easier to operate. Trafficking of small
arms and light weapons, which includes most types of stand-off weapons, continues throughout the world. Such
weapons have been used against civil aviation with varying success, notably at airports in Pakistan (2014) and
Turkey (2015) resulting in fatalities and damage to aircraft.

Likelihood

4.5 Clear distinctions in threat levels can be drawn between conflict zones or other areas with proliferation of
MANPADS or other comparable weapons, and those areas where such weapons are not readily available. Because the
threat levels vary so significantly, the WGTR has not assessed a single global risk score, but has considered it
necessary to differentiate between these two types of area.

4.6 In addition, clear distinctions in capability levels can be drawn between attacks using first-generation,
second-generation, third-generation and fourth-generation MANPADS. First-generation MANPADS are currently much
easier to obtain in areas of proliferation. The later-generation MANPADS have a greater range and are less dependent
on the position and angle of aircraft, climate, time of day or night, terrain and weather conditions.

4.7 The likelihood is therefore assessed as MEDIUM-HIGH for first-generation MANPADS in a proliferation
zone. In a non-proliferation zone, it is MEDIUM-LOW. The likelihood is lower in each zone for later-generation
MANPADS because of their more limited availability, which is, however, being monitored closely.

4.8 The likelihood is MEDIUM-HIGH for other stand-off weapons in conflict zones and MEDIUM-LOW in
non-conflict zones.

Consequences

4.9 While an aircraft might survive (e.g., as at Baghdad in 2003), the consequences in a reasonable
worst-case scenario of a MANPADS attack would involve the loss of an aircraft and all on board. Whether the aircraft is
downed or not, the economic and political consequences would be high in all scenarios, but especially if the attack were
to occur outside a conflict zone. Overall the consequence is assessed as HIGH.

4.10 The consequences of an attack using other stand-off weapons are assessed as MEDIUM, or
MEDIUM-HIGH in scenarios where an aircraft is targeted at low altitude.

Mitigating measures

4.11 Possible mitigating measures are as follows:

a) conducting airport neighbourhood vulnerability assessments, to identify higher-risk launch areas;

b) implementation of patrolling and community awareness;

c) secure storage and transportation of MANPADS;

d) implementation of non-proliferation measures;

e) training of pilots to use in-flight countermeasures (although they are limited, and there may be no
opportunity to use them); and

f) implementation of air traffic control measures, e.g., avoiding the overflight of vulnerable locations such
as elevated ground.

Residual vulnerability

4.12 The vulnerability to a MANPADS attack is assessed as being from MEDIUM (first generation), to
MEDIUM-HIGH (second generation) to HIGH (third and fourth generations), depending on the MANPADS type.

4.13 Vulnerability to attacks using other stand-off weapons in conflict zones also ranges between MEDIUM, and
HIGH if an attack targeting aircraft on the ground comes from the landside.

4.14 Vulnerability in non-conflict zones ranges from MEDIUM-LOW to HIGH, depending on the generation of
the device and the location of the attack.

4.15 Overall vulnerability is assessed as MEDIUM-HIGH.

Residual risk

4.16 The risk associated with a MANPADS attack is considered to be MEDIUM-HIGH in conflict and other
proliferation zones, and MEDIUM-LOW elsewhere (that is, in the majority of the world).

4.17 The risk associated with an attack using other stand-off weapons in conflict zones is similarly assessed to
be MEDIUM or MEDIUM-HIGH if an attack targeting aircraft on the ground comes from the landside. It is MEDIUM-LOW
in non-conflict zones.

5. AIRBORNE THREATS

5.1 This type of threat covers both:

a) the commandeering of a small or large, commercial or general aviation aircraft for use as a weapon of
mass effect, i.e., an 11 September 2001-style suicide attack; and

b) the commandeering of an aircraft to perpetrate a conventional hijack where hostages are taken and
demands made which may be resolved by negotiation or force.

Aircraft as a weapon

5.2 The use of an aircraft as a weapon remains an attractive modus operandi among terrorists, given its
spectacular and devastating use on 11 September 2001, and would clearly achieve terrorists’ aims. Such a scenario
may involve the use of any aircraft capable of having large scale impacts on a ground-based target as a result of the
kinetic energy generated by its size, speed and weight and, possibly, by any additional fuel or explosive, chemical, or
other materials on board. Smaller, slower, and lighter aircraft generate less kinetic energy and are capable of carrying a
smaller payload, but the reputational and other implications may mean that the use of such an aircraft in this way might
still be attractive to terrorists. The perpetrators could feasibly be passengers or stowaways on cargo-only aircraft, who
would need to commandeer the aircraft; those renting or chartering private aircraft; cabin crew, who would have periodic
legitimate access to the flight crew compartment; or flight crew themselves, who are in control of the aircraft and have
the necessary skills to attack a pre-determined target.

5.3 Despite big reductions in the number of hijacks compared to previous decades, multiple hijackings of
aircraft continue to be reported each year. While these may generally be for personal motivations or gain rather than a
deliberate act of terrorism, this highlights the possibility for passengers with little to no technical capabilities to exploit
gaps in security measures to take control of an aircraft.

Likelihood

5.4 The WGTR considers that the most likely scenarios involve seizure of a larger commercial aircraft, and
understands that terrorist groups have shown a renewed interest in attempting this sort of attack in recent years. The
WGTR therefore currently assesses the likelihood of a passenger or passengers attempting such an attack to be
MEDIUM-HIGH, and a similar attack by crew to be MEDIUM-LOW.

Consequences

5.5 The consequences remain HIGH in human, political and economic terms. Depending on the size of the
aircraft, the human consequences may vary, but the political and reputational consequences will still be high, especially
if the incident is associated with a high profile target or event.

Mitigating measures

5.6 The most significant single mitigating measure is certainly the use of lockable reinforced cockpit doors on
larger passenger aircraft, and seizures of aircraft have declined considerably since these were generally introduced.
However, their effectiveness as a mitigation is heavily dependent on crews observing correct procedures around cockpit
door security during flight. Other measures to mitigate airborne threats may include both security screening to prevent a
weapon or IED being taken onto an aircraft in order to commandeer it, and air-defence measures to respond to a
hijacking. On the basis of risk assessment, tolerance and management, consideration should be given to which aircraft,
such as lighter and smaller general aviation aircraft, may be exempt from such measures by Member States.

5.7 Possible additional mitigating measures could include:

a) installation and operation of lockable flight crew compartment doors on any aircraft felt to be a
potential threat, including, but not necessarily limited to, all aircraft over 45.5 tonnes;

b) installation of secondary cockpit doors to make breaches even more difficult;

c) recruitment, training and potential deployment of an in-flight security officer capability, as per Annex
17, which may have a significant deterrent effect whether such officers are deployed or not and are
able to react to an incident or not;

d) application of current passenger screening and access control, as per Annex 17, to more categories of
general aviation aircraft;

e) background checks on recruitment of, and aftercare during employment of, air crew, including
procedures for identifying and reacting to suspicious behaviour;

f) regular training of crew on appropriate response procedures, as per Annex 6, and associated
guidance;

g) promotion of passenger awareness in identifying and reporting any suspicious behaviour; and

h) consideration of guidance on response planning and preparedness to deal with renegade aircraft.

Residual vulnerability

5.8 Even assuming effective implementation of current measures, the WGTR identified a number of remaining
vulnerability factors: the opening of the cockpit doors in flight for operational reasons; that multiple attackers will make it
more difficult for crew and other passengers to intervene; and that if the cockpit is breached then it protects the
attacker(s) and hinders attempts to disrupt the attack. The vulnerability score has therefore been assessed as MEDIUM.

Residual risk

5.9 The overall assessed risk reflects the fact that protection against such attacks is generally good on large
commercial aircraft and an assumption that the measures in place are generally being properly implemented. It is
recognized though that greater vulnerabilities exist on business jets, etc., while accepting that the consequences of the
use of smaller, lighter and slower aircraft as a weapon are likely to be lower. The residual risk of such an attack
against an aviation target is currently assessed as MEDIUM.

Hijacking

Likelihood

5.10 In terms of the threat of a “traditional” hijack where the aircraft and those on board are used as a
bargaining counter to demand a specific outcome, the WGTR noted that such incidents are regularly reported to ICAO
(for example five in 2015 and two in 2016), and that others may be going unreported. Given that such attacks continue
to take place on an annual basis, albeit at relatively low levels compared to previous eras, the likelihood score for such a
hijack is assessed to be HIGH, while recognizing that the motivation in many cases is primarily for reasons other than
those associated with international terrorism.

Consequences

5.11 The consequences of a conventional hijack are relatively LOW as there is no or limited loss of life or
destruction of the aircraft in most cases, but there may be considerable disruption in the air and at the reception airport
and some loss of public confidence.

Residual vulnerability

5.12 The WGTR again assesses the vulnerability score to be MEDIUM, recognizing that cockpit doors may be
opened in flight for operational reasons, that multiple attackers will make it more difficult for crew and other passengers
to intervene, and that if the cockpit is breached it then protects the attacker(s) and will hinder attempts to disrupt the
attack for a lengthy period of time.

Residual risk

5.13 As a result of the abovementioned factors, in particular the on-going relatively high likelihood of hijack
attacks taking place, the residual risk of such an attack is considered to be MEDIUM.

6. CYBER THREATS

General overview

6.1 A cyber-attack refers to an attack against civil aviation perpetrated on or through cyberspace, i.e., the
interdependent network of information technology infrastructures, including the internet, telecommunications networks,
computer systems, and embedded processors and controllers. Cyberspace may be seen as a target for attack or as a
vector or facilitator for other forms of attack.

6.2 The WGTR has considered only terrorist-related attacks, i.e., deliberate, malign acts intended to cause
loss of life and/or significant disruption and economic damage to the aviation sector, in its risk assessments to date. The
assessments cover direct attacks on IT-based air traffic management (ATM) systems, aircraft systems and airport
systems. They do not address wider, less-targeted attacks that may inadvertently affect aviation or other forms of
unlawful interference such as “hacking” to gain access to systems or cause embarrassment or minor disruption,
espionage, attacks for commercial gain or activities by State actors, although these may point to vulnerabilities and can
create possibly unintended safety or security concerns.

6.3 While there is some evidence of intent by terrorist organizations to use cyber means to commit acts of
terrorism of the sort that could seriously endanger aircraft, at present their capability to do so appears relatively limited.
Low-level (i.e., relatively crude) cyber-attacks against aviation entities occur frequently, as for many sectors, and a small
number of these have been linked to terrorist groups. False reports about cyber-attacks, as well as claims by hackers
and others about specific vulnerabilities and their wider implications often appear in the media. For example, there have
been reports of claims by cybersecurity researchers to have “hacked” aircraft systems. However, there is little or no
evidence that this can be done in a “real world” environment. Aviation authorities and aircraft manufacturers have said
it is not possible to take full control of an aircraft using cyber techniques. While the coverage may bring the issue to the
attention of extremists wishing to compromise aviation safety, the WGTR understands it is unlikely that they would
possess in the near future the level of technical skill to exploit any vulnerabilities that do exist, without direct insider or
State-level assistance.

6.4 That being the case, the overall likelihood of a terrorist cyber-attack on civil aviation is currently
assessed to be LOW. However, the potential consequences — i.e., those which could result in the loss of an aircraft in
the worst case scenario — are assessed as HIGH. As regards vulnerabilities, while many mitigations are in place,
important residual vulnerabilities have been identified in certain scenarios. The hope is that work can be done to address
these before they can be exploited, and overall the residual vulnerability is currently assessed as MEDIUM-LOW
(although work in this area is on-going).

6.5 Based on the above, and in particular on the current threat likelihood, the overall relative residual risk of a
terrorist attack (a malicious attack with the intent to endanger the safety of aviation) using cyber means is currently
assessed to be LOW.

6.6 Nevertheless, as technology progresses and the integration of systems moves forward, the feasibility for
exploitation may change, and manufacturers and regulators will need to stay ahead of hostile actors. The WGTR
remains of the opinion that the growing complexity, connectivity and integration of ATM, aircraft and airport systems
means that cybersecurity is increasingly becoming an issue in the design and operation of civil aircraft. The following
general factors, individually or collectively, may increase the vulnerabilities which may be exploited by an able attacker:

a) increasing reliance on digital technology and information systems for safety-critical functions;

b) increasing connectivity with and dependence on embedded software, which may have a high safety
assurance but an unknown level of security; and

c) greater inter-connectivity, both within aircraft and with external sources, either via remote data links or
devices brought on board the aircraft. This includes increased internet connectivity and the use of
commercial-off-the-shelf (COTS) equipment and remotely deployed software updates. This may
increase the chance of inadvertent attack on aviation, i.e., an attack on a system and/or non-aviation
target which has unplanned or unintended consequences for civil aviation using the same system.

6.7 This is especially true for “e-enabled” aircraft. However, while older “legacy” aircraft may appear to be less
vulnerable due to more limited external connectivity and proprietary systems, they are also being retrofitted with more
modern systems or maintained using newer techniques (such as wireless data loaders) where the security impact may
be less well understood by manufacturers and regulators.

6.8 Cybersecurity cannot be confined to aircraft alone. ATM security is becoming a more integrated operating
environment where the “connected aircraft” is one element in a complex and interconnected system composed of
multiple airborne and ground-based elements. The increased internet connectivity and bandwidth available in the latest
SATCOM systems potentially allow the traffic to be profiled and manipulated. Aircraft are increasingly dependent on the
security of the connections to the ground and airborne and satellite systems. Previously these communications were
confined to proprietary or government regulated infrastructure but are increasingly making use of public networks and
local or cellular wireless connections.

6.9 It continues to be strongly recommended that individual entities such as airport and aircraft operators
undertake their own detailed risk assessments for their own operations, which will vary considerably.

6.10 Because this is a relatively new area that is currently being addressed by ICAO, within States and by
industry, a further, more detailed summary of the specific assessments carried out by the WGTR to date for ATM,
aircraft and airport systems is given in Appendix E — though it should be noted that work on these assessments,
involving subject matter experts across a range of sectors, remains on-going.

7. CHEMICAL, BIOLOGICAL AND RADIOLOGICAL (CBR) THREATS

7.1 The use of chemical weapons in past terrorist attacks against non-aviation targets and on the battlefield in
recent conflicts has underlined both the potential consequences of attacks involving the use of chemical agents and the
importance of conducting assessments of the risk of attacks on civil aviation using CBR agents.

7.2 The WGTR has conducted a detailed risk assessment with input from subject matter experts in a number
of States. Because of the extremely wide range of agents that could potentially be used, the assessment is based on a
number of “marker” chemical and biological agents which were considered to be representative of a particular group of
agents with broadly similar characteristics and effects, and/or those most likely to be used. In selecting these marker
agents, consideration was given to a wide range of factors including the physical nature of the substance, its toxicity,
persistence and lethality, ease of production or acquisition, and ease of transportation, concealment and dispersal. The
same factors were also taken into account in conducting the risk assessments.

Likelihood

7.3 CBR agents are by their nature most effective in closed and weather-proofed environments. Therefore,
threat scenarios involving the distribution of CBR agents in the aircraft cabin or in closed and crowded places such as
airport terminals have been identified as plausible scenarios. The use of aviation as a means of dispersal of such agents
has also been considered.

7.4 The use of common chemical agents for warfare evolved during the last century, and has further
developed since. Chemical agents have also been used by terrorist groups for attacks on critical infrastructures in the
past (e.g., the 1995 attack on the Tokyo underground). The recent use of chemical agents on the battlefield has
enhanced the possibility for certain terrorist groups to gain access to CBR agent stocks and/or knowledge on how they
may be used.

7.5 Terrorist groups are known to have an interest in developing and using chemical weapons. However, there
is no clear indication that they currently have the expert knowledge, resources or technical means to deliver more
complex CBR plots. This suggests scenarios involving cruder devices and more readily available substances that can
easily be purchased and/or produced.

7.6 Although aviation may be a target for use of CBR agents in a terrorist attack, other confined and/or
crowded places may be perceived as easier and therefore more attractive targets. Aircraft are less likely to be preferred
targets for non-suicide attacks, or for attacks using slow-acting biological or radiological agents.

7.7 Terrorists have shown interest in the past in obtaining and using CBR agents in landside attacks. Most
recently, in July 2017, the Australian authorities disrupted the activities of a terrorist cell which included attempting to
detonate an IED on board an aircraft departing Sydney. The Australian Federal Police also reported the discovery of
attempts by the plotters to construct an “improvised chemical dispersion device” using readily available materials to
produce a compound that could easily be used to release highly toxic gases. No indication was given of the likely target
of such a device, and none is currently available on open sources. However, as noted above, while there may be easier
and more readily accessible targets, an attack against aircraft using such materials is an entirely plausible scenario
which cannot be discounted.

7.8 In light of this the WGTR increased its assessment of the overall likelihood of a CBR attack against
aviation to MEDIUM.

Consequences

7.9 Consequences vary extensively from one threat scenario and agent used to another, but many scenarios
are assessed potentially to cause loss of life and considerable economic and political damage. Overall, taking account of
the wide range of scenarios but based on those which are currently assessed as more likely, the consequences are
considered as MEDIUM-HIGH.

Mitigating measures

7.10 While most current aviation security measures are not specifically aimed at the detection or prevention of
CBR attacks, they do offer some potential to deter, detect or disrupt such attacks, particularly attacks against aircraft.
These include, for example, restrictions on the carriage of liquids within the aircraft cabin. Safety-related measures such
as restrictions on the carriage of dangerous goods on aircraft and the provision of separate air supplies in the flight deck
and passenger cabin may also be partial mitigating factors.

7.11 Banning the carriage in the aircraft cabin of certain substances by making them prohibited items could be
considered, but given the wide range of agents that could be used, and the relatively small amounts required in some
cases, detection is likely to be challenging. The possible use of detection algorithms for particular substances for use on
x-ray equipment alongside automatic explosives detection systems may offer some mitigation in the future, as might
explosives trace detection equipment and explosives detection dogs, if suitably adapted.

7.12 In scenarios where, due to the nature of the CBR agent used and the modus operandi chosen, prevention
of attacks with the current baseline security measures may be unlikely, emergency response procedures are important
in limiting the consequences of the attack. In the event of CBR attacks, the correct and quick handling of the situation
through effective response plans can make a significant difference in the number of casualties that will be incurred.
Therefore, while there may in some cases be limited mitigation against the attack occurring, effective measures can be
put in place in order to limit or reduce the consequences. ICAO guidance on response plans exists for CBR incidents
both on board aircraft and in airports.

Residual vulnerability

7.13 Prevention of certain types of CBR attacks is challenging under existing security arrangements. And while
some airports and aircraft operators may have emergency response procedures in place for CBR attacks, more may
need to be done to ensure that they are generally in place and could be implemented effectively.

7.14 So while vulnerability to CBR attacks differs significantly depending on the agents and method used,
overall it is currently assessed as MEDIUM-HIGH.

Residual risk

7.15 The general conclusion that is drawn from the risk assessment conducted by the WGTR is that the relative
global risk of an attack on civil aviation using CBR agents is currently MEDIUM. However, the likelihood of such attacks
in particular should be kept under close review.

8. THREATS TO THE LANDSIDE

8.1 Attacks on the landside area of an airport for these purposes include attacks using a person-borne IED
and/or an armed assault (VBIED and CBR attacks have been considered separately). If an attack is launched in the
public area of an airport outside the security restricted area, the attackers do not need to defeat the measures in a
security cordon.

8.2 Two recent examples of such attacks occurred in 2016. In March, terrorist-affiliated attackers detonated
two IEDs in the check-in area of Brussels’ Zaventem Airport. In June, in an attack at Istanbul’s Ataturk Airport, two
assailants armed with firearms and explosives belts approached the security checkpoint, opened fire, and detonated the
bombs on their persons. A third attacker set off an explosion in a parking lot across the street from the terminal. In
January 2017, an individual opened fire in the arrivals hall of Fort Lauderdale, United States. All three attacks caused
multiple deaths and injuries, and, in the case of Brussels, substantial damage to the airport and disruption to its
operations.

Likelihood

8.3 The likelihood of a landside attack is assessed as HIGH. Not only have several such attacks occurred
recently at airports, but there is evidence of intent among terrorists to conduct further similar attacks in a range of
crowded places. These types of attack are relatively simple to perpetrate, and do not require the level of planning
associated with attacks on aircraft, because of the absence of the need to defeat airport and aircraft security access
control and search measures.

Consequences

8.4 The consequences of such attacks are considered to be MEDIUM-LOW to MEDIUM. While the attacks in
Moscow (in 2011), Brussels and Istanbul have shown that the human costs may well be dozens of deaths, and there is
the possibility of significant physical damage to facilities, the reputational and other consequences of such an attack may
not be as high as those associated with, for instance, a successful attack on an aircraft. This is because a landside
attack would be more closely associated in the public mind with other types of attacks on crowded places, and without
the additional fear factor that may be associated with a successful attack on an aircraft in flight and the defeat of aviation
security measures designed to prevent this.

8.5 In the case of an attack by multiple shooters or bombers, as in Fort Lauderdale and Brussels, both human
and economic consequences will naturally tend to be more severe, with attack strategies potentially evolving to
maximize both.

Mitigating measures

8.6 Recently introduced Annex 17 Standards 4.8.2 and 4.8.3 require security measures to be taken in landside
areas and to be coordinated across relevant national and other entities. The primary mitigation measure at most airports
is likely to be a strong law enforcement presence that can both deter and respond rapidly to an attack. Other possible
mitigating measures include:

a) training of staff to spot anomalous behaviours or actions;

b) random and unpredictable screening measures (likely to be effective as deterrents and/or disruptions
rather than for detection);

c) increased law enforcement patrols;

d) other visible deterrents, such as dog teams;

e) public awareness;

f) design of airports to disperse crowds and thus reduce the casualties from a blast, such as by
dispersing self-check-in points rather than creating centralized check-in queues;

g) screening of all passengers before entry into the terminal (though such screening can be challenging
to deliver effectively and may serve only to displace the threat); and

h) the development and regular testing of escalation plans in periods of heightened threat, and response
and recovery plans in the event of an incident.

Residual vulnerability

8.7 The vulnerability to a landside attack is currently assessed as MEDIUM-HIGH.

Residual risk

8.8 The overall global residual risk of an attack against a landside aviation target is assessed as
MEDIUM-HIGH.

9. IED, WEAPON OR TOXINS CONCEALED IN CATERING OR OTHER SERVICES

9.1 The WGTR assessed six scenarios related to two broad themes that included the introduction of an IED,
weapon or toxins (i.e., poison) into catering supplies and aircraft services to target passengers and/or crew on a
commercial aircraft. The assessment included risks related to catering items such as food and beverages (including
liquor) provided by the aircraft operators, as well as in-flight supplies (e.g., pillows and blankets).

9.2 The WGTR assessed the risks associated with the introduction of these threat items via “on-airport”
facilities that operate within or have direct access to security restricted areas and “off-airport” facilities within the supply
chain that are not located on airport premises.

Likelihood

9.3 There is known capability to construct and detonate IEDs and conduct armed attacks and it is possible to
conceal such prohibited items and take them on board as part of the servicing of aircraft on the ground, for example
inside catering trolleys. However, catering and other supplies are not known to have been used as a means of
concealment to date and there is no current indication of intention in this regard, possibly due to the difficulty in targeting
a specific flight and a high level of uncertainty regarding timing and delivery of catering and supplies to an aircraft from
off-site locations. The possibility of the coercion or collusion of individuals to hide a device inside catering or other on-
board supplies cannot be discounted, however. The likelihood of an insider carrying out an IED attack via catering or
other services is currently assessed as MEDIUM-LOW.

9.4 While there may be interest in carrying out poison attacks generally, there is no known interest in targeting
aviation specifically. A degree of skill would be required to produce or procure and handle toxins (see CBR section
above). Poisoning scenarios are not consistent with current preferred terrorist modus operandi. Given this and the
challenges associated with this type of attack, the likelihood of an insider carrying out a poison attack on a passenger
aircraft via catering is considered LOW.

Consequences

9.5 The detonation of an IED successfully introduced onto an aircraft in catering and in-flight supplies could be
expected to destroy the aircraft in a reasonable worst case scenario. This would result in hundreds of lives lost, and
far-reaching and sustained economic damage. It is likely there would also be a loss of public confidence in the security
of air travel.

9.6 Given the attendant loss of life, economic consequences and reputational costs associated with a
successful insider IED attack, the consequences of an insider attack using a concealed IED in catering supplies are
considered HIGH.

9.7 Poisoning scenarios are expected to result in fewer consequences, including perhaps dozens of deaths.
The number of human casualties would depend largely on the poison used and the length of time it would take
individuals to exhibit symptoms or have their lives threatened. While some toxins are fast acting, others may lead to
early symptoms that may allow for an aircraft to be diverted in order for medical attention to be sought. Potential victims
would be only those who directly ingest the toxin and, unless all of the pilots were affected, it could reasonably be
assumed that the aircraft would not be destroyed. If this were the case, there might be the opportunity to take
emergency measures to land the aircraft once symptoms became apparent. The consequences of these scenarios are
therefore assessed to be MEDIUM-LOW.

Mitigating measures

9.8 Measures such as staff screening, background checks, and the inspection and protection of supplies in
transit and at the airport each provide an opportunity to detect IEDs or an insider intending to contaminate catered
goods with toxins, although many of these measures may not be applied at off-site facilities located outside the security
restricted area, where ICAO SARPs may not be applied.

9.9 Additional mitigations to be considered might include:

a) establishing secure supply chains, and assuring the security of those supply chains by regulation and
other means, as for cargo;

b) location of catering facilities within the SRA;

c) comprehensive intelligence-based background checks, both initial and recurring, on staff with direct
access to catering and flight supplies;

d) physical security and access controls for staff, catering and in-flight supplies;

e) staff screening at supplier premises and for goods in transit, as well as for those staff with direct
access to items destined for the aircraft;

f) employee awareness campaigns;

g) application of appropriate security controls on different types of supplies;

h) limiting access to relevant flight information for caterers and other suppliers to make targeting of
specific flights more difficult; and

i) ensuring meals intended for flight crew are not specifically categorized as such.

Residual vulnerability

9.10 Significant vulnerabilities may exist from catering and other supplier facilities located outside the SRA,
given that these operate outside ICAO SARPs, especially if supplies are delivered and introduced directly to aircraft with
no or limited further checks, or where those checks may easily be circumvented by a knowledgeable insider. The
highest residual vulnerability was assessed to be around the introduction of IEDs into catering by insiders during the
transport/loading of materials brought in from off-site. Even where SARPs apply, there is limited confidence in the
effective application of mitigating measures at the global level. Overall, the residual vulnerability related to an insider
introducing an IED into catering and aircraft supplies is currently assessed as MEDIUM.

9.11 Measures to detect an insider intending to contaminate catered goods with toxins may be of limited
effectiveness and may not be applied at off-site facilities located outside the security restricted area, which raises the
possibility that contamination may not be detected. However, pilots have separate food and individual flight crew
members often eat at different times, thus reducing the possibility of targeting an entire crew. The overall vulnerability
related to an insider introducing poisons into catering and aircraft supplies is considered MEDIUM.

Residual risk

9.12 The overall residual risk associated with an attack against aviation from catering and aircraft supplies is
currently assessed to be MEDIUM-LOW.

10. REMOTELY PILOTED AIRCRAFT SYSTEM (RPAS) THREATS

10.1 From an emerging vulnerability perspective, the WGTR continues to review the possible terrorist related
risks posed by remotely piloted aircraft systems (RPAS), across a range of potentially plausible scenarios, but focusing
particularly on those where smaller RPAS (drones) could be used by terrorists to conduct an attack, for example by
attaching a payload to them. Such attacks may be directed at aviation targets or more broadly at crowded places or
infrastructure (even though technically the latter may not be regarded as “acts of unlawful interference” against civil
aviation).

10.2 To date the WGTR has assessed only attacks using smaller aircraft, which are freely available and now
very widely used, whereas larger RPAS are currently much more difficult to acquire, though these may create
significantly higher risks if they were to become available to terrorist organizations.

Likelihood

10.3 Smaller RPAS are now widely used for both commercial and recreational purposes. To date, the major
concern for civil aviation has arisen from the reckless use of drones in airspace around airports, which, although it may
pose safety and operational implications, is more likely to occur through ignorance than for malicious reasons.

10.4 The capability and ease of use of small drones have also increased rapidly over recent years. The use of a
drone as a conveyance for an IED has been seen in conflict, for example in an attack in Iraq in October 2016 that killed
two and injured two. Use of RPAS may also be attractive because it can be carried out remotely and could potentially
circumvent security controls on the ground. While the capability does exist, there is currently no known intent to utilize
RPAS as a conveyance in attacks targeting civil aviation or outside of conflict zones. Direct targeting of an aircraft in
flight would also be challenging to carry out successfully. The likelihood of an RPAS attack against an aviation target
intended to cause loss of life is currently rated as LOW, although the use of RPAS under some scenarios to attack other
targets is assessed as MEDIUM-LOW.

Consequences

10.5 In general terms, the larger the RPAS, the greater the potential for structural damage caused by explosion,
or loss of aircraft and all on board. The WGTR has classified the reasonable worst case consequences of a successful
attack on in-flight aircraft with an RPAS carrying an IED payload as HIGH. The consequences for other scenarios are
assessed as MEDIUM-HIGH or lower.

Mitigating measures

10.6 The primary mitigation measures for RPAS-themed attacks against aviation are surveillance of areas
surrounding airports that may be potential launch sites and pilot/crew reaction measures to IED attacks. Other measures
are currently under development but not yet generally available.

Residual vulnerability

10.7 The inherent difficulty in preventing the acquisition and malicious use of RPAS devices, in addition to the
limited ability to track and prevent use near airports, results in a higher overall vulnerability. The WGTR has
assessed vulnerability to attacks on aviation facilities as MEDIUM-HIGH, while for certain other scenarios it is currently
assessed as HIGH.

Residual risk

10.8 The risk continues to evolve as the technology (and possible mitigation methods) develops, but the residual
risk of an attack on aviation targets is currently assessed as MEDIUM-LOW. However, the overall risk from the malicious
use of RPAS under some other scenarios is currently assessed as MEDIUM.

11. OTHER POSSIBLE THREATS

Long range surface-to-air missiles (SAMs)

11.1 Following the loss of Flight MH17 in July 2014, the WGTR carried out an assessment of the risk to civil
aviation from overflying conflict zones.

11.2 The assessment concluded that, unlike MANPADS, SAMs remain predominantly under the control of State
actors with effective command and control in place, and can only be operated as designed by fully trained personnel.
They are, however, present in many countries and it is likely that some have passed or may pass into the hands of non-
State actors. The WGTR concluded that the risk to civil aviation from a deliberate SAM attack was currently LOW.

11.3 However, the WGTR also concluded that should such groups succeed in acquiring SAMs and the
capability to operate them, the risk to overflying aircraft would become relatively high, even at cruising altitudes above
30 000 feet, bearing in mind their high vulnerability to such weapons. In such circumstances the only effective mitigation
would be to avoid airspace within range.

11.4 The WGTR also assessed the risk factors associated with accidental SAM attacks on civil aircraft, which
could occur because of lack of appropriate command and control leading to misidentification or failure to hit intended
targets. Although rare, there have been examples of such occurrences, and the Group considered that overflying areas
of armed conflict was likely to involve heightened risk (albeit still low in statistical terms), particularly where certain
factors were present. These risk factors included the use of aircraft in the conflict (either in a combat role or for
transportation), lack of command and control over the weapons, operation by poorly trained or inexperienced personnel
(e.g., non-State actors), absence of effective ATM or oversight in the area, and routing over locations or assets of high
strategic importance.¹

Sabotage

11.5 Sabotage in this context is taken to mean the carrying out of deliberate and hidden damage to aircraft or
aviation facilities with a view to causing an apparent accident when the aircraft or facilities are put into service.

11.6 Physical sabotage is plausible but currently not a likely threat. The possible methods of sabotage are
limited only by the imagination, but the majority would cause only limited harm before they would be identified through
existing safety processes, and those which might cause catastrophic damage would, in general, be difficult to carry out
with any prospect of success, not least because they should be apparent during pre-flight checks and other existing
safety and security measures. Measures such as access control, and screening and vetting of staff may have mitigating
effects as, depending on their role, insiders would likely have greater knowledge and access to perpetrate a more
successful attack. Therefore, it is prudent for States and other actors to consider the extent to which such measures
could be adapted to prevent sabotage of the kind envisaged above.

12. HOAXES

12.1 A hoax, involving a written or verbal threat against an aviation target, may be the result of a wide variety of
motivations, not necessarily linked to terrorist groups or inspired by an extremist ideology, and the intent may not be
clear. However, they may cause concern and disruption until resolved as a false alarm and are therefore a form of
unlawful interference and in some cases may be considered as an act of terrorism. It is not possible to conduct a generic
risk assessment given the multitude of possible scenarios. However, statistics suggest that such events are common,
and the likelihood of their continuing to occur in the future is HIGH. Depending on what is being threatened, the level of
detail provided on the target, the method and the credibility of the threat made, the reasonable worst-case
consequences in terms of concern and disruption caused have been assessed as MEDIUM.

12.2 States are strongly advised to ensure that they and/or their aircraft and airport operators have trained
threat assessors available at all times of operation in order that the available information can be collated and analysed
correctly. Appendix 38 to the 10th Edition of the Aviation Security Manual (Doc 8973 — Restricted) contains information
on managing response to security threats. Application of the procedures therein may reduce both the residual
vulnerability and risk levels to LOW.

______________________

1. For more information on assessing the threat from SAM attacks, please refer to the Risk Assessment Manual for Civil Aircraft
Operations Over or Near Conflict Zones (Doc 10084).

APPENDIX D

INSIDER THREAT

1. INTRODUCTION

1.1 Terrorists consistently look to exploit vulnerabilities in security controls in an attempt to find the path of
least resistance to their targets. This could mean the exploitation of people in the form of employees working in or for the
aviation sector whose role provides them with privileged access to secured locations, secured items or security sensitive
information, thus giving them a potential tactical advantage in perpetrating or facilitating an act of unlawful interference.
This includes flight crew and all ground-based employees in airports or other facilities related to civil air transport and its
supply chains and encompasses contract, temporary or self-employed personnel as well as full- or part-time staff
members.

1.2 The specific vulnerability of aviation to attacks involving the use of insiders in order to by-pass security
controls has long been understood and reflected in risk assessments and mitigation measures. However, recent terrorist
attacks on aviation (including those on Metrojet and Daallo Airlines in 2015 and 2016) have drawn renewed attention to
potential exploitation of those vulnerabilities, and therefore the resultant risks.

1.3 Concern is heightened by well documented indications that terrorist groups are actively looking for insiders
to assist in their attempts to target civil aviation. It is further heightened by the phenomenon of increasingly rapid
radicalization (including self-radicalization over the internet and through social media) of individuals in many parts of the
world, thus reducing the opportunities for their detection by conventional vetting methods, by people close to them, or by
security or law enforcement services.

1.4 It may be assumed that “known” staff represent a lower threat than “unknown” passengers. This is
certainly true in some respects, for example because staff in sensitive positions are usually subject to initial and ongoing
background checks and/or vetting, and because they have established a history of trustworthiness. However, there is
some evidence to suggest that the majority of those who commit illegal acts using insider access or knowledge acquire
the intention to do so only after taking up employment. Initial pre-employment background checks may be ineffective in
such cases. In addition, terrorists may actively seek to place, or more likely recruit, blackmail or coerce individuals in
sensitive roles particularly because they present no history or indications of likely intent.

2. ASSESSING RISKS FROM INSIDER THREATS

2.1 In development of the RCS, the insider threat has not been considered as a separate category. Insiders
are best viewed as one dimension of a particular threat type, and not as a separate threat type in themselves. Instead,
threat types have been considered with an insider element included within each category, where appropriate.

2.2 This approach also makes it easier to identify, and therefore address, through analysis of different attack
scenarios, the tactical advantage and increased vulnerability that an insider represents in the perpetration of that
particular form of attack. For example, in the case of a vehicle-borne improvised explosive device (VBIED), measures
may be established to prevent unauthorized persons driving a vehicle into or close to sensitive areas of the airport. If
such measures are in place and effectively implemented, then the residual risk may reside primarily in scenarios where
an authorized person, with relevant access rights, is involved in driving the vehicle and/or facilitating its access, and
additional mitigations may be developed accordingly. Some aspects of the analysis (e.g., capability, consequences) may
be similar even where the type of perpetrator changes, and also insiders may simply act as facilitators rather than
perpetrators in many scenarios.

2.3 It is suggested that, in developing their own security risk assessments, States adopt a similar approach.
For instance, in considering a threat category, such as a person-borne improvised explosive device (PBIED) used to
attack an aircraft, those conducting an assessment should consider, separately, both PBIED used to attack aircraft and
PBIED introduced by crew used to attack an aircraft.

2.4 The assessment should take into account how the risk from a particular threat may differ when the threat
comes from a staff member and when it comes from a passenger. For example, the:

a) vulnerability associated with insiders might be greater if they have access to the last layer of security
in a way that a passenger does not;

b) likelihood associated with insiders might be less if they have already been subject to vetting and
selection procedures; and

c) consequences of a threat associated with insiders might be greater if an insider has access deeper
within the system. For instance, an insider could perpetrate a more credible and thus more disruptive
hoax.

2.5 The types of attack potentially involving an insider component are wide-ranging, but are considered in
general more likely to be directed at aircraft rather than airports, since attacks on the latter can be carried out in the
public (landside) areas where insider access or knowledge is unnecessary. Current versions of the risk assessment
matrices which underpin the RCS incorporate possible insider involvement scenarios in most types of attack. But they
are particularly prominent in those involving the use of IEDs against an aircraft in flight, whether through insertion in hold
baggage, cargo, or in-flight supplies, or through direct placement in the aircraft. Insiders are also seen as a potentially
important component in the vulnerability to attacks involving the hijack and use of aircraft as a weapon, and in some
types of potential cyber threat.

2.6 Further guidance on identifying and assessing the security concerns presented by insiders across a range
of defined threats is provided below. This includes a list of threat types in Table D-1 and a further list of security-relevant
job roles in the aviation sector in Table D-2. In developing and assessing insider threat scenarios, each relevant role can
be identified and examined to consider whether they offer a tactical advantage in relation to each threat type. In applying
this methodology, it is possible to consider insider vulnerabilities as part of an integrated risk assessment. Consideration
of the risks associated with individual job roles can also be used as a basis for determining where additional mitigations
should be applied, such as enhanced vetting or increased surveillance and supervision.

Definitions

2.7 The following terms have been defined for ease of reference:

a) insiders refers to all staff, including full-time, part-time, self-employed, agency, and contracted
employees;

b) tactical advantage comprises preferential access to restricted locations and information, and situations
where work may be done alone and not subject to quality control, and suspicious behaviour may not
be detected;

c) direct attack is a terrorist attack carried out by an insider; and

d) indirect attack is a terrorist attack carried out by a third party facilitated by an insider either positively,
e.g., through the provision of access or information, or negatively, e.g., through neglect of duties.

Principles

2.8 An insider represents a vulnerability and NOT a separate threat. Insiders are potentially one dimension of
a threat scenario; for example, in the case of an IED placed on board an aircraft by a member of staff rather than a
passenger:

a) vulnerability should be measured by role and NOT by the individual, against the baseline of what a
passenger may be able to do, i.e., does a staff member’s tactical advantage give him or her a better
chance of success over and above a passenger?; and

b) the risk assessment process should capture which staff members could:

1) carry out what sort of direct attack, the effectiveness of current security measures to prevent this,
and the resultant residual risk; and

2) facilitate an attack by others, the effectiveness of current security measures to prevent this, and
the resultant residual risk.

Process

2.9 The risk assessment process should involve:

a) devising and agreeing on a list of credible threat scenarios against specific targets, specifically aircraft
and airport infrastructure. A suggested list is provided in Table D-1;

b) devising and agreeing on a list of security-relevant roles in the aviation sector. A suggested generic
list is provided in Table D-2;

c) identifying and scoring the additional tactical advantage of each role against each threat. A possible
scoring system for each role is as follows, depending on whether the role gives:

1) no tactical advantage over being a passenger or member of the public: Score = 1;

2) a tactical advantage and suspicious behaviour that IS likely to be noticed: Score = 2;

3) a tactical advantage and suspicious behaviour that IS NOT likely to be noticed: Score = 3;

4) a major tactical advantage and suspicious behaviour that IS likely to be noticed: Score = 4; and

5) a major tactical advantage and suspicious behaviour that IS NOT likely to be noticed: Score = 5;

d) if a tactical advantage is identified, considering the national and local context such as the economic
and political situation, terrorist activity, serious and organized crime and corruption, etc. to gauge the
likelihood, and current mitigating security measures in order to assess the residual risk; and

e) assessing the vulnerability of existing personnel, and physical, procedural, and information security
measures to being compromised by an insider, in order to identify any increased residual risk arising
from indirect insider facilitation of an attack.
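
The role-against-threat scoring in step c), and the hand-off of scored cells to steps d) and e), can be kept as a small worksheet. The following is an added example, not part of the ICAO document: the function names are assumptions, and the role names, scenario names and judgements are constructed placeholders rather than real assessments.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Advantage(Enum):
    NONE = "none"          # no advantage over a passenger or member of the public
    TACTICAL = "tactical"  # a tactical advantage
    MAJOR = "major"        # a major tactical advantage


@dataclass(frozen=True)
class Assessment:
    role: str
    threat: str
    advantage: Advantage
    likely_noticed: Optional[bool] = None  # only needed once an advantage exists


def tactical_score(advantage: Advantage, likely_noticed: Optional[bool]) -> int:
    """Map the assessor's two judgements onto the 1-5 scale of step c)."""
    if advantage is Advantage.NONE:
        return 1
    if likely_noticed is None:
        raise ValueError("likely_noticed is required once an advantage is identified")
    base = 2 if advantage is Advantage.TACTICAL else 4
    return base if likely_noticed else base + 1


def build_matrix(assessments: List[Assessment], roles: List[str], threats: List[str]):
    """Return (scores, missing); missing lists role/threat cells nobody has scored."""
    scores: Dict[Tuple[str, str], int] = {}
    for a in assessments:
        if a.role not in roles or a.threat not in threats:
            raise ValueError(f"unknown role or threat: {a.role!r} / {a.threat!r}")
        key = (a.role, a.threat)
        if key in scores:
            raise ValueError(f"cell scored twice: {key}")
        scores[key] = tactical_score(a.advantage, a.likely_noticed)
    missing = [(r, t) for r in roles for t in threats if (r, t) not in scores]
    return scores, missing


def review_queue(scores: Dict[Tuple[str, str], int]) -> List[Tuple[str, str, int]]:
    """Cells where an advantage was identified (score >= 2) move on to
    steps d) and e); highest score first, then alphabetical for stable output."""
    flagged = [(r, t, s) for (r, t), s in scores.items() if s >= 2]
    return sorted(flagged, key=lambda cell: (-cell[2], cell[0], cell[1]))


def role_summary(scores: Dict[Tuple[str, str], int], roles: List[str]) -> Dict[str, Optional[int]]:
    """Peak score per role, as a basis for deciding where role-level
    mitigations such as enhanced vetting or supervision are reviewed."""
    return {
        r: max((s for (role, _), s in scores.items() if role == r), default=None)
        for r in roles
    }


# Constructed placeholder inputs; a real worksheet would use the agreed lists
# of threat scenarios and security-relevant roles.
ROLES = ["Role A", "Role B", "Role C"]
THREATS = ["Scenario 1", "Scenario 2"]
SAMPLE = [
    Assessment("Role A", "Scenario 1", Advantage.NONE),
    Assessment("Role A", "Scenario 2", Advantage.TACTICAL, likely_noticed=True),
    Assessment("Role B", "Scenario 1", Advantage.MAJOR, likely_noticed=False),
    Assessment("Role B", "Scenario 2", Advantage.TACTICAL, likely_noticed=False),
    Assessment("Role C", "Scenario 1", Advantage.MAJOR, likely_noticed=True),
    # ("Role C", "Scenario 2") is deliberately left unscored to show gap reporting.
]

if __name__ == "__main__":
    scores, missing = build_matrix(SAMPLE, ROLES, THREATS)
    for role, threat, score in review_queue(scores):
        print(f"{score}  {role:8} {threat}")
    print("peak score per role:", role_summary(scores, ROLES))
    print("not yet assessed:", missing)
```

Reporting unscored cells separately keeps a gap in the assessment from being read as "no tactical advantage".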

Security measures

2.10 These comprise both personnel and physical security measures. Personnel security requirements include
background checks and references prior to employment, identification card issuance, specific and general security
awareness training, and aftercare once employed. Physical security measures include access control, and screening
and searching of staff. If the residual risk is deemed to be unacceptable, additional and/or differing measures should be
considered for the job role in question. Both the analysis of risks and any subsequent action should be considered
alongside other security risk assessment work. The aim should be to create a multi-layered security regime, avoiding
single points of failure.

Employee involvement

2.11 Employees are a valuable source of information on vulnerabilities and how to address them, and their
opinions should be taken into account whenever possible. They should be motivated and informed through regular
briefings on security issues, and have a clear process for reporting any concerns.

Table D-1. Types of threat scenarios

| Threat to airport | Threat to aircraft |
|---|---|
| Vehicle-borne IED (VBIED) parked near terminal | Person-borne IED (PBIED) |
| VBIED parked near air traffic control tower | PBIED — liquid |
| VBIED parked near other facilities, e.g., fuel farm | PBIED — solid |
| VBIED parked near cargo sheds | IED in vehicle |
| VBIED driven into terminal | IED in in-flight supplies |
| VBIED driven into air traffic control tower | IED in cargo |
| VBIED driven into other facilities, e.g., fuel farm | IED in cleaning supplies |
| VBIED driven into cargo sheds | IED in hold baggage |
| IED placed landside | IED in aircraft operator mail |
| IED (solid/liquid) placed airside (carried on foot) | IED left on board aircraft |
| IED (solid/liquid) placed airside (carried in vehicle) | Improvised incendiary device |
| PBIED — landside | IED thrown over perimeter fence |
| PBIED (liquid) — airside | VBIED detonated near aircraft |
| PBIED (solid) — airside | VBIED detonated near aircraft from outside airport |
| IED thrown over perimeter fence | Ramming of aircraft from inside security restricted area |
| Improvised incendiary device | Ramming of aircraft from outside airport |
| Armed attack (guns) — landside | Armed attack — guns/knives |
| Armed attack — mortars | Armed attack — small knives/no weapons |
| Chemical — covert/overt; persistent/non-persistent; remote location/crowded place | Armed attack — non-metallic weapons |
| Biological — deposited/sprayed | Armed attack — MANPADS |
| Radiological exposure device/radiological dispersal device (RED/RDD), remote location/crowded place | Armed attack — rocket-propelled grenades/mortars |
| Sabotage — power | Hijack — conventional |
| Sabotage — water | Aircraft as weapon by flight deck crew |
| Sabotage — telecommunications | Aircraft as weapon commandeered with weapon/IED |
| Sabotage — electronic (denial of service/importation of false data) | Aircraft as weapon — theft |
| Hoax | Aircraft as weapon — stowaway in cargo-only aircraft |

Table D-2. Examples of security-relevant job roles in the aviation sector
(depending on the airport, many of these roles may be located in the security restricted area)

| Job role | Job role |
|---|---|
| Screening persons and cabin baggage | In-flight supply company staff (administration, etc.) |
| Screening hold baggage | Airport supply company staff |
| Screening and security controls for in-flight supplies | Cargo company staff |
| Screening and security controls for airport supplies | Haulier drivers with access to known cargo (access secured by third party) |
| Searching vehicles | Account consignors with access to known cargo |
| Searching/Checking aircraft | Check-in staff |
| Aircraft protection | Police/Control authority |
| Access control (including surveillance and patrols) | Emergency services (fire, ambulance) |
| Security supervisors | Air traffic controllers |
| Security managers | Compliance authority personnel |
| Retail staff | Aviation security trainers |
| Baggage handlers | Validators of known cargo consignors |
| Baggage reconciliation | Issuers of airport identification cards or vehicle passes |
| Cleaners (terminal) | Diplomats |
| Cleaners (aircraft) | Background check counter signatories |
| Aircraft service providers | Public bus drivers |
| Cargo loader (onto aircraft) | Utilities |
| In-flight supplies loader | Airport authority senior management |
| Dispatcher | Drivers of authorised vehicles |
| Aircrew — passenger aircraft | Fuel tanker drivers (to fuel farms) |
| Aircrew — cargo-only aircraft | Airport maintenance (including contractors) |

3. INSIDER THREAT MITIGATION MEASURES — ADDITIONAL CONSIDERATIONS

Physical screening

3.1 An increasing emphasis is being placed on the importance of unpredictability of staff screening measures.
For example, staff may be subject to a range of different physical screening methods (including methods designed to
detect explosives, such as the use of explosives trace detection equipment), which may be applied on a random and/or
unpredictable basis. Use of methods that fully match passenger screening, including screening of all staff upon entry
into the security restricted areas (SRAs), can help provide a high level of assurance if done effectively. Screening of staff
at other times and locations (including on a random and/or unpredictable basis) can offer further mitigation by both
increasing the likelihood of detection and potentially having a significant deterrent effect.

3.2 The same applies to the search of vehicles entering SRAs, which present risks that are particularly
difficult to mitigate effectively. A wide range of vehicles have authorized and legitimate entry to SRAs, and these can
provide multiple complex concealment options. Again, varying the search methods in unpredictable ways can improve
both detection and deterrence.

3.3 Beyond the SRAs of airports, physical screening for personnel with access to cargo or in-flight supplies
within secure supply chains or cargo sheds, as well as other security-sensitive facilities such as engineering bases, can
provide additional mitigation where this does not currently occur.

3.4 Understanding and eliminating routes by which insiders engaged in non-terrorist criminal activities — such
as smuggling of drugs, arms or people — seek to by-pass physical security measures at airports can also help to
identify and reduce vulnerabilities.


Personnel security measures

3.5 Many States are reviewing their existing procedures for conducting background checks and security
vetting of personnel. This appears to be driven by the perceived need to improve the probability of timely detection of
indicators of possible intent. Potential measures in this area include the creation of national databases of airside passes
and other airport identification documents, the use of enhanced intelligence-based background checks, the introduction
of continuous or perpetual vetting (which may involve the regular interrogation of airport pass databases), behavioural
detection techniques and reporting mechanisms whereby concerns can be reported. Analysis of social media and the
use of data analytics (to examine, for example, airport pass applications, employee records and pass usage) offer
additional ways to help identify anomalies and issues of potential concern.

3.6 Ensuring effective linkages within States between intelligence sources and aviation industry employers has
been identified as an important factor. Concerns have been identified in many States around the need to establish a
sound legal basis for the use of intelligence information to facilitate effective action against an employee who is
suspected of insider activities, particularly where that person may not yet have committed criminal acts.

3.7 Establishing an effective security culture throughout the aviation sector, and especially among those
engaged in security-sensitive functions, is a crucial element in mitigating insider threats. Personnel can be motivated
and informed about the risks through regular briefings on threats and wider security issues, can be trained to identify
anomalous or suspicious behaviours, and should have access to a clear process for reporting any concerns. At the
same time employees can be a valuable source of information on vulnerabilities and how to address them, and their
input should be sought and used whenever possible in the assessment and management of insider risks.

3.8 Other potential additional measures identified by the WGTR that could be considered, where not already in
use, include:

a) limiting access rights to particular areas for airside pass-holders;

b) adequate protection of perimeter and access control points to ensure that staff security screening
cannot be by-passed;

c) supervision protocols and wider use of CCTV for people working alone in sensitive areas;

d) enhanced oversight of, and awareness training for, staff involved in issuing passes or conducting
background checks;

e) oversight of third parties with airside access; and

f) use of anti-tamper technologies.

______________________

APPENDIX E

ADDITIONAL DETAIL ON RISK ASSESSMENTS FOR CYBER THREATS

1. ATM SYSTEMS

Likelihood

1.1 Relatively few attacks to date have targeted civil aviation directly but, in recent years, terrorists have
displayed heightened interest in cyber-attacks and general intent to carry them out. However, current extremist hacking
activity is characterized by relatively basic “denial of service” attacks. No examples have been found of specific terrorist
cyber threats against aircraft or airports, nor have indications been found that terrorist groups have acquired or are
developing advanced skills, or that they currently envisage this as an effective way to perpetrate a mass effect attack,
particularly when compared to more obvious and proven attack methodologies. However, these possibilities cannot be
excluded, especially in the future. Overall, the current threat likelihood is therefore assessed as LOW.

Consequences

1.2 The potential consequences are of concern in view of the sector’s high and growing reliance on electronic
systems for safety-critical functions, both on board aircraft and on the ground, and the potential consequences of such
an attack on aircraft in flight.

1.3 The majority of attacks to date have caused a temporary and very overt denial of service. A likely outcome
in the event of a successful attack on ATM systems would be a marginal deterioration in the safety environment for
aircraft in the affected airspace, with attendant disruption and reduced capacity in the ATM system for a period of time. It
is also acknowledged that any consequences are very dependent on the volume of air traffic in the airspace concerned.
It is, however, assumed that any terrorist attack would aim to destroy one or more aircraft, with attendant loss of life and
consequent economic damage to, and loss of confidence in, the aviation sector. Taking a reasonable worst-case
approach, under most scenarios the consequences of a successful terrorist cyber-attack on aircraft in flight through ATM
systems are assessed as HIGH.

Mitigating measures

1.4 There is currently a range of different ATM technologies or methods in use which is in itself a mitigation.
However, there appears to be a general trend towards the removal of redundant or back-up systems in favour of new,
cheaper, automated, single-technology solutions, which could potentially increase the overall vulnerability to a
successful attack.

1.5 Broadly speaking, covert attacks involving the importation of false but credible data into a system that
continues to function are of greater concern than more overt denial of service attacks. This is because it may be more
problematic to monitor, recognize and deal with such issues, especially in busy airspace.


1.6 The only completely failsafe barrier is the physical separation of systems. All firewalls, virus scanners and
other logical separations may be considered to be penetrable given sufficient expertise and time. Systems which share
any device, including mobile devices, cannot be considered to be physically separate.

1.7 However, the level of risk of collision is likely to remain very low. Because the systems used in ATM are
safety critical, a variety of mitigations are already in place in many environments in case of loss or disruption of signals.
These mitigating measures include cross-checks, backup systems, built-in redundancy and duplication, IT security
measures, physical security measures, and well-established incident response procedures and contingency plans. Many
rely on the training and skills of pilots and air traffic controllers to monitor situations and react to issues using other, often
non-automated, techniques and procedures.

1.8 Air traffic control systems typically have in place numerous cross-checks and tests, for example
correlations across different surveillance systems and checks against the filed flight plan, that are designed to detect
false or incongruous data received, which can occur for a variety of reasons, including equipment failure. These
arrangements are designed to reduce the impact of such false data to a nuisance rather than a danger.
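
The kind of cross-check described in 1.8 can be sketched as follows. This is an added illustration, not code from this document or from any ATM system: the report format, the system names, the call signs and the tolerances are all assumptions, and the reports are assumed to be one time-aligned snapshot.

```python
import math
from collections import namedtuple

# Tolerances are assumptions for this illustration, not operational values.
MAX_SOURCE_SEPARATION_NM = 2.0   # same aircraft as seen by two systems
MAX_ROUTE_DEVIATION_NM = 10.0    # reported position vs. filed route

# One position report from one surveillance system (hypothetical format).
Report = namedtuple("Report", "source callsign lat lon")

def _xy(lat, lon, ref_lat):
    """Flat projection to nautical miles; adequate over short distances."""
    return lon * 60.0 * math.cos(math.radians(ref_lat)), lat * 60.0

def separation_nm(a, b):
    ax, ay = _xy(a.lat, a.lon, a.lat)
    bx, by = _xy(b.lat, b.lon, a.lat)
    return math.hypot(bx - ax, by - ay)

def route_deviation_nm(rep, waypoints):
    """Shortest distance from a report to any leg of the filed route."""
    px, py = _xy(rep.lat, rep.lon, rep.lat)
    best = math.inf  # a route with fewer than two waypoints never matches
    for w1, w2 in zip(waypoints, waypoints[1:]):
        x1, y1 = _xy(*w1, rep.lat)
        x2, y2 = _xy(*w2, rep.lat)
        dx, dy = x2 - x1, y2 - y1
        span = dx * dx + dy * dy
        t = 0.0 if span == 0 else ((px - x1) * dx + (py - y1) * dy) / span
        t = max(0.0, min(1.0, t))  # clamp to the leg's end points
        best = min(best, math.hypot(px - (x1 + t * dx), py - (y1 + t * dy)))
    return best

def cross_check(reports, flight_plans):
    """Return {callsign: [findings]} for reports the other data does not corroborate."""
    by_callsign = {}
    for rep in reports:
        by_callsign.setdefault(rep.callsign, []).append(rep)
    findings = {}
    for callsign, reps in by_callsign.items():
        issues = []
        sources = sorted({r.source for r in reps})
        if len(sources) < 2:
            issues.append(f"reported by {sources[0]} only")
        for i, a in enumerate(reps):
            for b in reps[i + 1:]:
                gap = separation_nm(a, b)
                if a.source != b.source and gap > MAX_SOURCE_SEPARATION_NM:
                    issues.append(f"{a.source}/{b.source} positions differ by {gap:.1f} NM")
        plan = flight_plans.get(callsign)
        if plan is None:
            issues.append("no filed flight plan")
        else:
            issues += [f"{r.source} position off filed route" for r in reps
                       if route_deviation_nm(r, plan) > MAX_ROUTE_DEVIATION_NM]
        if issues:
            findings[callsign] = issues
    return findings

# Constructed sample: one time-aligned snapshot from two systems, plus filed routes.
SAMPLE_PLANS = {"EX101": [(50.0, 0.0), (50.0, 1.0)], "EX202": [(51.0, 0.0), (51.0, 1.0)]}
SAMPLE_REPORTS = [
    Report("system_a", "EX101", 50.00, 0.50), Report("system_b", "EX101", 50.01, 0.51),
    Report("system_a", "EX202", 51.00, 0.40), Report("system_b", "EX202", 51.00, 0.60),
    Report("system_b", "EX303", 52.00, 0.20)]

if __name__ == "__main__":
    for callsign, issues in cross_check(SAMPLE_REPORTS, SAMPLE_PLANS).items():
        print(callsign, "->", "; ".join(issues))
```

The corroborated, on-route track produces no finding. The other two are surfaced for a controller to query rather than acted on automatically.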

1.9 In addition, aircraft collision avoidance systems provide an important mitigation against catastrophic
consequences arising from interference with ATM data. It is important to protect these systems from disruption.

1.10 False data will often be evident to, and questioned by, the flight crew. Direct voice communication between
the ground controller and the pilot provides an effective backup in any situation where data flow is interrupted or
interfered with. It is important to protect this form of direct communication and mitigate against spoofing.

Residual vulnerability

1.11 For the majority of the scenarios examined, the vulnerability after mitigation was found to be LOW.
However, this was not so for all scenarios, and further work could usefully be focused on those scenarios where a higher
residual vulnerability was identified.

Residual risk

1.12 The general conclusion from the initial risk assessment conducted by the WGTR is that the residual risk of
a cyber-attack on civil aviation through the ATM system is currently LOW. However, this is a rapidly evolving area. ATM
security is becoming a more integrated operating environment where the “connected aircraft” is one element in a
complex and interconnected system composed of multiple airborne and ground-based elements. For example, the
increased internet connectivity and bandwidth available in the latest SATCOM systems potentially allow the traffic to be
profiled and manipulated. Aircraft are increasingly dependent on the security of the connections to the ground and
airborne and satellite systems. Previously, these communications were confined to proprietary or government regulated
infrastructure but are increasingly making use of public networks and local or cellular wireless connections. These
findings will be kept under close review.

2. AIRCRAFT SYSTEMS

2.1 The growing complexity, connectivity and integration of such systems mean that cybersecurity is
increasingly becoming an issue in the design and operation of civil aircraft.


2.2 An aircraft’s operation can be divided into the three distinct domains below, which separate the safety
critical functions from other less critical information systems:

a) aircraft control systems, i.e., the closed network of safety critical systems required to fly the aircraft
and supporting systems found in the cockpit environment where data corruption or denial of service
could directly impact safety;

b) cabin operational systems, i.e., the private network of systems used to operate the aircraft where data
corruption or denial of service could impact business critical operations and possibly maintenance;
and

c) cabin passenger systems, which are publicly accessible (such as in-flight entertainment) where data
corruption or denial of service has minimal impact on safety.

2.3 This is based on existing industry standards but such segregation may not exist in all aircraft. Also, the
segregation between domains could be compromised via attacks on internal systems/interfaces or where external
connectivity (via communication links or maintenance and supply chains) presents a potential attack vector. The
approach assumes a high level of integration commensurate with recent “e-enabled” aircraft now entering service.
Consequently, not all the scenarios considered will be relevant to older aircraft models — unless they have been
retrofitted or where certain devices are used.

Likelihood

2.4 As with ATM systems, despite broad encouragement for individuals to undertake “electronic jihad”, no
examples of specific terrorist cyber threats against aircraft have been identified, nor is there any evidence of meaningful
advances in terrorist capability in this area, which continues to concentrate on more conventional and proven attack
methodologies. Individuals have made claims about the vulnerabilities of aircraft information systems but the WGTR has
seen no evidence that this has influenced terrorist intentions. However, this could encourage terrorists to try to develop
this capability in the future.

2.5 Most of the scenarios were considered to have a low likelihood due to the absence of the levels of skill,
knowledge, access and preparation required to conduct them. Simply connecting or interacting with systems is not the
same as manipulating the function of a safety-critical system to endanger the aircraft. In some scenarios, the uncertainty
around the likely impact of successfully exploiting a particular vulnerability may mean that they have limited appeal to a
terrorist. As ever, the possibilities offered by a skilled insider need to be considered. However, overall, the current threat
likelihood is expected to be LOW.

Consequences

2.6 Overall, the reasonable worst-case consequences of a successful terrorist cyber-attack which endangers
an aircraft, with the associated human, economic and reputational consequences for the aviation sector, are assessed as
HIGH.

Mitigating measures

2.7 The temporary or sustained loss of a system in a denial of service attack is immediately apparent. It would
only present a safety issue if it were a key avionics system (such as the flight management system) and even then
reverting to manual control should effectively neutralize the incident. Pilot awareness and training and their ability to
recognize problems and to intervene where systems fail or are unavailable are therefore vital. This also depends on how
busy the airspace is and the availability of means to cross check information (such as ATM communication, visual aids
and other instruments).

2.8 Covert, credible data-corruption attacks are of much greater concern as they may affect a safety-critical
system or cause a pilot to act in error and endanger the aircraft. In some cases (such as electronic flight bags), a device
that is also used outside the aircraft could be a means of accessing other systems as well as jeopardizing the
safety-related functions it performs. However, an advanced level of capability and considerable knowledge of the target
aircraft would be needed to conduct a successful attack.

2.9 Maintaining logical or physical segregation between systems using air gaps, firewalls, data diodes and
network extension devices still remains important. Connectivity with enterprise networks operated by a range of
companies is potentially an issue as well as the availability of certain information (i.e., software) on the internet.

2.10 Attacks via passenger or cabin crew facing systems (such as in-flight entertainment and passenger or
crew devices) were not considered to be credible but the WGTR will seek further clarity on the segregation and
effectiveness of the measures in place.

Residual vulnerability

2.11 The WGTR notes that there have been reports of claims by cybersecurity researchers to have hacked
aircraft systems. However, they are usually done under laboratory conditions, with little or no evidence of being able to
do this in the real world. Aviation authorities and aircraft manufacturers have said it is not possible to take full control of
an aircraft using cyber techniques.

2.12 For most scenarios, the vulnerability after mitigation was LOW to MEDIUM-LOW. However, the following
factors, individually or collectively, may in the future increase the vulnerabilities which may be exploited by an able
attacker:

a) increasing reliance on and criticality of some information systems;

b) increasing connectivity with and the dependence on embedded software, which may have an
unknown level of security; and

c) greater inter-connectivity both within aircraft and with external sources either via remote data links or
devices brought on board the aircraft. This includes increased internet connectivity and the use of
commercial off-the-shelf (COTS) equipment and remotely-deployed software updates. This may
increase the chance of an inadvertent attack, i.e., an attack on a system and/or non-aviation target
which has unplanned or unintended consequences for civil aviation using the same system.

2.13 This is especially true for e-enabled aircraft. Current and legacy aircraft may be less vulnerable due to
more limited external connectivity and proprietary systems, but they are also being retrofitted with more modern systems
or maintained using newer techniques (such as wireless data loaders) where the security impact may be poorly
understood. Additional work will be undertaken to reach a firmer conclusion on the effectiveness of existing mitigations.


Residual risk

2.14 Overall, the current likelihood of a terrorist cyber-attack on civil aviation is still assessed to be LOW but the
potential worst-case consequences are assessed as HIGH. Some mitigations are in place so the overall residual risk is
assessed to be LOW at present.

3. AIRPORT SYSTEMS

3.1 The scenarios identified fell into two broad categories:

a) attacks that could facilitate a conventional attack by degrading aviation security measures (screening,
access control, etc.). Despite the claims of various commentators at conferences, etc., it was judged
to be very difficult for an attacker to manipulate the screening technology, usually operated by teams
of security staff at airports, in order to get a prohibited article into a security restricted area. However,
vulnerabilities do exist, e.g., disabling access control, which may then assist an attacker to perpetrate
another form of attack that the WGTR has analysed elsewhere; and

b) attacks intended to disrupt airport or airline operations, principally around passenger facilitation (such
as departure control, baggage handling, etc.). These are mostly overt denial of service attacks where
the worst case outcome would be disruption to an airport or potentially a number of airports if wider,
possibly international, feeds of data were disrupted. These are matters of operational resilience rather
than conventional aviation security and so should be considered as part of business continuity. Again,
given the range of differently sized operations and the variety of systems and interconnectivity, it is
impossible to produce a single accurate risk scenario.

3.2 Appropriate authorities and industry should consider how security measures they rely on may be disabled
or circumvented in their own risk analyses. Developments in screening technology, the increasing amount of equipment
in use, its interconnectivity and the possibilities offered by remote screening may present future issues so the WGTR will
keep this threat area under review.

— END —
