
Cybersecurity of Air Traffic Management and Aviation Systems:
A Systems Engineering Approach to Risk Mitigation

A thesis submitted in fulfilment of the requirements for the degree of

Doctor of Philosophy

Lanka Bogoda
MSc (Telecom & Network Engineering) - RMIT
MSc (Engineering Management) - RMIT

School of Engineering

College of Science, Technology, Engineering and Maths

RMIT University
October 2022

DECLARATION

I certify that except where due acknowledgement has been made, this research is that of the author alone; the content of this research submission is the result of work which has been carried out since the official commencement date of the approved research program; any editorial work, paid or unpaid, carried out by a third party is acknowledged; and, ethics procedures and guidelines have been followed.

In addition, I certify that this submission contains no material previously submitted for award of any qualification at any other university or institution, unless approved for a joint-award with another institution, and acknowledge that no part of this work will, in the future, be used in a submission in my name, for any other qualification in any university or other tertiary institution without the prior approval of the University, and where applicable, any partner institution responsible for the joint-award of this degree.

I acknowledge that the copyright of any published works contained within this thesis resides with those works' copyright holder(s).

I give permission for the digital version of my research submission to be made available on the web via the University’s digital research repository unless permission has been granted by the University to restrict access for a period of time.

I acknowledge the support I have received for my research through the provision of an Australian Government Research Training Program Scholarship.

Lanka Bogoda

27 October 2022

ACKNOWLEDGEMENTS

First and foremost, I want to express my gratitude to my research supervisor and systems engineering lecturer, Professor John Mo, for encouraging me in line with the industry requirement to attain a higher level of competency in systems security engineering. Following the anecdote “to perceive innovation as an extension of an ardent imagination leading to profound excellence and deep satisfaction towards the benefit of mankind”, I wholeheartedly thank Professor John Mo for his infinite insights and encouragement throughout my doctoral work. I also want to thank Professor Cees Bil for his wisdom and encouragement throughout my research at the University.

I take this opportunity to acknowledge the study leave assistance offered by Airservices Australia (ASA), Michelle Bennetts (Executive Manager – Technical, 2016), and my work colleagues. I also want to thank my managers at Thales Australia for their support during the final phase of the epic journey.

Many thanks to the Higher Degrees by Research (HDR) milestone review panel committee members for their constructive feedback during the course of the university review process. The scientific quest and support that I always received from my fellow research colleagues and compadres, Dr Boyd Nicholds, Dr Subramanian Ramasamy, and others at RMIT University, have been highly instrumental during my doctoral work.

I extend my gratitude to the technical and administrative staff of RMIT University, who made the resources available for my research in a timely manner and facilitated my international conference participation and travel arrangements, and to the Government of Australia through the Postgraduate Research Program.

Being a fellow member and Chartered Professional Engineer (CPEng) of Engineers Australia, I participated in various forums, met engineers from diverse backgrounds, and shared their knowledge related to my research area. Participating in international conferences, especially the ICNS conference in the USA, and Aerospace conferences in Australia, allowed me to associate and share insights into cybersecurity issues with high-calibre researchers and big players from FAA, NASA, EUROCAE, Airbus, Boeing, L3Harris, Thales and MITRE. Even though I am not able to recognise them individually for their wisdom, it is always lovely to see them all on my LinkedIn account to foresee the industry’s future from their regular updates.

The research work presented in this thesis is a part of a project which received funding from the Australian government under the Grant Agreement Commonwealth Government Research Training Scheme (RTS). Being a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Certified Cloud Security Professional (CCSP) certification holder, I had the privilege to use a significant amount of cybersecurity resources from the respective security bodies. While working as an engineer at Thales Australia (Systems Security Engineer - ATM systems), Airservices Australia (Australian Air Navigation Service Provider [ANSP]), and Airport & Aviation Services Sri Lanka Ltd (AASL) - ANSP of Sri Lanka, I received over 80 technology-based training courses and engaged in various engineering projects. The training material compiled by original equipment manufacturers, the learning academy of Airservices, and the civil aviation training centre of Sri Lanka were invaluable resources to the research.

The system-based training I received during my tenure with the two prominent ANSPs enabled me to grow my competency in every aspect of system engineering. The situation was evident when I had to discharge my duty as an engineer and technologist, which eventually eased my research journey and is highlighted in the following table.

Domain                            System                                                   Organisation
Communication systems             Satellite systems, VSCS, Microwave radio systems,        AASL; Airservices Australia
                                  VHF radio systems, AFTN, AMHS, Multiplexers,
                                  Radar & Voice recorder systems
Navigational-aid systems          ILS (GP & Localiser), DVOR, DME, Marker beacons          AASL
                                  and NDBs – Sri Lanka
Surveillance systems              Primary Surveillance Radar, Secondary Surveillance       Airservices Australia
                                  Radar, Surface Movement Radar, MLAT and A-SMGCS
Air Traffic Management (ATM)      Eurocat ATM – Sri Lanka; Civil Military Air Traffic      AASL; Thales Australia
Systems                           Management System (CMATS)/OneSky – Australia

The Nectar Research Cloud is a service of the Australian Research Data Commons (ARDC); it enables the Australian research community and industry access to nationally significant, data-intensive digital research infrastructure and platforms. The ARDC facilitated the final stage of my research work with the cloud infrastructure facility. I also want to extend my gratitude to Monash University for allocating resources from their cloud quota. Also, RMIT University provides well-guided research supervision through Professor John Mo and Professor Cees Bil [1]. Also, the university allowed me to use various resources such as laboratory facilities, software, the Nectar research cloud, library facilities and other research-related training to carry out the doctoral work.

Also, I would like to thank the ICNS expert panel who assessed my conference paper and presented me with the best student paper award on the occasion. This award has given me great enthusiasm to continue my research work with higher intensity and commitment.

Best Paper Awards for ICNS 2019
https://i-cns.org/2019/best-paper-awards-for-icns-2019/

I also wish to thank my family (Nelie, Oneli and Kenod) for their support and understanding during the course of my six years as a father, part-time researcher and full-time professional engineer.

Table of Contents
DECLARATION _____________________________________________________________________ ii

ACKNOWLEDGEMENTS _____________________________________________________________ iii

Table of Contents __________________________________________________________________ vii

List of Tables _______________________________________________________________________ xv

List of Figures ______________________________________________________________________ xvii

Glossary of Terms, Abbreviations, and Acronyms ____________________________________ xxi

Abstract ____________________________________________________________________________ 1

Chapter 1: Introduction ___________________________________________________________ 5

1.1 BACKGROUND ______________________________________________________________ 9

1.1.1 THE ICAO INITIATIVE IN ADDRESSING CYBER SECURITY _______________________ 12

1.1.2 ICAO CYBER ICT SECURITY REQUIREMENTS __________________________________ 12

1.1.2.1 SECURITY BY DESIGN ____________________________________________________ 13

1.1.2.2 NETWORK SEPARATION __________________________________________________ 14

1.1.2.3 REMOTE ACCESS _______________________________________________________ 14

1.1.2.4 ICT SECURITY CONTROL CATEGORIES _____________________________________ 14

1.1.3 EVOLUTION OF AEROSPACE INFORMATION TECHNOLOGY, DATALINK AND SECURITY ______ 15

1.1.4 AVIATION INDUSTRY-MAIN ACTORS ________________________________________ 16

1.1.4.1 INTERNATIONAL AVIATION GOVERNING BODY AND ROADMAPS ___________ 16

1.1.4.2 INTERNATIONAL REGULATORY AND SUPERVISORY BODIES (ITU, IEEE, INCOSE) ________ 16

1.1.4.3 NATIONAL AVIATION REGULATORY ORGANISATIONS ______________________ 17

1.1.4.4 EQUIPMENT SPECIFICATION (ARINC, RTCA, EUROCAE) _____________________ 18

1.1.4.5 AIR NAVIGATION SERVICE PROVIDER (ANSP) AND AIR TRAFFIC SERVICE PROVIDER (ATSP) __ 19

1.1.4.6 AERONAUTICAL DATA SERVICE PROVIDERS (ADSPS) _______________________ 20

1.1.4.7 CIVIL-MILITARY COMBINED AVIATION OPERATIONS _______________________ 20

1.1.5 AVIATION DATALINK COMMUNICATION STANDARDS AND SECURITY __________ 20

1.1.5.1 FANS 1/A ______________________________________________________________ 21

1.1.5.2 ATNB1 _________________________________________________________________ 21

1.1.5.3 ATN BASELINE 2 (SC-214/WG-78) ________________________________________ 22

1.1.5.4 AEEC 623 ______________________________________________________________ 24

1.2 AERONAUTICAL INFORMATION TECHNOLOGY, SYSTEMS AND APPLICATIONS ____ 24

1.3 THE PROBLEM _______________________________________________________________ 25

1.4 RESEARCH OBJECTIVES ______________________________________________________ 25

1.5 RESEARCH SUMMARY _______________________________________________________ 27

1.6 RESEARCH QUESTIONS ______________________________________________________ 28

1.6.1 RESEARCH QUESTION 1 ____________________________________________________ 28

1.6.2 RESEARCH QUESTION 2 ____________________________________________________ 28

1.6.3 RESEARCH QUESTION 3 ____________________________________________________ 29

1.6.4 RESEARCH QUESTION 4 ____________________________________________________ 29

1.6.5 RESEARCH QUESTION 5 ____________________________________________________ 29

1.7 IMPLICATIONS OF THE RESEARCH ____________________________________________ 29

1.8 ORGANISATION OF THIS THESIS ______________________________________________ 30

Chapter 2: Literature Review _____________________________________________________ 31

2.1 SECURITY ENGINEERING _____________________________________________________ 31

2.2 SECURITY BY DESIGN ________________________________________________________ 32

2.3 THIRD-PARTY SERVICES - CLOUD AND SECURITY AS A SERVICE__________________ 34

2.4 SECURITY ASSESSMENT, TESTING AND AUDITING _______________________________ 35

2.5 SECURITY CAPABILITY TESTING OR PENETRATION TESTING ______________________ 35

2.6 SECURITY OPERATIONS ______________________________________________________ 36

2.7 ARCHITECTURE FRAMEWORKS________________________________________________ 37

2.7.1 NIST CYBER SECURITY FRAMEWORK (CSF) NIST SP 800-53 _____________________ 37

2.7.2 ISO/IEC 27001 ____________________________________________________________ 37


2.7.3 COBIT ___________________________________________________________________ 38

2.7.4 THE EUROPEAN UNION AGENCY FOR CYBERSECURITY (ENISA) ________________ 39

2.7.5 PROTECTIVE SECURITY POLICY FRAMEWORK (PSPF)- AUSTRALIA_______________ 40

2.7.6 CYBERSECURITY CAPABILITY MATURITY MODEL (C2M2) ______________________ 41

2.7.7 PROJECT MANAGEMENT INSTITUTE (PROJECT MANAGEMENT BODY OF KNOWLEDGE) ________ 42

2.7.8 3PE FRAMEWORK _________________________________________________________ 42

2.7.8.1 RISK MANAGEMENT _____________________________________________________ 42

2.7.8.2 OPERATIONAL SAFETY, SUITABILITY AND EFFECTIVENESS ____________________ 44

2.8 AHP AND ITS APPLICATIONS _________________________________________________ 44

2.9 FUZZY LOGIC AND ITS APPLICATIONS _________________________________________ 45

2.10 GROUND RADIO NAVIGATION _____________________________________________ 46

Chapter 3: Research Methodology _______________________________________________ 48

3.1 METHODOLOGY ____________________________________________________________ 48

3.1.1 CISSP - CERTIFIED INFORMATION SYSTEMS SECURITY PROFESSIONAL __________ 49

3.1.2 THE SECOND ONE IS CISA - CERTIFIED INFORMATION SYSTEMS AUDITOR ______ 49

3.1.3 THE THIRD ONE IS CCSP - CERTIFIED CLOUD SECURITY PROFESSIONAL _________ 50

3.2 RESEARCH DESIGN __________________________________________________________ 52

3.3 INTELLIGENCE COLLECTION__________________________________________________ 52

3.3.1 AIRCRAFT SYSTEM (DOMAIN 1) ____________________________________________ 53

3.3.1.1 TASK AUTOMATION SYSTEMS ____________________________________________ 55

3.3.2 AIR TRAFFIC MANAGEMENT SYSTEM (DOMAIN 2) ____________________________ 58

3.3.2.1 SURVEILLANCE EQUIPMENT ______________________________________________ 64

3.3.2.2 SURVEILLANCE DATA SERVICE ___________________________________________ 64

3.3.2.3 DEPENDENT AND INDEPENDENT SURVEILLANCE ____________________________ 64

3.3.2.4 PRIMARY SURVEILLANCE RADAR (PSR) ____________________________________ 64

3.3.2.5 ADVANCED SURFACE MOVEMENT GUIDANCE AND CONTROL SYSTEM (A-SMGCS) ________ 66

3.3.2.6 MULTILATERATION (MLAT) _______________________________________________ 66

3.3.2.7 SURFACE MOVEMENT RADAR (SMR) SYSTEM ______________________________ 69

3.3.2.8 THE AUTOMATIC DEPENDENT SURVEILLANCE - BROADCAST (ADS-B) _________ 70

3.3.2.9 VHF VOICE AND DATA LINK COMMUNICATION SYSTEMS ___________________ 74

3.3.2.9.1 VHF OVER AN ANALOGUE NETWORK ___________________________________ 74

3.3.2.9.2 VOICE OVER INTERNET PROTOCOL (VOIP) FOR ATM _____________________ 76

3.3.2.10 HF COMMUNICATION SYSTEM ___________________________________________ 77

3.3.2.10.1 GROUND – AIR VOICE COMMUNICATION SYSTEM _______________________ 77

3.3.2.10.2 AERONAUTICAL DATA SERVICES _______________________________________ 79

3.3.2.10.3 VOICE SWITCHING AND CONTROL SYSTEM (VSCS) ______________________ 79

3.3.3 AIRPORT COLLABORATIVE DECISION MAKING (A-CDM) (DOMAIN 3) _________ 85

3.3.3.1 AUTOMATED WEATHER OBSERVING SYSTEM (AWOS) _______________________ 87

3.3.4 SYSTEM WIDE INFORMATION MANAGEMENT (SWIM) (DOMAIN 4) _____________ 89

3.3.4.1 SWIM OPERATION ______________________________________________________ 89

3.3.4.2 AIR TRAFFIC FLOW MANAGEMENT (ATFM) SYSTEM _________________________ 94

3.3.5 THE GROUND RADIO NAVIGATION/LANDING AIDS (DOMAIN 5) ______________ 97

3.3.5.1 INSTRUMENT LANDING SYSTEM (ILS) ______________________________________ 97

3.3.5.1.1 NON-DIRECTIONAL BEACON (NDB) ____________________________________ 97

3.3.5.1.2 MARKER BEACONS ____________________________________________________ 99

3.3.5.2 DISTANCE MEASURING EQUIPMENT (DME) ________________________________ 99

3.3.5.3 DOPPLER VHF OMNI DIRECTIONAL RANGE (DVOR)/VOR __________________ 100

3.3.5.4 MICROWAVE LANDING SYSTEM (MLS) ___________________________________ 102

3.3.5.5 GROUND BASED AUGMENTATION SYSTEM (GBAS) ________________________ 105

Chapter 4: Planning and Analysis _______________________________________________ 108

4.1 DESK SURVEY ______________________________________________________________ 108

4.2 HOW AHP WILL BE USED (RQ4) ______________________________________________ 110

4.3 HOW FUZZY LOGIC WILL BE APPLIED (RQ5) ___________________________________ 111

4.4 BUSINESS CONTINUITY PLAN AND DISASTER RECOVERY PLAN __________________ 111
4.5 INCIDENT IDENTIFICATION __________________________________________________ 112

4.6 PARTICIPANTS _____________________________________________________________ 112

4.7 INSTRUMENTS ______________________________________________________________ 113

4.8 SUMMARY POINTS _________________________________________________________ 113

Chapter 5: Risks Identification Prioritization in Cybersecurity ______________________ 115

5.1 UNIDENTIFIED THREATS AND SYSTEM VULNERABILITIES _________________________ 115

5.2 SYSTEM AVAILABILITY REQUIREMENT AND SECURITY RAMIFICATIONS ___________ 115

5.3 AMBIGUOUS NATURE OF RISK ATTRIBUTES ____________________________________ 116

5.4 USE OF AHP OVER ANP AS A MCDM METHOD ________________________________ 116

5.5 UNCERTAINTY IN RISK ASSESSMENT __________________________________________ 117

5.6 SECURITY ANALYSIS USING A HOLISTIC METHODOLOGY ______________________ 117

5.6.1 ENTERPRISE ARCHITECTURE (EA) FRAMEWORK: _____________________________ 118

5.6.1.1 ZACHMAN FRAMEWORK MODEL ________________________________________ 118

5.6.1.2 THE OPEN GROUP ARCHITECTURE FRAMEWORK (TOGAF) MODEL __________ 119

5.6.1.3 SHERWOOD APPLIED BUSINESS SECURITY ARCHITECTURE (SABSA) MODEL ___ 119

5.6.1.4 DEPARTMENT OF DEFENSE ARCHITECTURE FRAMEWORK (DODAF) __________ 120

5.6.1.5 THE BRITISH MINISTRY OF DEFENCE ARCHITECTURE FRAMEWORK (MODAF) __ 120

5.6.2 INFORMATION TECHNOLOGY SERVICE MANAGEMENT METHODOLOGY: _____ 120

5.7 AVIATION INFORMATION SYSTEMS SECURITY FRAMEWORK ____________________ 121

5.7.1 AVIATION PLAYERS AND SYSTEMS _________________________________________ 122

5.7.2 INFORMATION SECURITY GOVERNANCE ___________________________________ 123

5.7.3 INFORMATION SECURITY MANAGEMENT ___________________________________ 124

5.7.4 SECURITY OPERATING CENTRE (SOC) ______________________________________ 124

5.7.5 SECURITY TESTING AND AUDIT_____________________________________________ 125

5.7.6 REGIONAL AND INTERNATIONAL BODIES, REGULATIONS AND DIRECTIVES ____ 125

5.8 CYBER-SECURITY RISK CLASSIFICATION ______________________________________ 125

5.9 THE BIGGER PICTURE OF CYBERSECURITY ____________________________________ 126

5.10 SECURITY RISK ATTRIBUTES ________________________________________________ 128


5.11 SECURITY RISK DYNAMICS AND DEPENDENCIES ____________________________ 128

5.12 PROPOSED SECURITY RISK ASSESSMENT METHODOLOGY ____________________ 131

5.13 ANALYTICAL HIERARCHY PROCESS (AHP) __________________________________ 132

5.13.1 RISK PRIORITISATION WITH AHP _________________________________________ 133

5.13.2 DECOMPOSITION AND PAIRWISE COMPARISON __________________________ 134

5.13.3 CONSISTENCY INDEX (CI) AND CONSISTENCY RATIO (CR) ________________ 136

5.13.4 NORMALISATION AND WEIGHING RISK ATTRIBUTES _______________________ 138

5.13.5 MEASURING AND PRIORITISING BUSINESS RISK ___________________________ 146

5.14 SUMMARY ______________________________________________________________ 147

Chapter 6: Risks Quantification and Assessment _________________________________ 149

6.1 FUZZY EXPERT SYSTEM (FES) _________________________________________________ 149

6.1.1 COMMON PITFALLS OF AVIATION SYSTEM SECURITY RISK ASSESSMENTS ______ 150

6.1.2 ADAPTATION OF FES TO DEFUZZIFY SECURITY RISK DATA _____________________ 151

6.1.3 THE OPERATION _________________________________________________________ 152

6.1.4 FUZZIFICATION INTERFACE ________________________________________________ 153

6.1.5 INFERENCE ENGINE ______________________________________________________ 153

6.1.6 DE-FUZZIFICATION PROCEDURE ___________________________________________ 154

6.1.7 INTERPRETATION - RISK MATRICES TO IF-THEN RULES ________________________ 154

6.1.8 AGGREGATION OF OUTPUTS ______________________________________________ 155

6.1.9 CENTROID METHOD ______________________________________________________ 155

6.1.10 THE WEIGHTED AVERAGED OUTPUT ______________________________________ 156

6.1.11 THE HIERARCHICAL IMPLEMENTATION ___________________________________ 157

6.1.12 COMBINED RISK ASSESSMENT WITH MULTIPLE THREAT VECTORS ____________ 158

6.2 LINGUISTIC INTERPRETATION OF SECURITY RISK ATTRIBUTES ____________________ 159

6.2.1 ASSET IDENTIFICATION ___________________________________________________ 159

6.2.2 THREAT AND VULNERABILITY IDENTIFICATION _______________________________ 159

6.2.3 PROBABILITY OR THE LIKELIHOOD OF OCCURRENCE ________________________ 159

6.3 MATLAB MODELLING AND SIMULATION ______________________________________ 160


6.3.1 TEST SCENARIO __________________________________________________________ 167

6.3.2 THE CONTEXT ____________________________________________________________ 167

6.3.3 RESULT __________________________________________________________________ 169

Chapter 7: Discussion __________________________________________________________ 173

7.1 THE IMPLEMENTATION OF THE FRAMEWORK __________________________________ 173

7.2 RESEARCH OUTCOME ADDRESSING RESEARCH QUESTION 1 ___________________ 175

7.3 RESEARCH OUTCOME ADDRESSING RESEARCH QUESTION 2 ___________________ 176

7.4 RESEARCH OUTCOME ADDRESSING RESEARCH QUESTION 3 ___________________ 176

7.5 RESEARCH OUTCOME ADDRESSING RESEARCH QUESTION 4 ___________________ 177

7.6 RESEARCH OUTCOME ADDRESSING RESEARCH QUESTION 5 ___________________ 177

7.7 EVALUATION OF THE PROPOSED SECURITY FRAMEWORK AGAINST SPECIFIC CRITERIA ______ 179

7.8 IMPLEMENTATION OF PROPOSED SECURITY FRAMEWORK ______________________ 180

7.9 OPERATION OF PROPOSED SECURITY FRAMEWORK ___________________________ 181

7.10 USABILITY OF THE PROPOSED SECURITY FRAMEWORK _______________________ 181

7.11 AUDITING AND COMPLIANCE ____________________________________________ 182

7.12 GLOBAL IMPLEMENTATION OF THE SECURITY FRAMEWORK _______________________ 183

Chapter 8: Conclusion _________________________________________________________ 185

8.1 MEETING THE RESEARCH OBJECTIVES ________________________________________ 185

8.2 CONTRIBUTION TO KNOWLEDGE ____________________________________________ 186

8.3 CONTRIBUTIONS TO THE PRACTITIONERS _____________________________________ 187

8.4 RESEARCH LIMITATIONS AND STUDY BOUNDARIES ____________________________ 190

Chapter 9: Summary ___________________________________________________________ 192

9.1 FUTURE RESEARCH _________________________________________________________ 194

9.1.1 MOBILE INTERNET ________________________________________________________ 195

9.1.2 THE NETWORK CONVERGENCE ____________________________________________ 195

9.1.3 CLOUD TECHNOLOGY IS BECOMING A MAJOR DRIVING FORCE FOR BUSINESS EFFICACY ____ 195

9.1.4 INTERNET OF THINGS(IOT)_________________________________________________ 195

References _______________________________________________________________________ 196

Appendix A: Domain-wise Cybersecurity Risk Assessment ___________________________ 215

Aircraft (Avionics) System ______________________________________________________215
Air Traffic Management System ________________________________________________217
Airport, Airline and ANSP Network ______________________________________________218
System Wide Information Management (SWIM) _________________________________220
Ground Navigational and Landing Aid__________________________________________222

Appendix B: Cybersecurity Industry Certifications gained by the author ______________ 223

Certified Information Systems Security Professional ______________________________223
Certified Cloud Security Professional____________________________________________223
Certified Information Systems Auditor ___________________________________________223

Appendix C: Best Student Paper - Award Cybersecurity Risk Assessment _____________ 224

Best Paper Awards for ICNS 2019 _______________________________________________224

Appendix D: MATLAB Code - MATLAB & Simulink - MathWorks________________________ 225

Appendix E: Peer-reviewed published research papers______________________________ 231

List of Tables
Table 1. Aeronautical Information Technology, Links and Avionics Applications .............. 23

Table 2. Analysis of literature ................................................................................................... 46

Table 3. The ATM systems and services................................................................................... 59

Table 4. The ATM systems vulnerabilities ................................................................................. 62

Table 5. ICAO ADS-B parameter list ........................................................................................ 71

Table 6. The VSCS threats and vulnerabilities ......................................................................... 80

Table 7. The CNS threats and vulnerabilities ........................................................................... 83

Table 8. The Aircraft systems threats and vulnerabilities........................................................ 83

Table 9. The SWIM threats and vulnerabilities ......................................................................... 92

Table 10. Number of comparisons ......................................................................................... 133

Table 11. Pairwise comparison-rating assignment ............................................................... 133

Table 12. Saaty's random index ............................................................................................. 136

Table 13. Pairwise comparison of cyber-attack on civil aviation systems ......................... 139

Table 14. Comparison matrix of cyber-attack on civil aviation systems derived from the
pairwise comparison in Table 13 ........................................................................................... 140

Table 15. Comparison matrix of cyber-attack on civil aviation systems by an injection . 141

Table 16. Comparison matrix of cyber-attack on civil aviation systems by a Denial of
Service (DoS) attack ............................................................................................................... 142

Table 17. Comparison matrix of cyber-attack on civil aviation systems by Security
Misconfiguration...................................................................................................................... 143

Table 18. Comparison matrix of cyber-attack on civil aviation systems by Remote code
execution................................................................................................................................. 144

Table 19. Eigenvector derived from cyber attack comparison criteria ............................ 145

Table 20. Eigenvector matrix multiplication for civil aviation systems and cyber-attacking
mechanisms ............................................................................................................................ 145

Table 21. Matrix multiplication ............................................................................................... 146

Table 22. The system ranking based on the severity of cybersecurity based on four (4) out
of six (6) attacking methods .................................................................................................. 146
Table 23. Descriptors of Likelihood of Occurrence for Threats ............................................ 159

Table 24. Descriptors of the consequence of the realisation of threats ............................. 160

Table 25. Threat level- Likelihood matrix for Threat Occurrence Factor (TOF) ................... 161

Table 26. Vulnerability assessment criteria ........................................................................... 163

Table 27. TOF- Vulnerability matrix for Threat Realization Factor (TRF) ............................... 163

Table 28. TRF – Asset value matrix for Loss Expectancy (LE) ................................................ 165

Table 29. Loss expectancy – ARO matrix for Annualized Loss Expectancy ....................... 166

Table 30. Test data input for the cyber-attack scenario for simulation .............................. 169

List of Figures
Fig. 1. Information exchange model: Avionics and Ground-based aviation systems.......... 6

Fig. 2. Domain 1 - Aircraft avionics and information processing systems in the cockpit. .... 7

Fig. 3. A typical air traffic control position (or console) (picture credit: Airservices). ........... 8

Fig. 4. Aviation information technology and system design procedure. ............................. 19

Fig. 5. Aeronautical communication architecture between cockpit and ground systems
(adopted from Airbus). ............................................................................................................. 22

Fig. 6. Source: Cyber-security application for SESAR Final Report[109]. ............................... 33

Fig. 7. ENISA Information Security Management framework. ................................................ 40

Fig. 8. C2M2 Information Security Management framework. ................................................ 41

Fig. 9. Product Process People Environment (3PE) model...................................................... 43

Fig. 10. The methodology adopted to solve the problem. .................................................... 48

Fig. 11. Domain 1 - Aircraft Information Processing Systems and Interconnections. .......... 54

Fig. 12. Aircraft Information System Architecture. ................................................................. 55

Fig. 13. FIR and Sectorisation of airspace for efficient Air Traffic Management. .................. 59

Fig. 14. Domain 2 - A typical configuration of an Air Traffic Management (ATM) system. . 61

Fig. 15. ANSP communication and surveillance system antenna (a) Secondary radar (b)
Primary radar (c) Microwave radio (d) VHF stacked folded dipoles (e) VHF radio single
folded dipole – Melbourne Airport Radar station. .................................................................. 63

Fig. 16. Primary and secondary radar systems used for civil aircraft surveillance. ............. 65

Fig. 17. Multilateration – processing delay (DOD attack) effect on the accuracy of aircraft
location information.................................................................................................................. 67

Fig. 18. Multilateration systems used for civil aircraft surveillance. ...................................... 68

Fig. 19. Surface movement radar (SMR) used in Melbourne airport for airport surveillance. .... 69

Fig. 20. ADS-B surveillance network. ....................................................................................... 71

Fig. 21. Typical VHF radio network connection between aircraft and the ATM services. ... 74

Fig. 22. Various communication links used for VHF services. ................................................ 75

Fig. 23. VHF retransmission: cybersecurity effect on a more significant ATC sector. .......... 76

Fig. 24. VHF voice data and possible cybersecurity exposure points. ................................. 77

Fig. 25. Nextgen VOIP VHF network. ........................................................................................ 80

Fig. 26. Airport Collaborative Decision Making (A-CDM) architecture. ............................... 85

Fig. 27. AWOS network connections with IoT, PLC and SCADA. ............................................ 87

Fig. 28. SWIM operation model. ............................................................................................... 90

Fig. 29. SWIM Functional architecture. .................................................................................... 91

Fig. 30. ATFM operational architecture[224]. .......................................................................... 94

Fig. 31. The ground radio navigation and landing aids. ........................................................ 98

Fig. 32. DME interrogation pulse separation and width measurements. .............................. 99

Fig. 33. DME operation principle. ........................................................................................... 100

Fig. 34. (a) En-route DME (b) DVOR system with Alford loop antenna array (c) Glide path
system antenna (d) Localiser system antenna array. .......................................................... 101

Fig. 35. Cybersecurity effect: Compromised IoT, effect on DVOR operation. ................... 102

Fig. 36. Cybersecurity effect: Compromised IoT, effect on MLS vertical operation ......... 103

Fig. 37. Cybersecurity effect: Compromised IoT, effect on MLS horizontal operation. ..... 103

Fig. 38. Melbourne airport GBAS installation (a) Receiver antenna (picture credit:
Honeywell Training notes) (b)Processor equipment (picture credit: Honeywell training
notes) (c) Transmit antenna - VDB data broadcast – Melbourne Airport........................... 105

Fig. 39. Cybersecurity effect: Compromised IoT, effect on GBAS operation. ................... 106

Fig. 40. Keyword network visualisation. ................................................................................ 108

Fig. 41. NVivo System generated word cloud on 16 publications under four
transdisciplinary X4.0 systems of systems artifacts. ............................................................. 109

Fig. 42. Cybersecurity Framework key risk attributes and interaction. .............................. 110

Fig. 43. The Proposed Aviation Systems Security Framework. ............................................. 121

Fig. 44. Visualising aviation cybersecurity artefacts through a mind map. ....................... 127

Fig. 45. Information exchange model at state and domestic level.................................... 129

Fig. 46. Information exchange model at regional level networking with regional entities.
.................................................................................................................................................. 130
xviii
Fig. 47. Application of Information exchange model when applied at the global level. . 131

Fig. 48. Security risk assessment process - civil aviation systems. ...................................... 132

Fig. 49. Pairwise assessment of security risk .......................................................................... 135

Fig. 50. The stepwise process of pairwise comparison in obtaining consistency. ............. 137

Fig. 51. Security risk assessment process - civil aviation systems. ...................................... 149

Fig. 52. Conventional (a) and Fuzzy logic method (b) in risk assessment. ........................ 151

Fig. 53. The fuzzy logic method: numerical interpretation. .................................................. 151

Fig. 54. The underlying architecture of a fuzzy expert system............................................. 153

Fig. 55. Aggregation of a two-input, Mamdani Fuzzy inference process with crisp inputs.
.................................................................................................................................................. 155

Fig. 56. Centroid method output. ........................................................................................... 156

Fig. 57. Weighted averaged output. ...................................................................................... 156

Fig. 58. Four-stage hierarchical fuzzy system security risk assessment. ............................. 157

Fig. 59. Layered multiple instance architecture of Mamdani fuzzy system computation. 158

Fig. 60. The use of If-Then_else rules for Threat level- Likelihood matrix of Threat
Occurrence Factor (TOF)........................................................................................................ 161

Fig. 61. Matrix interpretation of the fuzzy rule. ...................................................................... 162

Fig. 62. MATLAB graphical modelling for Threat Occurrence Factor(TOF) with the variation
of threat level & the likelihood of occurrence parameters. ................................................ 162

Fig. 63. MATLAB graphical modelling of ToF with threat & likelihood variation. ................. 162

Fig. 64. MATLAB, graphical modelling, for Defuzzification of ToF & vulnerability. .............. 164

Fig. 65. MATLAB the graphical modelling for threat realisation factor (with ToF &
vulnerability variation). ........................................................................................................... 164

Fig. 66. MATLAB, graphical modelling for Defuzzification of TRF & Asset value. ................. 165

Fig. 67. MATLAB, graphical modelling for Loss Expectancy (with the TRF & Asset value
variation).................................................................................................................................. 165

Fig. 68. MATLAB, graphical modelling for Defuzzification of Loss Expectancy & ARO. ..... 166

Fig. 69. MATLAB graphical modelling for Annualised Loss Expectancy with Loss
Expectancy & ARO. ................................................................................................................ 167

xix
Fig. 70. The proposed risk assessment criteria are modelled in the Fuzzy Logic toolbox of
MatLab Simulink. ..................................................................................................................... 168

Fig. 71. The aggregated output of Mamdani fuzzy model output for ALE on the Matlab Rule
viewer with LE=23.5 & ARO=8. ................................................................................................ 169

Fig. 72. The aggregated output of Mamdani fuzzy model output for ALE on the Matlab Rule
viewer with LE=75 & ARO=8. ................................................................................................... 170

Fig. 73. The aggregated output of Mamdani fuzzy model output for ALE on the Matlab Rule
viewer with LE=23.5 & ARO=75. .............................................................................................. 170

Fig. 74. The aggregated output of Mamdani fuzzy model output for ALE on the Matlab Rule
viewer with LE=LE=75 & ARO=75. ............................................................................................ 170

Glossary of Terms, Abbreviations, and Acronyms

Term Meaning
2FA 2-factor Authentication
3PE Product, Process, People & Environment
A/G Air/Ground
AAA Authentication, Authorization, and Accounting
AAMS Australian Aeronautical Messaging System
AASL Airport and Aviation Services (Sri Lanka) Ltd
ACA Airports Coordination Centers
ACARS Aircraft Communications Addressing and Reporting System
ACAS Airborne Collision Avoidance System
ACC Area Control Centre
A-CDM Airport Collaborative Decision Making
ACID Aircraft Identification
ACL Access Control Lists
ACL ATC Clearance
ACM Airport Capacity Management
ACM ATC Communication Management
ACP ATM Collision Prevention
AD Active Directory
ADEP Airport Departure
ADIN Aeronautical Data Interchange Network
ADMS Aeronautical Data Management System
ADS-A Automatic Dependent Surveillance – Address
ADS-B Automatic Dependent Surveillance – Broadcast
ADS-C Automatic Dependent Surveillance - Contract
ADSP Aeronautical Data Service Providers
ADS-R Automatic Dependent Surveillance – Rebroadcast
AEEC Airlines Electronic Engineering Committee
AERIS Automatic En-route Information Service
AES Advanced Encryption Standard
AFCS Automatic Flight Control System
AFS Aeronautical Fixed Service
AFTN Aeronautical Fixed Telecommunications Network
AHM Airplane Health Management System / Aircraft Health Monitoring
AHP Analytical Hierarchy Process
AI Artificial Intelligence
AIDA-NG Aeronautical Integrated Data Exchange Agent- New Generation
AIDC Air Traffic Service Interfacility Data Communications
AIM Aeronautical Information Management
AIP Aeronautical Information Package
AIRSEP Air-to-Air Self Separation
AIS Aeronautical Information Service
AIXM Aeronautical Information Exchange Model
ALARP As low as reasonably practicable
ALAS ADS-B Link Augmentation System
ALE Annualised Loss Expectancy
ALR Alerting - ICAO message in Emergency messages
AMHS Aeronautical Message Handling System
ANSP Air Navigation Service Provider
AO Aircraft Operators
AOC Airline Operation Centre
AP Access Point
AP/FD Auto-Pilot and Flight Director
APC Aeronautical Passenger Communications / Air Passenger Communications
APDU Application Protocol Data Unit
API Application Programming Interfaces
APO Airport Operator
APOC Airport Operations Centres
APPR Approach
APT Advanced Persistent Threat
ARINC Aeronautical Radio INC
ARO Annual Rate of Occurrence
ASBU Aviation System Block Upgrades
ASCII American Standard Code for Information Interchange
A-SMGCS Advanced Surface Movement Guidance and Control Systems
ATA Air Transport Association
ATC Air Traffic Control
ATCC Air Traffic Control Centre
ATCo Air Traffic Controller
ATCRBS Air Traffic Control Radar Beacon System
ATCWPs Air Traffic Controller Working Positions
ATFCM Air Traffic Flow and Capacity Management
ATFM Air Traffic Flow Management
ATIS Automatic Terminal Information Service
ATM Air Traffic Management
ATN Aeronautical Telecommunication Network
ATS Air Traffic Services
ATSB Australian Transport Safety Bureau
ATSC Air Traffic Services Centre
ATSP Air Traffic Service Provider
AV Antivirus
AV Asset Value
AWOS Automated Weather Observing System
AWS Automatic Weather Station
BADA Base of Aircraft Data
BCP Business Continuity Planning
BER Bit Error Rate
BGP Border Gateway Protocol
BIA Business Impact Analysis
BIOS Basic Input and Output System
BIS Boundary Intermediate System
BITE Built-In-Test Equipment
BLOB Binary Large Object
BMS Battlefield Management Systems
BoF Buffer Overflow
BoM Bureau of Meteorology
BYOD Bring Your Own Device
CA Certification Authority
CAA Civil Airworthiness Authority
CAA Civil Aeronautics Authority
CAIQ Consensus Assessments Initiative Questionnaire (by CSA)
CASA Civil Aviation Safety Authority
CASR Civil Aviation Safety Regulations
CAT Category (Instrument Landing)
CATIS Computerised Automatic Terminal Information Service
CBoK Common Body of Knowledge
CC Common Criteria
CCSP Certified Cloud Security Professional
CCTV Closed Circuit Television
CD Collision Detection
CDA Continuous Descent Approach
CDM Collaborative Decision Making
CDS Cross-Domain Solution
CDTI Cockpit Display of Traffic Information
CFIT Controlled Flight Into Terrain
CI Critical Infrastructure
CI Consistency Index
CI/CD Continuous Integration and either Continuous Delivery or Continuous Deployment
CIA Confidentiality, Integrity, Availability
CIO Chief Information Officer
CIP Critical Infrastructure Protection
CISA Certified Information Systems Auditor
CISO Chief Information Security Officer
CISSP Certified Information Systems Security Professional
CL Network Layer Connectionless
CLI Command-line Interface
CLNP Connectionless Network Protocol
CM Conflict Management
CMDB Configuration Management Database
CNR Combat Net Radio
CNS Communications, Navigation, Surveillance
COBIT Control Objectives for Information and Related Technologies
COBT Calculated Off Blocks Times
COCR Communications Operating Concept and Requirements
CONOPS Concept of Operations
COTS Commercial Off-The-Shelf
CPDLC Controller Pilot Data Link Communications
CPL Current Flight Plan
CPS Commercial and Prototypes Standards
CR Consistency Ratio
CRD Clearance Request and Delivery
CSA Cloud Security Alliance
CSN Channel Sequence Number
CSS Core Sub System
CTMS Central Traffic Management System
CVE Common Vulnerabilities and Exposures
CVSS Common Vulnerability Scoring System
DAM Dynamic Airspace Management
DAP Departure and Approach Procedures
DAST Dynamic Application Security Testing
Data Flight, Surveillance, Aeronautical, Meteorological, Capacity/demand and ATFCM information in the raw format
DATO Denial of Authorization To Operate
DBMS Database Management Systems
DCL Departure Clearance
DCS Distributed Control System
DDM Difference of Depth of Modulation
DDoS Distributed Denial-of-Service attack
DES Data Encryption Standard
DFS Deutsche Flugsicherung GmbH (German ANSP)
DISA Defence Information Systems Agency
DLIC Data Link Initiation Capability
DLP Data Loss Prevention
DLS Data Link Service
DME Distance Measuring Equipment
DNS Domain Name System
DoD Department of Defence
DoDAF Department of Defence Architecture Framework
DoS Denial-of-Service attack
DR Disaster Recovery
DRP Disaster Recovery Planning
DSA Digital Signature Algorithm
D-TAXI Data Link Taxi
DVOR Doppler VHF Omni Range
DYNAV Dynamic Route Availability
EASA European Aviation Safety Agency
EDI Electronic Data Interchange
EFB Electronic Flight Bag
EIGRP Enhanced Interior Gateway Routing Protocol
EMG Emergency - AIDC message
EOL End of Life
EOS Embedded Operating System
ES Extended Squitter
ESDS Electronic Strip Display System
ESM Enterprise Service Management
EUROCAE European Organisation for Civil Aviation Equipment
FAA Federal Aviation Administration
FANS-1 Future Air Navigation System implemented by Boeing
FANS-A Future Air Navigation System implemented by Airbus
FAR Federal Aviation Regulations
FAS Final Approach Segment
FDP Flight Duty Period
FES Fuzzy Expert Systems
FIR Flight Information Region
FIS Flight Information Service
FIS-B Flight Information Service – Broadcast
FISMA Federal Information Security Management Act
FIXM Flight Information Exchange Model
FMECA Failure Modes Effects and Criticality Analysis
FMS Flight Management System
FPGA Field Programmable Gate Array
FPL Flight Plan
FTA Fault Tree Analysis
FW Firewall
GAMMA Global ATM Security Management
GBAS Ground-Based Augmentation System
GEO Geostationary Orbits
GLONASS GLObalnaya NAvigatsionnaya Sputnikovaya Sistema (Russian alternative to GPS)
GNSS Global Navigation Satellite System
GP Glide Path
GPS Global Positioning System
GPS RAIM Global Positioning Satellite Receiver Autonomous Integrity Monitoring
GPWS Ground Proximity Warning System
GUI Graphical User Interface
HF High Frequency
HFCS High Frequency Control System
HFDL HF Data Link
HIDS Host based IDS (Intrusion Detection System)
HMI Human Machine Interface
HTTP HyperText Transfer Protocol
HUD Head-Up Display
HVAC Heating, Ventilation and Air Conditioning
I/O Input/Output
IaaS Infrastructure as a Service
IATA International Air Transport Association
ICAO International Civil Aviation Organisation
ICMP Internet Control Message Protocol
ICS Industrial Control System
ICNS Integrated Communications, Navigation and Surveillance Systems (ICNS) Conference
ICT Information, Communication and Technology
IDM Identity Management
IDRP Inter Domain Routing Protocol
IDS Intrusion Detection System
IEC International Electrotechnical Commission
IER Information Exchange and Reporting
IETF Internet Engineering Task Force
IFE In-flight entertainment
IFER In Flight Emergency Response
IFF Identify Friend or Foe
IFR Instrument Flight Rule
ILS Instrument Landing System
INCOSE International Council on Systems Engineering
INS Inertial Navigation System
INSACSs Interstate airway communication stations
IoT Internet of Things
IP Internet Protocol
IPS Intrusion Prevention System
IPSec Internet Protocol Security
IRP Incident Response Plan or Policy
IS Intermediate System
ISACA Information Systems Audit and Control Association

ISAKMP Internet Security Association Key Management Protocol
ISDN Integrated Services Digital Network
ISM Information Security Manual (Australia)
ISO International Organization for Standardization
ISP Internet Service Provider
IT Information Technology
ITIL Information Technology Infrastructure Library
ITP In Trail Procedure
ITU-T International Telecommunication Union - Telecommunication Standardization Sector
KAM Keep Alive Messages (during the flight when there is no traffic)
KC Kill Chain
KL Kali Linux
LAN Local Area Network
LDACS L-band Digital Aeronautical Communication System
LDAP Lightweight Directory Access Protocol
LE Loss Expectancy
LEO Low Earth Orbit
LIDAR Light Detection and Ranging
LoS Line-of-Sight
LPI Low Probability of Intercept
MAC Mandatory Access Control
MAC Media Access Control (MAC address)
MAC Message Authentication Code
MAC Mid-Air Collision
MAG DEV Magnetic Deviation
MASPS Minimum Aviation System Performance Standard
MATS Mobile Aircraft Tracking System
MCDU Multi-Function Control and Display Unit
MDPDS Meteorological Data Processing and Display System
MET Meteorology
MFA Multi-Factor Authentication
MHS Message Handling System
MIDCAS Mid Air Collision Avoidance System
MIME Multipurpose Internet Mail Extensions
MIS Meteorological Interface System
MITM Man-in-the-middle attack
MJATS Manual of Joint Air Traffic Services
MLAT Multilateration
MLS Microwave Landing System
Mode A ATC Transponder Mode signifying aircraft call sign
Mode C ATC Transponder Mode signifying aircraft call sign and altitude
Mode S ATC Transponder Mode Select (selective interrogation)
MOPS Minimum Operational Performance Standards
MSK Minimum-Shift keying
MSSR Mono-pulse Secondary Surveillance Radar
NAIPS National Aeronautical Information Service
NASA National Aeronautics and Space Administration
NAT Network Address Translation
NATS National Air Traffic Services
NCASP National Civil Aviation Security Programme
NDA Non-disclosure agreement
NextGen Next Generation Air Transport Management System (USA)
NFR Non-functional Requirement
NGFW Next-Generation Firewall
NGS Navigation and Guidance System
NIC Navigation Integrity Category
NIDS Network IDS (Intrusion Detection System)
NIPS Network IPS (Intrusion Prevention System)
NIST National Institute of Standards and Technology
NOC National Operations Centre
NOTAM Notice to Airmen
NPDU Network Protocol Data Units
NPER NAIPS Equipment Room
NSAP Network Service Access Point
NVD National Vulnerability Database
OCL Oceanic Clearance
OSI Open Systems Interconnection
OT Operational Technology
OWASP Open Web Application Security Project
OWP Operator Working Position
P2P Peer to Peer
PaaS Platform as a Service
PABX Private Automated Branch Exchange
PBC Performance-Based Communication
PBN Performance-Based Navigation
PBS Performance-Based Surveillance
PFD Primary Flight Display
PKI Public Key Infrastructure
PLA Programmable Logic Array
PLC Programmable Logic Controller
PPI Plan Position Indicator
PPP Point-to-Point Protocol
PPPoE PPP over Ethernet
PR Position Report
PRD Prohibited Restricted Danger
PRNAV Precision Area Navigation
PSR Primary Surveillance Radar
PT Penetration Test
QAR Quick Access Recorder
QNH Question Nil Height [mean sea level pressure (MSLP)]
RADAR Radio Detection And Ranging
RBA Risk-based Assessment
RBAC Role-Based Access Control
RCA Root Cause Analysis
RCE Remote Code Execution
RCMS Remote Control and Monitoring Systems
RCP Required Communication Performance
RDP Remote Desktop Protocol
RDP Radar data processor
REST Representational State Transfer (web services)
RFC Radio Communications Failure
RMF Risk Management Framework
RNAV Area Navigation
RNP Required Navigation Performance
RoC Risk-of-Collision
ROI Return on Investments
RPA Remotely Piloted Aircraft
RSA Rivest-Shamir-Adleman (encryption)
RSP Required Surveillance Performance
RTCA Radio Technical Commission for Aeronautics
RTO Recovery Time Objective
RVR Runway Visual Range
RVSM Reduced Vertical Separation Minima
RTA Required Time of Arrival
SA&CA Separation Assurance and Collision Avoidance
SaaS Software as a Service
SABSA Sherwood Applied Business Security Architecture
SAR Search And Rescue
SARPs Standards and Recommended Practices
SC-31 Special Committee 31
SCADA Supervisory Control And Data Acquisition
SDLC Software Development Lifecycle
SDN Software-Defined Networking
SESAR Single European Sky ATM Research
SHA Secure Hash Algorithm
SIEM Security Information and Event Management
SIGMET Significant Meteorological Information
SiS Signal in Space
SITA Société Internationale des Télécommunication Aéronautiques
SLA Service-Level Agreement
SLE Single Loss Expectancy
SMR Surface Movement Radar
SMTP Simple Mail Transfer Protocol
SNACP System Network Architecture Control Protocol
SNMP Simple Network Management Protocol
SOA Service Oriented Architecture
SOAP Simple Object Access Protocol
SOE Standard Operating Environment
SPFIB Special Pre Flight Information Bulletin
SQL Structured Query Language (database system)
SQLi SQL injection
SSRF Server-Side Request Forgery
SSDLC Secure Software Development Lifecycle
SSE System Security Engineering
SSH Secure Shell
SSL Secure Sockets Layer
SSO Single Sign-on
SSR Secondary Surveillance Radar
STAR Standard Terminal Arrival Route
Stuxnet A type of malicious computer worm
SWIM System-Wide Information Management
T&E Test and Evaluation
TACAN Tactical Air Navigation
TACAS Traffic Alert and Collision Avoidance System
TAM Total Airport Management
TAWS Terrain Avoidance Warning System
TBO Trajectory-Based Operations
TCA Terminal Control Areas
TCAS Traffic Collision Avoidance System
TCER Terminal Communications Equipment Room
TCU Terminal Cellular Unit (Boeing GateLink)
TDMA Time Division Multiple Access
TDOA Time Difference of Arrival
TIS-B Traffic Information Service – Broadcast
TIS-B (ADS-R) Traffic Information Service-Broadcast or ADS–Rebroadcast
TKIP Temporal Key Integrity Protocol
TLS Transport Layer Security
TMA Terminal Manoeuvring Area
TMI Traffic Management Initiatives
ToF Threat Occurrence Factor
TOGA Take Off/Go Around
TOGAF The Open Group Architecture Framework
TPM Trusted Platform Module
TRF Threat Realisation Factor
TWLU Terminal Wireless Lan Unit
UAS Unmanned Aerial Systems
UAT Universal Access Transceiver
UAV Unmanned Aerial Vehicles
UTC Coordinated Universal Time
VASIS Visual Approach Slope Indicator Systems
VDAR Virtual Digital Aircraft condition monitoring system (ACMS) Recorder
VDB VHF Data Broadcast
VDL Very-High-Frequency Data Link
VDL2 VDL Mode 2
VHF Very High Frequency
VLAN Virtual Local Area Network
VM Vulnerability Management
VMF Variable Message Format
VoIP Voice over Internet Protocol
VOLMET Meteorological Information for Aircraft in flight
VOR VHF Omni-directional Ranging Radio
VPN Virtual Private Network
VSCS Voice Switching and Control System
WAF Web Application Firewall
WAKE Wake Turbulence
WAM Wide-Area Multilateration
WAN Wide Area Network
WP Waypoint
WRDDS Weather Radar Data Display System
WXXM Weather Information Exchange Model
XOT X.25 over TCP/IP
XSS Cross Site Scripting
ZPZQ A system for Automatic AFTN redirection

Abstract

Autonomy in flight operations has reconceptualised the aerospace cybersecurity paradigm for a new era. Cybersecurity is about preventing or mitigating malicious acts undertaken either to compromise systems directly or to access valuable information that could be subject to criminal misuse. The cybersecurity of Communication, Navigation, and Surveillance / Air Traffic Management (CNS/ATM) systems aims to control the effects of such threats and enhance the safety of flying passengers. In addition, complicated risk management issues have impacted the cyber resilience of state-of-the-art CNS/ATM and avionics systems. The security of legacy aviation and airport infrastructure has been curtailed owing to its connection to public networks, which constitutes a significant risk to the aviation industry and the general public as a whole.

The industry and governing bodies such as the International Civil Aviation Organization (ICAO) and the Civil Air Navigation Services Organisation (CANSO) recognise that digital transformation is a definite requirement for the industry to evolve and provide efficient services. However, this effort has introduced a new constraint for aircraft manufacturers, airlines, air navigation service providers and air traffic service providers: cybersecurity.

Aviation cybersecurity issues have remained despite the enormous effort to remediate multiple openings to breaches. Numerous incidents have been reported with the intention of gaining financial advantage and, on some occasions, of causing malicious acts that take lives. This scenario is far from the worst case, in which malevolent players take control of a securely connected aircraft or ATM system. The growth of the digital aviation landscape also paves the way for potential security vulnerabilities owing to information sharing and open telecommunication and network architectures. To defend against possible breaches and enhance resilience in the security space, regional aviation authorities have reportedly updated their information system security frameworks on many fronts, including event management and new standards dedicated to systems. Aerospace system suppliers, manufacturers and academia also strive to curb cyber threats.

The prevailing control mechanisms in place, which aim to assure the Confidentiality, Integrity and Availability (CIA) of information, have a multitude of deficiencies in deciding the extent of vulnerability of systems, the severity of impact and, subsequently, the overall risk rating. Weaknesses in some of the security controls intended to mitigate the impact of cyber-attacks also contribute to this issue. A risk-based systems engineering solution is envisioned for managing today's cyber-physical systems, which may comprise interwoven Systems of Systems (SoS). This research investigates threats to aviation assets and vulnerabilities of aviation systems and recommends a holistic approach to mitigate possible risks. The thesis also proposes a novel framework to manage risks by enhancing the consistency and accuracy of the risk attributes of CNS/ATM systems, avionics and airport systems.

In order to meet the objectives specified, a significant effort was put into studying the use of systems engineering products, processes, people and environment (3PE) in the context of aviation-related IT/OT and their interaction. As part of this process, exploitable cybersecurity vulnerabilities were investigated in the key domains: aircraft, CNS/ATM and airport systems. Cybersecurity threat hunting was performed as part of intelligence collection. Information on the Dark Web has been an excellent source of attack methods and exploits that are potentially successful in compromising systems. Threat hunting has been a labour-intensive assignment for an analyst interpreting the context. A large portion of the thesis comprises intelligence collection and can be used as a body of knowledge by security professionals in the industry. Successfully exposing any of these vulnerabilities using penetration test techniques can yield new threat signatures for IPS and IDS solutions to protect aerospace systems.

In meeting one of the primary research objectives, an effective risk assessment technique is developed to improve how risks are identified and to determine an effective method of prioritising risks. The approach is discussed, analysed, applied to test cases and described. This process involved security governance principles, testing and audit, risk classifications and attributes, and measuring and prioritising business risk. It also examined the external threats to aviation systems, how these threats impede operations, and the possible consequences of a cyber attack; these are listed for future research.

The research also investigated various system security architecture frameworks that can systematically improve the identification of risks and mitigate them effectively. A further in-depth study demonstrates why a standard (non-aviation-related) security framework does not fully address specific threats against current and potential vulnerabilities in the aerospace industry, and describes the implications.

The deficiencies identified in the existing frameworks are described, and changes are proposed to minimise the impact of cyber incidents by reducing the uncertainty of cybersecurity risk attributes. For this purpose, a broad investigation of the literature was performed, and the severity of risk attributes was ranked based on their industry acceptance, with the aim of minimising impact by reducing uncertainty.

The research also presents a pragmatic, industry-specific risk management framework for aviation systems that could be employed to enhance the security risk management process. The section describes the application of the framework, the attributes of the risk parameters, and the various methodologies that can be utilised to improve security attributes.

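The risk assessment technique summarised above is, per the list of figures (Figs. 52 to 74), a four-stage hierarchical Mamdani fuzzy system in which threat level and likelihood give a Threat Occurrence Factor (TOF), TOF and vulnerability give a Threat Realisation Factor (TRF), TRF and asset value give a Loss Expectancy (LE), and LE and Annual Rate of Occurrence (ARO) give the Annualised Loss Expectancy (ALE), with centroid or weighted-average defuzzification. The following is an added example written for this page, not code from the thesis or its MATLAB Simulink Fuzzy Logic Toolbox model: the triangular Low/Medium/High membership functions, the 3x3 rule matrix, the 0..100 scales and the sample inputs are all constructed assumptions, chosen only to show how the stages chain and how clipping and centroid defuzzification move a crisp score.

```python
"""Hierarchical Mamdani fuzzy risk scoring: TOF -> TRF -> LE -> ALE.

Added illustration. Membership functions, rule matrix and 0..100 scales are
assumptions, not the thesis's MATLAB Fuzzy Logic Toolbox model.
"""
from typing import Dict, Tuple

LEVELS = ("L", "M", "H")
# Triangular membership (a, b, c) on a 0..100 universe; shoulders at the edges (assumed).
MF: Dict[str, Tuple[float, float, float]] = {
    "L": (0.0, 0.0, 50.0),
    "M": (0.0, 50.0, 100.0),
    "H": (50.0, 100.0, 100.0),
}
UNIVERSE = [float(u) for u in range(0, 101)]  # discretised output universe

# Rule matrix (assumed): (term of input 1, term of input 2) -> output term.
# This is the If-Then matrix form of a risk matrix with constructed consequents.
RULES: Dict[Tuple[str, str], str] = {
    ("L", "L"): "L", ("L", "M"): "L", ("L", "H"): "M",
    ("M", "L"): "L", ("M", "M"): "M", ("M", "H"): "H",
    ("H", "L"): "M", ("H", "M"): "H", ("H", "H"): "H",
}


def tri(x: float, a: float, b: float, c: float) -> float:
    """Triangular membership degree of x; a == b or b == c gives a shoulder."""
    if a == b:
        return 1.0 if x <= b else max(0.0, (c - x) / (c - b))
    if b == c:
        return 1.0 if x >= b else max(0.0, (x - a) / (b - a))
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


def fuzzify(x: float) -> Dict[str, float]:
    """Crisp 0..100 value -> membership degree in each linguistic term."""
    x = min(100.0, max(0.0, x))
    return {t: tri(x, *MF[t]) for t in LEVELS}


def mamdani_stage(x: float, y: float, method: str = "centroid") -> float:
    """One two-input Mamdani stage: min for AND, max aggregation, then defuzzify."""
    mx, my = fuzzify(x), fuzzify(y)
    strength = {t: 0.0 for t in LEVELS}  # firing strength per output term
    for (ta, tb), out in RULES.items():
        strength[out] = max(strength[out], min(mx[ta], my[tb]))
    if method == "wavg":
        # Weighted average of the term peaks; peaks assumed at 0 / 50 / 100.
        peaks = {"L": 0.0, "M": 50.0, "H": 100.0}
        den = sum(strength.values())
        return sum(strength[t] * peaks[t] for t in LEVELS) / den if den else 0.0
    # Centroid of the aggregated (clipped) output fuzzy set.
    num = den = 0.0
    for u in UNIVERSE:
        mu = max(min(strength[t], tri(u, *MF[t])) for t in LEVELS)
        num += u * mu
        den += mu
    return num / den if den else 0.0


def annualised_loss_expectancy(threat_level: float, likelihood: float,
                               vulnerability: float, asset_value: float,
                               aro: float, method: str = "centroid") -> Dict[str, float]:
    """Chain the four stages; each crisp output feeds the next stage."""
    tof = mamdani_stage(threat_level, likelihood, method)
    trf = mamdani_stage(tof, vulnerability, method)
    le = mamdani_stage(trf, asset_value, method)
    ale = mamdani_stage(le, aro, method)
    return {"TOF": tof, "TRF": trf, "LE": le, "ALE": ale}


if __name__ == "__main__":
    # Constructed sample: a credible threat against a weakly protected, valuable asset.
    print(annualised_loss_expectancy(threat_level=80, likelihood=60,
                                     vulnerability=70, asset_value=90, aro=40))
```

Two behaviours worth noticing when running this: a single fully fired term never defuzzifies to the end of the scale under the centroid method (Low alone yields about 16.3, High alone about 83.7), and once a stage's output is partially fired, the clipped output set pulls the next stage's centroid toward the middle, so a four-stage chain compresses extreme inputs. That is exactly why the thesis compares centroid and weighted-average outputs (Figs. 56 and 57) before settling on a defuzzifier.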
Chapter 1: Introduction

The aviation industry remains a key driver of international tourism, trade and worldwide
economic growth. Reliable and secure air transportation for passengers and freight has
become the backbone of the day. Given the importance of flying passenger safety and
security, critical aviation infrastructures require a high degree of protection that is always
challenging to ensure. The provision of aviation services, as prescribed by the International
Civil Aviation Organization (ICAO) regulations, is a public service that serves national as
well as international interests. The global reach of aviation across both manned and
automated (unmanned) systems, together with its aging legacy systems, proprietary systems and
public network infrastructure, leads to particularly complicated but interdependent systems
of air, land, and space.

The aviation system architecture, as depicted in Fig. 1, is composed of five major domains:
(1) Aircraft or avionics, (2) ATM systems, (3) Airport and Airline networks [2, 3], (4) System
Wide Information Management (SWIM), and (5) Ground radio navigation and landing
aids[4, 5].

Rapid technological advancements are changing how we manage the aviation business,
enabling more efficient delivery of services and developing cost-cutting technology
strategies. Cloud computing, Artificial Intelligence (AI), big data and network convergence
are vital for deploying IT services to support these business objectives [6, 7]. However,
current business demands and an emphasis on operational improvements have left a
significant gap in establishing a better cybersecurity incident management capability [8].
Traditionally, aviation security has focused on the physical security of aircraft and ground air
navigation infrastructure; this security environment has now moved into a new era of
information security (or cybersecurity) [5]. The cybersecurity threat landscape is becoming
increasingly sophisticated, and hackers and terrorists now act with malicious intent
ranging from general disruption of safety-related information to catastrophic incidents
that could lead to loss of life [8].

Fig. 1. Information exchange model: Avionics and Ground-based aviation systems.

Many aviation systems manufacturers use proprietary hardware, software, and encryption
technology, which becomes a safety and security risk for aviation systems. This situation
restricts risk assessors' understanding of the devices' internal information
architecture and processing algorithms, which objective assessments require. Aircraft (Fig. 2) and ATM
systems (Fig. 3) operate in a highly volatile and uncertain environment, requiring a higher
degree of integrity. The systems are designed with redundant features to avoid any single
point of failure (SPOF) and to provide a higher level of availability and reliability, also known
as a non-functional requirement (NFR) in the systems engineering of aerospace, aviation,
telecommunication, and defence systems. However, this schema does not assure that the
systems are protected from possible cyber-attacks or unlawful entry into the systems [9-12].

Fig. 2. Domain 1 - Aircraft avionics and information processing systems in the cockpit.
Security risk assessments must cover all scenarios, including geographic and situational
changes, when an aircraft cruises from one environment into different conditions in another
country[3]. A similar approach must be adopted for ATM systems when managing risks arising from aging
aircraft, various aircraft models (manufacturers), country of operation and avionic
functionalities. Countermeasures involve not only specific protective
mechanisms and applications but often regional and international cooperation among
the industry partners and platforms, as the need for responsiveness extends well beyond
the constraints of a single aircraft or flight information region (FIR)[13, 14].

Fig. 3. A typical air traffic control position (or console) (picture credit: Airservices).

According to the Telstra Cyber Security Survey 2017, 22% of Australian respondents and
26% of Asian businesses experienced an advanced persistent threat (APT) attack on a
monthly basis. Mandiant, a FireEye company, collects statistics, studies trends, publishes
case studies, builds upon evidence-based research, and shares insights into the evolving
threat landscape. The survey results further indicate that the time to remediate and
recover from an APT attack is becoming increasingly complicated and time-restricted [15].

Organisations use enterprise-class network security systems with stateful inspection firewalls,
Virtual Private Networks (VPNs), Intrusion Prevention Systems (IPS), Data Leakage Protection
(DLP) and proxies to mitigate many known cyber-attacks. The most prominent issue is that
these systems must work cooperatively across company boundaries and varying risks in the
security hierarchy. The growing complexity is the industry's worst enemy, and
interconnected (wired or wireless) systems are always vulnerable to malicious constructs.

It is vital to develop a novel risk identification and analysis methodology to eliminate the
confusion between different types of security risks and to reinforce the existing enterprise
cybersecurity framework. This research adopts a systems engineering approach to analyse
the security of aviation systems against emerging complex, advanced cyber threats and
demonstrates the validity of the proposed mechanism. This information is used to develop
a new risk identification and analysis framework.

1.1 BACKGROUND

Civil aircraft in their different phases (in-flight, transit, or aerodrome control), together with the global
surveillance and network infrastructure, which we define as the Air Traffic Management
(ATM) system, are expected to ensure the safety and security of the flying passengers.

Digital transformation is the process of acclimatising business practices to new digital
means to keep up with rapidly changing operational demands. As this transformation of
aviation proceeds at a fast pace, ATM is evolving in parallel to deliver novel services cost-
efficiently. National aviation regulators and ATM stakeholders are working collaboratively
to ensure the systems are resilient to cyber-attack[16].

Even though airports, airfields and aerodromes are familiar places for the flying public, the public
are not knowledgeable (or aware) of aviation systems engineering, including Air Traffic
Management (ATM) systems and the other guidance and communication systems that support
an aircraft from its departure to its destination. The IT infrastructure orchestrates these integrated
services using information, physical, and logical assets, while human assets interact in
complex systems to make a clear air corridor for flights[17].

The architecture includes Communication, Navigation, and Surveillance (CNS) systems, Air
Traffic Management (ATM) systems, airports, airlines and third-party services provider
systems that support aerodrome operations. The diverse nature of systems, complex
operation procedures and unpredictable human behaviour and attitude may have
significant implications for cybersecurity in the environment[18].

The digital transformation of aviation is cruising rapidly and is primarily driven by users'
needs and making the most of data. The virtualisation of services and provision of
information as a managed service through cloud deployment is another instance where
ANSPs leverage their aeronautical and weather information capabilities. Big data and
blockchain technology further complement these processes. Big data analytics uses
techniques and technologies, including Artificial Intelligence (AI) and machine
learning (ML), to combine and analyse massive datasets to identify patterns and develop
actionable insights.

This new transformation would eventually deliver greater flexibility in managing all
operations and, in doing so, provide a multitude of services to airspace users seamlessly
and cost-effectively. Aircraft will be a network element in the digital space supported by
various digital services such as Electronic Flight Bags and handheld intelligent devices. This
technology is no longer a conceptual idea but a reality, and aircraft
manufacturers and airlines introduce new features to attract and build their customer
base. However, these new services deployed on passengers' handheld devices must
be resilient to current and emerging security threats[19].

Any potential security breach causes congestion, delays or service termination. In a worst-
case scenario, the impact on passengers could include stress, injury, or fatalities. Disturbance of civil air
operations could also have a broader societal impact, affecting the whole industry.
Such disruptions could affect a large geographical area and could be propagated over
highly interconnected network infrastructure.

Some significant aviation-related cybersecurity incidents reported during the past few
years are publicly available in the media. According to CSO, it is vital to highlight that most
cybersecurity and data breaches go unreported[20].

▪ British Airways faces record $329m fine over data breach – July 2020
  o Source: https://www.webberinsurance.com.au/data-breaches-list#eighteen

▪ Air New Zealand - Customer information was stolen and breach of data privacy – Aug 2019
  o Source: https://www.manageengine.com/log-management/phishing-attacks/air-new-zealand-data-breach.html

▪ Airport Security Identity Cards (ASICs) - Australia - data hack – July 2018
  o Source: https://www.securitynewspaper.com/2018/07/14/data-breach-at-australian-airport-identity-security-system/

▪ Cathay Pacific Airways - The stolen data included names, nationalities, birth dates, phone numbers, addresses, passports & identity card numbers – Oct 2018
  o Source: https://techmonitor.ai/technology/cybersecurity/cathay-pacific-hack

▪ WestJet Dealt With 'Hundreds of Thousands' using credential stuffing attacks – 2018
  o Source: https://www.aviationtoday.com/2018/09/07/westjet-dealt-hundreds-thousands-cyber-attacks/

▪ Alaska Airlines is hacked - using Apache Struts vulnerability – 2017
  o Source: https://www.aviationtoday.com/2018/08/28/alaska-hack/

▪ The International Civil Aviation Organization (ICAO) was a victim of a large-scale watering hole attack in 2016.
  o Source: https://securityaffairs.co/wordpress/81790/apt/icao-hack-2016.html

▪ Vietnam Airlines, hackers took over the website - in July 2016
  o Source: https://www.theguardian.com/world/2016/jul/29/flight-information-screens-in-two-vietnam-airports-hacked

▪ Saudi aviation agency - Hackers destroy computers - November 2016
  o Source: https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html

Threat actors are predominantly cyber-criminals and, to a lesser extent, state-sponsored
groups. Their motive is to disrupt airways operations for financial and political gain and to
access the intellectual property content of expensive devices.

Open-source attacking software packages such as Kali Linux and Python code libraries
are available in the public domain for free download, enabling attackers to attempt
many offensive methods while remaining anonymous.

The primary role of any cybersecurity professional in the industry is to bolster the existing
defence mechanism and protect aviation systems from any potential attack. They must
conduct risk assessments regularly and advise system owners of the effective
implementation of security controls to mitigate identified risks and potential vulnerabilities.

One of the many challenges that need to be addressed immediately is the unique nature
of the ANSP and aviation industry in contrast to other sectors. Many security professionals
are perplexed by the complicated system architecture and legacy systems retrofitted with
multiple layers of IoT devices.

The thesis investigates significant facets of aviation systems and attempts to unfold many
cybersecurity attributes that could be used as vital inputs to the proposed novel
framework.

1.1.1 THE ICAO INITIATIVE IN ADDRESSING CYBER SECURITY

As per ICAO doc 9985, Aviation security means safeguarding civil aviation assets against
malicious acts. The organization plans to reach this goal by combining control and human
and material resources[21].

1.1.2 ICAO CYBER ICT SECURITY REQUIREMENTS

The identification of appropriate security measures for critical cyber ICT systems
maintained by aviation operators of ICAO member states is outlined in Doc 8973
(Restricted). These measures become the minimum ICT security requirements to be fulfilled as an
obligation imposed on ATSPs and ANSPs. Further, a list of critical cyber ICT systems is
identified in the document.

The responsibility for identifying critical IT assets (including all applications, hardware and
network devices operated in the organisational system architecture) rests with the ATSPs.
These assets include:

• Air traffic control systems or sub-components;
• Security operating centre;
• Control, event and monitoring systems;
• CCTV surveillance systems;
• All information databases; and
• All cyber-physical infrastructure that communicates, stores and processes information
  (e.g., standalone PCs, laptops, corporate smart handheld devices, servers etc.).

Protection of cyber-physical infrastructure: The ANSPs (as well as ATSPs) should enforce
organisational ICT security policies and procedures for the specified IT assets as per the
National Civil Aviation Security Programme (NCASP). The objectives of these measures are
to:

• protect against unauthorised access to ATM systems and associated ICT infrastructure;
• prevent interference or meddling with operations; and
• identify cyberattacks as they occur.

1.1.2.1 SECURITY BY DESIGN

The ATSP/ANSPs are expected to ensure that organisational security policies are in place
during the planning, execution and operation phases of proposed cyber-physical systems,
including the secure decommissioning of systems, storage media and application
software. Manufacturers and vendors of the systems (supply chain security) should be
required to provide assurance of how securely information is managed on the
system. Airport system preventative maintenance should be scheduled to verify that
security patch updates are performed per the vendor guidance and handled securely.
The number of individuals assigned to system software and hardware support and
maintenance work should be limited and provided with restricted access. The systems
engineering teams should plan network cable runs to protect essential IT systems from
infiltration or unauthorised sniffing[22].

1.1.2.2 NETWORK SEPARATION

It is paramount that ICT systems be audited at regular intervals to confirm that the installations
adhere to security policies. This protection removes their exposure to unrestricted
or open-access communication between network elements and separates them from
publicly accessible networks. Also, the network planning team must apply the applicable
procedures and guidelines to reduce the number of cable routes to the minimum needed
(security hardening)[23].

1.1.2.3 REMOTE ACCESS

The ATSP/ANSPs are responsible for ensuring that remote access to any ICT system is
authorised and carried out by secure means, for example VPN, multi-factor authentication (MFA) and
IPsec, and that third parties do not have unauthorised access to such systems once the
systems are in operation. Auditing and logging of abnormal system activity through the SIEM
function should accompany all ICT systems so that reports are generated when such events occur.
Similarly, the daily and weekly event and activity logs should be reviewed so that
isolated critical incidents do not go unnoticed[24].
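As an added illustration of the remote-access and log-review expectations above (example code written for this page, not part of the thesis or of any ICAO document), the following script checks constructed remote-access events against a hypothetical access register: it flags third-party (vendor) accounts reaching a system after its commissioning window, accounts not authorised for a system, and successful logins without MFA, and it produces the per-day counts a daily or weekly review would look at. All hostnames, account names, addresses and dates are constructed.

```python
from datetime import datetime

# Hypothetical access register (constructed): the accounts allowed to reach
# each operational system remotely, and the date after which vendor
# (third-party) access ends because the system is in operation.
AUTHORISED = {
    "atc-fdp-01": {"accounts": {"ops.jsmith", "ops.akhan"},
                   "vendor_until": datetime(2022, 3, 31)},
    "siem-core": {"accounts": {"sec.lwong"}, "vendor_until": None},
}

# Constructed sample events, one per line:
# timestamp host account source-address method result
SAMPLE_LOG = """\
2022-05-02T08:14:02 atc-fdp-01 ops.jsmith 10.20.5.7 vpn+mfa success
2022-05-02T08:40:51 atc-fdp-01 vendor.acme 203.0.113.9 vpn success
2022-05-02T09:02:13 siem-core sec.lwong 10.20.5.21 ipsec+mfa success
2022-05-02T22:17:44 atc-fdp-01 ops.akhan 10.20.5.8 vpn success
2022-05-03T03:55:10 siem-core ops.akhan 10.20.5.8 vpn+mfa failure
"""


def parse_event(line):
    """Split one log line into its fields; '+mfa' marks a second factor."""
    ts, host, user, src, method, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "src": src, "mfa": method.endswith("+mfa"), "result": result}


def review_remote_access(log_text, register=AUTHORISED):
    """Return one finding per rule breached by each event.

    Every breach is reported individually rather than only when a count
    crosses a threshold, so a single (isolated) critical event still
    surfaces in the review.
    """
    findings = []

    def flag(ev, reason):
        findings.append({"day": ev["ts"].date().isoformat(),
                         "host": ev["host"], "user": ev["user"],
                         "reason": reason})

    for line in log_text.splitlines():
        ev = parse_event(line)
        rule = register.get(ev["host"])
        if rule is None:
            flag(ev, "system not in access register")
            continue
        if ev["user"].startswith("vendor."):
            until = rule["vendor_until"]
            if until is None or ev["ts"] > until:
                flag(ev, "third-party access outside commissioning window")
        elif ev["user"] not in rule["accounts"]:
            flag(ev, "account not authorised for system")
        if ev["result"] == "success" and not ev["mfa"]:
            flag(ev, "successful remote login without MFA")
    return findings


def daily_summary(findings):
    """Count findings per calendar day for the daily/weekly review."""
    summary = {}
    for f in findings:
        summary[f["day"]] = summary.get(f["day"], 0) + 1
    return summary


if __name__ == "__main__":
    found = review_remote_access(SAMPLE_LOG)
    for f in found:
        print(f)
    print(daily_summary(found))
```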

1.1.2.4 ICT SECURITY CONTROL CATEGORIES

The security controls are categorised into nine classifications according to the
organisation’s functions[25].

• Organizational Policy Controls and directions,
• Organization, Culture, and Management Controls,
• Human Resources Controls,
• Physical and Environmental Security Controls,
• Operation of ICT Systems Controls,
• Technical Means, Asset and Infrastructure Security Controls,
• Development and Acquisition Controls,
• Monitoring and Auditing, and
• Regulatory compliance.

As per the ICAO document, once a security risk has been accepted, the next step is
communicating all the associated attributes among concerned parties. Sharing increases
the ability to assess the threat landscape at the local level and would assist the
management in taking appropriate actions.

1.1.3 EVOLUTION OF AEROSPACE INFORMATION TECHNOLOGY, DATALINK AND SECURITY

The aviation industry has matured, over a hundred years, from a few entrepreneurs flying
rudimentary aircraft to the sophisticated network of manufacturers, air navigation service
providers (ANSPs) and airlines that comprise today’s industry.

In the early days, all civil aircraft operations were supervised during the daytime with
unobstructed flying circumstances. The primary procedure of “see, be seen and avoid”
became the fundamental way of flight navigation, which is today known as visual flight
rules (VFR). Over time, the aircraft gained speed, and visually avoiding other aircraft in the
sky became a considerable risk, leading to the establishment of organised Air Traffic
Control (ATC) systems along congested flight routes and between busy airports. The
earliest form of traffic management required a flight operator to stand at a prominent location
on the airfield with a set of coloured flags to signal the pilot.

Cleveland airport in Ohio in the US was the first air traffic control tower with 15 W
communication radios that allowed voice communication with pilots over a distance of
25 km in 1930. The controllers used the new systems to provide traffic advisories, landing
directions, and weather information to the pilots of radio-equipped aircraft[26].

The rapid progress in aircraft control, navigation and communication, owing to World War
II (WWII) communication system development, paved the way for adopting military solutions
in civil air traffic spheres. In 1942, in the US, the Civil Aeronautics Authority (CAA) established
interstate airway communication stations (INSACSs) that were strategically placed to offer
flight advisory services; the INSACSs were crewed by air traffic controllers who
communicated directly with aircraft by radio to pass weather information, navigation and
landing instructions[27].

In 1947, the Radio Technical Commission for Aeronautics (RTCA) formed a task force to
study the requirements of the future ATM system and formed a Special Committee 31 (SC-
31), which recommended that a universal ATC system be developed that would deliver
the essential prerequisites of civilian air traffic operations[28].

However, with the rise in the number of aircraft in operation, a more efficient and
unambiguous pilot-controller communication system became necessary. Also, radio
technology was progressing, and it became feasible for aircraft to carry radio transceivers
on board. Until 1978, all civil aircraft had to carry multiple VHF and HF radio systems for
line-of-sight and beyond-line-of-sight operation, respectively. In the same year, a
company by the name of ARINC introduced a datalink called Aircraft Communications
Addressing and Reporting System (ACARS) to communicate reports over existing VHF
voice radios using minimum-shift keying (MSK) technology[29, 30].

The continued evolution and expansion of the data link communication to improve the
efficiency of flight operations and safety while easing congested aeronautical voice
channels is a significant improvement. Aviation stakeholders, and the general public, in
particular, benefited from this development to a greater extent.

1.1.4 AVIATION INDUSTRY-MAIN ACTORS

The aviation sector is distinct in that it is the only regular means of passenger and cargo
transport of its kind, and its role as an economic engine for many stakeholders is evident in the ICAO statistics.

1.1.4.1 INTERNATIONAL AVIATION GOVERNING BODY AND ROADMAPS

In order to provide a safe atmosphere for aircraft passengers and all the stakeholders
involved in the industry, it is mandatory to regulate, regularly monitor and deal with safety
and security measures promptly. In this backdrop, the International Civil Aviation
Organization (ICAO) was established, as a United Nations(UN) specialised agency, to
manage the administration and governance of international civil air operations[31]. The
aforementioned goals are achieved by reaching consensus among industry groups and
member states on civil aviation Standards and Recommended Practices (SARPs) and
policies assuring a safe, secure, efficient, economically sustainable and environmentally
sustainable aviation industry[32, 33].

1.1.4.2 INTERNATIONAL REGULATORY AND SUPERVISORY BODIES (ITU, IEEE, INCOSE)

International regulatory bodies deal in the areas of administration, engineering operation,
and technology to enforce rules and regulations for the well-being of the flying public in
general. The presence of international independent regulatory agencies is rationalised by
the complexity of specific legal and managerial tasks that require mastery at a
geographical level to avoid political interferences.

The International Telecommunication Union (ITU) is the United Nations' specialised
information and communication technology agency tasked with allocating global radio
spectrum and satellite orbits. The ITU also produces the technical specifications that ensure
technologies and new systems interconnect and endeavour to improve access to
Intelligent Telecommunication System communities worldwide[34].

The Institute of Electrical and Electronics Engineers (IEEE) is a leading international
organisation that develops industry standards in a comprehensive range of disciplines,
including telecommunications, electric power, information technology, consumer
electronics, transportation and aerospace.

The International Council on Systems Engineering (INCOSE) organisation’s mission is to
contribute to the progress of the futuristic practice of systems engineering. The organisation
achieves this goal by promoting interdisciplinary, expandable approaches to produce
technologically pertinent safe and secure engineering designs that meet societal
needs[35].

1.1.4.3 NATIONAL AVIATION REGULATORY ORGANISATIONS

The ICAO Standards and Recommended Practices (SARPS) are not legally enforceable;
however, the practices form the foundation of national regulations. The member states
develop their federal civil aviation regulations based on the ICAO SARPs, which have legal
status by an act of parliament of the country in most cases. Along these lines, civil aviation
regulations are harmonised around its member states, with some variances based on the
specific national level and domestic requirements. These regional variances are then
informed in return to the agency and circulated for reference[36-39].

The Federal Aviation Administration (FAA) acts as the Civil Aviation Authority of the USA
and is the authority for establishing aviation conventions known as Federal Aviation
Regulations (FARs). Besides its role as the regulator, the FAA is also tasked with the upkeep
of air navigation facilities infrastructure and is responsible for air traffic management in the
US Airspace. In the US, the National Aeronautics and Space Administration (NASA) is a
significant contributor to Future Communication Studies (FCS), with the primary
responsibility for technology evaluations[40-42].

The European Aviation Safety Agency (EASA), established in 2002 by the European
Commission, drafts aviation safety legislation and provides technical recommendations to
the EU Member States and the European Commission (EC) regarding airworthiness and
type certification of aircraft and aircraft parts, and approval of aircraft design
organisations worldwide. Over time, the EASA's breadth was extended to include aircraft
operations, maintenance, licensing, safety, security and certification/design specifications
for all categories of aircraft manufactured in the region[43-45].

In Australia, under section 8 of the Civil Aviation Act (CAA) 1988, the Civil Aviation Safety
Authority (CASA) was established as an independent statutory authority to develop the
safety regulation of civil air procedures in Australia and the operation of Australian aircraft
overseas. Further, the Civil Aviation Regulations 1988 and the Civil Aviation Safety
Regulations (CASR) 1998 provide general regulatory controls for the safety of air
navigation. These acts authorise CASA to issue civil aviation directions on complicated
regulation issues, including security. The CASRs authorise CASA to issue Manuals of
Standards (MoS) which support regulations by providing comprehensive technical
content.

The UK Civil Aviation Authority (CAA) regulates Air Navigation Service Providers (ANSPs)
and Airports countrywide and guides the certification process and aviation infrastructure
development.

The European Organisation for the Safety of Air Navigation, generally recognised as
Eurocontrol, is an international body that works to accomplish safe and unified operations
of civil aircraft over the Europe region[46]. Eurocontrol comprises 41 constituent states (as
of May 2022), and the European Union has allotted regions of its Single European Sky
regulations to Eurocontrol. The agency is the main body for the administration and
development of safe and secure ATC and airworthiness regulations for all of Europe.

The EUROCAE is also the primary European entity in developing worldwide industry
standards for civil aviation in the European region. The organisation also produces
Minimum Operational Performance Standards (MOPS) and guidance documents with
RTCA, Inc[47].

1.1.4.4 EQUIPMENT SPECIFICATION (ARINC, RTCA, EUROCAE)

Aeronautical Radio, Incorporated (ARINC) and SITA are the primary aeronautical data
services and allied applications providers to ANSPs, airlines and airport authorities. ARINC
developed many industry communication standards in the early stages of the aviation era
and is currently a primary provider of transport communications and delivers engineering
solutions for the air transportation industry [48, 49].

The systems engineering and technology screening procedure of the above organisations
is portrayed in Fig. 4.

The information technology evaluation and design procedures involve:

• Study of avionics and CNS/ATM service providers' capabilities,
• Needs identification through Communications Operating Concept and
  Requirements (COCR) and ICAO consensus documentation[50],
• Analysis of Commercial and Prototypes Standards (CPS),
• Application of ITU, ICAO, RTCA, EUROCAE and local aviation regulatory
  guidelines, and
• Identifying cybersecurity vulnerabilities and proposing mitigation
  mechanisms within the specified constraints.

Fig. 4. Aviation information technology and system design procedure.

1.1.4.5 AIR NAVIGATION SERVICE PROVIDER (ANSP) AND AIR TRAFFIC SERVICE PROVIDER
(ATSP)

In Australia, Airservices is certified to provide air navigation and air traffic services by the Civil
Aviation Safety Authority (CASA), principally through the Civil Aviation Safety Regulations,
including parts 65, 99, 139, 143, 171, 172, 173 and 175, and sections 8 and 9 of the Air Services
Act 1995. In some countries, air traffic and navigational services are provided by two
organisations, which are authorised by local regulations. The FAA, National Air Traffic
Services (NATS), Deutsche Flugsicherung GmbH (DFS) and Nav Canada provide similar
services in the US, the UK, Germany and Canada, respectively [51-55].

1.1.4.6 AERONAUTICAL DATA SERVICE PROVIDERS (ADSPS)

Civil aviation aeronautical data service providers, as the name implies, provide essential
CNS and Air Traffic Management (ATM) safety-critical data to ATSPs' Flight Information
Regions (FIRs) and aircraft. This service includes aircraft position reports, intent, performance
reports and crew administrative reports.

1.1.4.7 CIVIL-MILITARY COMBINED AVIATION OPERATIONS

Defence aircraft and aerospace system operators are engaged in complex development,
integration and through-life-support projects in global military projects and platforms.
Military air traffic controllers apply the standards published in the national Manual of Joint
Air Traffic Services (MJATS) to both civil and military aircraft. The MJATS specifies separation
standards and detailed procedures for special manoeuvring and operations specific to
military aircraft in civilian airspace[56, 57].

Military ATM utilises highly secure Voice/Data encryption methods, frequency agile, spread
spectrum and Low Probability of Intercept (LPI) bearers for information exchange. Tactical
Datalinks include Combat Net Radio (CNR), Variable Message Format (VMF), Link11,
Link16, Battlefield Management Systems (BMS) and fixed secure terrestrial networks[58-60].

1.1.5 AVIATION DATALINK COMMUNICATION STANDARDS AND SECURITY

The data links have evolved to provide slow-speed data exchange between airline
operating centres and aircraft. These non-critical short messages use VHF, HF radio or
satellite services as the communication medium. Initially, these data links have been
operational in oceanic and remote flight phases with FANS 1/A standards through the
ACARS network to deal with unreliable HF communications. The rapidly congested
airspace led to the implementation of Aeronautical Telecommunications Network (ATN)
standards in these airspace sectors to increase the capacity. The ATN Baseline 1 (ATNB1)
implementation enhanced ATC procedures by improving data communications and not
precisely the security aspect of operations[61-64].

1.1.5.1 FANS 1/A

The Future Air Navigation System (FANS) 1/A (FANS-1 is Boeing's solution, while FANS-A is the
Airbus solution) provides ACARS network connectivity to oceanic and remote flights. The
FANS 1/A standards emerged primarily from ACARS; they rely on the ICAO concept but
do not comply with the entire ICAO specification. Furthermore, the Automatic Dependent
Surveillance Contract (ADS-C) and Controller–Pilot Data Link Communications (CPDLC)
operating principles defined in the FANS 1/A specifications are based on ACARS and are
entrenched in the Aeronautical Telecommunications Network standard[65-67].

1.1.5.2 ATNB1

The ATNB1 standards are predominantly used in high-density continental areas, and they were
developed with the objectives set by the ICAO CNS/ATM package 1[68-70]. The main
difference from FANS 1/A is the underlying network: ACARS for FANS 1/A and ATN for ATN B1
(Fig. 5).

CPDLC on ATN is introduced as a supplementary means of communication alongside voice
communications in high-density continental airspace sectors. The controller selects either
voice or CPDLC; however, the flight crew makes the selection based on the critical nature of the
communication, as CPDLC cannot be used for security- or safety-critical communications
because of its inherent delay and poor communication security.

Fig. 5. Aeronautical communication architecture between cockpit and ground systems
(adopted from Airbus).

Aircraft compliant with both FANS 1/A and ATN B1 are also known as bilingual aircraft, and the
seamless CPDLC transfer from FANS 1/A to ATN setting and vice versa is ensured by the
FANS 1/A-ATN interoperability standards[71].

1.1.5.3 ATN BASELINE 2 (SC-214/WG-78)

EUROCAE Working Group 78 (WG-78) and RTCA Special Committee 214 (SC-214) specify
air traffic data services standards. Their primary role is to standardise and harmonise the
future ATS supported by data communications.

Table 1. Aeronautical Information Technology, Links and Avionics Applications
Frequency(f), Data
Technology rate(DR) Application
Uplink(UL), Downlink(DL)
f: 129-136.9 MHz
ACARS AOC Logistics, aircraft status data, fuel usage and Air Traffic Service(ATS)
DR: 2.4 kbits/s
f: 118-136.97 MHz
VHF ATC-Pilot Communication, URCO (future)
DR: N/A (Analogue)
f: 118-136.97 MHz
VDL1 Bit-oriented ATS
DR: 2.4 kbits/s
f: 118-136.97 MHz Bit- & character oriented ATS
VDL2
DR: 31.5 kbits/s (ICAO doc 9776)
Technology | Frequency (f) and data rate (DR) | Applications / services
VDL3 | f: 118-136.97 MHz; DR: 31.5 kbits/s (ICAO doc 9805) | Data & Voice; no operational data at present
VDL4 | f: 118-136.97 MHz; DR: 31.5 kbits/s (ICAO doc 9816) | Data & Surveillance
HFDL | f: 3-30 MHz; DR: 1.8-2.4 kbits/s | ACARS & Data (Polar region), NOTAM, KAM
SSR Mode S/A/C | f: 1030 MHz (UL), 1090 MHz (DL); DR: 4 Mbits/s (UL), 1 Mbits/s (DL) | Secondary Surveillance Radar (SSR) data, Traffic/Airborne Collision Avoidance Systems (TCAS/ACAS), In-Trail Procedure (ITP)
PSR | f: 2700-2900 MHz; DR: N/A | Primary Surveillance Radar (PSR) – non-cooperative flying objects in TMA
ADS-B | f: 1090 MHz (ES); DR: 1 Mbits/s | ITP, ADS-B (OUT), ADS-B (IN), AIRSEP, TCR (intent) (DO-242A/DO-260B), Trajectory Change Point (TCP) (DO-260B)
UAT (US) | f: 978 MHz; DR: 1 Mbits/s | FIS-B, TIS-B, ADS-R, EFB
AeroMACS [Proposed] | f: 5091-5150 MHz; DR: UL = 2.15 Mbits/s, DL = 1.24 Mbits/s (with 16QAM 1/2) (RTCA DO-346) [aircraft access is possible if the speed < 50 NM/h] | Data & VoIP (inside airport), EFB, D-SIG, D-Taxi, TWLU, QAR, VDAR, AHM, OTIS, SIGMET, RVR, D-TIS-B(ADS-R), WAKE, NOTAM
3G/4G/5G/LTE Cellular | f & DR: variable (country dependent) | EFB, TWLU, QAR, VDAR, AHM
802.11 b/g GateLink (TCU) (Boeing) | f: 2.4 GHz ISM band; DR: 54 Mbits/s (max) | AHM, LSAP, VDAR, EFB
LDACS1 [Proposed] | Frequency Division Duplex (FDD); f: 960-1164 MHz; DR: up to 1.3 Mb/s (FL), up to 1.04 Mb/s (RL) | Air-ground data communication, VoIP preferably in TMA, TBO (future), SIGMET, RVR, DYNAV, WAKE, TIS-B(ADS-R), NOTAM
LDACS2 [Proposed] | Time Division Duplex (TDD); f: 960-975 MHz; DR: 270 kb/s per channel | TBO, air-ground data communication, VoIP preferably in TMA, TBO (future), SIGMET, RVR, DYNAV, WAKE, TIS-B(ADS-R), NOTAM
AANET | Variable | Aircraft Ad-hoc Network (AANET): distributed flight information among aircraft by forming a high-speed air-to-air network [75]
Iridium (66 LEO satellites) | f: 1616-1626.6 MHz (user), 29.1-29.3 GHz (UL), 19.1-19.3 GHz (DL); DR: 2.4-9.6 kbits/s | ATC & AOC (voice and data), global tracking, CPL, DYNAV, NOTAM, KAM [76]
Globalstar (24 LEO satellites) | f: 1614 MHz and 2490 MHz; DR: 9.6 kbits/s | An alternate delivery path for the ADS-B signal (space-based ADS-B or ALAS), global tracking, CPL, DYNAV, NOTAM, KAM
Inmarsat Aero H/H+ (4 GEO satellites) | f: 1,546 MHz (Sat to AC), 3,615 MHz (Sat to Ground); DR: 10.5 kbits/s | Aircraft Communication And Reporting System (ACARS), Future Air Navigation System (FANS) and ATN [77], global tracking, CPL, DYNAV, NOTAM, KAM
Inmarsat Swift Broadband | f: 18-26 GHz (Ka-band); DR: < 450 kbits/s | Voice & data, global tracking, CPL, APC, TIS-B(ADS-R)
Inmarsat Aviation's Global Express | f: 18-26 GHz (Ka-band); DR: to AC 4.5-12.0 Mbits/s, from AC 0.7-1.8 Mbits/s | Broadband, global tracking, CPL, IFE
AC: Aircraft, ACAS: Airborne Collision Avoidance System, ADS-R: Automatic Dependent Surveillance – Rebroadcast (Radar, ADS-B, ASMGCS),
AHM: Airplane Health Management System, AIRSEP: Air-to-Air Self Separation, ALAS: ADS-B Link Augmentation System,
APC: Air Passenger Communications, ATFCM: Air Traffic Flow and Capacity Management, ATFM: Air Traffic Flow Management,
ATN: Aeronautical Telecom. Network, CPL: Continuous Parameter Logging, Data: Flight, Surveillance, Aeronautical, Meteorological and ATFCM,
D-SIG: Datalink Surface Information and Guidance, DYNAV: Dynamic Route Availability, EFB: Electronic Flight Bag, ES: Extended Squitter,
FIS-B: Flight Information Service – Broadcast, GEO: Geostationary Orbit, HFDL: HF Data Link, IFE: In-flight Entertainment,
ISM: Industrial, Scientific and Medical radio band, KAM: Keep Alive Messages (during the flight when there is no traffic),
LEO: Low Earth Orbit, LSAP: Loadable Software Airplane Parts (Boeing 787), NOTAM: Notice to Airmen,
OTIS: Operational Terminal Information Service, PSR: Primary Surveillance Radar, QAR: Quick Access Recorder,
RVR: Runway Visual Range, SIGMET: Significant Meteorological Information, SSR: Secondary Surveillance Radar,
TCAS: Traffic Alert and Collision Avoidance System, TCP: Trajectory Change Point, TCR: Trajectory Change Reports,
TCU: Terminal Cellular Unit, TIS-B(ADS-R): Terminal Information Service-Broadcast or ADS–Rebroadcast, TWLU: Terminal Wireless LAN Unit,
UAT: Universal Access Transceiver, URCO: Urgent Contact, VDAR: Virtual Digital Aircraft Condition Monitoring System (ACMS),
VDL: Very-High-Frequency Data Link, VDL2: VDL Mode 2, VoIP: Voice over Internet Protocol, WAKE: Wake Turbulence

The WG-78/SC-214 group is delegated to establish the safety, security, performance and
interoperability requirements for future ATS data communication applications[72]. It also
ensures that ATS is consistent with the operational requirements defined by the NextGen and
SESAR research programmes. The WG-78/SC-214 predominantly addresses the following
ATS and avionics requirements:

• Data Link Initiation Capability (DLIC),

• ATC Communication Management (ACM),

• ATC Clearance (ACL),

• Clearance Request and Delivery (CRD),

• Departure Clearance (DCL),

• Oceanic Clearance (OCL),

• Data Link Taxi (D-TAXI),

• Information Exchange and Reporting (IER),

• Position Report (PR), and

• In Trail Procedure (ITP).

1.1.5.4 AEEC 623

The Airlines Electronic Engineering Committee (AEEC) 623 standard sets out a protocol for
text-based traffic messages that can be communicated over the ACARS network and that
are not part of the FANS 1/A and ATN B1 standards[73]. AEEC 623 is predominantly used
for Departure Clearance (DCL), Oceanic Clearance (OCL) and Digital Automatic Terminal
Information Service (D-ATIS). EUROCAE ED85A, ED89A and ED106 have superseded the
AEEC 623 specification for the DCL, D-ATIS and OCL applications, respectively[74].

1.2 AERONAUTICAL INFORMATION TECHNOLOGY, SYSTEMS AND APPLICATIONS

Many technologies, applications and systems are employed in the aviation industry,
outlined in Table 1 with the corresponding operating frequencies.

1.3 THE PROBLEM

In recent years, the increased number of attacks of varying sophistication on large and
medium-sized critical infrastructures of all kinds and on state institutions has caused
various disruptions, as outlined in Section 1.1.

The aviation industry is no exception among transportation sectors, and in aviation there
is the added crucial safety issue that an incident could cost lives. The inherent complexity
poses a challenge, as avionic and ATM operations software may have vulnerabilities that
cannot be tested and verified by standard vulnerability scanners and pentesting methods.

The industry relies on a complex infrastructure integrated into multiple systems that must be
individually and holistically protected.

Insider threats also make the problem more critical; contributing factors include lack of
training and management pressure that prioritises business operation over mitigating
cybersecurity threats. Besides, there are no role-based access controls or appropriate
security clearances for specific airport or aircraft areas.

A decade ago, aviation-specific knowledge and software use in aviation systems were
hard to come by, and the growth of this knowledge base over the internet has created
substantial challenges. Commercial off-the-shelf hot-swappable systems and solutions can
exemplify this.

The trend towards expanding systems into air-ground networks built on IP technology is a
prerequisite for the expected level of an overarching system of interoperating subsystems.

This modernisation and digital transformation work makes sense from an operational and
safety standpoint, but it exposes unforeseen vulnerabilities.

Every new feature or function eventually adds a new dimension to the attack vectors.

1.4 RESEARCH OBJECTIVES

Motivated by the acute demands of the industry for the ability to manage cybersecurity
risks in aviation systems with a systematic and structured approach, the objectives of this
research are defined as follows:

• Navigate all aviation systems engineering products, processes, people and
environment (3PE), including IT/OT and their interaction, from the perspective of
cyber attack to investigate the exploitable cyber security vulnerabilities of Aircraft,
CNS/ATM and Airport systems. This process requires an in-depth investigation of
system interactions through wired networks or wireless means using Radio
Frequency (RF), including VHF, HF and Satellite communication.
Making the system available for continual operation is paramount, and redundancy
is built into the IT/OT equipment at the requirements-gathering stage of the systems
engineering life cycle to preserve the availability component of the CIA triad.
Therefore, one of the primary objectives is to research all system vulnerabilities
intrinsic to Aircraft, CNS/ATM and Airport systems in the context of physical, logical
and administrative security control mitigation strategies.

The above situation can be exemplified by the Alaska Airlines Apache Struts
vulnerability – 2017, as outlined in Section 1.1, where authorities failed to implement
logical and administrative security controls for IT/OT equipment.

• Explore effective risk assessment techniques to improve how risks are appropriately
identified and determine an effective method to prioritise risks. This process is
significant due to the adoption of new state-of-the-art technologies and ongoing IT
automation and modernisation programs. Another primary objective is to examine
the external threat to the above systems, how these threats hamper the system
operations, and the possible consequences resulting from a cyber attack. Some of
the future services will be provided as managed services and hosted in the public
cloud environment, and it is also required to explore vulnerabilities associated with
this new architecture.

The industry does not have an established risk assessment methodology owing to
the dynamics of business operations and its globally interconnected nature, and
each country of operation adheres to a multitude of standards and frameworks. In
the worst-case scenario, some countries do not even have a single security
standard except the essential security guidelines enforced by the ICAO[61]. Against
this backdrop, it is paramount that the industry can adopt a simple and
accomplishable risk assessment technique to balance business goals while
protecting the infrastructure.

• Investigate some form of universal system architecture that can systematically
improve the identification of risks and mitigate them effectively. Besides, identify
why the current security framework does not fully address specific threats against
current and potential vulnerabilities in the aerospace industry. Identify deficiencies
in the existing framework while proposing changes to minimise the impact of cyber
incidents by reducing the uncertainty of cyber security risk attributes. This objective
requires a broad investigation of the literature on this topic and ranking risk attributes
based on their industry acceptance and effectiveness in minimising the impact by
reducing uncertainty.

This requirement is highlighted by the cyber incidents demonstrated in Section 1.1
with the British Airways and Air New Zealand cases, where the organisation did not have
an appropriate industry-related security policy framework. As a result, managers
leaned toward achieving economic goals through business operations over
security, making way for exposing their systems to external security threats. Failing
to identify vulnerabilities and threats in the aviation industry leads attackers to
exploit them, causing heavy business losses in the form of fines and compensations.

• Develop a pragmatic industry-specific risk management framework for aviation
systems that could be employed and would benefit risk management. This process
involves further study of attributes of risk parameters and various methodologies that
can be utilised to improve the accuracy and consistency of security attributes.

1.5 RESEARCH SUMMARY

This PhD project aims to investigate various aerospace systems security vulnerabilities and
external and internal threats to systems operations from a safety standpoint. The project also
delves deep into scenarios where existing risk assessment methodologies fall short of the
expected level of protection. Aviation organisations need to see a considerable return on
investment in their security implementations by simplifying the processes and procedures.
The main focus is identifying why the security assessment framework fails in the domain.
Aviation system operations are distinct from IT solutions deployed in the health, financial
and telecommunication sectors. The systems deployed in the aerospace sector are
dynamic in nature (mobility over different geographical regions) and comprise diverse
systems of systems with legacy and proprietary technologies.

The identified issues are discussed at length and form a set of research questions to
develop a security risk assessment framework specific to addressing security risks in the
aviation industry. The research problems/questions provide a noteworthy context to the
research and link the investigation results, issues, mathematical analysis and simulations.
1.6 RESEARCH QUESTIONS

This section describes the five (5) research questions that the research is focused on
addressing. It provides some context for why each question has been formed and why it is
essential and relevant to the study.

Further details are also provided on the research objectives, and the research
methodologies are defined in Chapter 3 of the thesis. The ultimate intent of the questions
is to search for outcomes that will meet the research objectives (1.4).

1.6.1 RESEARCH QUESTION 1

What are the exploitable cyber security vulnerabilities of Aircraft, CNS/ATM and
Airport systems?

This question researches all the information technology (IT) and operational
technology (OT) systems in use and their interaction within the aviation systems
landscape. The system interaction may be through a wired network or wireless
means using Radio Frequency (RF). The information exchange is predominantly
through VHF, HF and Satellite communication on the aircraft side, while ground
systems use copper (ethernet), optical fibre and point-to-point radio links.

Each land-based aviation system under study is unique in operation and governed
by a strict set of rules and parameters imposed by the governing body, ICAO.
Redundancy is built into the systems to preserve the availability component of the
CIA triad. However, being passive elements, the antenna systems of radar (aircraft
surveillance) and navigational-aid landing equipment (ILS, DVOR, DME, GBAS and
NDB) are not equipped with failover mechanisms.

The research question investigates all system vulnerabilities inherent to Aircraft,
CNS/ATM and Airport systems by considering their operational aspects and possible
cyber attacks. The findings will be listed under each system domain component.

1.6.2 RESEARCH QUESTION 2

What are the cyber security threats to aviation systems and their effect on ongoing
IT automation and modernisation programs?

This question examines the external threat to the above systems and how these
threats interfere with the system operations and possible impacts. The modernisation
programs include the incorporation of new technology and redundant network
connectivity. Some of the services are provided as managed services and hosted
in the public cloud environment.

The identified threats are presented along with systems vulnerabilities under each
system domain component.

1.6.3 RESEARCH QUESTION 3

How can aviation threats be evaluated against current and potential vulnerabilities
to develop a security framework for the aerospace industry?

The question deals with devising a method to evaluate threats and develop a
common framework for aviation cybersecurity.

1.6.4 RESEARCH QUESTION 4

How to minimise the impact of cyber incidents by reducing the uncertainty of
cyber security risk attributes?

Investigate and review the literature on this topic and rank risk attributes based on
their industry acceptance and effectiveness in minimising the impact by reducing
uncertainty.

1.6.5 RESEARCH QUESTION 5

How to improve the accuracy and consistency of cyber risk assessments?

Study attributes of risk parameters and various methodologies that can be
employed to improve the accuracy and consistency of security attributes.

1.7 IMPLICATIONS OF THE RESEARCH

The literature review emphasised the fact that there is a significant research gap in
cybersecurity risk management of aviation systems engineering. Notably, this is a result of
various attributes inherent to the industry and the nature of the business operation. Not
many academic researchers have much hands-on experience in the operational aspects,
including avionics, ATM and airport operation, to understand the risk entirely. Much of the
internal operational information is restricted to the personnel of these government and
defence agencies. When it comes to private entities such as airline operators, they adopt
a non-open approach to addressing their risk internally. As the stakes are high, aviation
operators believe that revealing system vulnerabilities for a research purpose may have a
negative impact on their systems and could negatively affect public perception and
reputation. This phenomenon has led to a situation where many researchers in aerospace
engineering did not get to visualise a holistic picture of the internal system architecture, or
limited the scope of their work to a restricted space. Against this backdrop, the author of this
thesis could not come across much literature in the area of his investigation, which notably
emphasises a significant gap.

The author has been discharging his duties in the capacity of a senior engineer in air traffic
management, navigational aids and airport environments for over 25 years. He received
training and was involved in the systems engineering process from the requirement analysis
to the maintenance and disposal stage. The author firmly believes that the information
presented in the thesis will fill the research gap and positively impact addressing
cybersecurity issues and mitigating the risk. The study will ultimately contribute to protecting
human lives, physical assets and aviation stakeholders to achieve their economic goals.

1.8 ORGANISATION OF THIS THESIS

This thesis begins with Chapter 2, an exhaustive review of the near-past and present
literature and an investigation into security engineering, security by design procedures,
and other applicable technology employed in the industry. Based on the analysis, five
research questions are raised and defined.

Chapter 3 deals with the research methodology, intelligence collection in all five domains of
aviation systems and further research details, including desk surveys.

The main contribution of this research is presented in Chapters 4 through 6. Each chapter
is dedicated to a significant research section that builds up to the proposed cybersecurity
risk framework.

Chapter 7 discusses the contribution to the technology and holistic application of the
framework in the context of addressing cybersecurity risk in the industry.

Finally, Chapter 8 details some insight into possible further research.

Chapter 2: Literature Review

Information security (IS) management sets up the groundwork for a proactive security
program to ensure the preservation of information-related assets [78-81].

The foremost objective of security management is to protect the CIA of information assets,
whether in processing, storage or transmission[25]. The control measures are employed
through the establishment of procedures, policies, baselines, standards, and guidelines.
The process involves information classification, security risk assessments, categorising
threats, and identifying system vulnerabilities. Also, the likelihood of realisation of any of
these attacks is estimated, and appropriate controls to mitigate each risk item are
identified and prioritised. Risk management minimises the loss of information assets due to
undesirable events (intentional or accidental). It incorporates the comprehensive security
posture, risk analysis, selection and evaluation of controls, cost-benefit analysis, and
employment of adequate controls along with ongoing reviews [82-86]. The industry
standards such as NIST, ISO 27001 series, ISC2, and ISACA security guidelines and
certification programs were thoroughly studied and appraised to gain insight into standard
security practices.
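The risk management steps listed above (classify the asset, pair threats with vulnerabilities, estimate likelihood and impact, then prioritise controls with a cost-benefit view) can be carried through in a small risk register. The following is an added example written for this page, not code from the thesis or from any of the standards it cites: the assets, threats, scale values and cost figures are constructed illustrations, and the `reduces` mapping (how many likelihood steps a control removes from a given threat) is a simplifying assumption.

```python
"""Risk register: likelihood x impact scoring and cost-benefit ranking of controls.

Added example for this page, not code from the thesis or the cited standards.
Assets, threats, vulnerabilities, scale values and costs are constructed
illustrations; the 'reduces' mapping (how many likelihood steps a control
removes from a given threat) is a simplifying assumption.
"""
from dataclasses import dataclass, field

# Five-point ordinal scales, a common qualitative convention (assumed here).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    """One register entry: a classified asset paired with a threat/vulnerability."""
    asset: str
    classification: str   # information classification label, e.g. "restricted"
    threat: str
    vulnerability: str
    likelihood: str       # key of LIKELIHOOD
    impact: str           # key of IMPACT

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


@dataclass
class Control:
    """A candidate mitigation, its relative cost, and the threats it reduces."""
    name: str
    cost: float                                  # constructed relative cost units
    reduces: dict = field(default_factory=dict)  # threat -> likelihood steps removed


# Constructed sample register (not figures from the thesis).
RISKS = [
    Risk("ACARS ground gateway", "restricted", "message spoofing",
         "no message authentication", "possible", "major"),
    Risk("Airport operations database", "restricted", "ransomware",
         "unpatched server", "likely", "severe"),
    Risk("Public flight information display", "public", "defacement",
         "default credentials", "likely", "minor"),
]

CONTROLS = [
    Control("Patch management programme", 4.0, {"ransomware": 2, "defacement": 1}),
    Control("Credential hardening", 1.0, {"defacement": 2}),
    Control("Gateway message authentication", 3.0, {"message spoofing": 2}),
]


def residual_score(risk: Risk, control: Control) -> int:
    """Risk score after the control lowers likelihood (never below 'rare')."""
    steps = control.reduces.get(risk.threat, 0)
    new_likelihood = max(1, LIKELIHOOD[risk.likelihood] - steps)
    return new_likelihood * IMPACT[risk.impact]


def risk_reduction(control: Control, risks: list) -> int:
    """Total score removed across the register by applying one control."""
    return sum(r.score - residual_score(r, control) for r in risks)


def prioritised_risks(risks: list) -> list:
    """Register sorted so the highest likelihood x impact items come first."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def rank_controls(controls: list, risks: list) -> list:
    """Controls as (name, reduction, cost), best reduction-per-cost first.

    Ties on the ratio are broken by absolute reduction; this ratio is the
    cost-benefit step of the process described in the text.
    """
    scored = [(c.name, risk_reduction(c, risks), c.cost) for c in controls]
    return sorted(scored, key=lambda t: (t[1] / t[2], t[1]), reverse=True)


if __name__ == "__main__":
    for r in prioritised_risks(RISKS):
        print(f"{r.score:>3}  {r.asset} [{r.classification}] - {r.threat} via {r.vulnerability}")
    for name, reduction, cost in rank_controls(CONTROLS, RISKS):
        print(f"{reduction / cost:>5.2f} per cost unit  {name} (removes {reduction})")
```

With the constructed register, the patch management programme removes the most risk in absolute terms, but credential hardening ranks first per unit of cost; that divergence between raw reduction and cost-benefit ranking is the point of the prioritisation step.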

2.1 SECURITY ENGINEERING

Security systems engineering encompasses the concepts, structures, and standards to
design secure systems and applications. Network infrastructure and security devices
provide connectivity and required protection for information, respectively, during data
transfer. The systems engineering process employs a comprehensive method of executing
an organisation's information requirements through a system design process to align the IT
products and applications with the organisation's core goals and strategic directions.
Security design implementation includes cryptography, hashing, link encryption, access
controls, network segregation, authentication servers, code reviews, implementation of
web proxies, secure user interfaces and application programming interfaces (APIs). The
system operation and maintenance stages comprise patch management, zero trust
architecture (ZTA), intrusion detection and prevention systems, firewalls, security information
and event management (SIEM) and penetration testing. Besides, artificial intelligence (AI),
machine learning (ML) and big data will also become standard practice in future
endeavours [87-98].

Managing complex data is a significant challenge for any organisation – whether a
government agency, airframe manufacturer, airline or aviation information service
provider. Data models are typically produced to characterise transactions and analyse
the information gathered, used, and stored to address these challenges[99]. The Open
Web Application Security Project (OWASP) is an effort to improve software security based
on the reported cybersecurity incidents worldwide. They have published the top 10
application security risks, which have been used as a reference in this research [100].
Cloud Security Alliance (CSA) also presents Security, Trust & Assurance Registry (STAR) Self-
Assessment to document compliance with CSA-published best practices and Consensus
Assessments Initiative Questionnaire (CAIQ) for cloud security.

2.2 SECURITY BY DESIGN

Building accurate threat models for all threat scenarios, which will help define and describe
potential attacks that could compromise the safety, or put aeronautical data at risk, is
essential for an effective cybersecurity foundation[101]. The process of constructing these
models can be rolled out by contemplating how the SWIM network can be struck and
identifying the most vulnerable areas of the infrastructure for possible attacks [102].

The current industry standards for aircraft IT security are derived from DO-326, DO-355 and
DO-366 (RTCA), ED-202 / ED-203 (EUROCAE) and ARINC 811/822/823, and aviation equipment
manufacturers use them as guidelines for their products. However, these documents are
required to assimilate aircraft information security operational concepts and describe
methods to establish logical and physical security [103-108].

Designing a system to cater for all dynamic threat environments is challenging. When a
network-capable aircraft moves from a secure environment to an airport with poor security
at a remote end of the world, there is a high risk that hackers would exploit any residual
vulnerabilities.

The ATSP/ANSPs adhere to systems engineering fundamentals and provide security control
undertakings during the design, implementation, and operation phases of new aerospace
cyber-physical systems; this includes the disposal of hardware, media and applications in
a secure manner. Developers and suppliers of aviation systems will abide by the law as to
how information on these systems is secured. The number of individuals assigned for
software and hardware support and maintenance work is limited and provided with
restricted access. The network infrastructure and equipment installations are designed to
prevent the infiltration of critical ICT systems.

Aeronautical and aircraft surveillance data is continuously updated in real time as
aircraft move from A to B, and this information is exchanged among multiple stakeholders
so that airports and airspace can be efficiently managed. It is the responsibility of the data
owners to provide adequate security for the IT infrastructure and the information
exchanged, based on the data classification (Fig. 6). The Single European Sky ATM
Research (SESAR) programme is highly concerned about the level of network security and
data services and highlighted significant issues in its recent report titled "SESAR
Addressing airport cyber-security"[109]. The report raises the concern that a compromised
Airport Operations Centre (APOC) will push updates into the wider network and
could 'pollute' the whole European ATM Network in a single attack[110-116]. In the worst-
case scenario, the local network will be updated with incorrect information and
propagate it to other parts of the network. This scenario is a contravention of the essential
principle of information security: to provide confidentiality, integrity and availability
protection for critical assets[117].

Fig. 6. Source: Cyber-security application for SESAR Final Report[109].


Based on this development, the degree of controls applied to improve cyber-security
resilience directly impacts SWIM (System Wide Information Management), APOC (Airport
Operations Centre), TAM (Total Airport Management) and A-CDM (Airport Collaborative
Decision Making).
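The pollution scenario above, where one compromised or impersonated source pushes bad data into the wider network, is largely an integrity and origin-authentication problem. The following added example (written for this page; it is not code from the thesis, SESAR or any SWIM implementation) shows one defensive pattern: each update carries an HMAC under a per-origin key and a monotonic sequence number, and a receiving node applies an update to its local picture only after both checks pass, so a forged, tampered or replayed update is dropped and recorded for monitoring instead of being propagated. The key, the origin name `APOC-A` and the runway-status payload are constructed for illustration.

```python
"""Authenticated, replay-protected propagation of aeronautical data updates.

Added example for this page, not code from the thesis or from SESAR/SWIM.
The key, origin identifier and runway-status payload are constructed for
illustration; a real deployment would provision per-origin keys from a key
management system rather than embed them as below.
"""
import hashlib
import hmac
import json

# Constructed demo key shared between one APOC and the nodes that consume it.
APOC_A_KEY = b"demo-key-for-illustration-only"


def canonical(body: dict) -> bytes:
    """Deterministic serialisation so sender and receiver MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_update(body: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag computed over the canonical body."""
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


def verify_update(msg: dict, key: bytes) -> bool:
    """Constant-time check that the tag matches the body as received."""
    expected = hmac.new(key, canonical(msg.get("body", {})), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("mac", ""))


class NetworkNode:
    """Simplified downstream node: it updates its local picture (and would
    forward onward) only after origin authentication and freshness checks."""

    def __init__(self, keys: dict):
        self.keys = keys          # origin -> shared key
        self.picture = {}         # origin -> last accepted runway status
        self.last_seq = {}        # origin -> highest accepted sequence number
        self.rejected = []        # (reason, body) kept for monitoring/alerting

    def receive(self, msg: dict) -> bool:
        body = msg.get("body", {})
        origin = body.get("origin")
        key = self.keys.get(origin)
        if key is None or not verify_update(msg, key):
            self.rejected.append(("bad_mac", body))
            return False
        seq = body.get("seq", 0)
        if seq <= self.last_seq.get(origin, 0):
            self.rejected.append(("replay", body))
            return False
        self.last_seq[origin] = seq
        self.picture[origin] = body["runway_status"]
        return True


def demo() -> tuple:
    """Genuine update accepted; tampered copy and replayed original rejected."""
    node = NetworkNode({"APOC-A": APOC_A_KEY})
    genuine = sign_update(
        {"origin": "APOC-A", "seq": 1, "runway_status": {"09L": "open"}}, APOC_A_KEY)
    node.receive(genuine)

    # In-transit tampering: same MAC, altered payload.
    tampered = json.loads(json.dumps(genuine))
    tampered["body"]["runway_status"]["09L"] = "closed"
    tampered_ok = node.receive(tampered)

    # Replay of the genuine message: valid MAC, stale sequence number.
    replay_ok = node.receive(genuine)

    reasons = [reason for reason, _ in node.rejected]
    return node.picture, tampered_ok, replay_ok, reasons


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should keep in mind is that a node holding a legitimate key can still sign false data. Per-origin keys and sequence numbers do not prevent that, but they make polluted updates attributable to one origin and let the remaining nodes quarantine it, which is where the data classification, monitoring and incident response controls discussed in this chapter take over.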

SESAR and NextGen, in collaboration with ICAO, are deploying data-dependent SWIM
capabilities, which are the essence of managing busy airports in the wake of the
evolving cyber-physical system[109]. Global ATM Security Management (GAMMA) is
another project that stems from the growing need to address new threats and
vulnerabilities to ATM systems that rely on ground and space-based networks and
distributed enterprise computing[118].

Sophisticated cyber incidents such as Artificial Intelligence (AI) based attacks bypass
traditional security tools and monitoring mechanisms, and there is no way one can know
that their system has been compromised by a well-disguised exploit[119]. Organisations
require industry best practices for searching out these sophisticated attacks and
enumerating them before they can damage valuable information assets.

2.3 THIRD-PARTY SERVICES - CLOUD AND SECURITY AS A SERVICE

The cloud paradigm provides faster, expedient information computing services and
network-centric storage, with multiple computing resources virtualised as services and
delivered over the Internet. Besides, the architecture heightens availability, collaboration,
agility and scalability to adapt to demand variations [120].

Cloud computing uses the internet infrastructure to allow clients to access information on
a pay-per-use basis. Cloud Service Providers (CSPs) offer IT support in multiple
configurations and provide web-based service access. The cloud services enable
convenient, universal, on-demand network availability to a distributed cluster of
information technology assets (e.g., networks, storage, infrastructure, platform, and
software) that can be rapidly provisioned and discharged with minimal management
effort[121-125].

In the cloud organisation model, the business owners do not own the actual physical IT
infrastructure, and CSPs provide access to the IT resources. The primary objective is to
reduce data centre expenditures like hardware, software, network, heating, ventilation,
and air conditioning (HVAC) services. Cloud users can reduce their substantial investment
in building these infrastructure services. Recent studies have shown that major IT
companies achieved, on average, an 18% saving in their IT budget by deploying their
services on cloud architecture[126].

Cloud services offer the potential to bring numerous benefits to aviation stakeholders due
to economies of scale, commoditisation of IT infrastructure, a pay-per-use model and a high
geographic availability factor. Aviation organisations will need to make decisions
based on security policy, the required degree of information security, the affordability of
employing highly skilled security professionals and their cloud adoption strategies[127, 128].
The Federal Aviation Administration (FAA) has adopted a cloud computing strategy to
enhance its aviation systems and minimise critical IT infrastructure costs [129]. Security as a
Service (SECaaS) is another business paradigm in which an organisation procures security
services for its IT infrastructure according to the criticality of the risk[130-132].

2.4 SECURITY ASSESSMENT, TESTING AND AUDITING

The network boundaries and interconnections of aircraft, ATM systems, airports and CNS
ground infrastructure require a broad range of ongoing security testing and verification to
ensure they are safe for operations[133].

During the Test and Evaluation (T&E) stages of the systems engineering process, it is
necessary to specify[134, 135]:

• the systems knowledge required to manage security risks,

• the empirical and test data to validate proper system operation in the
wake of a security breach, and

• the operational effectiveness and survivability of the system in a
compromised state.

The discovery of problems late in the T&E phase or at the operation stage can have
enormous cost and safety impacts as well as significant operational reverberations.
Besides, the incremental addition of network and IT system capabilities, which is now the
norm, would further create security flaws. Therefore, maintaining an effective T&E strategy
under emerging technology with new system architecture would be challenging [51, 136-
139].

2.5 SECURITY CAPABILITY TESTING OR PENETRATION TESTING

Today's digital business is no longer a single communication link between two points but
multiple redundant connections in many-to-many configurations. In this model, organisations
deliver value-added services by connecting to partners who are dispersed
geographically around the world[140]. As the amount of data and the number of users
and services grow, so does the need for organisations to remain vigilant and responsive
to cyber-attacks [141-144].

Being proactive is a crucial component of any robust security program. Having a matured
security capability mechanism and running regular security testing would consolidate the
foundation of the security architecture of the business. It allows organisations to expose
and manage vulnerabilities and avoid costly downtime and destructive reputational
impact[145-149].

Penetration testing, a.k.a. pentesting, is a security testing methodology or process that
allows cybersecurity experts to simulate the techniques of a hacker attempting to exploit
information systems or associated networks. Several different penetration testing
lifecycle models are in use, and they mainly consist of five phases: Reconnaissance,
Scanning, Gaining Access, Maintaining Access and Covering Tracks[150-152].

New software is deployed regularly on various aviation systems. Changes are made
to networks and configuration updates are performed on IT systems, and they need to be
periodically tested as part of security assurance. How often a business should perform
security tests depends on several factors[153-155]:

• Laws, regulations, and compliance[156-159],

• Organisation size,

• Budget allocation, and

• Level of IT infrastructure deployment.

2.6 SECURITY OPERATIONS

The primary focus of the security operations is to manage tasks required to maintain
security services operating reliably and efficiently. Besides, the concepts of business
continuity planning (BCP), incident response planning (IRP) and disaster recovery planning
(DRP) deal with the preparation, processes, and practices required to secure the
protection of the organisation against a significant cybersecurity disruption[160, 161].

Aviation business operations face unique challenges in protecting lives and enterprise
assets during an unplanned security incident or event. The BCP, IRP, and DRP involve the
implementation of processes required to protect critical functions from the consequences
of the system and network disruptions and to ensure the restoration of essential operations
promptly[162].

The crucial elements of the incident response plan are to:

• Identify and estimate the extent of a compromise,

• Contain the incident, and

• Determine whether the systems are still vulnerable.

It needs a great deal of skill, expertise, and experience in responding to a breach. It is also
necessary to know how to use data about an incident to help prevent similar attacks in
the future and share the same information with peer ANSPs, Airlines and Airports.

2.7 ARCHITECTURE FRAMEWORKS

Architecture frameworks are practices, methods, and tools that provide a systematic
approach to designing, implementing, and managing complex systems or solutions. They
aim to guide architects and stakeholders in making informed decisions that align with
organisational goals, standards, and best practices.

2.7.1 NIST CYBER SECURITY FRAMEWORK (CSF) NIST SP 800-53

The National Institute of Standards and Technology (NIST) is a physical science laboratory
and the United States Department of Commerce agency. Its primary objective is to
promote industrial competitiveness while guiding organisations within critical infrastructure
sectors to reduce cybersecurity risk.

The NIST Cyber Security Framework for Critical Infrastructure (CSF) integrates
industry standards and best practices to assist organisations in managing their
cybersecurity risks on multiple fronts. The framework gained much recognition due to its
deployment effectiveness. The information security community and many organisations in
the US and worldwide are currently implementing or aligned to the NIST information security
frameworks.

The framework's substance comprises a series of security risk assessment tasks. These
tasks are grouped into subcategories, which are in turn grouped into categories under the
five core functions: Identify, Protect, Detect, Respond and Recover[163].

2.7.2 ISO/IEC 27001

The International Organization for Standardization and the International Electrotechnical
Commission (ISO/IEC) jointly publish and update ISO 27001, the information security
management standard, which prescribes structures for how organisations should manage
risk associated with cybersecurity threats, including policies, procedures and training. The
ISO is an independent non-governmental organisation and the world's largest originator of
voluntary international standards. The IEC is the leading global organisation that develops
and publishes international standards for electronic, electrical, and related technologies.

Within the standard are guidelines and requirements intended to protect an organisation's
data and information assets from loss or unauthorised access, together with identified means of
demonstrating adherence to information security management through a certification
and auditing process. The standard includes a risk assessment process, organisational
structure, information classification, physical and technical safeguards, access control
mechanisms, and monitoring and reporting guidelines[164].

While the standard provides companies with the techniques needed to protect their
most valuable IT assets, they can also be certified against ISO 27001 and, in this way,
demonstrate their due diligence to their customer base and stakeholders. The objective of
ISO 27K is to protect the confidentiality, integrity and availability (the CIA triad) of information
by performing a risk assessment and determining suitable mitigation methods to prevent such
problems from happening.

The ISO/IEC 27000 (27K) series of standards profiles many controls and mitigation
mechanisms that enable organisations to keep information assets secure, while providing a
framework to strengthen policies and procedures with legal, physical, and technical
controls[165, 166].

2.7.3 COBIT

COBIT (Control Objectives for Information and Related Technology) is a framework
created by ISACA (the Information Systems Audit and Control Association) for IT
governance and management. The framework was developed as a collaborative tool for
business owners to bridge the crucial gap between business risks, technical issues, and
control requirements[167].

The framework is a guideline that can be applied to any organisation in any industry and
ensures the quality, control, and reliability of information systems which is also the most
critical aspect of every modern business.

It also provides diverse maturity models and metrics that measure attainment while
identifying the associated business commitments of IT processes[168]. The process-based
framework model is subdivided into four specific domains:

• Planning & Organisation,

• Delivering and Supporting,

• Acquiring & Implementation, and

• Monitoring & Evaluating.

IT governance is a sub-component or sub-set of corporate governance. It includes the various
regulations, laws, processes, principles and systems on the basis of which an organisation is
monitored, regulated and operated.

IT governance, by the same token, enables organisations to align their IT strategy with their
business strategy and to measure their performance in achieving organisational goals. Most
importantly, the governance practice helps to ensure that investments in IT strategy
generate business value for the organisation.

The governance framework is a pre-designed scheme that can be tuned to the
organisation's size and needs. Firstly, it is necessary to determine how the IT department
functions; secondly, how it takes care of the critical metrics that management needs and what
it gives back to the business from its investments.

COBIT 2019 has evolved from its predecessors to be more prescriptive to steer businesses
in developing a governance strategy to allow organizations to tailor the governance
strategy comfortably. It also defines the essential components of governance principles:
policies and procedures, processes, enterprise structures, information flow between
business units, skills, infrastructure, and culture.

2.7.4 THE EUROPEAN UNION AGENCY FOR CYBERSECURITY (ENISA)

The ENISA has put forward an Information Security Management strategy in the region to
enforce the appropriate measures to minimise the impact of diverse cybersecurity threats
and vulnerabilities.

Legal and regulatory instruments and their enforcement are required to protect sensitive or personal
data and to compel business owners to commit to due diligence and prioritise information
security risks.

Under these circumstances, the only alternative is developing and implementing a
separate and independent management process, namely an Information Security
Management System (ISMS), according to ENISA.

Fig. 7. ENISA Information Security Management framework.

As shown in Fig. 7, the ENISA ISMS framework demands the following six steps:

• Definition of Security Policy,

• Definition of ISMS Scope,

• Risk Assessment (as part of Risk Management),

• Risk Management,

• Selection of Appropriate Controls, and

• Statement of Applicability.

2.7.5 PROTECTIVE SECURITY POLICY FRAMEWORK (PSPF)- AUSTRALIA

The PSPF represents better practice for corporate Commonwealth entities and non-
government organisations that access security-classified information. The appropriate
application of protective security ensures the operational environment necessary for the
secure conduct of government business[169].

To support the accountable authority, the PSPF requires the appointment of a Chief
Security Officer who has oversight and is empowered to make decisions on all elements of
the framework[170].

2.7.6 CYBERSECURITY CAPABILITY MATURITY MODEL (C2M2)

The national and economic security of the United States depends on the reliable
functioning of the Nation's critical infrastructure in the face of cybersecurity threats (Fig. 8).
The C2M2 focuses on implementing and managing cybersecurity practices associated
with information technology (IT) and operational technology (OT) assets and the
environments in which they operate, and supports organisations of all sectors, types, and
sizes in evaluating and improving their cybersecurity programs.

The C2M2 is a free tool that helps businesses assess their security capabilities and allocate
appropriate investment to mitigation controls that target IT and OT assets and
environments. The tool, which is available in two forms, allows security practitioners to record
results and automatically produce detailed dashboards[171-173].

Fig. 8. C2M2 Information Security Management framework.


The model intends to strengthen cybersecurity capabilities, evaluate them effectively, and
benchmark them. The model further includes sharing knowledge, best practices, and
relevant references across organisations to enable businesses to prioritise actions and
investments to improve cybersecurity[174].

Critical infrastructure service providers have turned to C2M2 to provide a framework
for evaluating and reporting their cybersecurity readiness. The model's significant feature
is that it enhances the maturity and effectiveness of the controls that secure critical
infrastructures. The model further traces a succession of maturity levels for a set of
elements and represents an anticipated evolution path (desirable and typical for the
environment) of these elements, shaped as discrete stages.

Accordingly, this evolution should be sequential and set out with a clearly defined time
frame and a criterion to measure its effectiveness. The literature review highlights that
C2M2 has been used for specific enterprise sectors, while government agencies'
implementation mechanisms vary slightly based on various factors and regional appetite.
The literature further emphasises the gap in the existing cybersecurity models and their
weakness in measuring maturity over time.

2.7.7 PROJECT MANAGEMENT INSTITUTE (PROJECT MANAGEMENT BODY OF KNOWLEDGE)

PMBOK is the complete collection of best practices, processes, and guidelines accepted
as project management standards. It is valuable for companies as it enables them to
standardise techniques across various business units, tailor their procedures to serve specific
requirements, and complete projects successfully[175-178].

2.7.8 3PE FRAMEWORK

2.7.8.1 RISK MANAGEMENT

Risk management and its counterweight must be appropriately addressed. For this systems
engineering lifecycle costing, reliability data provide significant input into the model (Fig.
9). During the development phase, it is proposed that risk-related issues are
managed at the requirement gathering stage[179, 180].

However, there have been many issues in the studied cases; therefore, support solutions have
been categorised into two broad groups. According to the study, in the first situation the
residual risk associated with the contract and product is fully understood; in the second,
the risk is not fully realised[181].

Fig. 9. Product Process People Environment (3PE) model.

According to the 3PE model, the environment should be arranged to accommodate all planned
activities. This environment is subject to change over time to suit transformations in activities
and to keep costs to a minimum, while being continuously optimised in the long run.

The 3PE model is a framework for understanding the factors contributing to a product's
successful development and implementation. The model's three "P"s stand for Product,
Process, and People, while "E" represents the environment.

Product refers to the product or service being developed or offered. It includes features,
design, and functionality. Process refers to the methods and techniques used to develop
and deliver the product. It includes project management, quality control, and testing.
People refer to the individuals and teams involved in product development and delivery.
It includes stakeholders, customers, and employees. Environment refers to the external
factors that may impact the product development and delivery process. It includes market
conditions, regulations, and competition.

The 3PE model is useful for identifying potential issues and opportunities in the product
development and delivery process and for making decisions to improve the chances of
success. The model also suggests that an organisation's success depends on the effective
management of these three elements and their alignment with the external environment.
It is a holistic approach to management that emphasises the importance of considering
all aspects of an organisation in order to achieve optimal performance and success. The
model is a framework for understanding and analysing the factors that contribute to the
success or failure of a product or project. By considering each of these factors, the 3PE
model helps organisations to identify and address potential issues and improve the overall
performance of the product or project.

2.7.8.2 OPERATIONAL SAFETY, SUITABILITY AND EFFECTIVENESS

Whether the installation is temporary or permanent, the system's operational safety and
security must be preserved across all modifications. These modifications must be reviewed by
the authorised Change Management Board (CMB) and approved appropriately by
the business and engineering manager before the system is commissioned[182].

Various research on this topic has established a framework for developing
architectures that support system transitions. The framework predominantly relies
on enterprise integration and modelling methodologies, including examination of the various
transition stages.

The case study demonstrates that the support system for aircraft can be
characterised by an enterprise model that contains four fundamental elements: product,
process, people and environment (the 3PE model). The outcome of this research is presented
as a structure for developing a capability assessment model[49].

2.8 AHP AND ITS APPLICATIONS

The AHP is a structured decision-making method used to set preferences among diverse
attributes and to derive ratio scales from pairwise comparisons.

The process is most useful where teams of security professionals and assessors work on
complex problems, especially high-risk ones involving human decisions and
perceptions with long-term consequences and stakes[183-185]. Predominantly, the
decisions are made from subjective opinions such as satisfaction, feelings and
preferences[186-190].

Since its inception and application in various scenarios, the AHP has been an instrument
for researchers and decision-makers, owing to its multi-criteria decision-making
mechanism. The theory's validity is exemplified by the numerous outstanding works
published on process optimisation, conflict resolution, and the simplification of complex algorithms
with multiple inputs and outputs.

When multiple people produce the same ranking (or order), their preferences may still vary
with their skill, experience, intuition and the courses of action considered, and sometimes
differ very distinctly according to the individual's personality.

The AHP is commonly used for project prioritisation and selection. It lets decision-makers
capture their strategic goals as weighted criteria that are used to gauge projects measurably and
objectively. The result is a ranked list of tasks, each item having a score between two
bounds, that one can use to guide project selection and resource allocation
decisions[191].
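The pairwise-comparison mechanism described above, as an added example that is not part of the thesis: a pure-Python implementation of Saaty's eigenvector method with the consistency ratio check, applied to constructed criteria for ranking aviation cyber risks. The criteria names, judgement values and the 1..9 ratings of the three Domain 1 elements are assumptions for illustration, not figures from the thesis.

```python
"""AHP criteria weighting and risk ranking (added example, not the thesis's code).

Implements Saaty's eigenvector method: pairwise judgements on the 1..9 scale
form a reciprocal matrix, its principal eigenvector gives the criteria
weights, and the consistency ratio (CR) flags judgement sets too
contradictory to trust (Saaty's rule of thumb: accept when CR <= 0.10).
Criteria names, judgement values and the item ratings below are constructed.
"""
from typing import Dict, List, Sequence, Tuple

# Saaty's random consistency index (RI) by matrix order n = 1..10.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}


def build_matrix(n: int, judgements: Dict[Tuple[int, int], float]) -> List[List[float]]:
    """Complete a reciprocal comparison matrix from upper-triangle judgements.

    judgements[(i, j)] = how much more important criterion i is than j; the
    reciprocal a[j][i] = 1 / a[i][j] is filled in automatically.
    """
    a = [[1.0] * n for _ in range(n)]
    for (i, j), v in judgements.items():
        if i == j or v <= 0:
            raise ValueError("judgements must be off-diagonal and positive")
        a[i][j] = float(v)
        a[j][i] = 1.0 / float(v)
    return a


def priority_vector(a: Sequence[Sequence[float]], iters: int = 200) -> Tuple[List[float], float]:
    """Return (weights summing to 1, lambda_max) by power iteration.

    A positive matrix has a dominant real eigenvalue (Perron-Frobenius), so
    repeated multiplication converges to its eigenvector, the AHP priority
    vector; lambda_max is recovered as the mean of (A w)_i / w_i.
    """
    n = len(a)
    w = [1.0 / n] * n
    for _ in range(iters):
        aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        w = [x / total for x in aw]
    aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam_max = sum(aw[i] / w[i] for i in range(n)) / n
    return w, lam_max


def consistency_ratio(a: Sequence[Sequence[float]]) -> float:
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); 0 when perfectly consistent."""
    n = len(a)
    if n < 3:
        return 0.0  # a 1x1 or 2x2 reciprocal matrix is always consistent
    _, lam_max = priority_vector(a)
    ci = (lam_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def rank_items(weights: Sequence[float],
               ratings: Dict[str, Sequence[float]]) -> List[Tuple[str, float]]:
    """Weighted score per item (sum of weight x rating), highest first."""
    scored = {name: sum(w * r for w, r in zip(weights, rs)) for name, rs in ratings.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


# Constructed scenario: four criteria for prioritising aviation cyber risks.
CRITERIA = ["safety impact", "service disruption", "likelihood", "recovery cost"]
JUDGEMENTS = {(0, 1): 3, (0, 2): 5, (0, 3): 7,   # safety impact dominates
              (1, 2): 2, (1, 3): 3,               # disruption over likelihood/cost
              (2, 3): 2}                          # likelihood over recovery cost
MATRIX = build_matrix(len(CRITERIA), JUDGEMENTS)
WEIGHTS, LAMBDA_MAX = priority_vector(MATRIX)
CR = consistency_ratio(MATRIX)

# Constructed 1..9 ratings of three Domain 1 elements against each criterion.
RATINGS = {
    "Flight Management Computers": [9, 7, 3, 5],
    "Wireless bridge and access points": [3, 5, 8, 2],
    "Maintenance access devices": [7, 6, 5, 4],
}
RANKED = rank_items(WEIGHTS, RATINGS)

if __name__ == "__main__":
    for name, w in zip(CRITERIA, WEIGHTS):
        print(f"{name:<20} weight {w:.3f}")
    print(f"lambda_max {LAMBDA_MAX:.3f}  CR {CR:.3f}  "
          f"({'acceptable' if CR <= 0.10 else 'revise judgements'})")
    for name, score in RANKED:
        print(f"{score:5.2f}  {name}")
```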

2.9 FUZZY LOGIC AND ITS APPLICATIONS

A fuzzy system is closer to human perception and is applied here for risk assessment. The
rationale behind this approach is that fuzzy logic has shown great potential as a better
approach to dealing with operational risk[192-195].

Fuzzy logic is not logic that is fuzzy, but logic that is used to express fuzziness.
Numerous other illustrations are presented in published papers that can be used to
comprehend the fundamental concept. Lotfi A. Zadeh first introduced fuzzy logic in 1965
in his paper "Fuzzy Sets"[196].

Fuzzy logic theory is standard in various fields, from control algorithms to artificial
intelligence. It was developed to let an intelligent agent (PC or microcontroller)
handle scenarios that are neither logically true nor false, a behaviour that
can also be attributed to human reasoning. The prominent advantages of the theory are
convenient commercial deployment with little effort in consumer products,
accuracy, robustness, and the ability to self-modify or alter operating behaviour. The main
applications are in automobiles (anti-lock brakes, automatic transmission and cruise control),
home appliances (dishwashers, washing machines and domestic security systems),
industrial applications (high-tech manufacturing) and aviation.

The literature was analysed (Table 2) in various security disciplines as part of the literature
review of the research.
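As an added example, not the thesis's own model, the following Mamdani-style fuzzy inference scores a cyber risk from likelihood and impact ratings, the kind of operational risk assessment the section says fuzzy logic is applied to. The membership functions, the 0..10 rating scales and the rule table are constructed assumptions, not values taken from the thesis.

```python
"""Mamdani fuzzy inference for cyber risk scoring (added example, not the thesis's model).

Likelihood and impact are rated 0..10, fuzzified into low/medium/high sets,
combined through a 3x3 rule base with min (AND) and max (aggregation), and
defuzzified to a crisp 0..10 risk score by the centroid method. Membership
shapes and the rule table are constructed for illustration.
"""
from typing import Callable, Dict, Tuple


def tri(a: float, b: float, c: float) -> Callable[[float], float]:
    """Triangular membership with feet a, c and peak b; a == b or b == c gives a shoulder."""
    def mu(x: float) -> float:
        left = 1.0 if b == a else (x - a) / (b - a)
        right = 1.0 if c == b else (c - x) / (c - b)
        return max(0.0, min(left, right, 1.0))
    return mu


# One linguistic partition reused for likelihood, impact and the risk output.
LEVELS: Dict[str, Callable[[float], float]] = {
    "low": tri(0.0, 0.0, 5.0),
    "medium": tri(2.5, 5.0, 7.5),
    "high": tri(5.0, 10.0, 10.0),
}

# Rule base: (likelihood, impact) -> risk. Constructed; a real register would
# be tuned by the assessors, e.g. from AHP weights or historical incident data.
RULES: Dict[Tuple[str, str], str] = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}


def fuzzify(x: float) -> Dict[str, float]:
    """Degree of membership of a crisp 0..10 rating in each linguistic level."""
    if not 0.0 <= x <= 10.0:
        raise ValueError("ratings must lie in 0..10")
    return {name: mu(x) for name, mu in LEVELS.items()}


def assess_risk(likelihood: float, impact: float, step: float = 0.01) -> Tuple[float, str]:
    """Return (crisp risk score 0..10, dominant linguistic label)."""
    l_mu, i_mu = fuzzify(likelihood), fuzzify(impact)
    # Firing strength per output level: AND = min over antecedents, OR = max over rules.
    strength = {name: 0.0 for name in LEVELS}
    for (l_lab, i_lab), out_lab in RULES.items():
        strength[out_lab] = max(strength[out_lab], min(l_mu[l_lab], i_mu[i_lab]))
    # Clip each output set at its firing strength, union them, take the centroid.
    steps = int(round(10.0 / step))
    num = den = 0.0
    for k in range(steps + 1):
        x = k * step
        mu = max(min(strength[name], LEVELS[name](x)) for name in LEVELS)
        num += x * mu
        den += mu
    score = num / den if den else 0.0
    label = max(LEVELS, key=lambda name: LEVELS[name](score))
    return score, label


if __name__ == "__main__":
    # Constructed sample ratings, low to high.
    for l, i in [(1, 1), (5, 5), (8, 3), (9, 9)]:
        s, lab = assess_risk(l, i)
        print(f"likelihood={l} impact={i} -> risk {s:.2f} ({lab})")
```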

2.10 GROUND RADIO NAVIGATION

Ground radio navigation is a method of navigation that uses radio signals emitted from
ground-based transmitters to determine the position of an aircraft and guide it to its
destination. These signals are received by the aircraft's navigation equipment, such as a
VHF Omnidirectional Range (VOR) receiver or an Instrument Landing System (ILS) receiver.
Some examples of ground radio navigation systems include VOR, DME, ILS, TACAN, NDB
and VHF communications. These systems are typically found at airports and along airways,
and they provide the pilot with information such as bearing, distance, and altitude,
allowing them to navigate safely and efficiently[65].

Advances in navigational methods using radio frequencies and the development of
aeronautical maps with location information and their frequencies have paved the way for
uncomplicated ground-based navigation for aircraft.

The maps with VOR, Nondirectional Radio Beacon (NDB) and GPS information and evolved
flight display systems from analogue to digital make it possible for air navigators to steer
aircraft with precision to almost any point desired. The accuracy of air navigation is
attainable through the proper use of electronic equipment to decode (or demodulate)
signals received from ground-based radio transmitters, which continuously radiate location
and radial information.

Table 2. Analysis of literature

#   Analysis of literature
1   Security engineering (Section 2.1) [87-98],[90],[100]
2   Security by Design (Section 2.2) [101],[102],[103-108]
3   Security Patterns: Integrating security and systems engineering [87],[9-12],[35]
4   Systems Engineering framework for cyber-physical security and resilience [45],[95],[171],[216]
5   Information security management (software/hardware and firmware) (Section 2.7.4) [34],[78],[118],[165]
6   Risk assessment for airworthiness security (Section 1.1.4.3) [43-45],[104]
7   Model-based security engineering of distributed information systems using UMLsec [98],[118],[121]
8   Integration, verification, validation, test, and evaluation (IVVT&E) framework (Section 2.4) [133],[134,135]
9   Security Governance – compliance management vs operational management (Section 2.7.3) [167],[168]
10  Decision Science and Social Risk Management (Section 2.7.2) [164],[165],[166]
11  Third-party services - cloud and security as a service (Section 2.3) [120],[121-125]
12  Artificial intelligence and intrusion detection [19]
13  Security assessment, testing and auditing (Section 2.4) [133],[134,135]
14  Security capability testing or penetration testing (Section 2.5) [141-144],[145-149]
15  Security operations (Section 2.6) [160,161],[162]
16  Cloud computing (Section 2.3) [120],[121-125]
17  Information security maturity model for NIST cyber security framework (Section 2.7.6) [171-173]
18  Architecture frameworks / Cybersecurity frameworks (Section 2.7) [164],[165,166]
19  Security Architecture: Design, Deployment, and Operations (Section 2.2) [101],[102],[103-108]
20  NIST cyber security framework (CSF) NIST SP 800-53 (Section 2.7.1) [163]
21  ISO/IEC 27001 (Section 2.7.2) [164],[165,166]
22  3PE framework (Section 2.7.8) [179,180],[181],[182]
23  AHP and its applications (Section 2.8) [183-185],[186-190],[190]
24  Fuzzy logic and its applications (Section 2.9) [192-195],[196]

Chapter 3: Research Methodology

3.1 METHODOLOGY

The detailed literature review indicates significant, clearly defined research gaps that are
highlighted in many forums such as the Single European Sky ATM Research (SESAR) programme of
EUROCONTROL and the USA's next-generation ATM systems research program[197].

The methodology (Fig. 10) adopted in this dissertation addresses cybersecurity issues in the
industry and proposes a pragmatic solution through a novel framework[198].

Fig. 10. The methodology adopted to solve the problem.

The identified research gaps are multidimensional, and the work started with an intelligence
collection process covering all five domains. The initial objective of the intelligence
collection was to establish the current status of the threat landscape. The author's 25 years of
experience in aerospace engineering, covering all five domains at both the technical and
engineering level, was invaluable to the thesis. The experience was complemented by
equipment-based training by the product manufacturers, and the author gained multiple
Technical Certifications (TechCert) in the systems. Part 171 of the Civil Aviation Safety
Regulations (CASR) sets out Australia's rules and standards for aeronautical
telecommunications, including air traffic and radio navigation services[199-203].

To gain an in-depth idea of cybersecurity industry-specific procedures and processes, the
author studied for three major security certifications as a part of the research and
achieved the certifications on the first attempt (Appendix B).

3.1.1 CISSP - CERTIFIED INFORMATION SYSTEMS SECURITY PROFESSIONAL

The course focuses on securing all enterprise data, mobile & cloud security and protecting
information assets.

The certification covers multiple domains of cyber security. They include all aspects of
managing the cybersecurity landscape and the modern security framework[204]:

• Hundreds of essential cybersecurity attack methods, including zero-day
exploits, phishing, SQL injection, DoS, cryptojacking, malware, man-in-the-
middle attacks, insider threats and watering hole attacks,

• Security Risk Management; the ongoing process of identifying and implementing
plans to address security risks,

• Asset Security; a data classification strategy enables organisations to
assign a monetary value to their information assets based on sensitivity to
loss (or disclosure) and criticality,

• Security Architecture and Engineering; the technology that organisations
have in place to secure their IT assets. Security architects and engineers
design and develop cost-effective solutions for the business,

• Communications and Network Security; implements secure design
principles in network architectures,

• Identity and Access Management (IAM); ensures that the appropriate
individuals and job roles in an organisation can access the tools they need on a
need-to-know basis. IAM allows the business to manage employees' access to
systems and applications,

• Security Assessment and Testing; includes code reviews, vulnerability scans,
penetration testing, log reviews, misuse case testing, regression testing, attack
simulations and compliance checks,

• Security Operations; guides a business in integrating its internal IT security
and operations practices to improve collaboration, reduce risks, and
operate through a security operations centre (SOC), and

• Software Development Security.

3.1.2 THE SECOND ONE IS CISA - CERTIFIED INFORMATION SYSTEMS AUDITOR

This certification primarily covers:

• Information System Auditing Process, which includes obtaining background
information about the information systems, comprehending the appropriate
controls, devising an audit plan, verifying whether the controls comply with
the governing rules, using analytical methods to summarise the evidence,
and submitting a report[205],

• Governance and Management of IT, which specifies the accountability framework
and furnishes oversight of the risks,

• Information Systems (IS) Acquisition, Development and Implementation, which
provides pertinent details on IS maintenance procedures, systems
engineering development practices, application hardening, and best
practices for auditing risk mitigation[206],

• Information Systems Operations and Business Resilience, and

• Protection of Information Assets, which ensures the continued availability of IT
systems and data while securing the integrity of the information stored on
the systems, in transit, and at rest.

3.1.3 THE THIRD ONE IS CCSP - CERTIFIED CLOUD SECURITY PROFESSIONAL

This certification primarily covers:

• Cloud Concepts, Architecture and Design, which states the elements and
subcomponents embedded in the cloud along with its service and deployment
models[207, 208],

• Cloud Data Security, which is typically the protection of information through
backups, cloud storage, and business continuity/disaster recovery
methods, all of which are supposed to ensure that data remains within an
organisation's possession in the event of a breach or data loss in one
location,

• Cloud Platform & Infrastructure Security, which is a grouping of security
benchmarks designed to protect cloud-based infrastructure, applications,
and data, predominantly using user and device authentication, access
control, and privacy protection mechanisms,

• Cloud Application Security, which is a set of policies, processes, and control methods that
enable businesses to protect applications and data deployed in the
cloud,

• Cloud Security Operations, which covers the essentials for designing,
planning, enforcing, maintaining and overseeing the physical and logical
cloud infrastructure, and

• Legal, Risk, and Compliance, which enunciates legal necessities and the unique risks
within the cloud environment.

3) A significant amount of effort was put into understanding the issues associated with each
domain. However, the author's work experience in the industry, associations with various
parties ranging from engineers to stakeholders and equipment manufacturers, and easy
access to user and installation manuals for the equipment paved the way for successful
information gathering.

4) Every aspect of the cybersecurity issues is considered from a logical, physical and
administrative control point of view. This effort eventually led to identifying all possible
security issues in all five domains, tabling them, and assessing risk (Appendix A).

5) The information under investigation needs to be generalised and made consistent with
industry standards. This process makes the analysis much more manageable and prioritises
the various risks and vulnerabilities more efficiently. As a consequence of analysing the
gathered information, it was necessary to devise multiple methods to enhance its
accuracy and reduce uncertainty.

6) Based on the analysis performed on the gathered evidence of various risks and
vulnerabilities, a framework must be developed. This study includes simulation testing
of the framework with multiple scenarios, including the following dependencies.

• Aviation players and systems,

• Information security governance,

• Information security management,

• Security operating centre (SOC),

• Security testing and audit, and

• Regional and international bodies, regulations and directives.

3.2 RESEARCH DESIGN

The objective of identifying, quantifying the level of impact and managing the risk within
complex aviation systems interconnected with various other significant subsystems is
worked out by proposing a framework that employs the 3PE model developed to improve
risk analysis. In this backdrop, ISO/IEC 27K, NIST SP 800-53, ENISA, and ISM are also studied
for their practical implementation in the general IT/OT environment.

This research aims to remove the uncertainty of risk attributes and propose a technique
that can be adopted to achieve the highest possible probability of success.

A qualitative risk assessment methodology was adopted to develop a baseline that could
then be used to analyse further and investigate risks surrounding the operations.

As a stepping stone, a comprehensive list of risks (a partial risk register from an enterprise
operation perspective) is developed by taking the 3PE model as the basic founding
framework.

The primary approach was to broaden the generic risk cluster and to look at the issues with
a fresh pair of eyes, including:

• Literature review (published after 2016),

• Reviewing the risk registers (if available within the organisation or published in the
public domain) of historical and current projects,

• Multiple brainstorming sessions, and

• Case studies presented in the reference textbooks for the cybersecurity
certifications CISSP, CISA and CCSP.

In order to manage and focus the investigation, some of the duplicated (in multiple
domains) and shallow category risks were ruled out of the research. However, this does not
imply that the identified low category risks have no probability of compromising any of the
systems whatsoever. As a result of this ruling out process, the identified risks have been
scaled down only to low through to catastrophic risk profiles leaving out the very low-risk
profiles.

3.3 INTELLIGENCE COLLECTION

There is a wide range of commercial and open-source tools for collecting and analysing
known cyber threats and new exploits (including threat intelligence sources). The
Common Vulnerabilities and Exposures (CVE) database is used to identify sophisticated
attacks and comprehend new risks before they hit a system[209, 210]. The information on
the Dark Web is also an excellent source to identify attack methods and exploits that are
potentially successful in compromising systems. As technology changes rapidly, at the
same time new vulnerabilities emerge and new threats surface [211-213].

Cybersecurity solutions cannot be considered a checklist that is ticked once, but rather an
ongoing system lifecycle process built into a product or service. There are many
legacy aircraft where cybersecurity was not considered from requirement definition
through the design phases, and any upgrades or retrofits were not performed with cybersecurity in
mind either. As new threats materialise, there should be a process to ascertain the latest
threats, or a mechanism to collect intelligence, understand the risk, and subsequently
mitigate and monitor. The process is very similar to regular safety assessments, where
critical pieces of equipment are closely monitored for functioning outside their
operational thresholds.

Threat hunting in cybersecurity is an essential component of intelligence collection. This
process involves several activities that security administrators can perform to discover
enterprise-wide threat vectors[214, 215]. The threats come, to a certain extent, from intelligent
operators who adapt to new defence mechanisms in the network and always
have workarounds to break into a network or IT system. Therefore, security controls need to be
rigorous and use a wide-ranging arsenal of hunting techniques to uncover threats. Threat
hunting is always a labour-intensive job for an analyst, both for interpreting the context
more deeply and possibly for utilising statistical and big data analysis tools in exceptional
cases. Successful hunts can be used to generate new threat signatures, and
automated signals can be added to improve aerospace systems' resilience[216].

3.3.1 AIRCRAFT SYSTEM (DOMAIN 1)

The aircraft system (aviation domain) includes aircraft (avionics and associated
information systems), ground-based CNS/ATM systems, and airport IT systems and network
infrastructure (Fig. 11). The Aircraft Information System Architecture is depicted in Fig. 12. The
airport systems (the last element of the three) are not examined in this research, as they consist of
common IT infrastructure found in any data centre.

Fig. 11. Domain 1 - Aircraft Information Processing Systems and Interconnections.

3.3.1.1 TASK AUTOMATION SYSTEMS

The main intention of deploying an automation system is to reduce the crew workload and
enable the least amount of crew engagement by managing as many tasks as appropriate
so that the role of crew members is to supervise and monitor system functions. The functions
and management roles of automation functions are outlined in the undermentioned
paragraphs.

Flight management comprises all the radio navigation aid system operations and the
fusion of data from all the navigation sensors. The inertial navigation system
(INS) and GPS functions provide the best reasonable estimate of the aircraft position,
lateral speed, and track. The system drives the steering commands for the
autopilot so that the aircraft automatically follows the planned navigation route while
adjusting the heading along the particular waypoints (flight route) toward the
destination. It should be noted that the flight management system (FMS), if installed, carries
out this function.

Fig. 12. Aircraft Information System Architecture.

The Autopilots and Flight Management Systems in commercial aircraft are grouped
together to form a single functional block because of the very close degree of integration
between these systems on modern civil aircraft. It should be noted, however, that the
Autopilot is a ‘stand-alone’ system, and not all aircraft are equipped with an FMS.

The autopilot relieves the pilot of the need to fly the aircraft continuously, with the consequent
monotony and exhaustion, by enabling them to concentrate on other tasks associated with the
primary mission. Modern state-of-the-art high-integrity autopilot systems are capable of
providing precise control of the aircraft flight track along the glide path and localizer signal
for automatic landing in zero visibility conditions to the runway touchdown point, provided
that the airport is equipped with a Cat III or higher category Instrument Landing System (ILS).

The FMS carries out the following automation tasks, and they could be affected by a cyber-
attack:

• On board flight planning,
• Navigation and information management,
• Engine control and management systems,
• Keeping the aircraft at the planned 3D or 4D position within the time slot provided by air traffic
control,
• Fuel management system (minimised fuel consumption by using a continuous
descent approach),
• Cabin/cockpit pressurisation systems,
• The environmental control system,
• Hydraulic-system management,
• Electrical-system management,
• Warning systems, and
• Maintenance and monitoring systems.

The following system elements in the aircraft domain could be affected by a cyber-attack:

• Passenger own devices,
• Flight Control Computers,
• Primary Flight Displays,
• Flight Management Computers,
• Navigation Displays,
• Automatic Flight Guidance/Control (Autopilot),
• Passenger and In-flight Entertainment (IFE),
• On board external comm systems (HF, VHF, UHF and Satcom),
• On board internal comm systems,
• Flight Attendant terminals,
• Maintenance access devices,
• Avionic interfaces,
• Satcom systems,
• Resource & sensor management systems,
• Human Machine Interfaces (HMI),
• Network management systems,
• The cockpit voice and data storage,
• The environmental control system,
• Routers/switches,
• Wireless bridge and access points,
• Cabin support functions,
• Embedded control functions, and
• Passenger device interface.

The significant threats and vulnerabilities that could be exploited against aircraft systems and associated
IT infrastructure (as depicted in Domain 1, Fig. 11) are:

• Zero-day attack on the flight management system (FMS): hackers exploit a software
vulnerability and influence flight plan data, navigational aid points, coordinates of
trajectories, and weather information,
• Insufficient network segregation among the In-Flight Entertainment (IFE) system, the
FMS, and the passenger wireless network (as a result of a poorly managed aircraft
maintenance management system),
• Virus, malware, Trojan, bot or worm attack on the FMS,
• ADS-B flight identification spoofing (altered Aircraft ID),
• Malware attack on the Aircraft Communications, Addressing and Reporting System
(ACARS); Controller Pilot Data Link Communication (CPDLC) message
alteration or deletion to compromise flight route reporting points, aeronautical and
weather information,
• Stuxnet (or malware) attack on the aircraft radar transponder (modified Aircraft ID and
altitude),
• Global Navigation Satellite System (GNSS) jamming and spoofing (through
malware),
• Unlawful access to the Electronic Flight Bag (EFB) and navigational-aid databases
through insecure ports, transmission lines (copper or fibre) and unencrypted wireless
means,
• Use of manufacturers' proprietary encryption algorithms between aircraft and
ground control centres for data communication,
• Compromised private keys being used between avionics and air traffic
management systems when Public Key Infrastructure (PKI) is used for information
exchange,
• ADS-C and CPDLC login credential privilege escalation,
• Denial-of-Service (DoS) or Distributed DoS (DDoS) attack on aircraft datalink
applications,
• State regulations requiring disclosure of the secret key (or the private key of the PKI) and
encryption algorithms to the country's authority (when cryptosystems are
used for avionic-ground data link communication),
• Use of the unsecured Industrial, Scientific, and Medical (ISM) radio band (802.11 b/g) to
update aircraft information system software (AHM, LSAP, VDAR, EFB) (Table 1) using the
Boeing GateLink Terminal Cellular Unit (TCU),
• Use of open (plaintext communication) wireless dataloaders to update
databases and the configuration of the avionics system,
• In-flight data updates over the Internet via a satellite link with no SSL/TLS or VPN
connection,
• No active intrusion detection and dynamic attack response mechanism (such as a
firewall and IPS) to counter an in-flight cyber-attack,
• Regulation and internal organisation policy constraints – delays in important security
updates pending approval from authorities, and
• Use of default system logins (default usernames and passwords set by
equipment manufacturers).

3.3.2 AIR TRAFFIC MANAGEMENT SYSTEM (DOMAIN 2)

The ATM mission systems are based on a distributed architecture implemented over a wide
area network between the main ATC centres and neighbouring Flight Information Regions
(FIR) (Fig. 13). Each ATM component is based on the same architecture and includes the
same core systems supplemented by additional subsystems. Voice and data are
exchanged between external communication systems via various interfaces and in diverse
data formats. The primary operational functions provided by an air traffic mission system
are:

• Prevent collisions involving aircraft,
• Provide a safe and expeditious passage for air traffic,
• Support air defence missions to avoid conflict with civil aircraft,
• Observe procedures and minima enforced by regulatory authorities, and
• Assist aircraft when an emergency has been declared.

Fig. 13. FIR and Sectorisation of airspace for efficient Air Traffic Management.

An air traffic control position is typically used for the following tasks by ATCs:

• Issue landing and takeoff instructions to flights,
• Monitor and advise the movement of aircraft on the ground and in the air, using the
situational air display, computer decision aids and visual references,
• Control all airfield traffic (only by aerodrome controllers).

The ATM system comprises various subsystems, servers, database systems and network
infrastructure. The voice and data are exchanged between external communication
systems via multiple interfaces and in different data formats. The following systems (Table
3) and services are predominantly connected to the ATM system.

Table 3. The ATM systems and services

# Systems and services connected to the ATM system
1 Surveillance information on situational air displays,
2 Flight data management,
3 Coordination functions between adjacent sectors,
4 Conflict detection,
5 Arrival / Departure management,
6 Aeronautical data management,
7 Workload management function,
8 Ground facilities management,
9 Voice switching for Air/Ground and Ground/Ground Communication,
10 Graphical Airports (Runway, taxi lights, PAPI and indicator markers and sign controls),
11 Radar data processor (RDP),
12 ATC console system,
13 Electronic flight strip display system,
14 Radar data recording,
15 ATC voice recording,
16 Data switches,
17 Fallback system,
18 Switches/Routers and associated network devices,
19 Human Machine Interface (HMI),
20 Meteorological data processing system,
21 Aeronautical Fixed Telecommunication Network (AFTN),
22 Aeronautical Message Handling System (AMHS),
23 Controller–pilot data link communications (CPDLC) interfaces,
24 Satellite phone system,
25 GPS-RAIM feed,
26 Flight information systems,
27 Aeronautical Information Services (AIS),
28 Met data console,
29 Aircraft noise monitoring console,
30 Runway viewing system,
31 Fire and crash alarm,
32 Automatic Weather Stations (AWS) information,
33 Search and rescue system,
34 Oceanic flex track system,
35 D-Taxi system (for aerodrome operation only),
36 Integrated voice communication system (HF, VHF, UHF, Satellite and VoIP) between ATC centres and aircraft,
37 Voice switching function with touch screen facility,
38 Air situation display with decision aids (Radar, ADS-B, ADS-C and A-SMGCS),
39 Secondary ADS-B / Radar,
40 HF warnings (day/night time restriction frequency assignment),
41 Aviation Weather Services (lightning strikes, real-time wind, graphical QNH),
42 Notice to Airmen (NOTAM) system – disseminates communication, navigation, surveillance and airport system serviceability status among ANSP partners using the ATN, AMHS and AFTN networks,
43 Airspace (routes and reporting points Mosaic database),
44 Aircraft (information database),
45 Charts, systems and functional information,
46 Web interfaces (SkyVector etc.),
47 ATFM and A-CDM web interface and APIs, and
48 Automatic Terminal Information Service (ATIS).

The ATM system safeguards include internal security services furnished and consumed by
the ANSPs, which include:

• Cyber security services to protect information systems and network infrastructure,
• Physical security services to protect facilities, and
• Countering unlawful interference with aircraft communication on air traffic control (ATC)
frequencies.

Fig. 14. Domain 2 - A typical configuration of an Air Traffic Management (ATM) system.

The significant threats and vulnerabilities identified during the intelligence collection
process that could be exploited against air traffic management systems, as depicted in Domain 2 (Fig.
3 and Fig. 14), are listed in Table 4.

Table 4. The ATM systems vulnerabilities

# Vulnerability
1 Misconfigured or inadequate network segregation: ATM, corporate, publicly accessible network infrastructure,
2 Information seepage through a covert channel (timing or storage) attack,
3 Replay (ADS-B) + Man-in-the-middle (MITM) attack where altered ADS-B aircraft location data is fed into the ATM system,
4 Open (or unencrypted) voice (VoIP) and data communication over a publicly shared network between ATM centres,
5 Insufficient network endpoint and perimeter security controls (which could lead to encrypted malware deployment),
6 Database or SQL injection (SQLi) attack (flight route, flight plan, reporting points, aircraft parameter, weather, and aeronautical information databases),
7 ATM system privilege escalation attack,
8 Inadequate endpoint security and application protection (no control mechanism to address virus, worm, Trojan, rootkit, spyware, blended threat, and adware deployment),
9 Session hijacking via remote access (admins use remote VPN to troubleshoot ATM systems and networks),
10 ACARS (ADS-C and CPDLC messages) privilege escalation,
11 No software patch management mechanism for ATM systems (leading to zero-day and remote code execution attacks),
12 No Business Continuity Plan (BCP) or Disaster Recovery Plan (DRP) for ATM mission support systems,
13 No Security Information and Event Management (SIEM) machinery for the ATM system and associated network infrastructure,
14 Notice to Airmen (NOTAM) system privilege escalation,
15 Unlawful interception of or interference with wireless ATC information exchange,
16 Denial-of-Service attack on the core or distribution layers of the network connecting adjacent ATSP facilities,
17 Known-plaintext, chosen-plaintext or chosen-ciphertext attack (symmetric-key attack) between avionics and the ATM system when using encrypted data communication,
18 Insufficient physical security and access controls for ATM systems,
19 No patching on GPS-RAIM servers, and
20 No incident response plan for possible cyber-attacks on air traffic systems.

Fig. 15. ANSP communication and surveillance system antennas: (a) Secondary radar, (b)
Primary radar, (c) Microwave radio, (d) VHF stacked folded dipoles, (e) VHF radio single
folded dipole – Melbourne Airport radar station.

3.3.2.1 SURVEILLANCE EQUIPMENT

The surveillance services provide two- and three-dimensional (2D and 3D) location
information of an aircraft's position so that air traffic controllers can maintain safe separation
between aircraft. Surveillance systems are categorised into non-cooperative
independent surveillance systems (PSR and SMR with a 2D view), co-operative
independent surveillance systems (SSR and MLAT with a 3D view), and dependent
surveillance systems (ADS-C and ADS-B with a 4D view [including the time parameter]). Fig.
15 depicts a typical ANSP communication and surveillance system (primary and secondary radar
installation) with other aeronautical communication antenna systems.

3.3.2.2 SURVEILLANCE DATA SERVICE

Information derived from surveillance systems supports efficient, safe and effective Air
Traffic management. Radar is the primary tool Air Traffic Controllers use to provide many
vital services to aircraft, such as radar vectoring, traffic separation and sequencing. The air
traffic controllers are presented with an on-display map of the area of responsibility
showing the aircraft's position within the plan position indicator (PPI or radar display).

3.3.2.3 DEPENDENT AND INDEPENDENT SURVEILLANCE

Dependent surveillance methods rely totally on the aircraft's navigation equipment to determine
the aircraft position. The pilot, via radio (manual) or avionics (automatic), transmits the current
position as determined on board the aircraft. Independent surveillance systems
use ground-based equipment to locate aircraft without aircraft intervention. Primary
surveillance radar uses signals reflected off aircraft to establish their position and range.
Automatic Dependent Surveillance-Broadcast (ADS-B) and ADS-Contract (ADS-C) are
examples of automatic dependent surveillance, and they rely on the information provided
by the subject aircraft.

3.3.2.4 PRIMARY SURVEILLANCE RADAR (PSR)

The PSR is considered a non-cooperative independent surveillance technique as it does
not rely on airborne transponder equipment.

Fig. 16. Primary and secondary radar systems used for civil aircraft surveillance.

PSR relies on transmitting RF waves and listening for echoes. The amount of radar signal
reflected from an object also depends on the shape of the object. An echo indicates the
presence of an object, and the PSR filters only moving objects for processing. The range
to the moving object is established by measuring the time taken for the echo to return. Primary radar
has evolved from pulse radar technology to pulse compression with linear FM technology,
which yields accurate aircraft bearing. The PSR used in ATC applications can typically see
a 60 NM range from the airport, and the maintenance and installation cost of primary
radar is significantly high compared to other surveillance systems.

The bearing or direction of an aircraft from a radar head is determined by rotating the dish
antenna, at a typical rate of 15 revolutions per minute for PSR and two revolutions per
second for Surface Movement Radar (SMR). Fig. 16 depicts a functional block diagram of
a PSR co-located with an SSR.

3.3.2.5 ADVANCED SURFACE MOVEMENT GUIDANCE AND CONTROL SYSTEM (A-SMGCS)

A-SMGCS differs from an SMGCS in providing full service under poor weather conditions, high
traffic density and complex aerodrome layouts. More operational details can be found in
ICAO Doc 9476 for SMGCS and Doc 9830 for A-SMGCS.

The A-SMGCS is an airport traffic management system that provides a broad surveillance
picture of the airport surface and aerodrome control zone. Data from the coverage
volume, including the position and identity of aircraft and vehicles, is processed and
displayed at the Air Traffic Controller Working Positions (ATCWPs).

The system uses a combination of Surface Movement Radar (SMR) and transponder
multilateration (MLAT) sensors to establish the positions and identities of the aircraft and
vehicles on and around the airport surface. Integrating the multilateration sensors with the
surface movement radar provides data with accuracy, update rate and reliability suitable
for improving airport safety in all weather conditions.

An A-SMGCS installation comprises the following subsystems:

• Multilateration (MLAT),
• Surface Movement Radar (SMR) system,
• Multistatic Dependent Surveillance Subsystem,
• Multi-Sensor Data Processor Subsystem,
• Communication network infrastructure, and
• Power subsystems.

3.3.2.6 MULTILATERATION (MLAT)

Multilateration allows locating co-operative aircraft (those that respond to interrogations) by
multistatic measurements using the Time Difference of Arrival (TDOA) of the RF signal received at
several ground stations. MLAT is used for en route, terminal area and airport surface
surveillance. Civil aircraft transmit Mode A/C and Mode S replies to SSR interrogation, and the
spontaneous periodic transmission (squitter) by a Mode S transponder of a specified
format, including the aircraft ID, permits passive acquisition. The signal needs to be
received by at least three ground stations for a 2D view and four ground stations for a 3D view.
If the aircraft's altitude is derived from Mode C replies, the absolute location of the target
is determined using three signals acquired from the receiving stations.

MLAT requires a synchronised reference time pulse to resolve the relative Time of Arrival
(TOA) of the received signal at the ground stations, and this signal is time-stamped by a
shared high-precision clock signal derived from GPS before the target reports are retransmitted
for processing.

Fig. 17. Multilateration – effect of a processing delay (DoS attack) on the accuracy of aircraft
location information.

$$d_1 = C \cdot \mathrm{TOA}_1;\qquad d_2 = C \cdot \mathrm{TOA}_2;\qquad d_3 = C \cdot \mathrm{TOA}_3 \qquad (3.1)$$

where $C$ = speed of light.

Ground stations (GS) determine the precise time of arrival (TOA) of received signals, and
the multilateration server calculates the TOA difference for each pair of GSs. In Fig. 17, the
two GSs (A & B) both receive a signal from the aircraft, and the Time of Arrival (TOA) of the
signal is time-stamped on each station's target report.

The time difference $\mathrm{TOA}_1 - \mathrm{TOA}_2$ corresponds to the distance difference

$$d_2 - d_1 = C \cdot (\mathrm{TOA}_2 - \mathrm{TOA}_1) \qquad (3.2)$$

At a given time, the aircraft lies on the locus of points (a hyperbola) whose distances to the two stations differ by $d_2 - d_1$. Several
ground stations in the vicinity receive the signal transmitted by the aircraft, and a third GS (C)
gives two more differences, and thus two more hyperbolas follow:

$$d_2 - d_3 = C \cdot (\mathrm{TOA}_2 - \mathrm{TOA}_3) \qquad (3.3)$$

$$d_1 - d_3 = C \cdot (\mathrm{TOA}_1 - \mathrm{TOA}_3) \qquad (3.4)$$

Knowing the speed of light (C), the aircraft can be located at the intersection(s) of the
hyperbolas, as shown in the diagram. A fourth GS provides a 3D view of the target, and
receiving from more than four GSs helps improve the location information's accuracy.
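As an added worked example (not code from the thesis), the Python below solves the hyperbola equations (3.2) to (3.4) numerically for a constructed three-station layout and then delays one station's timestamp by 1 µs to show the position error that the processing-delay effect of Fig. 17 produces; it also accepts more than three stations and combines the extra hyperbolas in a least-squares sense. The station coordinates, aircraft position and delay value are assumptions.

```python
"""2D hyperbolic (TDOA) multilateration with an injected timing delay.

Added example: solves d_j - d_0 = C (TOA_j - TOA_0) for every station j
relative to station 0, then shows how delaying one station's timestamp
(a processing delay, as in Fig. 17) shifts the computed aircraft position.
"""
import math

C = 299_792_458.0  # speed of light in m/s (the "C" of eq. 3.1)

# Constructed ground-station layout (metres, local tangent plane) and a
# constructed true aircraft position; these are not from the thesis.
STATIONS = [(0.0, 0.0), (10_000.0, 0.0), (0.0, 10_000.0)]  # GS A, B, C
TRUE_POSITION = (3_000.0, 4_000.0)


def distance(p, q):
    """Euclidean distance between two 2D points."""
    return math.hypot(p[0] - q[0], p[1] - q[1])


def simulate_toas(position, stations, transmit_time=0.0):
    """TOA_i = transmit_time + d_i / C (eq. 3.1 rearranged). The unknown
    transmit time cancels in every TOA difference used by locate_2d."""
    return [transmit_time + distance(position, s) / C for s in stations]


def locate_2d(stations, toas, guess=None, max_iter=50, tol=1e-6):
    """Gauss-Newton solve of the hyperbola equations relative to station 0.
    Three stations give two hyperbolas (a 2D fix, as in eq. 3.2 and 3.4);
    additional stations over-determine the fix and are combined by least squares."""
    if len(stations) < 3:
        raise ValueError("2D multilateration needs at least three ground stations")
    if guess is None:  # start the iteration from the station centroid
        guess = (sum(s[0] for s in stations) / len(stations),
                 sum(s[1] for s in stations) / len(stations))
    x, y = guess
    for _ in range(max_iter):
        d0 = distance((x, y), stations[0])
        g0x = (x - stations[0][0]) / d0  # gradient of d_0 w.r.t. x
        g0y = (y - stations[0][1]) / d0  # gradient of d_0 w.r.t. y
        # Accumulate the normal equations (J^T J) delta = -(J^T r).
        a11 = a12 = a22 = b1 = b2 = 0.0
        for j in range(1, len(stations)):
            dj = distance((x, y), stations[j])
            r = (dj - d0) - C * (toas[j] - toas[0])  # residual of one hyperbola
            jx = (x - stations[j][0]) / dj - g0x      # d r / d x
            jy = (y - stations[j][1]) / dj - g0y      # d r / d y
            a11 += jx * jx
            a12 += jx * jy
            a22 += jy * jy
            b1 -= jx * r
            b2 -= jy * r
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:
            raise ArithmeticError("degenerate geometry: hyperbolas do not intersect uniquely")
        dx = (b1 * a22 - a12 * b2) / det  # Cramer's rule on the 2x2 system
        dy = (a11 * b2 - a12 * b1) / det
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < tol:
            break
    return (x, y)


def position_error_with_delay(delay_s, station_index=0,
                              stations=STATIONS, truth=TRUE_POSITION):
    """Delay the timestamp of one station by delay_s seconds (e.g. a processing
    delay caused by a DoS on that receiver) and return the distance in metres
    between the computed and the true position."""
    toas = simulate_toas(truth, stations)
    toas[station_index] += delay_s
    estimate = locate_2d(stations, toas)
    return distance(estimate, truth)


if __name__ == "__main__":
    print("clean fix error    : %.3f m" % position_error_with_delay(0.0))
    print("1 us delay at GS A : %.1f m" % position_error_with_delay(1e-6))
```

A 1 µs timestamp delay corresponds to about 300 m of range error at a single station, which the solver turns into a position error of a few hundred metres on this geometry.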

Fig. 18. Multilateration systems used for civil aircraft surveillance.

Two or more interrogators are used (on 1030 MHz) in regions where adequate replies are
not received from aircraft for processing. Only one interrogator is in operation at any given
time, and the standby interrogator takes over when the main one fails. Unlike SSR, interrogators
do not use a rotating antenna; instead, an omnidirectional antenna is used. Short-range
interrogators (with low power) are employed to acquire low-level aircraft on approach
that fall below the coverage of the existing terminal approach radar. As terminal areas
are constantly congested, aircraft on approach benefit from frequent interrogations
and higher update rates, improving accuracy and probability of detection. Some
interrogators employ selective interrogation (selectively addressing aircraft by their Mode S
ID) in order to reduce unwanted replies.

The Mode S extended squitter (ES) ADS-B technique provides sufficient transmissions
for MLAT and the required operational data (Mode S ID, height and speed). Other than to
improve accuracy or obtain more rapid updates, there should be no need to
actively interrogate a Mode S aircraft equipped with 1090 MHz ES capability.

Please note: pilots operating a Mode A/C transponder at a radar-controlled aerodrome are
required to leave the transponder selected to STANDBY until the aircraft enters the departure
runway, and to select the transponder to STANDBY or OFF soon after landing on arrival, to avoid SSR frequency
congestion. More details on MLAT operation are given in ICAO Doc 9924 Appendix L. Fig. 18 depicts
a typical multilateration system architecture used for civil aircraft surveillance.

3.3.2.7 SURFACE MOVEMENT RADAR (SMR) SYSTEM

The SMR is the most widely used surveillance system (operating in the X-band frequency
range) for airport surface surveillance (Fig. 19), and its operation is similar to the primary radar
system. It provides surveillance cover for the aircraft and vehicle manoeuvring area of the
airport with a high update rate. The SMR antennas are often mounted on the control tower
or on a mast located in the airfield with good visibility of the aircraft manoeuvring area.
Target labelling on the displays may not be possible when SMR is used in standalone
mode; hence, ATCs use visual identification of aircraft by looking out of the tower window.

Fig. 19. Surface movement radar (SMR) used at Melbourne airport for airport surveillance.

The MLAT system provides target label functions for transponder-equipped vehicles and
aircraft on the airfield with an A-SMGCS track fusion function (the MLAT fusion function
reduces the risk when the airport is at low visibility and can easily identify runway intrusions).

Once the targets are acquired, they are passed to a fusion processor. The typical range
of SMR is 500 to 14,000 feet, and its rotation speed is 1Hz.

A typical SMR installation comprises the following subsystems:

• Local Area Network (LAN) switches,
• Media converters (or data format converters),
• Antenna structure,
• Radar Data Processors (RDPs) - perform target processing and tracking,
• Main and standby power,
• Communication devices - pass tracks to the fusion processors and ATC display,
and
• Compressor and dehydrator - keep the radar waveguides moisture-free.

3.3.2.8 THE AUTOMATIC DEPENDENT SURVEILLANCE - BROADCAST (ADS-B)

ADS-B is a surveillance system for aircraft equipped with ADS-B transmitters in non-radar
airspace. The ADS-B ground stations are strategically located to cover a wide range of
(overlapping) geographical areas to receive ADS-B transmissions, alongside other
surveillance systems (such as SSR, MLAT and ADS-C). The ground stations are duplicated
for redundancy and equipped with high-gain omnidirectional antennas (Fig. 20).
Also, the ground stations are fed by radar-like site monitors for ADS-B system integrity
monitoring. ADS-B can be used to cover a range of 200 NM, which varies with the aircraft's
altitude.

An ADS-B ground station can be described as follows:

• Each site contains two ADS-B receivers, which use redundant networks to connect
back to the ATC centre core network,
• The ADS-B network uses terrestrial and satellite links to carry its payload of aircraft
data from remote sites to the nearest ATC centre (there is a delay of
approximately 270 ms over a satellite link - the time taken for the information to travel 35,800 km into
space and return from the satellite),
• The typical bandwidth used for ADS-B is 64 to 128 kbps, and
• Many ADS-B remote sites are also co-located with VHF / HF radios, radar and third-
party telecommunication service providers.

Fig. 20. ADS-B surveillance network.

ADS-B Out transmits location information (derived from a GNSS) to ADS-B ground stations
and to other aircraft equipped to receive ADS-B broadcasts (Table 5). Accordingly, all
aircraft flying at Flight Level 180 and above (Class A airspace) are required to transmit on
the 1090 MHz ES link.

The MOPS for 1090 MHz ES ADS-B can be found in DO-260/260B with Corrigendum 1.

Table 5. ICAO ADS-B parameter list

Parameter Data type
Aircraft ID ICAO Code (24 bits)
Time of Report 0.0078125 s (1/128 s resolution) (16 bits)
Latitude & Longitude 100 metres resolution
Altitude GPS and/or Barometric
Heading Magnetic or True
Airspeed Knots
Target Status Emergency, Comm. failure and hijack etc.
Integrity and Accuracy For position, altitude, velocity, NIC/NAC/SIL
Additional parameters Selected Altitude, Altimeter Setting, Selected Heading, Autopilot Engaged, VNAV Mode Engaged, Altitude Hold Engaged, Approach Mode Engaged, LNAV Mode Engaged, Capability Codes (UAT RX, TCAS/ACAS Operational, etc.), Operational Modes (Receiving TCAS/ACAS, IDENT, etc.)

The significant threats and vulnerabilities identified during the intelligence collection
process that could be exploited against surveillance systems are:

• Unplanned shutdown;
▪ Denial of service by compromising physical power connections to remote
sites,
▪ Reduced service availability,
▪ Extra cost for airlines – the go-around procedure requires aircraft to consume
extra fuel for the thrust and to be placed in a holding pattern,
• For radar and ADS-B: unauthorized access to site monitors located remotely will
negatively impact the surveillance service, with a possible DoS attack for an extended
period,
• Poor network segregation allows attackers to access and change radar data, and
enables possible configuration changes and injection attacks,
• A MITM attack can inject or alter aircraft ID, altitude, position and speed data,
confusing ATCs,
• MLAT: an attack on the servers that calculate the Time Difference of Arrival (TDOA) will
show erroneous flight and vehicle positions on surveillance displays,
• Spoofing of ADS-B data. Spoofing is an attack wherein false data is inserted into the
standard data link between the aircraft and the ADS-B ground receiver, or between the ADS-B
remote site and the ATC centre (when strong encryption is not employed),
• GNSS spoofing attack; GNSS provides accurate synchronised timing data and WGS-
84 positional data. The surveillance (ADS-B, ADS-C, Multilateration),
communications (CPDLC) and navigational services, and augmentation of data
(GBAS and SBAS), supply higher levels of accuracy as a result of GNSS data.
GNSS spoofing will cause;
▪ Erroneous landing and navigational guidance for GBAS and SBAS,
▪ Erroneous target and track output from the MLAT system to the ATM system,
▪ Radar, ADS-B and MLAT overlapping confusions,
• ADS-B's lack of encryption and authentication exposes it to the various cyber-
attacks mentioned in this thesis [217],
• The use of USB thumb drives to transfer/update software and operating systems on
equipment, and to store status reports downloaded from the Remote Control and
Monitoring Systems (RCMS), has created a potential route for the introduction of malware or
other threats from personal USB devices carried by technical personnel,
• Exposure to more security vulnerabilities as a result of a poor security patch update
procedure, owing to the fact that the majority of equipment is located remotely,
• Poor password selection, management, organizational use and privileged access
policy have created a new threat landscape across the board,
• Telnet (an unsecured, plain-text communication method) used for remote
administration allows attackers to sniff data and perform a replay attack. Secure
Shell (SSH) provides encryption for remote configuration and access,
• Poor event log and alarm management: this impedes taking real-time
action to prevent further system damage due to a cyber-attack. Event monitoring and
real-time alerts and notifications are compulsory for surveillance systems built on
information technology, and they provide undeniable audit trails for forensic
investigations. Event management offers the following details to system
administrators [218];
▪ System Account Management,
▪ Directory Service Access Attempts,
▪ Logon Failures – Active Directory,
▪ Logon Failures – Local Logins,
▪ Object Access Attempts – Success/Failure,
▪ Object Deletions,
▪ Password Reset Attempts by Users,
▪ Password Reset Attempts by Administrators or by Account Operators,
▪ Process (Program) Usage,
▪ User Activity in Auditing Categories,
▪ Successful Network Logons – Workstations and Servers,
▪ Policy Change - Success/Failure,
▪ Account Management – Success/Failure,
▪ Directory Service Access - Success/Failure, and
▪ System Events - Success/Failure.
• The use of SNMPv1 and SNMPv2c for network management. These two versions are
considered insecure network management protocols and are not recommended
for safety- and security-critical applications. The proposed SNMPv3 uses
authentication and privacy features to encrypt the message payload so that
unauthorized users cannot read it. The main threats and vulnerabilities of SNMP
versions 1 and 2c are;
▪ An attacker could prevent the device from sending SNMP traps for failed
authentication, and subsequently crack the admin password for the device
without being noticed,
▪ SNMP queries may unintentionally pass through packet filters and firewalls, so that remote
network sniffers could obtain the exact filter rules of the network,
▪ Remote packet capturing for the extraction of system information, and
▪ Unauthorized access to some SNMP variables using hidden SNMP
communities.
• No cross-domain security; ADS-B traffic crosses various network and domain
boundaries, including transmission to foreign systems such as radar and ATM
systems, and is prone to replay and injection attacks.

3.3.2.9 VHF VOICE AND DATA LINK COMMUNICATION SYSTEMS

3.3.2.9.1 VHF OVER AN ANALOGUE NETWORK

The characteristics of the air-ground VHF communication system (Fig. 21) and applicable
requirements are set out in ICAO Annex 10 (Volume III chapter 2), ICAO Doc 4444 ATM/501,
ICAO Annex 11 and for Australian airspace in CASR 171 and 172 and associated Manuals
of Operating Standards [MOS] and Operations Manuals.

Fig. 21. Typical VHF radio network connection between aircraft and the ATM services.

VHF communication is considered short-range because objects, mountains or the earth's
curvature usually limit the distance covered, and the upper atmospheric layers do not
reflect VHF signals to communicate to areas beyond line-of-sight. Remote areas are
covered by ground stations, connected by satellite links to the major centres, and some of
the larger sectors operate several different frequencies simultaneously, giving continuous
communication with aircraft several hundred kilometres apart.

Fig. 22. Various communication links used for VHF services.

The VHF system provides two-way voice (simplex or half-duplex) communications between
aircraft and air traffic control for the channelling of information relevant to the flight (Fig.
22). VHF requires line-of-sight (LOS) operation, and therefore VHF transceiver antennas are
mounted on high ground, free from RF interference. VHF operates in the 118 to 137 MHz
band using double-sideband amplitude modulation (DSB-AM) with 8.33/25 kHz channel
spacing, chosen according to the Flight Information Region (FIR) and the RF congestion/interference level.
The 8.33 kHz channel separation yields a theoretical 2280 channels (practically, this number
cannot be achieved for several reasons, such as coverage and range of services),
and by careful planning these frequencies can be reused over a broad geographical
region to facilitate aeronautical communication services.

In an operational environment, only one transmitter can be operated on a channel at
any one time, using the Push-to-Talk (PTT) button. Squelch control on a VHF receiver reduces the
receiver's background static and noise. The communication is broadcast to all the users
within range on the frequency, which provides an added operational advantage to the
remaining aircraft in the sector and enhances pilot situational awareness.

The VHF Service comprises primary, secondary and tertiary radios at multiple locations on
a common frequency that are individually selected and used as required by ATC. In
addition, VHF is used to broadcast Aeronautical Enroute Information Service (AERIS) and
Aeronautical Terminal Information Service (ATIS) [219].

Fig. 23. VHF retransmission: cybersecurity effect on a more significant ATC sector.

When it is required to provide ATS over a large geographical area (larger than
the area that a single VHF frequency can cover), multiple VHF frequencies are employed,
and these VHF services may be grouped into retransmission networks. A signal received by
one radio member of the network is broadcast on all other frequencies in the
network, as shown in Fig. 23. Retransmission allows an ATC to communicate on all
frequencies associated with the airspace under control. Retransmission is achieved within
the voice control switching system or Audio and Communication Exchange (VCX). Also, it
is common practice to form one sector by combining 3 or 4 sectors and to
administer them by a single ATC due to the lower air traffic movements at night.

The transmitter power level varies according to the operational region or the sector of the
FIR. For example, 50 W transmitters (for the 200 NM range) are used en route and in
oceanic areas, while 20 W and 10 W transmitters are used in approach and terminal
manoeuvring area (TMA) control because of the short range and small size of the sector.

3.3.2.9.2 VOICE OVER INTERNET PROTOCOL (VOIP) FOR ATM

Convergence of voice and data onto one media network has become the popular choice
with the advent of the TCP/IP suite. Following this trend, the majority of aeronautical
services (radar and intercom) have already been migrated to IP, and as a result, voice
services (VHF and HF) are in the process of transitioning to voice over internet protocol
(VoIP) technology.

3.3.2.10 HF COMMUNICATION SYSTEM

In oceanic and some en-route control areas outside the range of ground VHF stations, HF
is used as primary communication for air/ground operations. The HF band provides long-
distance air to ground communications using the ionosphere's refractive properties. The
ionosphere's refractive, reflective and absorptive properties vary with changes in solar
energy, affecting the sky wave path lengths to the receiving station.

HF is very susceptible to interference, which degrades reception quality, and its coverage
is unreliable because different frequencies are affected to varying extents by the
ionosphere.

It is difficult to silence the aircraft's HF receivers during 'no signal' periods because of the
continuous, annoying 'hash' heard when substantial interference is present (ICAO Annex 10
Volume III). As a solution, each aircraft's radio receiver is fitted with a Selective Calling
(SELCAL) decoder. The decoder alerts the crew by displaying a light (or sounding a chime)
when the receiver acquires a signal containing its own assigned SELCAL code. Based on
the number of digits used, the possible acceptable codes are restricted to 10,920, and the
assigned codes are aircraft-specific and are entered on the flight plan notification.

3.3.2.10.1 GROUND – AIR VOICE COMMUNICATION SYSTEM

Fig. 24. VHF voice data and possible cybersecurity exposure points.

The voice is delivered to ATC centres in the form of data packets using VoIP technology,
and this information is vulnerable to network-based attacks. In addition, the same audio is
processed using digital signal processing techniques so that low-level signals are amplified
and noise is removed. The system has several external connections, which include:

• Remote and local radios,
• ISDN telephony,
• Private Automatic Branch Exchange (PABX),
• Audio monitoring,
• VoIP radio and telephone,
• Voice recorder, and
• Time synchronisation.

The significant threats and vulnerabilities identified during the intelligence collection
process that could exploit VHF and HF communication systems are:

• Inadequate network security by design,
• No removable storage media prevention mechanism (delivery of malware into the voice
communication system through the insertion of malicious removable storage media):
▪ Malware that is capable of auto-execution may attempt to run and infect
servers and workstations,
▪ Exploitation of vulnerabilities in an organisation's information systems,
▪ Check-in/out procedure for removable storage media, and
▪ Introduction of unauthorised software or hardware,
• No virus/malware scanning procedure in place,
• Inadequate physical security for remote radio stations,
• Inadequate cross-domain security,
• Ad-hoc authorisations, security clearances and briefings for third-party maintainers,
• No software patch management for operating systems and application software,
• Multi-party access to the same cabinet which hosts radio equipment (both in remote
sites and data centres),
• Inadequate or no link encryption between remote and central sites,
• Poor security configuration management of the system,
• Inadequate security for cables and other associated accessories of the system,
• Ineffective security policy and procedure guidelines for the systems,
• Cross-domain security policies that are not implemented or are ineffective,
• Inadequate physical security at remote installations, and
• Poor or no event logging and auditing.

3.3.2.10.2 AERONAUTICAL DATA SERVICES

Aeronautical data service providers (ADSPs) are organisations or individuals who hold a
Civil Aviation Regulation approval and are authorised to publish aeronautical information
or charts that pilots can use as an alternative to the Integrated Aeronautical Information
Package (AIP) and the aeronautical charts posted by the ADSPs. The updated aeronautical
information is kept in databases maintained by airlines and airports, depending on the
operating model. When an aircraft arrives at the terminal gate of an airport, it establishes
wireless (or cellular) connectivity via an API to this airline database to update the aircraft's
navigational database and other aeronautical information. The Electronic Flight Bag (EFB)
is typically used for this purpose.

The significant threats and vulnerabilities identified during the intelligence collection
process that could exploit aeronautical data services are:

• Unencrypted wireless connection between aircraft and airline/airport systems,
• Network-based attacks,
• Database attacks,
• Web-based attacks and bogus certificates (self-signed SSL certificates),
• API weaknesses (lack of TLS/SSL),
• XML encryption issues and XML external entity (XXE) attacks,
• Billion laughs attack, a type of denial of service (DoS), and
• Insecure endpoints.
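The XXE and billion laughs entries above both arise when a data feed parser accepts a DTD it has no reason to accept. The following Python guard is an added example, not code from the thesis: it rejects external entity declarations outright and estimates the recursive expansion size of internal entities before the document reaches the real parser. The feed structure, entity names and thresholds are constructed assumptions.

```python
"""Pre-parse guard for XML aeronautical data feeds: blocks external
entities (XXE) and disproportionate internal-entity expansion
(billion laughs). Added example; feed shape and limits are constructed."""
import re
import xml.etree.ElementTree as ET

_EXTERNAL_RE = re.compile(r"<!ENTITY\s+%?\s*[\w.:-]+\s+(?:SYSTEM|PUBLIC)\b", re.I)
_ENTITY_RE = re.compile(
    r'''<!ENTITY\s+(?P<name>[\w.:-]+)\s+(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)')\s*>''')
_REF_RE = re.compile(r"&([\w.:-]+);")


class UnsafeXml(ValueError):
    """Raised when a document must not be handed to the XML parser."""


def expanded_size(entities, name, seen=()):
    """Characters produced by fully expanding entity `name`.
    Also detects reference cycles, which a DTD can be used to create."""
    if name in seen:
        raise UnsafeXml(f"recursive entity {name!r}")
    if name not in entities:
        return 1  # predefined entities (&amp; etc.) expand to one character
    body = entities[name]
    size, pos = 0, 0
    for m in _REF_RE.finditer(body):
        size += m.start() - pos
        size += expanded_size(entities, m.group(1), seen + (name,))
        pos = m.end()
    return size + len(body) - pos


def check_xml(doc, max_amplification=100, max_expansion=1_000_000):
    """Return the largest entity expansion found (0 if none); raise
    UnsafeXml for external entities or excessive expansion."""
    if _EXTERNAL_RE.search(doc):
        raise UnsafeXml("external entity declaration (XXE vector)")
    entities = {}
    for m in _ENTITY_RE.finditer(doc):
        entities[m.group("name")] = (m.group("dq") if m.group("dq") is not None
                                     else m.group("sq"))
    worst = 0
    for name in entities:
        size = expanded_size(entities, name)
        worst = max(worst, size)
        # Flag expansion that dwarfs the document itself or an absolute cap.
        if size > max_expansion or size > max_amplification * len(doc):
            raise UnsafeXml(f"entity {name!r} expands to {size} characters")
    return worst


def classify(doc):
    """'ok' or the reason the document was rejected."""
    try:
        check_xml(doc)
    except UnsafeXml as exc:
        return str(exc)
    return "ok"


def parse_feed(doc):
    """Validate first, then parse with the standard library parser."""
    check_xml(doc)
    return ET.fromstring(doc)


# Constructed sample inputs (not real feed content).
SAFE_FEED = '<feed><airport icao="YSSY"><qnh>1013</qnh></airport></feed>'


def _laughs(depth=5, fanout=10):
    """Constructed billion-laughs style test document, deliberately small:
    lol5 expands to 3 * 10**5 characters from a few hundred bytes."""
    decls = [' <!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        decls.append(f' <!ENTITY lol{i} "{"&lol%d;" % (i - 1) * fanout}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
            + f"\n]>\n<feed>&lol{depth};</feed>")


BILLION_LAUGHS = _laughs()
XXE_FEED = ('<!DOCTYPE feed [<!ENTITY ext SYSTEM "file:///placeholder-path">]>'
            '<feed>&ext;</feed>')

if __name__ == "__main__":
    for label, doc in [("safe", SAFE_FEED), ("laughs", BILLION_LAUGHS),
                       ("xxe", XXE_FEED)]:
        print(label, "->", classify(doc))
```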

3.3.2.10.3 VOICE SWITCHING AND CONTROL SYSTEM (VSCS)

The VSCS provides voice communications access between and within aerodromes, area
control centres and approach control centres. It permits air traffic operations staff to
perform the communications functions necessary to support air traffic management from
en-route centres and area control units (Fig. 25).

Fig. 25. Nextgen VOIP VHF network.

The ICAO WGI (Internet) working group is proposing to reference the EUROCAE EDs as part
of the future publication of ICAO standards for VoIP in aeronautical communication.
EUROCAE document ED-137A prescribes the telephony ground applications, and Part 2 of
the Interoperability Criteria for VoIP ATM Components provides further information.
EUROCAE Working Group 67 (WG-67) has defined criteria, requirements and guidelines
based upon operational needs and constraints such as security, Quality of Service (QoS)
and convergence [220] (infrastructure, protocol and applications).

The significant threats and vulnerabilities identified during the intelligence collection
process that could exploit the Voice Switching and Control System (VSCS) are listed in
Table 6.

Table 6. The VSCS threats and vulnerabilities

1. Inadequate network security by design,
2. No link encryption between the satellite remote and the hub/in-flight communication
system; inadequate or no link encryption between remote and central sites,
3. A data centre insider introduces malware to information systems,
4. Inadequate system and personnel authorisations, security clearances and briefings,
5. Inadequate cross-domain security,
6. Inadequate external supplier security,
7. Poor or no event logging and auditing,
8. Privilege escalation from client applications and web interfaces,
9. DoS, web interface or SQL attack on hosted data communication solution components
from the internet, clients, partner systems/networks, shared support, monitoring or system
administration components,
10. No removable storage media prevention mechanism (malware that is capable of
auto-execution may attempt to run and infect the workstation),
11. No media sanitisation,
12. No virus/malware scanning procedure in place,
13. Inadequate physical security,
14. Application software zero-day attack,
15. Missing patches for critical operating system security updates,
16. DoS attack - requesting excessive messages that exhaust network or server resources,
17. Loss of system logs resulting in an incomplete audit trail or degrading the ability to
enforce non-repudiation,
18. Lack of properly configured firewalls, intrusion prevention and detection of
unauthorised devices, or unauthorised (attempted) outbound traffic,
19. Inadequate security incident management and monitoring, including the need for a
Security Information and Event Management (SIEM) capability,
20. Inadequate network segregation between test and production systems,
21. Use of weak credentials for database, server and network applications (Zabbix),
22. Missing security updates for network devices,
23. Reuse of the same or the default password in the system environment,
24. Unrestricted permissions to files and directories of the communication system,
25. Unrestricted usage of multiple network-based protocols,
26. Shared credentials,
27. Unlocked (with no time-out function) workstations across all sites,
28. Usage of FTP for file access allowing clear text information exchange (without using
FTP with TLS/SSL),
29. Usage of early unsecured versions (v1, v2 and v2c) of SNMP in network management
and monitoring,
30. Use of OpenSSH services for remote access.

In addition, the use of OpenSSH services for remote access lacks provisioning, termination
and oversight processes for SSH keys, leaving compromised and legacy SSH keys in place;
key rotations are not performed often enough, and malware packages have been
collecting SSH keys [221].
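One practical control for the SSH key oversight gap described above is to reconcile every entry in an authorized_keys file against a key inventory, flagging keys nobody provisioned, keys whose owner has left, keys overdue for rotation, weak key types and keys without a source restriction. The Python audit below is an added example, not code from the thesis; the inventory format, rotation period and sample entries are constructed assumptions, and the key blobs are placeholder bytes rather than real public keys.

```python
"""Audit an OpenSSH authorized_keys file against a key inventory.
Added example; inventory layout, rotation period and sample keys are
constructed, and key blobs are placeholder bytes, not real public keys."""
import base64
import hashlib
from datetime import date

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
WEAK_TYPES = {"ssh-dss"}


def fingerprint(b64_blob):
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf`."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def split_options(line):
    """Split an authorized_keys line into (options, rest). Options may
    contain quoted commas and spaces, e.g. from="10.0.0.1,10.0.0.2"."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i:].lstrip()
    return line, ""


def parse_line(line):
    opts, rest = split_options(line)
    fields = rest.split(None, 2)
    if len(fields) < 2:
        raise ValueError(f"malformed line: {line!r}")
    return {"options": opts, "type": fields[0], "fingerprint": fingerprint(fields[1]),
            "comment": fields[2] if len(fields) == 3 else ""}


def audit(authorized_keys_text, inventory, today, max_age_days=365):
    """Return {fingerprint: [findings]} for every key needing attention.
    inventory: {fingerprint: {"owner": str, "issued": date, "active": bool}}"""
    findings = {}
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key = parse_line(line)
        fp, issues = key["fingerprint"], []
        record = inventory.get(fp)
        if record is None:
            issues.append("unprovisioned: key not in inventory")
        else:
            if not record["active"]:
                issues.append(f"terminated: owner {record['owner']} no longer authorised")
            if (today - record["issued"]).days > max_age_days:
                issues.append("rotation overdue")
        if key["type"] in WEAK_TYPES:
            issues.append(f"weak key type {key['type']}")
        if "from=" not in key["options"]:
            issues.append("no from= source restriction")
        if issues:
            findings[fp] = issues
    return findings


def _blob(label):
    # Placeholder blob; a real entry carries the key's wire-format encoding.
    return base64.b64encode(label.encode()).decode()


# Constructed sample file and inventory.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample",
    f'from="192.0.2.10" ssh-ed25519 {_blob("key-ops-a")} ops-a@site',
    f'ssh-rsa {_blob("key-contractor")} contractor@vendor',
    f'from="192.0.2.0/24",no-pty ssh-dss {_blob("key-legacy")} legacy-monitor',
    f'ssh-ed25519 {_blob("key-unknown")} unknown',
])
INVENTORY = {
    fingerprint(_blob("key-ops-a")): {"owner": "ops-a", "issued": date(2022, 1, 10),
                                     "active": True},
    fingerprint(_blob("key-contractor")): {"owner": "contractor",
                                          "issued": date(2020, 3, 1), "active": False},
    fingerprint(_blob("key-legacy")): {"owner": "monitor", "issued": date(2022, 6, 1),
                                      "active": True},
}

if __name__ == "__main__":
    for fp, issues in audit(SAMPLE_AUTHORIZED_KEYS, INVENTORY, date(2022, 10, 1)).items():
        print(fp, *issues, sep="\n  ")
```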

Summary of possible security threats and vulnerabilities of all CNS systems:

• The firmware of legacy equipment and devices cannot be upgraded by the current
vendor, or the original manufacturer is no longer in business. This vulnerability exposes
ANSP equipment to:
▪ Software that is no longer supported by the vendor, including the provision of bug and
vulnerability fixes,
▪ Not being on a uniform release of software (which reduces effort when resolving
issues); different versions have different patches, fixes, tools and reporting to assist in
troubleshooting,
▪ Introduction of a change in the environment that is not supported by an older software
version, resulting in an upgrade or having to back the change out indefinitely,
▪ Delays or unforeseen costs as a result of old, unsupported versions of software in the
environment,
▪ Support staff unfamiliar with older versions, which may cause issues when trying to
implement changes,
▪ Forced upgrades to support new server requirements set by management or other
needs, without adequate time for testing.
• Legal requirements to hold a security clearance (NV1 in Australia) for staff in order to
access the premises without escort and to escort third-party vendors if required. ANSPs
may not have adequate numbers of cleared staff to meet operational requirements on a
rotating 24x7 basis, which could delay the resolution of activities and impact the
availability of business services,
• Antivirus vendors cease support for earlier versions of operating systems, and the
continuing presence of Windows 2003/XP systems creates a vulnerability whereby ANSP
systems are increasingly exposed to new threats,
• Software compliance requirements are changing as a result of some ANSP data services
being migrated into a cloud environment. This affects operating systems, database
management systems (DBMS) and applications. System management plans for such
systems do not exist or are outdated. This may impair the technical teams' ability to
provide support, as an accurate picture of the systems is unavailable; it may also affect
the availability of services through inadvertent actions of technical staff, or cause delays
in recovery activities.

Relevant system threats are taken from the security risk management plan (SRMP)
template and identified in Table 7.

Table 7. The CNS threats and vulnerabilities

1. Manufacturers of old equipment are no longer in business, and there is no way for the
equipment user to receive security solutions for emerging vulnerabilities,
2. No privilege separation in the embedded operating system (EOS),
3. Buffer overflow,
4. SQL injection,
5. Web interface attack,
6. Malware deployment,
7. Zero-day attack,
8. Backdoors and holes in the network perimeter,
9. Vulnerabilities in proprietary protocols,
10. Use of proprietary encryption methods,
11. Man-in-the-middle attacks,
12. Cinderella attack: an attack that disables security software by advancing the internal
clock time so that a security software licence expires prematurely, rendering the system
vulnerable,
13. Port scan (or enumeration) for possible open ports for exploitation,
14. Denial of Service (DoS),
15. Code execution,
16. Cross-Site Scripting (XSS),
17. Memory sharing or corruption,
18. Cross-Site Request Forgery,
19. Server-side Request Forgery,
20. SCADA/PLC (https://scadahacker.com/) [222].

Cybersecurity alerts, notifications and vulnerabilities published for 2017-22 [223] are listed
in Table 8.

Table 8. The Aircraft systems threats and vulnerabilities

1. in GATE E2 – Cross-site scripting (CVE-2018-18997),
2. in GATE E2 – No Access Control (CVE-2018-18995),
3. in CP400 Panel Builder TextEditor 2.0 - Vulnerability associated with Improper Input
Validation,
4. in M2M Ethernet,
5. in CMS-770,
6. in eSOMS LDAP Integration,
7. in Panel Builder 800 - Improper Input Validation,
8. in License Manager Sentinel HASP/LDK used in MicroSCADA Pro SYS600,
9. in Pluto Manager - DLL Hijacking,
10. in Ellipse v8 - Local File Inclusion,
11. Missing Session Management in welcome IP-Gateway + Command Injection, clear text
passwords in cookies,
12. in PCM600 and SAB600 - Hasplms service,
13. Terminal reboot in Relion® 630 series version 1.3 and earlier,
14. MMS path traversal in Relion® 630 series version 1.3 and earlier,
15. Weak database encryption in Relion® 630 series version 1.3 and earlier,
16. in ADMS netCADOPS - Bounds checking vulnerability,
17. Improper access control in MicroSCADA Pro SYS600 9.x,
18. in Ellipse8 - Ellipse Authentication to LDAP/AD,
19. in ABB TropOS wireless mesh products - WPA2 Key reinstallation,
20. in FOX515T v1.0 - Local file inclusion,
21. Legacy remote monitoring tools for drives in SREA-01 and SREA-50,
22. Wi-Fi Logger Card in ABB VSN300,
23. Cybersecurity notification - Meltdown & Spectre,
24. TRITON/TRISIS malware,
25. NotPetya ransomware,
26. CrashOverride/Industroyer malware,
27. MicroSCADA Pro SYS600 and CRASHOVERRIDE,
28. WannaCry ransomware,
29. CCLAS input validation vulnerabilities.

The following threat considerations assist in determining risk:

• Confidentiality: the system has no confidentiality requirements,
• Integrity: recorded data needs to be accurate in order to conduct scheduling activities.
If impacted, there is a high probability that service-providing capability will be severely
compromised within multiple (airspace) sectors without alarm for an extended period
(moderate),
• Availability: the system and its data need to be available to perform scheduling
activities. If impacted, there is a greater possibility that services are significantly
compromised within one or more airspace sectors without warning for a significant time
(moderate).

3.3.3 AIRPORT COLLABORATIVE DECISION MAKING (A-CDM) (DOMAIN 3)

A-CDM improves operational efficiency by reducing delays, improving the predictability of
aviation-related events and optimising the use of resources and infrastructure. This is
achieved through the sharing and dissemination of information and the use of the same
information to make collective decisions (Fig. 26).

Predominantly, A-CDM is about obtaining the correct information about a flight's status
and relaying it to the appropriate user at the precise time. During a flight's progress, the
most up-to-date information is typically only available to the key players managing the
flight. In the past, it was difficult for this information to be shared with other parties involved
in managing the flight owing to operational restrictions.

The A-CDM information will be continually monitored and updated, underpinned by
improved collaborative processes to ensure efficient operational planning and
decision-making.

Fig. 26. Airport Collaborative Decision Making (A-CDM) architecture.

The significant threats and vulnerabilities identified during the intelligence collection
process that could exploit A-CDM are:

• DoS, web interface or SQL attack on hosted A-CDM solution components from the
internet, clients or partner systems/networks, or shared support, monitoring or system
administration components,
• Unauthorised information access/disclosure from client applications and interfaces,
• Privilege escalation from client applications and web interfaces,
• Unavailability of the A-CDM service due to cloud data centre outage or DDoS attack,
• Failure of logical or physical security controls resulting in database compromise due to
a lack of full disk encryption and encryption at rest,
• Risk raised by non-compliance with the requirement that standardised cryptographic
equipment and encryption software provide data recovery to allow for circumstances
where the encryption key is unavailable due to loss, damage or failure,
• Unauthorised use of administrative accounts,
• Risk raised by non-compliance with the approved access method to systems; access to
applications and information is removed or suspended after one month of inactivity,
• Impact on system availability targets due to the use of a single cloud service provider
(no redundant provider),
• Unauthorised or privilege-escalating network changes due to a lack of segregation of
duties controls for network and system administration staff,
• Data from primary or subsystems introduced without being sanitised or filtered for
malware,
• Inadequate or ineffective change control and configuration management for all
software and ICT services,
• Insufficient hardening and review (periodic or after significant changes) of the Standard
Operating Environment (SOE) baseline configurations used for business servers and
desktop systems, including standardised naming conventions, removal of unnecessary
services, and removal of any default accounts (and passwords),
• Loss of system logs resulting in an incomplete audit trail or degrading the ability to
enforce non-repudiation,
• Lack of properly configured firewalls, intrusion prevention and detection of unauthorised
devices, or unauthorised (attempted) outbound traffic,
• Inadequate security incident management and monitoring, including the need for a
Security Information and Event Management (SIEM) capability,
• Failure to promptly apply security patches and use of short-term workarounds (hotfixes,
feature lockout, harmful-code removal) to prevent vulnerabilities from being exploited,
• Failure to monitor vendor-released security updates, vendor notices, airworthiness
directives and government advisory information for implementing industry best practices.

3.3.3.1 AUTOMATED WEATHER OBSERVING SYSTEM (AWOS)

The AWOS is an airport weather system that provides real-time information and reports on
airport weather conditions (Fig. 27). Airport authorities or aviation service providers
generally maintain and control the stations.

Fig. 27. AWOS network connections with IoT, PLC and SCADA.

Depending on the configuration, an AWOS measures a combination of the following
parameters:

• Wind speed, wind gusts and wind direction,
• Barometric pressure,
• Visibility and variable visibility (using Runway Visual Range (RVR)),
• Temperature and dew point,
• Sky condition and liquid precipitation accumulation,
• Type of precipitation identification,
• Thunderstorm detection, and
• Runway surface conditions.

The elements of AWOS are:

1. End user displays (user terminals at ATC consoles),
2. Local Area Network (LAN),
3. Central and data analysing processors,
4. Weather information database,
5. Communications infrastructure, and
6. Remote information gathering equipment (sensors).

AWOS distributes weather information by an assortment of methods:

• Digitised voice messages are broadcast via radio transmitters (using the ATIS broadcast)
to aircraft in the vicinity of an airport. This broadcast is updated in real time, at least once
per minute.
• In addition, up-to-date weather information is disseminated via ground data link in
METAR format (METAR is a format for reporting weather information); sometimes, end users
can access this information directly from the weather database using an application
programming interface (API).

The significant threats and vulnerabilities identified during the intelligence collection
process that could exploit AWOS are:

• Inadequate network security by design,
• Inadequate physical security for remote weather stations,
• Inadequate cross-domain security,
• Multi-party access to the same cabinet which hosts radio equipment (both in remote
sites and data centres),
• Inadequate or no link encryption between remote and central sites,
• Inadequate system and personnel authorisations, security clearances and briefings,
• Inadequate software patching,
• No cross-domain security,
• Inadequate external supplier security, and
• Poor or no event logging and auditing.

3.3.4 SYSTEM WIDE INFORMATION MANAGEMENT (SWIM) (DOMAIN 4)

The concept of SWIM presents a complete change in how information is managed along
its entire lifecycle and across the world's ATM systems (Fig. 28).

Implementing the core concepts of SWIM enables the provision of quality information
delivered to the right aviation stakeholder at the right time. The inherent transversal nature
of SWIM encompasses all ATM systems, data service domains and business operation
phases (planning, execution and post-execution). Global interoperability and
standardisation are essential characteristics of SWIM and are based on Service Oriented
Architecture (SOA).

ATM functions provide specific functionality, such as ATM automation, flow management
and meteorological data systems (Fig. 29).

Enterprise Service Management (ESM) facilitates operations and manages the information
services associated with providers and consumers. It also includes monitoring and
rectifying faults, configuration, accounting, performance and security.

3.3.4.1 SWIM OPERATION

IP Network Connectivity

Allows SWIM network elements to intercommunicate with one another using Internet
Protocol Security (IPsec), which can provide tunnels, encryption and access control at the
network layer.

Fig. 28. SWIM operation model.

Incident Detection and Response

Monitors the network elements for security breaches, events, intrusions or incidents and
allows remedial action when such events raise an alarm.

Naming and Addressing

Delivers Domain Name System Security Extensions (DNSSEC), together with the provision
and allocation of IP addresses and IP address management.

Identity, Access and Credential Management (IACM)

Support for authentication, authorisation, accounting and access control (AAAA) is
achieved through IACM by managing identity information, access and credentials.

Fig. 29. SWIM Functional architecture.

Main stakeholders of SWIM:

• Pilots – taking off/landing and navigating,
• Airport Operations Centres – managing departures/arrivals, taxi/runway/airfield and
gate movements,
• Airline Operations Centres – planning schedules, flight routings and fuel uplift,
passenger connections and reducing the impact of delays,
• Air Navigation Service Providers (ANSPs) – managing the airspace and airfield,
• Meteorology Service Providers – providing weather updates and forecasts.

The types of information shared by SWIM:

▪ Aeronautical – organised and processed (assembled, analysed and formatted)
aeronautical data,
▪ Flight trajectory – four dimensions (4D): longitude, latitude, altitude and time,
▪ Aerodrome operations – status reports on different characteristics of the airport,
including runways, taxiways, approaches, gates and aircraft turn-around information,
▪ Meteorological operations – current and predicted conditions of the earth's
atmosphere relevant to traffic operation,
▪ Traffic movement – traffic movement management and monitoring, which must be
understood in order to act appropriately to contingencies,
▪ Surveillance – aircraft position data from radar, ADS and satellite-navigation systems,
and
▪ Capacity and demand – efficient and effective management of airspace meeting all
stakeholders' needs.

The significant threats and vulnerabilities identified during the intelligence collection
process that could exploit SWIM operations are listed in Table 9.

Table 9. The SWIM threats and vulnerabilities

1. Inadequate network security by design,
2. No link encryption between the satellite remote and hub/in-flight communication
system,
3. Inadequate or no link encryption between remote and central sites,
4. A data centre insider introduces malware to information systems,
5. Inadequate system and personnel authorisations, security clearances and briefings,
6. No software patching policy and processes, and inefficient execution,
7. Inadequate cross-domain security,
8. Insufficient supply chain security,
9. Poor or no event logging and auditing,
10. Unauthorised information access/disclosure from client applications and interfaces,
11. Privilege escalation from client applications and web interfaces,
12. DoS, web interface or SQL attack on hosted data communication solution components
from the internet, clients, partner systems/networks, shared support, monitoring or system
administration components,
13. Unavailability of the data service due to cloud data centre outage or DDoS attack,
14. Failure of logical or physical security controls resulting in database compromise due
to a lack of full disk encryption and encryption at rest,
15. Risk due to non-compliance with cryptographic equipment and encryption standards,
16. Privilege escalation or unauthorised network changes due to a lack of segregation of
duties controls for network administration staff,
17. No removable storage media prevention mechanism (malware that is capable of
auto-execution may attempt to run and infect the workstation),
18. No media sanitisation procedure in place,
19. No virus/malware scanning procedure in place,
20. Inadequate physical security for data centre infrastructure or equipment,
21. Ad-hoc personnel authorisations, security clearances and briefings,
22. No software patch management for operating systems and application software,
23. Missing patches for critical operating system security updates,
24. DoS attack - requesting excessive messages that exhaust network or server resources,
25. Inadequate network segregation between development and production systems,
26. Use of weak credentials for database, server and network applications,
27. Missing security updates for network devices,
28. Plaintext credentials stored in configuration files and other script files,
29. Running an obsolete kernel with known flaws (the working dead),
30. Inadequate security for the storage of password hashes,
31. Reuse of the same or the default password in the system environment,
32. Insecure versions of software installed on application servers,
33. Unrestricted permissions for files and directories,
34. Unrestricted usage of multiple network-based protocols (e.g. the Finger service allows
enumeration of user information and reveals whether a user is currently logged in, as well
as the status of their login sessions),
35. Shared credentials,
36. Unlocked (with no time-out function) workstations across all sites,
37. Usage of FTP for file access allowing clear text information exchange (without using
FTP with TLS/SSL),
38. Usage of early unsecured versions (v1, v2 and v2c) of SNMP in network management
and monitoring,
39. Data from primary or subsystems introduced without being sanitised or filtered for
malware,
40. Ineffective change control and configuration management for all software and ICT
equipment,
41. Insufficient initial hardening and review (periodic or after significant changes) of the
SOE baseline configuration used for all server and desktop systems,
42. Loss of system logs resulting in an incomplete audit trail or degrading the ability to
enforce non-repudiation,
43. Lack of properly configured firewalls, intrusion prevention and detection of
unauthorised devices, or unauthorised (attempted) outbound traffic,
44. Inadequate security incident management and monitoring, including the need for a
Security Information and Event Management (SIEM) capability,
45. Failure to apply critical security patches and use short-term workarounds (hotfixes,
feature lockout, harmful-code removal) in a timely manner to prevent vulnerabilities from
being exploited,
46. Failure to monitor industry security updates, vendor notices, airworthiness directives
and government advisory information for best practices, new vulnerabilities and
workarounds (hotfixes, feature lockout, harmful-code removal),
47. Use of OpenSSH services for remote access without provisioning, termination and
oversight processes for SSH keys, leading to compromised and legacy SSH keys; key
rotations are not performed often enough, and malware packages have been collecting
SSH keys.

3.3.4.2 AIR TRAFFIC FLOW MANAGEMENT (ATFM) SYSTEM

The ATFM is a system that provides demand and capacity management for airports and
airspace sectors. These services are delivered as a managed service on ANSP
infrastructure. External stakeholders such as airlines and airport authorities use either web
access or direct access secured with Secure Sockets Layer (SSL), a standard security
technology for establishing an encrypted link between a server and a client, via an API.

Fig. 30. ATFM operational architecture[224].


The Air Traffic Flow Management (ATFM) [225] system processes information associated
with air traffic management initiatives (TMI). The TMI comprises the Calculated Off-Block
Times (COBT) and Airports Coordination Centres (ACA) functions; the Collaborative
Decision Making (CDM) data exchange requirements are also categorised under these
functions (Fig. 30). Airport gate availability, ATC time slot allocation, delays and airline
maintenance windows are exchanged among stakeholders, and the resulting process
information is shared for optimum management of airport and airspace operations. The
main features of ATFM are:

• Airspace and airport demand prediction over the ATM network infrastructure,
• Integration and dissemination of current and predicted weather information,
• Management of flight data from multiple sources,
• Manipulation of information based on decision aid requirements (for multi-display and
load graph-histogram maps),
• System-supported network optimisation,
• Air-ground network resource management (airspace sectors and airports) and related
optimisation,
• Support for standard SWIM interfaces, protocols and data formats (AIXM, FIXM, WXXM,
AFTN/AMHS, RTCA, ARINC and EUROCONTROL).

The ICAO Manual on Collaborative Air Traffic Flow Management presents risks and controls
for ATFM through the proposed delivery of the sub-system (for example, Harmony) as a
Managed Service on the ANSP's infrastructure. The Central Traffic Management System
(CTMS) and Safety Management Plan (SMP) highlight two types of access, Web Access and
Direct Access (SSL), of which only SSL is encrypted.

The Harmony sub-system allows an Air Navigation Service Provider (ANSP) such as Airservices to plan air traffic management using Flow Management Initiatives (FMI). It is a decision support tool that exchanges air traffic data between the ANSP and Aircraft Operators (AO) to better plan and improve air traffic at an airport. Harmony is a sub-system of ATFM and was initially deployed in 2010.

The system provides web services that permit querying, swapping and creating air traffic data. These connections pass through the ANSP's gateway. Access to the service is nominally authenticated, but the authentication mechanism sometimes does not function correctly, which effectively leaves access unauthenticated. The authentication model also drops one of two simultaneous service requests, while IP access restriction at the firewall level prevents writing to the Harmony database.

The significant threats and vulnerabilities identified during the intelligence collection process that could be exploited against ATFM operations are:

• Unauthorised access: privileged users access information without role-based access control, including sensitive or personal data,

• Privileged users can add rights (including self-administration) to provide unauthorised access to information or systems,

• Data from primary systems or subsystems are introduced without being sanitised or filtered for malware,

• Inadequate or ineffective change control and configuration management for all software and ICT equipment,

• Insufficient initial hardening and review (periodic or after major changes) of the Standard Operating Environment baseline configuration used for all server and desktop systems. This includes standardised naming conventions, removal of unnecessary services, and removal of any default accounts (and passwords),

• Loss of system logs, resulting in an incomplete audit trail or a degraded ability to enforce non-repudiation,

• Lack of properly configured firewalls, intrusion prevention, and detection of unauthorised devices or unauthorised (attempted) outbound traffic,

• Inadequate security incident management and monitoring, including the need for a Security Information and Event Management (SIEM) capability,

• Failure to apply critical security patches and near-term workarounds (hotfixes, feature lockout, harmful-code removal) in a timely manner to prevent vulnerabilities from being exploited,

• Failure to monitor industry security updates, vendor notices, airworthiness directives and government advisories for best practices, new vulnerabilities, and workarounds (hotfixes, feature lockout, harmful-code removal).
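Three of the threats above (authentication that silently fails open, privileged users granting rights to themselves, and loss of the audit trail) have direct, testable countermeasures at the gateway in front of a web service such as Harmony. The following is an added example written for this section; it is not Harmony, Airservices or ICAO code, and the role names, API keys, users and actions are constructed. It shows a fail-closed authentication check, a role-based authorisation check that refuses self-administration, and an audit log in which each record is hash-chained to the previous one so that deleting or altering an entry is detectable.

```python
"""Added example: fail-closed authentication, role-based authorisation without
self-administration, and a hash-chained audit trail for a Harmony-style ATFM
web service.  Names, roles and keys are hypothetical; this is not Harmony code."""
import hashlib
import hmac
import json

# Hypothetical role model for the ATFM web services (query / swap / create).
ROLE_PERMISSIONS = {
    "viewer": {"query_slots"},
    "airline_ops": {"query_slots", "swap_slots", "create_slot"},
    "ansp_admin": {"query_slots", "swap_slots", "create_slot", "grant_role"},
}


class AccessDenied(Exception):
    pass


class AuditLog:
    """Append-only log: every record commits to the previous record's hash, so
    deletion or alteration of any entry breaks the chain on verify()."""

    GENESIS = "0" * 64

    def __init__(self):
        self.records = []
        self._prev = self.GENESIS

    def append(self, **fields):
        body = json.dumps(fields, sort_keys=True)
        digest = hashlib.sha256((self._prev + body).encode()).hexdigest()
        self.records.append({"prev": self._prev, "body": body, "hash": digest})
        self._prev = digest
        return digest

    def verify(self):
        prev = self.GENESIS
        for rec in self.records:
            expected = hashlib.sha256((prev + rec["body"]).encode()).hexdigest()
            if rec["prev"] != prev or rec["hash"] != expected:
                return False
            prev = rec["hash"]
        return True


class HarmonyGateway:
    """Gateway in front of the web services.  Every decision is logged, and
    every failure path (unknown user, malformed token, key-store error) denies."""

    def __init__(self, api_keys, user_roles, audit):
        self.api_keys = api_keys        # user -> shared secret (constructed store)
        self.user_roles = user_roles    # user -> role
        self.audit = audit

    def authenticate(self, user, token):
        try:
            ok = hmac.compare_digest(self.api_keys[user], token)
        except Exception:               # fail closed: any error is a denial
            ok = False
        self.audit.append(event="auth", user=user, ok=ok)
        if not ok:
            raise AccessDenied("authentication failed for %r" % user)

    def authorise(self, user, action, target=None):
        role = self.user_roles.get(user, "viewer")   # unknown users: least privilege
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        if action == "grant_role" and target == user:
            allowed = False                          # no self-administration
        self.audit.append(event="authz", user=user, role=role,
                          action=action, target=target, ok=allowed)
        if not allowed:
            raise AccessDenied("%s may not %s" % (user, action))

    def request(self, user, token, action, target=None, role=None):
        """Authenticate, authorise, then perform the action."""
        self.authenticate(user, token)
        self.authorise(user, action, target)
        if action == "grant_role":
            if role not in ROLE_PERMISSIONS:
                raise ValueError("unknown role %r" % role)
            self.user_roles[target] = role
        return "ok:%s" % action


if __name__ == "__main__":
    log = AuditLog()
    gw = HarmonyGateway({"alice": "k-alice", "bob": "k-bob"},
                        {"alice": "ansp_admin", "bob": "viewer"}, log)
    print(gw.request("bob", "k-bob", "query_slots"))
    try:
        gw.request("alice", "k-alice", "grant_role", target="alice", role="ansp_admin")
    except AccessDenied as exc:
        print("denied:", exc)
    print("audit chain intact:", log.verify())
```

The self-administration rule is deliberately separate from the role table: even a role that legitimately holds `grant_role` cannot exercise it on its own account, which is the condition the second bullet above describes.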
3.3.5 THE GROUND RADIO NAVIGATION/LANDING AIDS (DOMAIN 5)

Navigational-aid systems are located on the ground and transmit or receive continuous or pulsed signals to/from aircraft for the purpose of establishing aircraft position.

3.3.5.1 INSTRUMENT LANDING SYSTEM (ILS)

ILS enables a suitably equipped aircraft to make a precision approach to the assigned runway (selected on the basis of wind direction and speed). The precision approach is provided in the form of vertical and tracking guidance, as shown in Fig. 31.

An ILS predominantly consists of four main components:

• Localiser: provides track guidance (left or right of the runway) along the extended centreline of the approach path. Its transmitting antenna array is positioned at the far (stop) end of the runway in the landing direction, typically about 1,000 ft beyond the runway end. The localiser transmits two highly directional, overlapping RF beams on the VHF band between 108.10 and 111.95 MHz, modulated at different frequencies (150 Hz and 90 Hz). The aircraft receiver derives LOC guidance from the Difference in Depth of Modulation (DDM) of these two tones; DDM = 0 indicates the runway centreline,

• Glidepath (Glideslope): provides descent-path guidance (above or below) to the runway touchdown point, usually a slope of approximately 2.5° to 3° to the horizontal. The glide path signal is transmitted on the UHF band using a principle similar to the localiser, with two overlapping lobes modulated at different frequencies (90 Hz and 150 Hz) to provide GP guidance,

• Two marker beacons (the middle and outer markers) provide position fixes along the approach path, with aural and visual confirmation,

• Approach lighting and visual slope indicators (VASIS, visual approach slope indicator system).

3.3.5.1.1 NON-DIRECTIONAL BEACON (NDB)

An NDB is a radio beacon operating in the medium frequency (MF) or low frequency (LF) part of the aviation spectrum. The beacon station transmits a signal, containing a Morse-coded station identifier, of equal strength in all directions. NDBs are often associated with non-precision approach procedures. The aircraft's onboard Automatic Direction Finding (ADF) equipment measures the relative bearing to the NDB and uses it for navigation.

Displacement from the glide path is generally shown on the aircraft’s primary flight display.

Fig. 31. The ground radio navigation and landing aids.

3.3.5.1.2 MARKER BEACONS

The Middle Marker (MM) beacon antenna is a log-periodic dipole antenna that transmits a 75 MHz beam with high gain (8 dB or more) and directivity. The performance of the antenna conforms to ICAO Annex 10, item 3.1.7. The MM is located vertically beneath the localiser course line at a distance of 1,050 m from the threshold.

The Outer Marker (OM) beacon antenna is a dual Yagi antenna with high gain; the two Yagis are separated by 2.8 m. The performance of the antenna also conforms to ICAO Annex 10, item 3.1.7.

3.3.5.2 DISTANCE MEASURING EQUIPMENT (DME)

As the name implies, DME provides the slant range between the aircraft and the DME station. DME operation is similar to secondary surveillance radar: the aircraft interrogates the ground DME transponder with a series of pulse pairs, as shown in Fig. 32.

Fig. 32. DME interrogation pulse pair: pulse width and pulse separation measurements (T1, T2).

These interrogations use frequencies from 1,025 to 1,150 MHz, and the DME transponder replies, with the correct pulse-pair interval and reply pattern matching the original interrogation pattern, in the 962 to 1,213 MHz band after a fixed 50 µs delay (the 50 µs delay is universal across DME) (Fig. 33).

Fig. 33. DME operation principle.

Calculation of distance, with $t_T$ the total time elapsed between interrogation and reply and $c = 3 \times 10^{8}$ m/s:

$t = \dfrac{t_T - 50\,\mu\text{s}}{2}$ (one-way propagation time)

$\therefore\ \text{Slant Distance } (D) = 3 \times 10^{8} \left[ \dfrac{t_T - 50\,\mu\text{s}}{2} \right]$

$\therefore\ \text{Lateral distance} = \sqrt{D^{2} - H^{2}}$, where $H$ is the aircraft height above the station.
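The derivation above, worked as an added example that is not part of the thesis: the slant-range and lateral-distance formulas are implemented with the exact speed of light, and the airborne side of the exchange is modelled by matching replies to an interrogation on their pulse-pair spacing, which is how the receiver ignores replies intended for other aircraft or other channels. The channel spacings used are the standard DME/N X and Y values; every timing passed in below is constructed, not measured.

```python
"""Added example: DME slant-range derivation and reply matching.  Channel
pulse-pair spacings are the standard DME/N values (X: 12/12 us, Y: 36/30 us);
the sample timings are constructed, not measured."""
import math

C_M_PER_S = 299_792_458.0
NM_M = 1852.0
REPLY_DELAY_US = 50.0          # fixed transponder delay, universal across DME

# channel -> (interrogation pulse-pair spacing, reply pulse-pair spacing) in us
CHANNEL_SPACING_US = {"X": (12.0, 12.0), "Y": (36.0, 30.0)}


def slant_range_m(t_total_us):
    """Slant range D from the total interrogation-to-reply time t_T:
    D = c * (t_T - 50 us) / 2."""
    if t_total_us < REPLY_DELAY_US:
        raise ValueError("reply earlier than the fixed 50 us transponder delay")
    t_one_way_s = (t_total_us - REPLY_DELAY_US) * 1e-6 / 2.0
    return C_M_PER_S * t_one_way_s


def ground_distance_m(slant_m, height_m):
    """Lateral distance = sqrt(D^2 - H^2), H = height above the station."""
    if height_m > slant_m:
        raise ValueError("height above station exceeds slant range")
    return math.sqrt(slant_m ** 2 - height_m ** 2)


def decode_replies(interrogation_t_us, channel, replies, tolerance_us=1.0):
    """Return slant ranges (NM) for replies whose pulse-pair spacing matches the
    channel's reply pattern.  Replies with another spacing (noise, other
    channel) or arriving before the 50 us delay has elapsed are discarded.
    `replies` is a list of (time_of_first_pulse_us, pair_spacing_us)."""
    want = CHANNEL_SPACING_US[channel][1]
    ranges_nm = []
    for t_reply, spacing in replies:
        if abs(spacing - want) > tolerance_us:
            continue
        t_total = t_reply - interrogation_t_us
        if t_total < REPLY_DELAY_US:
            continue
        ranges_nm.append(slant_range_m(t_total) / NM_M)
    return ranges_nm


if __name__ == "__main__":
    # Constructed: one genuine X-channel reply at ~10 NM, one Y-channel reply,
    # one pulse pair too early to be a reply to this interrogation.
    seen = [(173.552, 12.0), (300.0, 30.0), (20.0, 12.0)]
    for rng in decode_replies(0.0, "X", seen):
        print("slant range %.2f NM, ground %.0f m at 3000 m height"
              % (rng, ground_distance_m(rng * NM_M, 3000.0)))
```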

3.3.5.3 DOPPLER VHF OMNIDIRECTIONAL RANGE (DVOR)/VOR

VOR and DVOR predominantly provide bearing information to the aircraft with reference to magnetic north.

The VOR station transmits two 30 Hz signals on a VHF carrier in the 108.00 to 117.95 MHz band. One is the reference-phase signal, transmitted with the same phase in all directions (omni); the second is the variable-phase signal, whose phase rotates uniformly so that the phase difference between the two varies from 0° through to 360° around the station. As shown in Fig. 35, an aircraft approaching the VOR from the north (0°) receives the two signals in phase, and the onboard VOR receiver measures the phase difference, in this case 0°, because the aircraft is on the magnetic-north radial, which is the reference for the VOR. An aircraft that sees the two signals 90° out of phase is on the 090° radial, i.e. due east of the station.

∆∅ = 90° therefore means the aircraft’s radial is 90° with respect to magnetic north (Fig. 35).

The development of DVOR resulted from erroneous guidance signals received by aircraft owing to uneven terrain and reflections from buildings near the VOR (Fig. 34).

Fig. 34. (a) En-route DME (b) DVOR system with Alford loop antenna array (c) Glide path
system antenna (d) Localiser system antenna array.

A Doppler VOR's physical appearance differs from that of a conventional VOR station; it is mounted above a large metal mesh counterpoise to improve the equipment's performance.

DVOR employs 52 Alford loop antennas (Fig. 35 shows only 28 for illustration) positioned around the transmitter building on a circle of 6.7 m radius. Each antenna is fed in turn, so that the sideband signal appears to rotate around the ring. As the apparent source moves towards the aircraft receiver its frequency appears to increase, and as it recedes the frequency appears to decrease. The resultant peak Doppler shift is 480 Hz, which produces the 30 Hz frequency modulation carrying the variable-phase information (the roles of the amplitude- and frequency-modulated components are swapped relative to a conventional VOR), so to the aircraft VOR receiver the signals from a DVOR are the same as those from a VOR.

Many DVORs are paired with a co-located DME ground station. In the cockpit, selecting the VOR also selects the frequency-paired DME, providing both bearing and distance information.

Fig. 35. Cybersecurity effect: Compromised IoT, effect on DVOR operation.

Every 10 seconds a Morse-coded identifier is transmitted, modulated at 1,020 Hz, allowing the pilot to positively identify the VOR. Any co-located DME station carries the same coded identifier, broadcast about every 30 seconds and modulated at 1,350 Hz. Some VORs also carry voice transmissions to provide an automatic terminal information service (ATIS).
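The phase measurement described above, worked through as an added example that is not from the thesis or any receiver vendor: the two 30 Hz components seen by an aircraft on a given radial are constructed as sample arrays, the receiver-side phase difference is recovered with a single-bin DFT at 30 Hz, and the DVOR ring geometry is checked against the quoted 480 Hz deviation. The sample rate, the 113 MHz carrier and the radii passed in are assumptions; the modulation depth and the 9960 Hz subcarrier are not modelled, only the two demodulated 30 Hz tones.

```python
"""Added example: recovering a VOR radial from the phase difference between the
30 Hz reference and variable signals, plus the DVOR Doppler-deviation geometry.
All signal samples are constructed; no receiver hardware is modelled."""
import math

F_ROT_HZ = 30.0        # VOR rotation / modulation frequency
FS_HZ = 10800.0        # assumed sample rate: 360 samples per 30 Hz cycle
C_M_PER_S = 299_792_458.0


def vor_samples(radial_deg, n=360):
    """Constructed demodulated 30 Hz components seen by an aircraft on
    `radial_deg`: the omnidirectional reference and the variable signal, which
    lags the reference by the aircraft's radial from magnetic north."""
    phi = math.radians(radial_deg)
    ref = [math.cos(2 * math.pi * F_ROT_HZ * k / FS_HZ) for k in range(n)]
    var = [math.cos(2 * math.pi * F_ROT_HZ * k / FS_HZ - phi) for k in range(n)]
    return ref, var


def phase_deg(samples):
    """Phase lag (degrees) of a cosine at F_ROT_HZ, by projecting the samples
    onto cos and sin at that frequency (a single DFT bin)."""
    re = im = 0.0
    for k, x in enumerate(samples):
        w = 2 * math.pi * F_ROT_HZ * k / FS_HZ
        re += x * math.cos(w)
        im += x * math.sin(w)
    return math.degrees(math.atan2(im, re))


def vor_radial_deg(ref, var):
    """Radial = phase(variable) - phase(reference), as the airborne receiver measures it."""
    return (phase_deg(var) - phase_deg(ref)) % 360.0


def dvor_doppler_deviation_hz(ring_radius_m, carrier_hz, f_rot_hz=F_ROT_HZ):
    """Peak Doppler shift of a signal commutated around a ring of Alford loops:
    tangential speed of the apparent source divided by the carrier wavelength."""
    v = 2 * math.pi * ring_radius_m * f_rot_hz
    wavelength = C_M_PER_S / carrier_hz
    return v / wavelength


if __name__ == "__main__":
    for radial in (0, 90, 180, 270):
        ref, var = vor_samples(radial)
        print("true radial %3d -> measured %.2f" % (radial, vor_radial_deg(ref, var)))
    print("DVOR deviation at 6.7 m radius, 113 MHz: %.0f Hz"
          % dvor_doppler_deviation_hz(6.7, 113e6))
```

A 90° phase difference decodes to the 090° radial, matching the ∆∅ = 90° case in the text; the deviation computed for a 6.7 m ring at 113 MHz comes out within a few hertz of the 480 Hz quoted above, the residual being the rounding of the radius.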

3.3.5.4 MICROWAVE LANDING SYSTEM (MLS)

Various physical and technological constraints restrict ILS operations, and MLS was explicitly developed to overcome these limitations and provide flexibility, for example in choosing descent (glide) angles and approach paths, which the fixed-angle guidance of ILS does not permit.

MLS uses the C-band around 5 GHz (5031 to 5091 MHz) for angle guidance and the 960 to 1215 MHz band for ranging (distance). Narrow, precisely shaped beams can be generated with smaller antennas, and this antenna architecture improves MLS tolerance to terrain irregularities.

MLS is capable of providing accurate elevation, azimuth and distance parameters in three dimensions within its coverage volume around the aerodrome.
The angle signal format is based on time-division multiplexing, and all guidance functions are transmitted in sequence on the same MLS channel. Angle information is derived by measuring the time difference between successive passes of the directive, unmodulated, narrow fan beams. Each angle function (approach elevation, approach azimuth, flare and back azimuth) has its own time slot in the MLS scanning-beam sequence.

Fig. 36. Cybersecurity effect: Compromised IoT, effect on MLS vertical operation

Approach and back azimuth guidance antennas each produce a fan-shaped beam that is narrow in the horizontal plane and wide in the vertical plane. This beam is scanned (clockwise and then anticlockwise) between the horizontal coverage limits at a constant rate, as shown in Fig. 36 and Fig. 37. Each angle transmission consists of a TO (clockwise) scan followed by a FROM (anticlockwise) scan. The azimuth angle with respect to the zero-azimuth line is derived from the elapsed time between reception of the TO scan and reception of the FROM scan.

Fig. 37. Cybersecurity effect: Compromised IoT, effect on MLS horizontal operation.

The elevation antenna produces a fan-shaped beam that is broad in the horizontal plane and narrow in the vertical plane, the complement of the azimuth beam. This beam is swept vertically (up and then down) between the coverage limits at a constant rate. As with the azimuth function, the elapsed time between the received TO scan and FROM scan is directly related to the elevation angle with respect to the horizontal. A precision landing DME is used with MLS to provide improved distance readings to the touchdown point where high precision is required.
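The TO/FROM timing relationship above reduces to a single linear decode, θ = (T0 − t)·V/2, where t is the time between the two beam passes, T0 the separation that corresponds to zero angle and V the scan velocity. The following added example (this section's own, not thesis or avionics code) implements the decode and its inverse, and adds the coverage plausibility check a receiver applies before trusting a decoded angle. The T0 and V values are the ICAO Annex 10 scanning conventions as recalled here and the coverage limits are typical values; both are assumptions to be verified against the current edition, and the beam pass times are constructed.

```python
"""Added example: decoding an MLS angle from TO/FROM scanning-beam timing.
T0/V constants are assumed values (ICAO Annex 10 scanning conventions as
recalled; verify against the current edition).  Beam pass times are constructed."""

# function -> (T0_us: TO-to-FROM separation at zero angle, V: scan velocity deg/us)
SCAN_CONVENTIONS = {
    "approach_azimuth": (6800.0, 0.020),
    "approach_elevation": (3350.0, 0.020),
    "back_azimuth": (4800.0, -0.020),
}

# Proportional-guidance coverage limits in degrees (assumed typical values).
COVERAGE_DEG = {
    "approach_azimuth": (-40.0, 40.0),
    "approach_elevation": (0.9, 15.0),
    "back_azimuth": (-40.0, 40.0),
}


def angle_from_scan_deg(function, t_to_us, t_from_us):
    """theta = (T0 - t) * V / 2, with t the time between the TO and FROM passes."""
    t0, v = SCAN_CONVENTIONS[function]
    t = t_from_us - t_to_us
    if t <= 0:
        raise ValueError("FROM pass must follow the TO pass")
    return (t0 - t) * v / 2.0


def scan_times_for_angle(function, angle_deg, t_to_us=0.0):
    """Inverse: the TO and FROM pass times an aircraft at angle_deg observes."""
    t0, v = SCAN_CONVENTIONS[function]
    t = t0 - 2.0 * angle_deg / v
    return t_to_us, t_to_us + t


def decode_guidance(function, t_to_us, t_from_us):
    """Decode and apply the coverage check; None means 'flag the function
    invalid' rather than display an out-of-coverage angle."""
    theta = angle_from_scan_deg(function, t_to_us, t_from_us)
    lo, hi = COVERAGE_DEG[function]
    if not lo <= theta <= hi:
        return None
    return theta


if __name__ == "__main__":
    for fn, angle in (("approach_azimuth", 10.0), ("approach_elevation", 3.0),
                      ("back_azimuth", 5.0)):
        t_to, t_from = scan_times_for_angle(fn, angle)
        print("%-19s %5.1f deg -> t = %6.0f us -> %5.2f deg"
              % (fn, angle, t_from - t_to, decode_guidance(fn, t_to, t_from)))
```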

The significant threats and vulnerabilities identified during the intelligence collection process that could be exploited against ground-based landing and navigational systems are:

• Malware infection of landing aids and navigational systems (such as DVOR, ILS, GBAS, DME and NDBs),

• Use of unencrypted (or open) data communication for control and monitoring operations,

• Blended attacks (several attacks combined, with one being prominent),

• Use of legacy PLC, ICS and SCADA devices on airport IT infrastructure with no patch management practice or policy,

• Inability to attach firewalls or intrusion detection systems, as the legacy technology does not support Internet Protocol (IP) packet analysis,

• No firmware or software updates, so that security vulnerabilities remain unaddressed for the whole system lifecycle,

• Intentional or unintentional damage to ground system antennas and ancillaries, causing a denial of service (DoS),

• Unauthorised personnel having access to ground equipment or facilities,

• Tunnelling: accessing restricted information undetected by carrying one protocol's traffic inside another protocol,

• Inadequate supply chain security,

• Pivoting: a technique used to dig deeper into a network by routing through one poorly configured legacy system to another,

• Phishing, spam, Trojans and social engineering attacks on airport and airline IT infrastructure,

• Use of internally infected sources (personal computers) or network elements as emitters to conduct botnet attacks,

• Integration of insecure legacy technology systems with high-security systems, which opens the door to intrusion,

• Employees or contractors mishandling classified information either accidentally or deliberately (e.g., when threatened by terrorists),

• Use of shared credentials in aviation and airport systems (e.g., ramp handling, legacy operating systems, and maintenance/control systems),

• Use of unaccredited Commercial Off-The-Shelf (COTS) devices in airport systems, and

• Inadequate security configuration or misconfiguration of LAN, WAN, and IT hardware and software.

3.3.5.5 GROUND BASED AUGMENTATION SYSTEM (GBAS)

GBAS SARPs are set out in ICAO Annex 10, Volume I (Chapters 2.4 and 3.7). Further information and operational parameters are elaborated in RTCA DO-217 and DO-246D and in EUROCAE ED-144. ARINC 424 describes the GBAS message structure.

Fig. 38. Melbourne airport GBAS installation (a) Receiver antenna (picture credit:
Honeywell Training notes) (b) Processor equipment (picture credit: Honeywell training
notes) (c) Transmit antenna - VDB data broadcast – Melbourne Airport.
GBAS is a satellite-based precision landing system used at airports to provide an enhanced level of service, intended to replace the older ILS and Microwave Landing System (MLS). GBAS accommodates a curved approach to any runway from any direction to any touchdown point and is certified for CAT-I operations. Work is ongoing to validate standards for the proposed ICAO GBAS CAT-III requirements.

Aircraft receive the GNSS Signal in Space (SiS) and measure pseudoranges from the satellites. The satellite signal received by the aircraft GNSS receiver is subject to various error sources, such as multipath reflections and atmospheric effects. During the landing phase, a correction to the ranging information is provided by the GBAS ground station (GS) sub-system (Fig. 38). The GS uses its own GNSS receivers to measure pseudoranges to all satellites in view and, from its surveyed geodetic location, calculates a differential correction for each range measurement. The GS also assesses the integrity and quality of the ranging and transmits the corrections together with Final Approach Segment (FAS) path construction data using a VHF Data Broadcast (VDB). The VDB service operates in the 108.00 to 117.975 MHz band.

Fig. 39. Cybersecurity effect: Compromised IoT, effect on GBAS operation.

The aircraft GNSS subsystem uses the VDB signal to correct its position data with improved accuracy and integrity, and constructs a precise approach path to the touchdown point, as shown in Fig. 39. GBAS can cover a 23 NM radius and serve multiple runways within that range.

The significant threats and vulnerabilities identified during the intelligence collection process that could be exploited against GBAS systems are:

• Unplanned shutdown, leading to:

▪ Denial of service,

▪ Reduced availability, and

▪ Extra cost for the airline: a go-around requires the aircraft to burn extra fuel for the additional thrust and for the holding pattern it is then placed in.

• Old nav-aid equipment running obsolete operating systems (such as the Disk Operating System [DOS] or Windows 3.1) that are exposed to hundreds of known security threats. No security updates are available from the software developers, and cumulative security updates are impossible because of storage restrictions.

• No event logging or auditing, so there is no way of detecting an attack or conducting a forensic investigation.

• Remote control and monitoring of nav-aid equipment over radio modems that use open, unencrypted communication. The communication equipment retrofitted to old nav-aids is susceptible to injection attacks, which can cause the system to shut down abnormally or change service direction without air traffic controllers or pilots noticing.

• Incorporation of Internet of Things (IoT) devices into navigational-aid equipment. Most navigational and landing aid equipment has been in operation for over 40 years and remains in good operating condition. As a result, airport authorities and ANSPs are reluctant to replace these systems even though they have passed their end of life. It is observed that these systems were retrofitted with IoT devices to monitor and control operations, so that the operator can log events and alarms remotely for investigation. The wireless connectivity between remote sites and the main centres, the use of default usernames and passwords, and third-party access to these systems have created a new threat landscape.

• GNSS spoofing, which causes incorrect position information and leads to critical safety issues.
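The unencrypted radio-modem control links and the retrofitted IoT monitoring described above (and the "unencrypted control and monitoring" item in the preceding landing-aid list) share one root weakness: nothing binds a received command to an authorised sender, so an injected or replayed frame is executed like any other. The following added example, which is this section's own and not any vendor's protocol or Airservices code, places the legacy plaintext frame beside a minimal authenticated alternative: an HMAC-SHA256 tag over a per-site, monotonically increasing sequence number and the command, verified with a constant-time comparison. The key, site names, commands and frame layout are constructed assumptions. This adds integrity and replay protection only; confidentiality of the monitoring data would require a further encryption layer (or a proper transport such as TLS) on top.

```python
"""Added example: authenticated, replay-protected telecommand frames for a
nav-aid remote control/monitoring link, beside the legacy plaintext frame they
replace.  Key, sites, commands and layout are constructed; not a vendor protocol."""
import hashlib
import hmac
import struct

TAG_LEN = 16      # truncated HMAC-SHA256 tag
SITE_LEN = 8      # fixed-width site identifier field


def legacy_accept(frame):
    """Legacy behaviour: any parseable 'SITE:COMMAND' frame is executed.
    Nothing binds the frame to a sender, so injection and replay succeed."""
    try:
        site, cmd = frame.decode().split(":", 1)
    except (UnicodeDecodeError, ValueError):
        return None
    return site, cmd


def build_frame(key, site, seq, cmd):
    """seq (4 bytes, big-endian) | site (8 bytes, NUL-padded) | cmd | tag."""
    if len(site) > SITE_LEN:
        raise ValueError("site identifier too long")
    body = struct.pack(">I", seq) + site.encode().ljust(SITE_LEN, b"\0") + cmd.encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class NavaidController:
    """Receiver side: verifies the tag, the site binding and a strictly
    increasing sequence number before executing anything."""

    def __init__(self, key, site):
        self.key = key
        self.site = site
        self.last_seq = 0
        self.executed = []

    def accept(self, frame):
        if len(frame) < 4 + SITE_LEN + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                       # forged or corrupted frame
        seq = struct.unpack(">I", body[:4])[0]
        site = body[4:4 + SITE_LEN].rstrip(b"\0").decode()
        cmd = body[4 + SITE_LEN:].decode()
        if site != self.site:
            return None                       # captured at another site
        if seq <= self.last_seq:
            return None                       # replayed or reordered frame
        self.last_seq = seq
        self.executed.append(cmd)
        return cmd


if __name__ == "__main__":
    key = b"constructed-site-key-do-not-reuse"     # constructed, per-site secret
    ctl = NavaidController(key, "YMML-GP")
    f1 = build_frame(key, "YMML-GP", 1, "CHANGEOVER TX2")
    print("genuine :", ctl.accept(f1))
    print("replayed:", ctl.accept(f1))
    print("forged  :", ctl.accept(build_frame(b"guess", "YMML-GP", 2, "SHUTDOWN")))
    print("legacy  :", legacy_accept(b"YMML-GP:SHUTDOWN"))
```

The sequence counter must survive a receiver restart (persisted, or re-synchronised with an authenticated handshake), otherwise a reboot reopens the replay window; the example keeps it in memory only for brevity of the demonstration.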
Chapter 4: Planning and Analysis

Research planning and design refer to the techniques and strategies that cover the entire set of decisions, from broad hypotheses through the methods of collecting data to the data analysis.

The research methodology adopted in this work is a pragmatic approach that combines the development of theoretical modelling methods (MATLAB simulation techniques) with internationally recognised enterprise architecture (EA) practice. Because of the problems with the existing architecture, it became necessary to investigate the current state of EA uptake in the aviation industry and its associated problems.

4.1 DESK SURVEY

A desk survey is a study performed purely by navigating through research (sitting at a desk)
rather than physically engaging with systems and stakeholders.

Fig. 40. Keyword network visualisation.


To address RQ1, RQ2 and RQ3 through the journal literature, a keyword network analysis was performed using the VOSviewer application. The application constructs a map of keywords based on co-occurrence data (Fig. 40) across 224 research papers. Node labels and node size represent the identified keywords and their relevance to the subject matter, respectively: larger nodes indicate that a keyword accounts for a significant proportion of the literature, while the distance between nodes indicates the strength of the ties between them.

Cybersecurity word cloud

To better understand the articles and keywords represented in the journal papers, NVivo
analysis is employed. The word frequency query generated a word cloud (Fig. 41).

Fig. 41. NVivo System generated word cloud on 16 publications under four
transdisciplinary X4.0 systems of systems artifacts.

The cybersecurity frameworks under review are analysed and run through the same
software to develop a transdisciplinary system and extract various risk attributes, as
depicted in Fig. 42[226-233].

Fig. 42. Cybersecurity Framework key risk attributes and interaction.

4.2 HOW AHP WILL BE USED (RQ4)

The Analytic Hierarchy Process (AHP) is a practice of quantifiable analysis in many decision-
making processes. This multi-criterion decision-making approach is based on pairwise
comparisons of alternatives. By utilising this technique, the relative importance of one
criterion over another can be readily assessed.

The hierarchical structure of the AHP enables one to make determinations when the
complexity of objectives is high and murky in a noisy environment. The complexity and
ambiguity could result from a lack of decision-makers' in-depth knowledge of each
attribute under consideration.

The cybersecurity risks investigated and assessed in this thesis fall into the category where
prioritising risk attributes is essential in making managerial decisions to make investment
calls for the organisation to protect valuable assets. Therefore the AHP has been chosen
as the primary method of prioritising various system risk items for the study, and the analysis
is presented in Section 5.13.

The AHP and the Analytic Network Process (ANP) are two classic Multi-Criteria Decision
Making (MCDM) methods devised by Saaty[191].

In AHP, when performing pairwise comparisons, a consistency concern arises once the number of alternatives exceeds a small limit (three or more), because humans cannot keep pairwise judgements consistent as the number of elements grows. This undermines the credibility of the comparison outcome and leads the decision-maker to adjust comparisons manually[234].

Evaluators who use AHP/ANP in their applications then start working the numbers to lower the consistency ratio and complete the process, gradually paying less attention to what they actually prefer. The deficiencies highlighted in Asadabadi’s 2019 paper[235] refer to the pairwise comparisons and the associated ranking. AHP and ANP use a similar pairwise comparison process with the same scale; the AHP method, the less complex of the two, has been chosen for the research discussed in this thesis[236-238].
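The consistency concern described above is measurable: Saaty's consistency ratio compares the inconsistency of a judgement matrix with that of random matrices of the same size, and a ratio above 0.10 is conventionally rejected. The following added example (written for this section, not the thesis's own MATLAB analysis) derives the priority vector of a pairwise comparison matrix with the row geometric-mean approximation of the principal eigenvector, computes λmax, the consistency index and the consistency ratio from Saaty's random-index table, and ranks a set of risk attributes. It is shown both for a consistent set of judgements and for the kind of circular judgement (A over B, B over C, C over A) that produces the manual re-working the text warns about. The attribute names and judgement values are constructed.

```python
"""Added example: AHP priority vector, lambda_max and consistency ratio for a
pairwise comparison matrix of risk attributes.  Uses the row geometric-mean
approximation of Saaty's principal eigenvector and Saaty's random-index table.
Attribute names and judgements are constructed."""
import math

# Saaty's random consistency index by matrix order n.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}


def from_judgements(n, judgements):
    """Build a reciprocal matrix from upper-triangle judgements {(i, j): a_ij},
    a_ij > 1 meaning attribute i is preferred over j on Saaty's 1..9 scale."""
    m = [[1.0] * n for _ in range(n)]
    for (i, j), a in judgements.items():
        m[i][j] = float(a)
        m[j][i] = 1.0 / a
    return m


def priority_vector(matrix):
    """Normalised row geometric means (approximates the principal eigenvector)."""
    n = len(matrix)
    gm = [math.prod(row) ** (1.0 / n) for row in matrix]
    total = sum(gm)
    return [g / total for g in gm]


def lambda_max(matrix, weights):
    """Estimate of the principal eigenvalue: mean of (A w)_i / w_i."""
    n = len(matrix)
    aw = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    return sum(aw[i] / weights[i] for i in range(n)) / n


def consistency_ratio(matrix):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); 0 for n < 3."""
    n = len(matrix)
    if n < 3:
        return 0.0
    ci = (lambda_max(matrix, priority_vector(matrix)) - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def rank_attributes(names, matrix, cr_limit=0.10):
    """Return (ranked [(name, weight)], CR, acceptable) using Saaty's 0.10 rule."""
    w = priority_vector(matrix)
    cr = consistency_ratio(matrix)
    ranked = sorted(zip(names, w), key=lambda p: p[1], reverse=True)
    return ranked, cr, cr <= cr_limit


if __name__ == "__main__":
    names = ["Unauthorised access", "Unpatched systems", "Loss of audit logs"]
    consistent = from_judgements(3, {(0, 1): 2, (0, 2): 6, (1, 2): 3})
    circular = from_judgements(3, {(0, 1): 3, (1, 2): 3, (0, 2): 1 / 3})
    for label, m in (("consistent", consistent), ("circular", circular)):
        ranked, cr, ok = rank_attributes(names, m)
        print("%-10s CR=%.3f acceptable=%s %s" % (label, cr, ok,
              ["%s:%.2f" % (n, w) for n, w in ranked]))
```

For the circular judgements every attribute receives the same weight, so the ranking is meaningless even though a number is produced; the CR (about 1.15) is what flags this, which is why the ratio should be checked before any weights are used for investment decisions.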

4.3 HOW FUZZY LOGIC WILL BE APPLIED (RQ5)

Defining the level and significance of a given data set is a multivariate decision-making problem whose parameters vary considerably, depending on which specific elements are affected and to what degree. It is difficult to estimate the degree to which certain risk types are exposed because of the lack of empirical data and the complex causal relationships.

The aviation-system-specific risks that this research addresses have no appropriate probability model to which they can be fitted. Adopting fuzzy logic systems, or Fuzzy Expert Systems (FES), helps model the cause-and-effect relationships while consistently assessing risk exposure and ranking key risks.

The FES is the primary tool used to defuzzify security risk data and is presented and discussed thoroughly in Section 6.1.

4.4 BUSINESS CONTINUITY PLAN AND DISASTER RECOVERY PLAN

The BCP and DRP are methods or strategies a business implements to ensure the
information systems are protected, adequately backed up, and recoverable in the face
of a major disaster. The BCP and DRP involve the implementation of processes and specific
recovery actions necessary to protect people and critical processes from the effects of
significant security incidents and network disruptions. The method further ensures the timely
restoration of aviation operations if substantial outages follow [239-242].

A cyber-incident might occur in the air, and the disaster recovery plan or other checks and balances incorporated into the aerospace system design set air and ground systems apart; specifying minimum security requirements for aviation systems would allow manufacturers to demonstrate that they are developing secure systems. The evolution of industry regulation, notably by the International Civil Aviation Organization (ICAO), has influenced organisations across the aviation industry to recognise the need to work together, guided by a collective vision, strategy and roadmap, to reinforce the aviation system’s protection and resilience against cyber-attacks.

Risk assessment is part of the risk management process. Risk areas such as physical security, operations, finance, internal audit and regulatory compliance should be assessed in the context of the overall risk management framework applicable to the business operation. To maintain ongoing operations and recover following a disruption, ICAO recommends developing a strategy for governance, safety and security by design, coordination and information sharing[239-242].

4.5 INCIDENT IDENTIFICATION

Cybersecurity incident identification aims to systematically recognise and classify all potential security events of a given cyber-physical system. Various risk analysis techniques such as Failure Mode and Effect Analysis (FMEA), fault tree analysis, event tree analysis, and Monte Carlo simulation, applicable across various business sectors, can be used for this purpose[243-245].

4.6 PARTICIPANTS

The main participants of the study are aviation system stakeholders, air navigation service providers and ATM service providers (Airservices Australia, where the author is an employee). As an employee, I had the opportunity to collect and analyse critical information on operational aviation systems with appropriate permissions. In addition, the author referred to publicly available data from aircraft manufacturers (Airbus and Boeing) and airports.
4.7 INSTRUMENTS
The author used publicly available open-source application software to simulate various attack methods and study their impact on the operation of various aviation IT infrastructure services.

• Kali Linux for penetration testing (offensive attack tools), which includes:

▪ Armitage (a scriptable red team collaboration and cyber-attack management tool),

▪ Nmap (a port scanner),

▪ Wireshark (a packet analyser),

▪ Metasploit (a pen-testing framework),

▪ John the Ripper (a password-cracking tool),

▪ Sqlmap (an SQL injection and database exploitation tool),

▪ Aircrack-ng (pen-testing for wireless LANs), and

▪ Burp Suite.

• OWASP ZAP web application security scanner.

The testing was carried out in isolation in a Platform as a Service (PaaS) cloud environment. For this purpose, a sandbox environment was created in the Australian research cloud (Nectar research cloud) with two server instances, one to simulate the system under attack and the second to carry out offensive security attacks using the aforementioned tools.

4.8 SUMMARY POINTS

The principal questions among the aviation industry and its stakeholders are how susceptible the aviation industry is to disruption by cyber-attack, how much a cyber-attack would cost ANSPs, airlines and airports, and whether the current methodologies are adequate to address these issues.

Summary Point 1: Aircraft and aviation systems are not installed without stringent security risk assessments. Post-installation retrofitting of IT and network devices, in the absence of a risk management process, will have a detrimental effect on the integrity of safety.

Summary Point 2: Existing risk assessment methods are designed to analyse known threats. However, emerging complex systems and the deployment of the Internet of Things (IoT) have recently presented many new threats that have never been experienced before. A more holistic approach to assessing threats and mitigating risks is required for the aviation industry to address these issues and ensure business continuity.

Summary Point 3: Not all security risks are critical. The current methods do not distinguish risks accurately; hence, security resources are deployed in areas where the controls fail to provide the intended protection. The methodology needs to prioritise risks logically.

The system security assessment ensures that the necessary security controls are integrated into the process. To assess risks accurately, it is necessary to identify the data most valuable to the organisation and the associated system vulnerabilities. Cyber threats are highly dynamic and require both strategic and tactical assessment methodologies. Strategic security evaluation helps top management, who do not necessarily understand the details of cybersecurity, to comprehend risk exposure, prioritisation and budget allocation in the long run.

Tactical security assessments are often performed immediately before an information system goes into operation, primarily to understand potential security threats and vulnerabilities and to mitigate the risks in real time. Information security professionals who address tactical-level risk assessment are expected to be cognisant of emerging threats, attack vectors and efficient detection mechanisms, and to be conversant with risk mitigation methodologies.

Of the two primary risk assessment methods, qualitative and quantitative, the latter is predominantly used when the measures are quantifiable or a precise dollar value can be assigned to the loss. The assessments are performed in three main spheres to understand the effects of information-system asset loss and its repercussions. The final quantitative value of any security risk is based on the numerical figures assigned to the threats and system vulnerabilities. Inaccurate or uncertain figures assigned to the threat and vulnerability parameters return an unrealistic quantified risk. An overestimate may lead an organisation to enforce extra precautionary measures and bear substantial additional costs; an erroneously low risk figure assigned to a high-risk asset results in inadequate security controls and exposed vulnerabilities.
Chapter 5: Risks Identification Prioritization
in Cybersecurity

The risk identification process assists organizations in determining key business objectives
and then determining the impact of a possible security attack on IT and networking
infrastructure.

5.1 UNIDENTIFIED THREATS AND SYSTEM VULNERABILITIES

Aerospace engineering organisations, aviation industry partners and operators regularly encounter numerous cyber-attacks. With IT-based, asset-intensive CNS/ATM systems and the locations in which they operate, risk has become a prominent and integral part of the business[4]. Cyber-security threats and vulnerabilities, in which anonymous actors exploit technological weaknesses to disrupt operations, are among today's most critical and least understood industry risks. Recognising emerging cyber-attack capabilities should be part of an organisation's enterprise risk management strategy. The primary question is, "How certain are we about potential threats, and how exposed are our aviation systems to attacks that could result in catastrophic consequences or major operational outages?"

5.2 SYSTEM AVAILABILITY REQUIREMENT AND SECURITY RAMIFICATIONS

According to the ICAO Required Surveillance Performance (RSP) and Required
Communication Performance (RCP) specifications, member states are responsible for
providing 99.9% availability for safety and 99.99% for efficiency [246]. Over a year, 99.9%
availability permits roughly 8.8 hours of unavailability and 99.99% roughly 53 minutes, which
leaves little margin for a prolonged outage. To achieve this objective, ANSPs are required to
set goals under which the likelihood of cybersecurity events causing a Denial of Service
(DoS) or a significant information breach is reduced to as low as reasonably practicable
(ALARP). If this is not addressed appropriately, an organisation may incur costs through, for
example, loss of an aircraft, fatalities, damage to critical equipment and services, disruption
of services, operational delays, increased insurance premiums, legal costs, fines,
compensation and loss of organisational reputation.

5.3 AMBIGUOUS NATURE OF RISK ATTRIBUTES

Organisations are regularly exposed to new or evolving threat vectors that may affect their
operations. Identifying, confirming and evaluating these threats and the vulnerabilities they
exploit is the only way to comprehend and gauge the impact of the risk involved. The
outcome of this procedure depends heavily on the availability and accuracy of the risk data.
However, in civil aviation information systems, security professionals often face a situation
where the risk data is inadequate or there is high uncertainty associated with the risk
information.

There may be both a scarcity of critical data and an abundance of conflicting
information. In many situations it is difficult to conduct a probabilistic risk assessment of the
likelihood of a security incident and the criticality of its possible consequences because of
this underlying uncertainty. Therefore, developing new risk analysis methods is crucial to
identifying significant cybersecurity incidents and assessing the accompanying risks
satisfactorily.

The Analytic Hierarchy Process (AHP) is a reliable candidate for introduction into the
formal risk assessment model because of its strength in determining the relative
importance of risk attributes through pairwise comparison [247]. This research presents a
novel risk assessment methodology using the AHP technique, which is intended to reduce
uncertainty; the resulting framework is a stepping stone for the risk analysis process.

5.4 USE OF AHP OVER ANP AS AN MCDM METHOD

The AHP and the Analytic Network Process (ANP) are two classic Multi-Criteria Decision
Making (MCDM) methods devised by Saaty[191].

In AHP, consistency becomes a concern once the number of elements being compared
reaches three or more: a 2 × 2 comparison matrix is always consistent, but with three or more
elements the pairwise judgements can contradict one another (for example, A preferred to
B, B preferred to C, yet C preferred to A). Humans cannot keep pairwise decisions consistent
as the number of elements grows. This undermines the credibility of the comparison
outcome and forces the decision-maker to revise comparisons manually [234].

Evaluators who use AHP/ANP in their applications start working the numbers to lower the
consistency ratio and complete the process, while gradually paying less attention to what
they actually prefer. The deficiencies highlighted in Asadabadi's 2019 paper [235] refer to
the pairwise comparisons and the associated ranking. AHP and ANP use a similar pairwise
comparison process and the same scale; the AHP method, the less complex of the two, has
been chosen for the research discussed in this thesis [236-238].

5.5 UNCERTAINTY IN RISK ASSESSMENT

Uncertainties in the risk assessment and management process are a critical concern in
safety, health and environment-based decision-making. Many information technology
security breaches can be traced to substantial uncertainty in security risk assessments.
Recent cyber-attacks exemplify this situation: British Airways (credit card database
compromised) [248], Japan Airlines (breach of 750,000 customer records) [249], Adobe [250],
the CIA (victim of a cyber-attack) [251], Cellebrite (hacked, with 900 GB of customer
information stolen) [252], the NHS (ransomware attack) [253], and Sony. Dealing with such
uncertainty in risk assessment is arguably the most challenging task facing assessors and
managers today.

Early research identified four principal sources of uncertainty in risk assessment,
predominantly in the health, safety and environmental domains. These uncertainties
concern:

• definitions,

• scientific facts,

• risk perceptions and attitudes, and

• quantifiable figures.

Uncertainties about definitions derive mainly from the meaning and interpretation of key
concepts, such as probability and level of impact.

5.6 SECURITY ANALYSIS USING A HOLISTIC METHODOLOGY

International standards organisations have developed various security and process
management approaches, while security organisations publish controls for security
architecture [254, 255]. The ability of secure system design lifecycles to reduce the risk of
cyber-attacks should make them a helpful tool, critical to any organisation that creates
and enhances technologies [256]. Based on the research and the literature review
(Chapter 2), a conclusion has been reached to employ a holistic approach to security
analysis.

Aviation ICT (Information and Communication Technology) systems are critical to the
aviation industry's safe and efficient operation, including airlines, airports, air traffic control,
and other related organizations. These systems are designed to support various functions,
such as flight planning, navigation, communication, and passenger management.

As with any ICT system, aviation ICT systems are vulnerable to cybersecurity threats such as
hacking, malware, and other attacks, which can have severe consequences for the safety
and security of the aviation system. A cyberattack could compromise the system's
integrity, disrupt operations, or even cause accidents. Therefore, it is crucial to assess the
security of aviation ICT systems to ensure their reliability, availability, and safety.

A holistic methodology for security analysis of aviation ICT systems is necessary because it
takes into account the various interrelated components and the entire system. A holistic
methodology considers not only the technical aspects of the system but also the human,
operational, and organizational aspects that impact the system's security.

A holistic approach enables identifying and assessing potential security threats,


vulnerabilities, and risks associated with aviation ICT systems. It also provides insights into
the security implications of the system's interaction with other systems, subsystems, and
components, including human operators and other stakeholders.

Moreover, a holistic approach provides a more comprehensive understanding of the


security risks associated with aviation ICT systems and the measures required to mitigate
them. It also helps to ensure that the security measures implemented are appropriate for
the entire system, not just individual components, and are aligned with the overall
objectives of the aviation system.

Overall, a holistic methodology for security analysis of aviation ICT systems is essential to
ensure the safe and reliable operation of the aviation system, which is critical for the well-
being of the public and the economy.

5.6.1 ENTERPRISE ARCHITECTURE (EA) FRAMEWORK:

According to the Information Systems Audit and Control Association (ISACA), the EA
practice defines the structure and business operation to determine how an organisation
can most effectively achieve its current and future objectives.

5.6.1.1 ZACHMAN FRAMEWORK MODEL

John Zachman developed this enterprise architecture framework in 1987. The framework
has since been evolved or reworked on multiple occasions by various authors and
practitioners during its application or as part of ongoing research. The basic framework,
however, furnishes a detailed classification scheme for any architecture and is often
employed for describing enterprises owing to its simple application methodology. The
Zachman framework allows companies to build or transform their organisations over time
to meet the requirements of the day. The enterprise architecture comprises a set of models
or building blocks which, if retained and maintained, also serve as a baseline for managing
its evolution. Practitioners therefore use the Zachman framework to communicate about
(and decipher) the complex issues that often occur in engineering enterprises [257].

5.6.1.2 THE OPEN GROUP ARCHITECTURE FRAMEWORK (TOGAF) MODEL

The Open Group Architecture Framework (TOGAF) is a model and methodology for the
development of enterprise architectures published by The Open Group [258]. Like other
information technology management frameworks, TOGAF supports enterprises in aligning
IT goals with overall business objectives while supporting the organisation of
cross-departmental IT endeavours. Another significant feature of TOGAF is that it guides
businesses in defining and organising requirements before a project begins, keeping the
process moving quickly with minimal errors. The framework has evolved, and the latest
release employs a more straightforward modular structure that is easier to adopt and
execute, making the framework simpler to implement in any industry [259]. The TOGAF
framework can be categorised into two groups: the TOGAF fundamentals and the
comprehensive guidance. The fundamental content contains all the necessities and best
practices that create the foundation. The comprehensive guidance component comprises
directions for intricate subjects such as agile methods, data, security and information
architecture [260].

5.6.1.3 SHERWOOD APPLIED BUSINESS SECURITY ARCHITECTURE (SABSA) MODEL

The Sherwood Applied Business Security Architecture (SABSA) is a model and
methodology for developing information security enterprise architectures [261-263].
SABSA can be treated as a proven methodology for conceiving business-driven, risk- and
opportunity-focused architecture that focuses on security at both the organisation and
solution levels and relies on processes that traceably support business objectives. SABSA
comprises a series of integrated processes, used independently or as a holistic enterprise
solution, including organisation policy, business requirements (also known as attributes
profiling), risk and opportunity, governance, service-oriented architecture and security risk
management.

5.6.1.4 DEPARTMENT OF DEFENSE ARCHITECTURE FRAMEWORK (DODAF)

The Department of Defense Architecture Framework (DoDAF), the US defence architecture
framework, ensures systems' interoperability to meet military mission goals [264]. The
framework provides visualisation of infrastructure for specific stakeholder situations through
viewpoints grouped under various standpoints. These viewpoints are artefacts for
visualising, understanding and assimilating an architecture description's broad scope and
complexity through structural, behavioural or alternative conceptual means. The
framework is explicitly fitted to large systems with complex interoperability and integration
challenges and is unique in its employment of operational views. These views offer
summaries and components aimed at specific stakeholders within their domain and relate
them to the other disciplines in which the system will operate.

5.6.1.5 THE BRITISH MINISTRY OF DEFENCE ARCHITECTURE FRAMEWORK (MODAF)

The British Ministry of Defence Architecture Framework (MODAF) is an architecture
framework mainly for military support missions [265]. Every business discipline is different,
and each needs a unique information system that fulfils its specific requirements. Designing
and creating an information system from scratch can be a painstaking and expensive task.
MODAF provides organisations with a standardised way of performing enterprise
architecture practice. The stages involve designing, developing, implementing and
governing systems. By employing this architecture, businesses can save resources instead of
starting from scratch.

5.6.2 INFORMATION TECHNOLOGY SERVICE MANAGEMENT METHODOLOGY:

• The Control Objectives for Information and Related Technologies (COBIT) is an IT
enterprise management and governance practice framework created by the
Information Systems Audit and Control Association (ISACA) [266]
• The IT Infrastructure Library (ITIL) is a set of comprehensive guidelines for IT service
management that focuses on aligning IT services with business needs [267]
• The NIST SP 800-37 Risk Management Framework for Information Systems and
Organisations was developed by the National Institute of Standards and
Technology (NIST).

5.7 AVIATION INFORMATION SYSTEMS SECURITY FRAMEWORK

Fig. 43. The Proposed Aviation Systems Security Framework.

The enterprise security framework is an across-the-board plan for ensuring a business's
overall security using security controls and following local and international regulations
related to information security concepts [36]. Enterprise security is also considered the
instrument for rendering harmonious access to classified information across an organisation
and assuring data integrity [78].

Generally, the regulation necessitates suitable information security controls enforced in
organisations where military, financial or safety-critical information is managed and
processed. In the circumstances where there are no or minimum control directives,
business associates, vendors, and other stakeholders may preclude doing business with
organisations unless they employ adequate controls to protect the information.

A significant issue in designing a functional and robust framework is incorporating new
security management concepts to address evolving threats. New applications involving AI,
machine learning and big data operate on high-power platforms and require robust
framework designs that support numerous security techniques and explicit security
constraints [268].

For the aviation industry, the security governing principles are mainly derived from
international bodies such as ICAO and regional agencies such as EUROCONTROL and the
FAA. Local or domestic acts and regulations provide rules tailored to the internal
environment and operating conditions. The framework depicted in Fig. 43 shows people,
product, processes and environments (3PEs) and their influence on the framework. These
four attributes become the main pillars of the foundation of the security framework.
Under this aviation security framework, the international and regional bodies ensure that
threat and vulnerability intelligence is promptly disseminated to the cybersecurity units or
individuals responsible for the security of each country or organisation. The member
agencies are tasked with informing their regional reporting centres, authorities and
counterparts of any anticipated threats and identified vulnerabilities. Security monitoring
capability is key to the framework: the ATM system status is monitored continuously, and
unauthorised access to restricted information raises an alarm.

5.7.1 AVIATION PLAYERS AND SYSTEMS

Aircraft:

As the main entity or one of the primary endpoints of a worldwide network, aircraft operate
through multiple phases from their origin to the specified destination. Namely, Terminal
gate, Lineup, Takeoff, Initial climb, Climb, Cruise, Descent, and Landing. There is a
continuous information flow between the avionics and ground entities, such as flight plan
updates, route, weather and aeronautical information updates. The integrity and the rapid
availability of the information play a significant role from the safety perspective[269].

Air Traffic Management (ATM)

The management of air traffic and airspace, including air traffic services, airspace
management and air traffic flow control dynamically and in an integrated fashion, yields
a safe and efficient passage to the destination through the provision of facilities and
seamless services in collaboration with all parties and involving airborne and ground-based
functions (Source: ICAO Doc 4444 PANS-ATM). This process requires radar, ADS-B, ADS-C,
CPDLC and ACARS services to deliver and aggregate information to make tactical and
operational decisions for effective management[270].

Airport

An airport (also called an air terminal, hub, aerodrome or airfield) is a site and installation
for the takeoff and landing of aircraft. It manages a tremendous amount of information
ranging from passenger, cargo, catering, aeronautical and airline data to airport security
surveillance [271].

Airlines

All major airlines have flight operations, crew scheduling, aircraft maintenance
management, flight planning, and passenger management systems or terminal
connected to their central servers. Rapid provisioning of information is paramount for
prompt decision-making and efficient operations management[272].

Aeronautical data service providers

The services include IT/OT, security, aircraft surveillance (Aireon ADS-B, satellite
surveillance), aeronautical data services (SITA/ARINC), third-party service providers, and
defence and military entities [273].

5.7.2 INFORMATION SECURITY GOVERNANCE

Security governance ensures that the organisation's security strategy is aligned with
business objectives and consistent with legal obligations, international treaties and
state-wide regulations. The main pillars of governance consist of oversight, enactment of
policies, accountability, strategic planning and prompt resource allocation.

This stems from the due diligence and duty of care that organisation leaders owe under
their fiduciary obligations. The rationale behind the principle of governance is that an
appropriate operational mechanism is in place to protect critical assets. The characteristics
of effective security governance proposed by this research are crucial for an effective
security program.

Security is an organisation-wide issue; all leaders are accountable and view it as a
requirement (or part of the business process). They should adopt a risk-based approach
and define roles, responsibilities and segregation of duties to address and enforce policies.

A system engineering (or software development) life cycle is mandated, and they are
planned, managed, measured, reviewed, and audited regularly. Employees are aware
and adequately trained on various issues arising out of security.

5.7.3 INFORMATION SECURITY MANAGEMENT

The information security management process describes an organisation's information
security and privacy approach. It guides the identification and treatment of threats and
opportunities around valuable information and any interconnected assets while providing a
protective shield against disruption caused by cybersecurity incidents [274, 275].

The management process provides many benefits to aviation operations and business
entities. The strategy is evident in today's more significant and evolving threat landscape,
where robust information security is necessary for all forms of supply chain operations. The
research suggests 24 elements under the Information Security Management(ISM) in the
proposed framework[276].

5.7.4 SECURITY OPERATING CENTRE (SOC)

Managing security is intertwined with business operations, and stakeholders are more
involved than ever and demand to be abreast. Furthermore, with hundreds of incidents
and millions of threat/ negative events daily, incident response teams are often
overwhelmed by business-critical alerts, resulting in high-profile breaches that go
unnoticed due to the enormous volume of information[277].

A SOC is a facility that houses a security team responsible for detecting, analysing, and
responding to incidents using a combination of technology solutions such as machine
learning, artificial intelligence and big data technologies and a robust set of processes.

The SOC team monitors and analyses activity gathered from networks, Intrusion Detection
Systems (IDS), servers, firewalls, Data Loss Prevention (DLP) systems, endpoints, databases,
applications, websites, Application Programming Interfaces (APIs) and other IT/OT systems.
Predominantly, a SOC is equipped with a Security Information and Event Management (SIEM)
system, which looks for anomalous activity that could indicate a security incident or
compromise [278].
Security analysts and engineers typically run SOC and work closely with organisational
incident response teams to ensure security issues are contained quickly upon discovery.
Subsequently, possible security incidents are correctly identified, analysed, defended,
investigated, and reported.

5.7.5 SECURITY TESTING AND AUDIT

Security testing is a specialised assessment conducted on information systems to identify
vulnerabilities that adversaries could exploit. There are two main testing schemes: software
security testing and system exposure testing. Software testing is performed statically or
dynamically. System exposure testing is performed using specialised software tools and
comprises two categories: vulnerability scans and penetration testing (pentest). The pentest
provides independent validation of an organisation's cybersecurity posture and presents
evidence that previously exposed vulnerabilities have been successfully addressed. A
pentest is a point-in-time exercise, so its evidence is only as current as the last test.

A security audit thoroughly assesses an organisation's information system, processes, and
compliance with law, policy, and procedures. Typically, the audit measures the
organisation's security posture against an independent auditing team's audit checklist of
industry best practices, established standards, or federal regulations.

5.7.6 REGIONAL AND INTERNATIONAL BODIES, REGULATIONS AND DIRECTIVES

As aircraft operate beyond geographical boundaries with diverse regulatory structures
(the European region and so on), it is imperative that their operations and security concerns
are addressed globally by a single organisation or a regional entity. ICAO plays a
significant role in this context and needs to bring all stakeholders to a single table to
enforce the controls highlighted in the proposed framework.

5.8 CYBER-SECURITY RISK CLASSIFICATION

The risks are identified using systematic approaches such as FMEA, Fault tree analysis,
Monte Carlo simulation, and event tree analysis. The classification of the risk is performed
pursuant to the above process.

The Common Vulnerabilities and Exposures (CVE) database is a catalogue of publicly
recognised information security vulnerabilities and exposures [209]. The catalogue is
sponsored by the US Department of Homeland Security (DHS), and entries are grouped
into two categories: vulnerabilities and exposures. Many airports and airlines adopt
standard operating environment (SOE) systems, applications and network infrastructure for
their daily non-critical business applications. As a result, the vulnerabilities and exposures
outlined in the CVE listings also apply to that part of the aviation domain. However, this is
not the case for aircraft and ATM systems. ANSP ground radio navigation and landing
systems employ proprietary operating systems and legacy protocols for data exchange,
and CVE listings rarely cover these components, so they cannot be relied on alone to
address their vulnerabilities. As organisations become more sophisticated in their data
gathering and preservation, and security personnel become more competent in
conducting risk assessments, organisations find themselves moving toward quantitative
risk assessment methods. The significance of a quantitative risk evaluation is the numeric
nature of the outcome. Probability, recurrence, impact, remediation effectiveness, asset
valuation and various other aspects of the risk assessment have a discrete value in
quantitative analysis, and assessors can prioritise their risk attributes to facilitate control
treatments.

Often, risk assessment involves a combination of quantitative and qualitative techniques.
An entirely quantitative assessment is not feasible owing to the absence of some objective
inputs, such as value or information classification. Value of information is often one of the
most challenging factors to calculate, as in the case of Personally Identifiable Information
(PII) and Protected Health Information (PHI), which have different levels of regulatory
implications.

The first step in a quantitative risk assessment is to review the information currently available
within the organisation. Secondly, similar business entities collect and verify the data, and
academic establishments perform statistical security data analysis as part of their research.
The Common Body of Knowledge (CBoK) is another source of reference to identify specific
threats sources, including:

• Human – malicious insider or outsider, saboteur, spy, political agent or agent of a
competitor, loss of encryption key, personnel and social engineering,

• Technical – hardware/software failure, malicious code, unauthorised use of
applications, use of untested services, unencrypted wireless applications, and

• Operational – a procedure (manual or automated function) that affects the CIA triad.

5.9 THE BIGGER PICTURE OF CYBERSECURITY

In order to achieve higher levels of deliberation and creativity, mind mapping (Fig. 44) is
an effective strategy for identifying cybersecurity risks related to aviation systems.

Fig. 44. Visualising aviation cybersecurity artefacts through a mind map.

5.10 SECURITY RISK ATTRIBUTES

The quantitative risk attributes include the threat, the likelihood of occurrence, the
vulnerability of the system (or the network), the asset value and the rate of occurrence (on
an annual basis). In addition, the damaging impact (including the severity of consequence),
cost of protection and effectiveness of the mitigation strategy are the remaining attributes
in any ICT system; they are investigated during the later stage of implementing security
controls to estimate the return on investment (ROI) to the business. When adopting a
mathematical or quantitative risk analysis, the above quantifiable attributes are entered
into equations to determine overall and residual risks and, consequently, the annual
budget allocations for security controls [279, 280].
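As an added illustration of how these attributes feed the equations (this is example code written for this page, not code from the thesis, and it uses the standard SLE = AV × EF and ALE = SLE × ARO formulation from the information security body of knowledge rather than any equation the thesis itself defines), the following Python snippet computes the annualised loss expectancy of a scenario, the residual ALE after a set of controls, the return on security investment (ROSI) of each control, and a greedy allocation of an annual budget in descending ROSI order. The scenario, control names and figures are constructed for the example; the assumption that controls act independently (their reductions compound multiplicatively) is an assumption of the example, not of the thesis.

```python
"""Quantitative risk attributes -> ALE, residual risk and control budget allocation.
Added example with constructed figures; uses SLE = AV * EF and ALE = SLE * ARO."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV: value of the asset at risk (currency units)
    exposure_factor: float  # EF: fraction of AV lost per incident, 0..1
    aro: float              # annual rate of occurrence (expected incidents per year)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # cost of protection per year
    aro_reduction: float    # fraction by which the control lowers ARO, 0..1
    ef_reduction: float     # fraction by which the control lowers EF, 0..1


def single_loss_expectancy(s):
    """SLE = AV * EF: loss expected from one incident."""
    return s.asset_value * s.exposure_factor


def annualised_loss_expectancy(s):
    """ALE = SLE * ARO: expected loss per year with no additional controls."""
    return single_loss_expectancy(s) * s.aro


def residual_ale(s, controls):
    """ALE after applying a set of controls. Assumption: controls act independently,
    so their EF and ARO reductions compound multiplicatively."""
    ef, aro = s.exposure_factor, s.aro
    for c in controls:
        ef *= 1.0 - c.ef_reduction
        aro *= 1.0 - c.aro_reduction
    return s.asset_value * ef * aro


def rosi(s, control):
    """Return on security investment = (avoided annual loss - annual cost) / annual cost."""
    avoided = annualised_loss_expectancy(s) - residual_ale(s, [control])
    return (avoided - control.annual_cost) / control.annual_cost


def allocate_budget(s, controls, budget):
    """Greedy allocation: take controls in descending standalone ROSI while they pay
    for themselves and fit the remaining budget.
    Returns (chosen controls, residual ALE after them, total annual spend)."""
    chosen, spend = [], 0.0
    for c in sorted(controls, key=lambda c: rosi(s, c), reverse=True):
        if rosi(s, c) <= 0:
            break                      # this and all remaining controls cost more than they save
        if spend + c.annual_cost <= budget:
            chosen.append(c)
            spend += c.annual_cost
    return chosen, residual_ale(s, chosen), spend


# Constructed figures for a hypothetical surveillance data feed, not data from the thesis.
SURVEILLANCE_DOS = Scenario("DoS on surveillance data feed",
                            asset_value=2_000_000, exposure_factor=0.25, aro=0.5)
CONTROLS = [
    Control("Upstream rate limiting and link redundancy", 40_000,
            aro_reduction=0.6, ef_reduction=0.0),
    Control("Failover to secondary radar feed", 30_000,
            aro_reduction=0.0, ef_reduction=0.5),
    Control("Dedicated DDoS scrubbing service", 100_000,
            aro_reduction=0.3, ef_reduction=0.0),
]

if __name__ == "__main__":
    print("ALE before controls: %.0f" % annualised_loss_expectancy(SURVEILLANCE_DOS))
    for c in CONTROLS:
        print("%-45s ROSI = %.2f" % (c.name, rosi(SURVEILLANCE_DOS, c)))
    chosen, residual, spend = allocate_budget(SURVEILLANCE_DOS, CONTROLS, budget=80_000)
    print("Chosen:", [c.name for c in chosen])
    print("Residual ALE: %.0f, annual spend: %.0f" % (residual, spend))
```

With the constructed figures the scenario carries an ALE of 250,000 before treatment; the failover control has the highest ROSI, the scrubbing service has a negative ROSI (it costs more per year than the loss it avoids) and is never selected, and an 80,000 budget buys the two worthwhile controls for 70,000, cutting the residual ALE to 50,000. In practice the inputs carry the uncertainty discussed in Section 5.5, so the ranking, not the absolute figures, is the useful output.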

The qualitative assessment process is more scenario and opinion-based and uses various
rating indicators to interpret the attributes. Gathering all necessary information that needs
to be entered into the risk analysis process and accurately interpreting the results is an
overwhelming task. The automated risk analysis tools on the market can make this task
much more manageable and provide business owners with an approximate cost of
implementing security controls.

5.11 SECURITY RISK DYNAMICS AND DEPENDENCIES

Historically, aircraft were never designed to connect to the internet as they do today, and
the safety of the operation was considered paramount. Safety remains the primary concern
in the aviation industry, and it can be affected by the IT security threats and system
vulnerabilities of the e-enabled aircraft. Today, the aviation industry as a whole focuses on
both safety and security. Nevertheless, many organisations, including aviation operators,
often conflate security with safety. The onboard wireless internet is similar to any other Wi-Fi
network provided by a public library, shopping centre or café. An attacker can launch an
evil twin attack using a fraudulent Wi-Fi access point that appears to be the legitimate
connection provided by the airline (or the aircraft) and eavesdrop on wireless
communications, including passengers' login credentials [281, 282].

Fig. 45. Information exchange model at state and domestic level.

The aircraft information security architecture should ensure that aircraft entertainment and
flight management networks are suitably segregated to prevent any malicious attack on
the flight controls. Similarly, communication between ATM centres, airports, airlines and
other industry stakeholders who are diversely located in a large geographic area should
be secured and free of data interception or replay attacks. As shown in Fig. 45,
aeronautical satellite services, GNSS, and Sat-Nav data services provide a seamless
connection to aircraft globally. The satellite network provides data exchange between
aircraft, airlines and airports for maintenance and operational purposes, including
passenger Wi-Fi[283].

The application of information security controls does not change greatly between the
terrestrial and airborne spheres, and the same attack vector could also exploit the aircraft IT
infrastructure. ATM service providers (or ANSPs) are highly regulated and are therefore
deemed to have protective systems and IT services. However, additional security
considerations are required when interfacing (e.g., for safety, performance and
interoperability purposes) with neighbouring ATS providers and third-party data service
providers (Fig. 46). In addition, all primary, secondary and tertiary communication links that
carry safety-critical aircraft data should be encrypted using a standardised cryptographic
algorithm and securely managed keys. Encryption alone does not stop replay or tampering,
so message authentication and a freshness check (sequence numbers or timestamps) are
needed as well.

Fig. 46. Information exchange model at regional level networking with regional entities.

The NextGen and SESAR research programs will radically transform the National Airspace
System (NAS) operational framework from an analog to a data-oriented paradigm. The
new design will rely significantly on air-ground functional integration coupled with CNS
data to enable 4-dimensional trajectory-based operation (4DT) for rapid air traffic flow
management[284].

In addition to these features, the programme's ambition is to give flight crews access to
SWIM data for advanced shared situational awareness (SSA) and organised data exchange
within a comprehensive framework of government-private collaboration centred on the
evolution of air-ground data synthesis with complementary enabling technologies. More
specifically, aircraft, ANSPs and airports will interact with their neighbouring counterparts
(Fig. 47) and with centralised automation systems that manage air traffic through highly
dense flight corridors [285].

Fig. 47. Application of Information exchange model when applied at the global level.

This framework can be applied to most aviation risk analysis processes, but it should be
noted that different agencies might require the elimination of some steps or the inclusion
of extra steps to meet the requirement of the local legislative framework[286].

5.12 PROPOSED SECURITY RISK ASSESSMENT METHODOLOGY

The risk assessment process begins with each system's identified security requirement and
a problem statement. The problem statement cites the applicable national and
international rules and regulations, e.g., those of the International Civil Aviation
Organization (ICAO) and the Civil Aviation Safety Authority (CASA) of Australia. The
statement should also specify the deterministic requirements for security, confidentiality,
availability, safety and integrity, along with the criteria for the likelihood of severe security
breaches or events and their possible consequences [287-292].

The first step is to collect information on data classifications, system security architectures,
and possible impacts on aviation systems and operations. It would be a daunting task for
organisations, as the gathered information has a variable degree of accuracy and
integrity. Organisations such as EUROCAE, CASA, and FAA may have collected information
related to cybersecurity incidents and shared it mutually to mitigate potential threats
among regional stakeholders.

Statistics related to threat landscapes may not be available first-hand, and assessors may
need to refer to the Civil Aviation Common Body of Knowledge (CBOK) of information
security published by industry partners such as NIST, ISC2 and ISACA for the purpose.
Secondly, experts and security professionals can make rational judgements and develop
qualitative descriptors for the assessment [279, 293-295].

Fig. 48. Security risk assessment process - civil aviation systems.

The next step is to study the information to understand what serious security incidents
occurred in a similar business environment over the years and develop a body of
knowledge. The process that can be adopted is demonstrated in the flow chart (Fig. 48).

5.13 ANALYTIC HIERARCHY PROCESS (AHP)

AHP can be adapted to prioritise essential components or attributes of decisions that are
difficult to quantify or compare under normal conditions. The outcome of the process
remains reasonably accurate and consistent even when the judgements of team members
are coloured by their particular specialisations, interpretations or perspectives [296, 297].

5.13.1 RISK PRIORITISATION WITH AHP

The first step in AHP is to decompose the problem and structure it into a hierarchy of
attacks affecting aviation systems. The input values are then acquired from actual
cybersecurity threats (such as Injection and DoS) or from the level of criticality of the systems
in use (such as the ATM or air surveillance data system) [298-300].

The number of comparisons to be performed depends on the number of attributes. Eight
attack types (Injection, DoS, Misconfiguration, Remote code execution, Intrusion or
Hacking, Spoofing, Broken Authentication, and XSS) have been chosen for analysis, and
there are 28 comparisons to be performed (Table 10).

Table 10. Number of comparisons

Number of attacks, n                      1   2   3   4   5    6    7    8    9    10
Number of comparisons, n(n − 1)/2         0   1   3   6   10   15   21   28   36   45

The comparisons, which correspond to the level of dominance, are scaled from 1 to 9 and
are depicted in Table 11.

Table 11. Pairwise comparison rating assignment

Rating            Description
1—Equal           Both alternatives are of equal importance.
3—Moderate        One alternative is moderately more important than the other.
5—Strong          One alternative is strongly more important than the other.
7—Very Strong     One alternative is very strongly more important than the other.
9—Extreme         One alternative is extremely more important than the other.

The pairwise comparisons use a scale that ranges from equally preferred (importance) to
extremely preferred.

A pairwise comparison matrix:

$$A = (a_{ij})_{n \times n} = \begin{bmatrix} a_{11} & a_{12} & \cdots & a_{1n} \\ a_{21} & \ddots & & \vdots \\ a_{n1} & \cdots & & a_{nn} \end{bmatrix}$$

with $a_{ij} > 0$ expressing the degree of preference of $x_i$ over $x_j$. According to Saaty's theory,
each entry approximates the ratio between two weights:

$$a_{ij} \approx \frac{w_i}{w_j} \quad \forall\, i, j \qquad (5.1)$$

This signifies that if the entries represent ratios between weights, then the matrices W and A
can be presented in the following form:

$$W = \begin{bmatrix} \dfrac{w_1}{w_1} & \dfrac{w_1}{w_2} & \cdots & \dfrac{w_1}{w_n} \\ \dfrac{w_2}{w_1} & \ddots & & \vdots \\ \dfrac{w_n}{w_1} & \cdots & & \dfrac{w_n}{w_n} \end{bmatrix}$$

$$A = \begin{bmatrix} a_{11} & a_{12} & \cdots & a_{1n} \\ a_{21} & \ddots & & \vdots \\ a_{n1} & \cdots & & a_{nn} \end{bmatrix} \approx \begin{bmatrix} \dfrac{w_1}{w_1} & \dfrac{w_1}{w_2} & \cdots & \dfrac{w_1}{w_n} \\ \dfrac{w_2}{w_1} & \ddots & & \vdots \\ \dfrac{w_n}{w_1} & \cdots & & \dfrac{w_n}{w_n} \end{bmatrix} = W \qquad (5.2)$$

Once equation (5.1) is assumed, (5.2) describes a situation of multiplicative reciprocity,
$a_{ji} = 1/a_{ij}\ \forall\, i, j$, and A can be written in the simplified form (5.3):

$$A = \begin{bmatrix} 1 & a_{12} & \cdots & a_{1n} \\ \dfrac{1}{a_{12}} & \ddots & & \vdots \\ \dfrac{1}{a_{1n}} & \cdots & & 1 \end{bmatrix} \qquad (5.3)$$

In other words, the shortened structure of pairwise comparison matrices in this form follows
from the assumption that if, for example, x1 is two times better than x2, it can be deduced
that x2 is 1/2 times as good as x1.

5.13.2 DECOMPOSITION AND PAIRWISE COMPARISON

The first step of the AHP process in aviation systems is to identify the various cybersecurity
risks associated with individual systems, decompose the problem into a hierarchy of criteria
and evaluate the alternatives. The second step is to employ pairwise comparison to apportion
the priority of each measure against every other measure, and the relative priority of each
system against every remaining system, for each criterion [301-303].

Fig. 49. Pairwise assessment of security risk

As shown in Fig. 49, the AHP uses pairwise comparisons to establish relative priority based
on the severity of the attack against every other criterion and the relative importance of
each system against every other system based on the operation performed by the subject
system.

Each comparison's result is expressed numerically from 1 (equally preferred) to 9
(extremely preferred), where a higher number means the chosen attribute is considered
more strongly preferred to the other attributes being compared.

5.13.3 CONSISTENCY INDEX (CI) AND CONSISTENCY RATIO (CR)

According to the result attained from the pairwise comparison matrix A, the maximum
eigenvalue, $\lambda_{max}$, is equal to n only if the matrix is consistent.

Consequently, given $\lambda_{max}$, the consistency index, CI, is computed as:

$$CI(A) = \frac{\lambda_{max} - n}{n - 1}$$

where n is the number of risk attributes being compared.

The last stage is to compute a Consistency Ratio (CR) to measure how consistent the
judgments have been relative to large samples of purely random adjudications.

Given a matrix of order n, the CR is obtained by dividing the CI by a real number, the
Random Index (RI), which is an estimate of the average CI obtained from a set of randomly
generated matrices of size n:

$$CR = \frac{CI}{RI}$$
Where the random index, RI, is a simulated random pairwise comparison for different sizes
of matrices (Table 12).

Table 12. Saaty's random index

n 1 2 3 4 5 6 7 8 9 10

RI 0 0 0.5247 0.8816 1.1086 1.2479 1.3417 1.4057 1.4499 1.4854

According to Saaty, a CR < 0.1 (10%) implies consistency, while if it is not less than 10%,
the judgments need to be revised[304].

The stepwise process of pairwise comparison is outlined in the flow chart (Fig. 50).

Fig. 50. The stepwise process of pairwise comparison in obtaining consistency.

5.13.4 NORMALISATION AND WEIGHING RISK ATTRIBUTES

• Injection: SQL injection is an attack in which the attacker supplies malicious SQL
commands and thereby accesses and manipulates restricted information.
• Denial of Service: DoS is an attack in which the attacker attempts to make a system or
network unavailable for its intended purpose by exhausting resources such as
network bandwidth and processing power.
• Security misconfiguration: This occurs when an information system or network is left
susceptible to attack because vendor guidance for system configuration was not
followed.
• Remote Code Execution: This allows an attacker to execute arbitrary code without
authentication, take complete control of vulnerable network equipment and intercept
traffic.
• Intrusion or hacking: Privilege escalation is used for intrusion (an attack on a system
by cyber impersonators or hackers).
• Spoofing: This is a spear-phishing attack in which an attacker impersonates a device or
user on a network to steal data, inject malware and evade access controls, thereby
compromising the business.
• Broken authentication: This vulnerability allows attackers to bypass the authentication
methods used to log into an application.
• Cross-site scripting: XSS enables attackers to inject client-side scripts into web pages.

The set of eight significant attacks listed is used for pairwise comparison and is portrayed
in Table 13.

Table 13. Pairwise comparison of cyber-attacks on civil aviation systems

Columns follow the same order as the rows: Injection, Denial of Service, Security Misconfiguration, Remote code execution, Intrusion or Hacking, Spoofing, Broken Authentication, Cross-Site Scripting (XSS).

Injection                    1        0.200    0.333    1.000    1.000    0.333    5.000    3.003
Denial of Service            5.000    1        3.003    6.993    5.000    1.000    6.993    6.993
Security Misconfiguration    3.000    0.333    1        5.000    3.003    1.000    9.000    6.993
Remote code execution        1.000    0.143    0.200    1        0.333    0.333    5.000    3.000
Intrusion or Hacking         1.000    0.200    0.333    3.000    1        0.333    6.993    3.003
Spoofing                     3.000    1.000    1.000    3.000    3.000    1        9.009    9.009
Broken Authentication        0.200    0.143    0.111    0.200    0.143    0.111    1        1.000
Cross-Site Scripting (XSS)   0.333    0.143    0.143    0.333    0.333    0.111    1.000    1
SUM                          14.533   3.162    6.123    20.526   13.812   4.222    43.995   34.001

Table 14. Comparison matrix of cyber-attacks on civil aviation systems derived from the pairwise comparison in Table 13

Columns: the eight normalised comparison columns (in the Table 13 order), then Criteria Weights (mean of the normalised row), Weights sums [ws] (A·w), Eigenvector (normalised [ws]) and the ratio [ws]/[w].

Injection                    0.068808918  0.063251107  0.054435567  0.04871797   0.072399048  0.078951524  0.113649219  0.088320165   0.07356669   0.616733491  0.071847162  8.383325302
Denial of Service            0.344044588  0.316255534  0.490410513  0.340685102  0.361995239  0.236854571  0.158949957  0.205668637   0.306858018  2.720216362  0.316895108  8.864739408
Security Misconfiguration    0.206426753  0.105313093  0.163306701  0.243589848  0.217414558  0.236854571  0.204568594  0.205668637   0.197892844  1.708908287  0.199081472  8.635523394
Remote code execution        0.068808918  0.045224541  0.03266134   0.04871797   0.024133016  0.078951524  0.113649219  0.088240669   0.0625484    0.511851181  0.059628762  8.183281809
Intrusion or Hacking         0.068808918  0.063251107  0.054381131  0.146153909  0.072399048  0.078951524  0.158949957  0.088320165   0.09140197   0.785525649  0.091510822  8.594187311
Spoofing                     0.206426753  0.316255534  0.163306701  0.146153909  0.217197144  0.236854571  0.204773367  0.264960496   0.219491059  1.841396877  0.214515901  8.389393546
Broken Authentication        0.013761784  0.045224541  0.018145189  0.009743594  0.010353064  0.026290857  0.022729844  0.029410615   0.021957436  0.178766817  0.020825671  8.14151602
Cross-Site Scripting (XSS)   0.02291337   0.045224541  0.023352858  0.016237699  0.024108883  0.026290857  0.022729844  0.029410615   0.026283583  0.220565845  0.025695102  8.391772219
Checksum                     1            1            1            1            1            1            1            1             1            8.583964509  1            8.447967376

λmax = 8.447967376 (mean of [ws]/[w]); Consistency Index CI = (λmax − n)/(n − 1) = 0.063995339; RI = 1.41 for an 8×8 matrix; Consistency Ratio CR = CI/RI = 0.045386766.

The normalised criteria comparison matrix, weight sums, Eigenvector and consistency index for an aviation system cyber attack are
tabulated in Table 14.

Table 15. Comparison matrix of cyber-attacks on civil aviation systems by an injection attack

Columns: the six normalised pairwise comparison columns (the six systems compared against one another), then Criteria Weights, Weights sums [ws], Eigenvector and [ws]/[w].

ATM system                   0.154408438  0.157654107  0.114124853  0.230255584  0.128572733  0.218720607   0.167289387  1.038330897  0.16439689   6.206794802
Surveillance data services   0.154408438  0.157654107  0.114124853  0.230255584  0.214285745  0.218720607   0.181574889  1.139592776  0.180429485  6.276158464
Ground communication system  0.463225314  0.472962321  0.342374558  0.230255584  0.385714341  0.218720607   0.352208787  2.274653982  0.360141495  6.458254487
Aircraft FMS                 0.154408438  0.157654107  0.342374558  0.230255584  0.214285745  0.218720607   0.219616506  1.374398634  0.217605835  6.258175474
Aircraft navigation system   0.051468965  0.031530821  0.038041617  0.046051117  0.042857149  0.093840525   0.050631699  0.311811658  0.049368527  6.158427709
Aircraft weather services    0.022080407  0.022544537  0.048959562  0.032926548  0.014284288  0.031277047   0.028678731  0.177212885  0.028057768  6.179244205
Checksum                     1            1            1            1            1            1             1            6.316000831  1            6.256175857

λmax = 6.256175857; Consistency Index CI = (λmax − n)/(n − 1) = 0.051235171; RI = 1.25 for a 6×6 matrix; Consistency Ratio CR = CI/RI = 0.040988137.

The injection cyber-attack could fall into one of multiple types of attack, namely: Code injection, CRLF (Carriage Return and Line
Feed) injection, Cross-site Scripting (XSS), Email (mail command/SMTP) injection, Host header injection, LDAP injection, OS command
injection, SQL injection (SQLi) and XPath injection. The criteria comparison matrix is depicted in Table 15.

Table 16. Comparison matrix of cyber-attacks on civil aviation systems by a Denial of Service (DoS) attack

Columns: the six normalised pairwise comparison columns, then Criteria Weights, Weights sums [ws], Eigenvector and [ws]/[w].

ATM system                   0.088237889  0.088235294  0.125109469  0.088235294  0.064102564  0.097826087   0.091957766  0.554865899  0.090433506  6.033921015
Surveillance data services   0.088237889  0.088235294  0.124984372  0.088235294  0.064102564  0.097826087   0.091936917  0.55475446   0.090415344  6.034077265
Ground communication system  0.029383217  0.029411762  0.041661453  0.029411765  0.038461538  0.054347826   0.037112927  0.225480951  0.03674948   6.075536742
Aircraft FMS                 0.088237889  0.088235294  0.12498436   0.088235294  0.064102564  0.097826087   0.091936915  0.554754449  0.090415342  6.03407728
Aircraft navigation system   0.264713668  0.264705883  0.208307266  0.264705882  0.192307692  0.163043478   0.226297312  1.392942795  0.227025487  6.155366072
Aircraft weather services    0.441189447  0.441176472  0.374953079  0.441176471  0.576923077  0.489130435   0.460758163  2.852824431  0.464960842  6.191587383
Checksum                     1            1            1            1            1            1             1            6.135622984  1            6.087427626

λmax = 6.087427626; Consistency Index CI = (λmax − n)/(n − 1) = 0.017485525; RI = 1.25 for a 6×6 matrix; Consistency Ratio CR = CI/RI = 0.01398842.

The DoS cyber-attacks could fall into one of the multiple types of attacks: Buffer overflow attacks, Internet Control Message Protocol (ICMP)
flood, SYN flood, Amplification attacks and Teardrop attacks. The criteria comparison matrix is depicted in Table 16.

Table 17. Comparison matrix of cyber-attacks on civil aviation systems by Security Misconfiguration

Columns: the six normalised pairwise comparison columns, then Criteria Weights, Weights sums [ws], Eigenvector and [ws]/[w].

ATM system                   0.153061225  0.153061225  0.144230977  0.153060529  0.195652141  0.178571409   0.162939584  0.995813283  0.162870436  6.111549181
Surveillance data services   0.153061225  0.153061225  0.144230977  0.153060529  0.195652141  0.178571409   0.162939584  0.995813283  0.162870436  6.111549181
Ground communication system  0.459183674  0.459183674  0.432692932  0.45918618   0.326086899  0.321428537   0.409626983  2.515437851  0.411412929  6.140801165
Aircraft FMS                 0.153061225  0.153061225  0.144229535  0.153060529  0.195652335  0.178571409   0.162939376  0.995812122  0.162870246  6.111549858
Aircraft navigation system   0.051020408  0.051020408  0.086538586  0.051020125  0.06521738   0.107142953   0.068659977  0.412208419  0.067418828  6.003620146
Aircraft weather services    0.030612245  0.030612245  0.048076992  0.030612106  0.021739105  0.035714282   0.032894496  0.19905895   0.032557125  6.051436421
Checksum                     1            1            1            1            1            1             1            6.114143909  1            6.088417658

λmax = 6.088417658; Consistency Index CI = (λmax − n)/(n − 1) = 0.017683532; RI = 1.25 for a 6×6 matrix; Consistency Ratio CR = CI/RI = 0.014146825.

Security Misconfiguration could fall into one of the multiple attacks, namely, automatically installed server admin consoles and
inadvertently enabled directory listing. The criteria comparison matrix for security misconfiguration is depicted in Table 17.

Table 18. Comparison matrix of cyber-attacks on civil aviation systems by Remote code execution

Columns: the six normalised pairwise comparison columns, then Criteria Weights, Weights sums {Ws}, Eigenvector and [ws]/[w].

ATM system                   0.127124036  0.1171875    0.195652757  0.1171875    0.195809677  0.166664973   0.153271074  0.943467786  0.153368781  6.155550175
Surveillance data services   0.381372108  0.351562501  0.326087602  0.351562501  0.326023113  0.299996982   0.339434134  2.098221234  0.341083859  6.181526903
Ground communication system  0.042374636  0.0703125    0.06521752   0.0703125    0.065204623  0.100008985   0.068905127  0.414851852  0.067437727  6.020623825
Aircraft FMS                 0.381372108  0.351562501  0.326087602  0.351562501  0.326023113  0.299996982   0.339434134  2.098221234  0.341083859  6.181526903
Aircraft navigation system   0.042332304  0.0703125    0.06521752   0.0703125    0.065204623  0.099999084   0.068896422  0.414791884  0.067427979  6.020514168
Aircraft weather services    0.025424807  0.039062496  0.021737     0.039062496  0.021734852  0.033332995   0.030059108  0.182074653  0.029597796  6.057220804
Checksum                     1            1            1            1            1            1             1            6.151628643  1            6.102827129

λmax = 6.102827129; Consistency Index {CI} = (λmax − n)/(n − 1) = 0.020565426; RI = 1.25 for a 6×6 matrix; Consistency Ratio CR = CI/RI = 0.016452341.

Remote code execution could fall into one of multiple types of attack, namely: common utility libraries located on a remote server,
dynamic loading of (compiled) classes, object serialisation, remote procedure calls (RPC) or remote method invocation (RMI), device-
specific operational commands, device-specific control commands (including firmware update commands) and executable code
embedded in files [305]. The criteria comparison matrix is depicted in Table 18.

Table 19. Eigenvector derived from the cyber-attack comparison criteria

Criteria                     Eigenvector
Injection                    0.071847162
Denial of Service            0.316895108
Security Misconfiguration    0.199081472
Remote code execution        0.059628762
Intrusion or Hacking         0.091510822
Spoofing                     0.214515901
Broken Authentication        0.020825671
Cross-Site Scripting (XSS)   0.025695102

Table 20. Eigenvector matrix multiplication for civil aviation systems and cyber-attack mechanisms

System eigenvectors (columns: Injection, Denial of Service, Security Misconfiguration, Remote code execution):

ATM system                   0.16439689   0.090433506  0.162870436  0.153368781
Surveillance data servers    0.180429485  0.090415344  0.162870436  0.341083859
Ground communication system  0.360141495  0.03674948   0.411412929  0.067437727
Aircraft FMS                 0.217605835  0.090415342  0.162870246  0.341083859
Aircraft navigation system   0.049368527  0.227025487  0.067418828  0.067427979
Aircraft data comm services  0.028057768  0.464960842  0.032557125  0.029597796

multiplied (×) by the attack eigenvector:

Injection                    0.071847162
Denial of Service            0.316895108
Security Misconfiguration    0.199081472
Remote code execution        0.059628762
Intrusion or Hacking         –
Spoofing                     –

Table 21. Matrix multiplication

  [ 0.16439689   0.090433506  0.162870436  0.153368781 ]                       [ 0.082039062 ]
  [ 0.180429485  0.090415344  0.162870436  0.341083859 ]   [ 0.071847162 ]     [ 0.094378421 ]
  [ 0.360141495  0.03674948   0.411412929  0.067437727 ] × [ 0.316895108 ]  =  [ 0.123446794 ]
  [ 0.217605835  0.090415342  0.162870246  0.341083859 ]   [ 0.199081472 ]     [ 0.097049398 ]
  [ 0.049368527  0.227025487  0.067418828  0.067427979 ]   [ 0.059628762 ]     [ 0.092932741 ]
  [ 0.028057768  0.464960842  0.032557125  0.029597796 ]                       [ 0.157606088 ]

Table 22. System ranking based on the severity of cybersecurity risk from four (4) of the six
(6) attacking methods

System                        Priority      Ranking
ATM system                    0.082039062   6
Surveillance data servers     0.094378421   4
Ground communication system   0.123446794   2
Aircraft FMS                  0.097049398   3
Aircraft navigation system    0.092932741   5
Aircraft data comm services   0.157606088   1
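The AHP procedure of Sections 5.13.1 to 5.13.4, from the pairwise matrix of Table 13 through the column normalisation, row averaging and consistency check of Table 14 to the system-level product of Tables 21 and 22, carried through as an added worked example in pure Python. It is not the thesis's own spreadsheet: the only data are the values copied from Tables 12, 13 and 21, and the helper names (`priority_vector`, `weighted_sums`, `consistency`, `rank_attacks`, `rank_systems`) are the example's own. Table 14 uses RI = 1.41 for the 8×8 case, whereas the example reads 1.4057 from Table 12, so its CR comes out at about 0.0455 rather than 0.0454.

```python
"""AHP prioritisation of the eight attack types and six aviation systems of
Section 5.13.  Added worked example in pure Python (no numpy); it is not the
thesis's own spreadsheet, and every input value below is copied from
Tables 12, 13 and 21 of the chapter."""
from typing import Dict, List

# Saaty's random index RI for matrices of order 1..10 (Table 12).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.5247, 4: 0.8816, 5: 1.1086,
                6: 1.2479, 7: 1.3417, 8: 1.4057, 9: 1.4499, 10: 1.4854}

ATTACKS = ["Injection", "Denial of Service", "Security Misconfiguration",
           "Remote code execution", "Intrusion or Hacking", "Spoofing",
           "Broken Authentication", "Cross-Site Scripting (XSS)"]

# Pairwise comparison matrix of Table 13 (rows and columns in ATTACKS order).
TABLE_13 = [
    [1.000, 0.200, 0.333, 1.000, 1.000, 0.333, 5.000, 3.003],
    [5.000, 1.000, 3.003, 6.993, 5.000, 1.000, 6.993, 6.993],
    [3.000, 0.333, 1.000, 5.000, 3.003, 1.000, 9.000, 6.993],
    [1.000, 0.143, 0.200, 1.000, 0.333, 0.333, 5.000, 3.000],
    [1.000, 0.200, 0.333, 3.000, 1.000, 0.333, 6.993, 3.003],
    [3.000, 1.000, 1.000, 3.000, 3.000, 1.000, 9.009, 9.009],
    [0.200, 0.143, 0.111, 0.200, 0.143, 0.111, 1.000, 1.000],
    [0.333, 0.143, 0.143, 0.333, 0.333, 0.111, 1.000, 1.000],
]

SYSTEMS = ["ATM system", "Surveillance data servers", "Ground communication system",
           "Aircraft FMS", "Aircraft navigation system", "Aircraft data comm services"]

# System eigenvectors under Injection, DoS, Misconfiguration and RCE (Table 21).
TABLE_21 = [
    [0.16439689,  0.090433506, 0.162870436, 0.153368781],
    [0.180429485, 0.090415344, 0.162870436, 0.341083859],
    [0.360141495, 0.03674948,  0.411412929, 0.067437727],
    [0.217605835, 0.090415342, 0.162870246, 0.341083859],
    [0.049368527, 0.227025487, 0.067418828, 0.067427979],
    [0.028057768, 0.464960842, 0.032557125, 0.029597796],
]


def number_of_comparisons(n: int) -> int:
    """Table 10: n(n - 1)/2 pairwise judgements for n attributes."""
    return n * (n - 1) // 2


def priority_vector(a: List[List[float]]) -> List[float]:
    """Normalise each column to sum 1 and average the rows (Table 14, 'Criteria Weights')."""
    n = len(a)
    col_sums = [sum(row[j] for row in a) for j in range(n)]
    return [sum(a[i][j] / col_sums[j] for j in range(n)) / n for i in range(n)]


def weighted_sums(a: List[List[float]], w: List[float]) -> List[float]:
    """(A w)_i, the 'Weights sums' column of Table 14."""
    return [sum(aij * wj for aij, wj in zip(row, w)) for row in a]


def consistency(a: List[List[float]], w: List[float]):
    """lambda_max as the mean of (A w)_i / w_i, then CI = (lambda_max - n)/(n - 1)
    and CR = CI / RI.  Returns (lambda_max, CI, CR)."""
    n = len(a)
    lambda_max = sum(ws / wi for ws, wi in zip(weighted_sums(a, w), w)) / n
    ci = (lambda_max - n) / (n - 1) if n > 1 else 0.0
    ri = RANDOM_INDEX[n]
    return lambda_max, ci, (ci / ri if ri else 0.0)


def rank_attacks(a=TABLE_13, names=ATTACKS) -> Dict:
    """Full pass over one pairwise matrix: weights, eigenvector, ranking, CI and CR."""
    w = priority_vector(a)
    ws = weighted_sums(a, w)
    eigenvector = [x / sum(ws) for x in ws]     # 'Eigenvector' column of Table 14
    lambda_max, ci, cr = consistency(a, w)
    order = sorted(range(len(names)), key=lambda i: w[i], reverse=True)
    return {"criteria_weights": dict(zip(names, w)),
            "eigenvector": dict(zip(names, eigenvector)),
            "ranking": [names[i] for i in order],
            "lambda_max": lambda_max, "ci": ci, "cr": cr,
            "consistent": cr < 0.10}                  # Saaty's 10 % threshold


def rank_systems(system_matrix=TABLE_21, attack_weights=None, names=SYSTEMS) -> Dict:
    """Tables 21 and 22: systems-by-attacks matrix times the attack weight vector,
    then rank the systems by the resulting priority (1 = most exposed)."""
    if attack_weights is None:   # the first four entries of the Table 19 eigenvector
        attack_weights = list(rank_attacks()["eigenvector"].values())[:4]
    scores = [sum(x * wt for x, wt in zip(row, attack_weights)) for row in system_matrix]
    ordered = sorted(zip(names, scores), key=lambda p: p[1], reverse=True)
    return {name: (score, rank) for rank, (name, score) in enumerate(ordered, start=1)}


if __name__ == "__main__":
    result = rank_attacks()
    for name in result["ranking"]:
        print(f"{name:28s} {result['criteria_weights'][name]:.4f}")
    print(f"lambda_max={result['lambda_max']:.4f} CI={result['ci']:.4f} CR={result['cr']:.4f}")
    for name, (score, rank) in sorted(rank_systems().items(), key=lambda kv: kv[1][1]):
        print(f"{rank}. {name:28s} {score:.4f}")
```

Running the block prints the attack ranking of Table 14 (Denial of Service first, Broken Authentication last) and the system ranking of Table 22. The `consistent` flag is the check a practitioner would gate on: a CR at or above 0.10 means the Table 13 judgements should be revised before their weights are carried into the system-level product.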

5.13.5 MEASURING AND PRIORITISING BUSINESS RISK

Security controls are deployed to protect information assets and networking infrastructure.
If the assets are somehow damaged or compromised, they will impact business operations.
The security controls can be physical, technical or administrative, and these processes
include planning for disaster recovery and implementing a systems security management
mechanism.

The process of identifying business information assets, determining the threats to them,
weighing the extent of the impact on the business and evaluating system vulnerabilities is
known as operational risk assessment. Applying appropriate security controls to balance
security, usability, cost and other organisational needs is called operational risk mitigation.
The operational risk assessment is performed on the basis of system criticality and the
severity of the consequences for the subject systems following a cyberattack. In this
exercise, AHP has yielded a prioritisation figure for each aviation system domain based on
the presented security threats, ranked in order of preference (Fig. 49).

System security risk management is about distinguishing and categorising risks through a
risk assessment practice and deploying various controls to protect the prioritised systems
in line with the organisation's security requirements. Not every risk warrants extra controls,
because the cost of implementing the controls may be higher than the potential losses. The
decision matrices, in turn, are used to select risk mitigation methodologies: broad security
control strategies, logical and physical security mechanisms and, eventually, the system
security artefacts, instruments and technology mechanisms upon which the enterprise
security architecture is built.

5.14 SUMMARY

Risk identification and prioritisation in cybersecurity involve identifying, analysing and
prioritising potential security risks and vulnerabilities to an organisation's information
technology systems and data. The objective is to allocate resources effectively and
minimise the potential impact of security incidents.

The following steps are involved in risk identification and prioritisation in cybersecurity:

• Identify assets: Start by identifying the assets that are critical to the organisation, such
as servers, databases, and applications.

• Assess vulnerabilities: Conduct a thorough analysis of the potential vulnerabilities in
the identified assets, such as software vulnerabilities, hardware weaknesses and
configuration errors.

• Evaluate threat: Assess the potential threat actors and the likelihood of each threat
being realised.

• Determine impact: Establish the impact that each security risk would have on the
organisation, including financial losses, reputational damage, and disruption to
operations.

• Prioritise risks: Based on the likelihood and impact of each risk, prioritise the risks and
allocate resources to address the most critical ones first.

Risk identification and prioritisation is an ongoing process that requires continuous
monitoring and re-evaluation to ensure that the organisation stays ahead of evolving
security threats. The chapter investigates the practices employed by various organisations.
The AHP is used to identify and prioritise risks in enterprise architecture for cybersecurity.
AHP involves breaking down complex decisions into smaller, more manageable
components and weighing the relative importance of each element to arrive at a final
decision. In the context of enterprise architecture and cybersecurity, AHP can be used to
evaluate and prioritise the various security risks facing an organisation, such as network
security threats, data breaches and social engineering attacks. By objectively weighing
each risk's potential impact and likelihood, AHP can help organisations allocate resources
and implement mitigation strategies more effectively.

Fuzzy logic allows for modelling uncertainty and handling imprecise information, making it
well-suited for risk analysis in complex systems such as enterprise architecture. In
cybersecurity, fuzzy logic can be used to evaluate the severity of potential risks and
prioritise response actions based on the degree of uncertainty associated with each risk.
The fuzzy logic risk analysis process involves transforming qualitative risk assessments into
quantitative values, using a set of fuzzy rules to analyse the data, and then defuzzifying the
results to arrive at a final decision on risk prioritisation. By utilising fuzzy logic, organisations
can improve the accuracy and consistency of their risk management processes, leading
to better security outcomes.

Chapter 6: Risks Quantification and
Assessment

6.1 FUZZY EXPERT SYSTEM (FES)

In this section, an FES based on Fuzzy Logic Theory (FLT) is used to model threat, impact,
likelihood of occurrence and vulnerabilities. The different ways in which uncertainties are
manifested, and the application of FLT in the context of the chosen aviation domain, are
as described in Chapter 5 and shown in Fig. 51. The literature review (Chapter 2) further
highlighted the suitability of fuzzy set theory for de-fuzzifying risk attributes.

Fig. 51. Security risk assessment process - civil aviation systems.

The most decisive step in performing a quantitative risk assessment is to revisit the
information currently available within an organisation. Identifying risks includes
systematically understanding the risk sources, areas of impact, possible security events,
incidents and their causes, consequences and severity. In cybersecurity risk assessment,
ambiguity, indeterminacy of meaning, disjunction and lack of specification have become
prominent, and the attributes are interwoven with multiple systems and processes.

On a cautionary note, the NIST Special Publication 800-30 Revision 1 highlighted the
following facts about risk assessment.

“Organizations are also cautioned that risk assessments are often not precise
instruments of measurement and reflect: (i) the limitations of the specific
assessment methodologies, tools, and techniques employed; (ii) the
subjectivity, quality, and trustworthiness of the data used; (iii) the
interpretation of assessment results; and (iv) the skills and expertise of those
individuals or groups conducting the assessments” [306].

6.1.1 COMMON PITFALLS OF AVIATION SYSTEM SECURITY RISK ASSESSMENTS

In a real-world scenario, systems are prioritised in terms of security threats and system
vulnerabilities. Risk assessments are predominantly performed by security professionals or
risk assessors; aviation organisations mainly engage (or contract) security consultants to
perform this task. In many cases, the assessors are tasked with making decisions on a tight
schedule with limited access to information. The critical question is whether the information
is adequate or accurate enough to make a value judgement.

Conversely, the assessor could be an experienced and skilled security professional who does
not come from the aerospace industry (the assessor could, for instance, be from the finance
or health sector) and may have limited exposure to the systems used in aerospace
engineering. The outcomes of such an assessment may show large discrepancies, and there
is a high probability that some threats and vulnerabilities will go unnoticed. As a result, a
company may be tempted to invest considerable time and funds in protecting a low-value
asset, causing a budget overrun with no return on investment. For example, some security
experts lean towards protecting databases and applying the highest possible degree of
security controls to databases that have no value to tactical, operational or strategic
aviation operations.

Another factor that affects the attributes of a risk assessment is the complexity of aviation
systems and their interaction with other kindred systems [307, 308]. This complexity
confounds most of the security professionals tasked with assessing aviation system
cybersecurity. Also, the assumptions made during the assessment process are highly likely
to produce ill-suited outcomes and open the way to further vulnerabilities.

6.1.2 ADAPTATION OF FES TO DEFUZZIFY SECURITY RISK DATA

Fuzzification is a crucial concept in fuzzy logic theory, and it is the process of converting
crisp quantities into fuzzy values[309]. The uncertainties present in the crisp values are
described using various linguistic variables and form corresponding fuzzy values for the
given attributes (Fig. 52 and Fig. 53).

Fig. 52. Conventional (a) and Fuzzy logic method (b) in risk assessment.
The creation of fuzzy values is characterised by membership functions (MF); an MF is a
representation (for example, the blue vertical line in Fig. 52) that defines how each point
in the input criteria is mapped to a degree of membership between 0 and 1. Of the two
main membership function families, Gaussian (or curved) and linear, this research chose the
latter for analysis (Fig. 53).

Fig. 53. The fuzzy logic method: numerical interpretation.


$$\mu_{very\ low}(X) = \begin{cases} 1 & 0 \le X \le 7.5 \\ \dfrac{17.5 - X}{10} & 7.5 < X < 17.5 \\ 0 & X \ge 17.5 \end{cases}$$

$$\mu_{low}(X) = \begin{cases} \dfrac{X - 7.5}{10} & 7.5 < X < 17.5 \\ 1 & 17.5 \le X \le 32.5 \\ \dfrac{42.5 - X}{10} & 32.5 < X < 42.5 \\ 0 & X \le 7.5 \text{ or } X \ge 42.5 \end{cases}$$

$$\mu_{medium}(X) = \begin{cases} \dfrac{X - 32.5}{10} & 32.5 < X < 42.5 \\ 1 & 42.5 \le X \le 57.5 \\ \dfrac{67.5 - X}{10} & 57.5 < X < 67.5 \\ 0 & X \le 32.5 \text{ or } X \ge 67.5 \end{cases}$$

$$\mu_{high}(X) = \begin{cases} \dfrac{X - 57.5}{10} & 57.5 < X < 67.5 \\ 1 & 67.5 \le X \le 82.5 \\ \dfrac{92.5 - X}{10} & 82.5 < X < 92.5 \\ 0 & X \le 57.5 \text{ or } X \ge 92.5 \end{cases}$$

$$\mu_{very\ high}(X) = \begin{cases} \dfrac{X - 82.5}{10} & 82.5 < X < 92.5 \\ 1 & 92.5 \le X \le 100 \\ 0 & X \le 82.5 \end{cases}$$

6.1.3 THE OPERATION

A fuzzy expert system (FES) is a computer-based approach to mimicking the behaviours of
a convoluted process. Of the three prominent inference systems, namely Mamdani,
Sugeno and Tsukamoto, the first is considered in this study. The fuzzy expert system in this
analysis consists of four main functional blocks, as shown in Fig. 54. The main components
are the Fuzzification and Defuzzification interfaces and an inference engine (a
decision-making logic block). The knowledge base block consists of two information
systems: a ‘rulebase’ (with processing rules) and a database (with the membership
functions of the assessment scenario).

The Fuzzification block transforms the crisp inputs into varying degrees of linguistic values
corresponding to the input risk attributes. The ‘Rulebase’ contains a series of fuzzy if-then
rules corresponding to each input decision matrix, and the inference engine performs the
inference operations based on these rules. The fuzzified “if-then” rules and fuzzified
reasoning are the core of the FES. The inference engine then computes the logical value
for the antecedent of each rule by using an appropriate inference. The ‘Database’
defines the membership functions of the fuzzy sets used in the fuzzy rules. The defuzzification
block converts the fuzzy results of the inference engine into a crisp output.

Fig. 54. The underlying architecture of a fuzzy expert system.

6.1.4 FUZZIFICATION INTERFACE

Fuzzification converts security risk attributes into suitable linguistic variables. As shown in
the diagram, the crisp input is fuzzified: the membership functions are applied to the actual
input values to determine the degree of certainty of each rule antecedent. The inference
engine then uses the appropriate assessment matrix to combine all the fuzzy subsets
assigned to each output variable into a single subset for each output variable.

6.1.5 INFERENCE ENGINE

The decision-making logic of the inference engine is the heart of the fuzzy expert system.
It has the ability to simulate human decision-making capability based on human thoughts,
and this includes any choices or selection of alternatives. Linguistic variables or natural
language expressions are the building blocks of fuzzy logic, and they are used as variables
whose values are presented as words or phrases[310].

Risk level, for example, may be expressed as a numerical value ranging from 0 to 100% and
linguistic variables ranging from ‘low’ to ‘high’. Each of these linguistic variables is
construed as a label of a fuzzy subset X = [0,100%], whose base variable, x, is the
corresponding risk attribute numerical value.
6.1.6 DE-FUZZIFICATION PROCEDURE

Finally, the defuzzification block converts the fuzzy set to a crisp output that best represents
the fuzzy input [311]. In this method, fuzzy logic reasoning is used to enhance the security
risk assessment process while accounting for the uncertainties in human interpretation of
the presented risk attributes, of the likelihood of occurrence of a security event or incident
and of its severity. This defuzzified output is significantly accurate, since the likelihood of
occurrence and the severity of consequences cannot be measured numerically (and the
associated risks are harder still to measure in crisp terms).

The fuzzy logic approach provides a new approach to dealing with incomplete data and
vague and imprecise circumstances. It also translates the high uncertainty environment
into an unequivocal decision-making process. In this course of action, the gaps are filled
with average values of the window following the antecedent. The research has
demonstrated that the proposed fuzzy logic approach outperforms the various other
decision-making methods where variable degrees of linguistic values are assigned to
numerical attributes of risks[312].

6.1.7 INTERPRETATION - RISK MATRICES TO IF-THEN RULES

The ‘if-then’ rules are used to develop conditional statements comprising fuzzy logic.

A single fuzzy if-then rule with an “AND” operation takes the form:

If “Threat Level is Negligible” AND “Likelihood is Medium”, Then “Threat Occurrence
Factor (ToF)” is “Low”.

These rules are defined based on the threat-likelihood matrix for ToF (Table 25).
Similarly, a rule with the “OR” operation can be written as:

If “Threat Level is High” OR “Likelihood is High”, Then “Threat Occurrence Factor
(ToF)” is “High”.

Numerous defuzzification methods are employed to convert fuzzy quantities into crisp values.
The output of an entire fuzzy process is typically the union of two or more fuzzy membership
functions.

The defuzzification process calculates the defuzzified crisp value, standing for the result of
the fuzzy inference mechanism. The fuzzy logical interpretation is a superset of standard
Boolean logic, where Boolean extremes vary between true (logic ‘1’) and false (logic’0’)
states.
6.1.8 AGGREGATION OF OUTPUTS

Since decisions are made on the testing of multiple risk attribute rules, they must be
combined in some way to make a rational composite decision. Aggregation is the process
used to interpret the outputs of each rule and combine them into a single fuzzy set. In this
study, Mamdani Method is used owing to its intuitiveness, widespread acceptance and
close association with human perception.

In Fig. 55, AND and OR rules have been constructed to illustrate how the output of each
parameter (or attribute) is fused or aggregated into a single fuzzy set.

Out of the seven established aggregation methods, the centroid and weighted average
methods are considered for aggregation in this research (Fig. 55).

Fig. 55. Aggregation of a two-input, Mamdani Fuzzy inference process with crisp inputs.

6.1.9 CENTROID METHOD

The centroid method (also called the centre of area or centre of gravity method) is the
most widely used method, which determines the centre of gravity of the aggregated
output[313, 314].

$$X^* = \frac{\int \mu_A(x)\,x\,dx}{\int \mu_A(x)\,dx} \qquad (6.1)$$

The centroid method used in this study is depicted in Fig. 56.

Fig. 56. Centroid method output.

6.1.10 THE WEIGHTED AVERAGED OUTPUT

This approach can only be used with symmetrical output membership functions and cannot
be used with asymmetrical ones. It is one of the more computationally efficient
methods [315].

$$X^* = \frac{\sum \mu_A(\bar{x})\,\bar{x}}{\sum \mu_A(\bar{x})} \qquad (6.2)$$

Here $\sum$ indicates the algebraic sum and $\bar{x}$ denotes the centroid of each symmetric
membership function. In the weighted average method, each membership function is weighted
by its corresponding maximum membership value. The two functions are portrayed in Fig. 57
and expressed in Eq. 6.2.

Fig. 57. Weighted averaged output.

Since the weighted average technique is restricted to symmetrical membership functions,
the values a and b are the centroids of their respective shapes, and m and n are the
corresponding maximum membership values (the weights of Eq. 6.2). Therefore, as shown in
Fig. 57, the ‘Threat Occurrence Factor’ (ToF) is calculated as follows:

$$X^* = \frac{a\,m + b\,n}{m + n} \qquad (6.3)$$

6.1.11 THE HIERARCHICAL IMPLEMENTATION

In this research, a fuzzy logic system with five risk input attributes is modelled as a
hierarchical or cascaded structure with four outputs (Fig. 58). The number of inputs
corresponds to the linguistic variables that describe the various risk attributes. The
output of each fuzzy logic subsystem corresponds to a complex assessment and ultimately
produces a crisp value for annualised loss expectancy. This study defines the five input
attributes using the established practice of risk assessments and published research
papers [316].

Each block in the hierarchy is one fuzzy logic subsystem with two inputs, one of which is
taken from the output of the preceding level, starting from Subsystem 1. The combined
fuzzy logic system provides the complex assessment of the security risk, in the form of
annualised loss expectancy for the subject system, based on the three main attributes:
threat, likelihood of occurrence and system vulnerability. It is further extended with two
more inputs (namely, asset value and annual rate of occurrence), ultimately calculating
the annualised loss expectancy (ALE), which can be used as a key business indicator.

Fig. 58. Four-stage hierarchical fuzzy system security risk assessment.

The fuzzification of the input parameters encompasses:

(1) converting crisp input variables into fuzzy variables,
(2) fuzzy variable readings that depend on the nature of the security risk attributes,
(3) input and output signals expressed as linguistic variables,
(4) nine linguistic variables, namely Threat, Likelihood, TOF, Vulnerability, TRF, Asset
value, Loss Expectancy, ARO and ALE, and
(5) a fuzzy membership value for each linguistic variable.

6.1.12 COMBINED RISK ASSESSMENT WITH MULTIPLE THREAT VECTORS

The proposed FES can be extended to input multiple threat scenarios and vulnerability
instances in a layered architecture, as shown in Fig. 59.

Fig. 59. Layered multiple instance architecture of Mamdani fuzzy system computation.

For a given multiple threat and vulnerability scenario, the Mamdani fuzzy system is
depicted in Fig. 59. The main characteristics of this model are:

• input instances are fuzzified,
• the inference engine computes the firing level of each rule from the information held in
the membership function database and the rule base,
• the fired rules are combined, and the combined output sets are defuzzified into a crisp
number, and
• if the sets are not combined, the centroids of their respective consequent fuzzy sets are
defuzzified into a crisp number [317].

6.2 LINGUISTIC INTERPRETATION OF SECURITY RISK ATTRIBUTES
6.2.1 ASSET IDENTIFICATION

The identification process involves verifying assets and their significance to the organisation
in a catastrophic event. In the context of cybersecurity, organisational assets include
information, IT equipment, people and corporate reputation. Assigning values to assets
includes:

• cost to acquire, develop, maintain and protect the asset,
• importance of assets to owners, users and adversaries,
• cost to replace the asset if lost in an attack,
• services or production affected as a result of asset loss, and
• liability or legal consequences if the asset is compromised.

6.2.2 THREAT AND VULNERABILITY IDENTIFICATION

Threat agents can exploit different types of vulnerabilities. In any information system, for
example, malware can exploit the weak security posture of an organisation. The security
risk assessor can use statistics, the cyber-security CBoK or mind maps to populate a
threat–vulnerability matrix and understand the threat vectors in line with the
organisation's information architecture.

6.2.3 PROBABILITY OR THE LIKELIHOOD OF OCCURRENCE

A security expert can make intelligent decisions on the likelihood of a threat exploiting a
vulnerability (Table 23) and its consequences (Table 24). These values could be derived
from statistics, preferably from Common Vulnerabilities and Exposures[318] or National
Vulnerability Database (NVD) [319].

Table 23. Descriptors of Likelihood of Occurrence for Threats

Likelihood descriptor   Matrix reading   Description
Almost certain          Very High        Event occurs more frequently than hourly
Very Likely             High             Event occurs between hourly and daily
Likely                  Medium           Event occurs between daily and yearly
Possible                Low              Event occurs between yearly and five yearly
Unlikely                Very Low         Event occurs between 5 yearly and 50 years

Table 24. Descriptors of the consequence of the realisation of threats

Category: Catastrophic
  Effect on air passengers, crew and others: Multiple fatalities owing to an air crash with
  another flight (or controlled aircraft to terrain).
  Overall system effect: Incapability to deliver any service for a more extended period.

Category: Major
  Effect on air passengers, crew and others: Significant lessening in the safety boundaries;
  grave or fatal injury to a lesser number of people; severe physical distress to aircrew.
  Overall system effect: Incapability to deliver multiple capacities of service (including
  emergency actions) within multiple airspace sectors for a substantial period.

Category: Moderate
  Effect on air passengers, crew and others: Safety boundary reduction; major injury or
  illness; physical suffering to the public or occupants.
  Overall system effect: The regular service provision capability is severely diminished
  within multiple airspace sectors for a substantial period.

Category: Minor
  Effect on air passengers, crew and others: A subtle decrease in the safety boundaries;
  minor illness; some physical discomfort to occupants.
  Overall system effect: The regular service provision capability is degraded within (one or)
  multiple airspace sectors.

Category: Insignificant
  Effect on air passengers, crew and others: Potential for some inconvenience.
  Overall system effect: The capacity to deliver regular operations is not affected, but
  continuous monitoring and reviewing are necessary.

6.3 MATLAB MODELLING AND SIMULATION

The simulation is performed assuming the threat and likelihood conditions stated in
Table 23 and Table 24.

The cybersecurity risk assessment (Table 25) involves the assessment of the following:

Threat level: all threats with a realistic opportunity of occurrence.

The likelihood or probability of occurrence: requires research, statistics and expert
knowledge to attain the best guesses.

Table 25. Threat level–Likelihood matrix for Threat Occurrence Factor (TOF)

                      Likelihood
Threat level          1 Very Low   2 Low   3 Medium   4 High   5 Very High
5 Very High           MH           MH      MH         H        H
4 High                M            M       MH         MH       H
3 Moderate            M            M       M          MH       MH
2 Low                 L            L       L          M        MH
1 Negligible          L            L       L          M        MH

Threat Occurrence Factor (TOF): the potential likelihood of realisation of a specific
threat.

The use of ‘if-then’ rules by the inference engine

Fig. 60. The use of If-Then-Else rules for the Threat level–Likelihood matrix of Threat
Occurrence Factor (TOF).

The If-Then rule reads as:
IF (ThreatLevel is High) AND (Likelihood is Medium) THEN (ThreatOccurrenceFactor (TOF) is
Medium-High).

Under this rule, the membership functions (MFs) can be represented in the Threat level–
Likelihood matrix, as shown in Fig. 60, Fig. 61, Fig. 62 and Fig. 63.
Fig. 61. Matrix interpretation of the fuzzy rule.

Fig. 62. MATLAB graphical modelling for Threat Occurrence Factor (TOF) with the variation
of threat level and likelihood of occurrence parameters (Fuzzy Logic System 1, Mamdani:
inputs Threat level and Likelihood of Occurrence; output Threat Occurrence Factor (ToF)).

Fig. 63. MATLAB graphical modelling of ToF with threat and likelihood variation.

Vulnerability Identification: identifying weaknesses or gaps in security control, ranked by
severity or criticality of consequence.

Threat realisation factor (TRF): the potential likelihood that a specific threat is
being realised. The TRF is a subjective value based on the vulnerability level of
the systems in operation. The vulnerability level is typically determined after
performing a penetration test by an ethical hacker or cybersecurity professional
and is depicted in Table 26, Table 27, Fig. 64, and Fig. 65.

Table 26. Vulnerability assessment criteria

Vulnerability level   Criterion
L – Low               The system fully corresponds to strict security requirements;
                      properly managed patch update mechanism or the use of zero trust
                      architecture.
M – Medium            In general, the system corresponds to the necessary security
                      controls; the level of appropriate system administration
                      preparation is not enough.
H – High              The system does not meet the necessary security requirements;
                      no patch management process; no zero trust architecture.

Table 27. TOF–Vulnerability matrix for Threat Realization Factor (TRF)

                                   Vulnerability
Threat Occurrence Factor (ToF)     1 Low   2 Medium   3 High
5 Very High                        H       VH         VH
4 High                             M       H          VH
3 Medium                           L       M          H
2 Low                              VL      L          M
1 Very Low                         VL      VL         L

Fig. 64. MATLAB graphical modelling for defuzzification of ToF and vulnerability.

Fig. 65. MATLAB graphical modelling for threat realisation factor (with ToF and
vulnerability variation).

Loss expectancy (or impact analysis on assets): estimating the impact of specific threats
on specific assets (Table 28, Fig. 66 and Fig. 67).

Asset Value (AV): this quantitative figure includes system, people and reputation; for
example, the cost of the aircraft, insurance, possible damage to neighbouring properties,
compensation, fines and loss of reputation. Losses can be due to the unavailability or
unreachability of data assets caused by connection loss, theft, alteration, deletion or a
DoS attack. This information is then used to calculate the various cost components
required to enforce safeguards. For example, the asset value predominantly depends on
how much it takes to replace the original system and restore operations. When it comes
to a system that directly affects humans, for example an aircraft with passengers, the
asset value becomes very high because the cost of replacing a human being cannot be
determined.

Table 28. TRF – Asset value matrix for Loss Expectancy (LE)

                                  Asset Value
Threat Realization Factor (TRF)   Insignificant   Minor         Moderate    Major     Catastrophic
                                  <$100K          $100K–$250K   $250K–$1M   $1M–$5M   >$5M
5                                 M               H             VH          VH        VH
4                                 L               M             H           VH        VH
3                                 VL              L             M           H         VH
2                                 VL              VL            L           M         H
1                                 VL              VL            VL          L         M

Fig. 66. MATLAB graphical modelling for defuzzification of TRF and asset value.

Fig. 67. MATLAB graphical modelling for Loss Expectancy (with TRF and asset value
variation).

The annualised rate of occurrence (ARO): this is an estimate of how often a specified
threat will be successful in exploiting a vulnerability on a system by an attacker over
12 months (Table 29, Fig. 68 and Fig. 69).

Table 29. Loss expectancy – ARO matrix for Annualized Loss Expectancy

                  Annual Rate of Occurrence (ARO)
Loss Expectancy   1    2    4    8    >8
5                 M    H    VH   VH   VH
4                 L    M    H    VH   VH
3                 VL   L    M    H    VH
2                 VL   VL   L    M    H
1                 VL   VL   VL   L    M

Annualised loss expectancy (ALE): this is the product of the yearly estimate for the
exploit and the loss in value of the asset after a loss.

Fig. 68. MATLAB graphical modelling for defuzzification of Loss Expectancy and ARO.

The calculation of ALE reads as follows:

ALE = SLE × ARO

where SLE is the single loss expectancy of one occurrence of the event. An essential
feature of the ALE is that it can be used to perform a cost-benefit analysis.

Fig. 69. MATLAB graphical modelling for Annualised Loss Expectancy with Loss
Expectancy and ARO.

6.3.1 TEST SCENARIO

The fuzzy expert system is tested to calculate an aircraft's annualised loss expectancy
(ALE) due to a cyber-attack on a flight planning server (Fig. 70).

6.3.2 THE CONTEXT

The flight planning system of the flight operations department of an airport is exposed to
a cyber-attack, and the attackers manage to inject remote code that changes the time
parameters of a flight. The flight operations centres are directly networked with the
ANSPs, and the erroneous flight plan is disseminated to all the stakeholders, including
the ATM system and airport operations.

As a result, the flight is delayed, no gate in the terminal is allocated for the scheduled
time, and the ‘departure flight route time slot’ is allocated to another aircraft.
Consequently, the aircraft is further delayed by 14 hours, and this situation leads to:

• no line maintenance crew being assigned to the aircraft,
• the aircraft being diverted to another airport since it arrived late (within the curfew
time of the airport), and
• the flight crew exceeding the flight duty period (FDP).

The costs incurred are:

• the airline having to organise accommodation for transiting passengers,
• uncommitted crew overtime payment,
• loss of reputation, and
• other flight operation expenses.

Fig. 70. The proposed risk assessment criteria modelled in the Fuzzy Logic toolbox of
MATLAB Simulink.

6.3.3 RESULT

As shown in Fig. 70, with the defuzzified Asset Loss (Fuzzy Logic Controller 3), an
organisation can determine the maximum monetary value that can be invested to
mitigate the identified risks in this scenario (Table 30).

Table 30. Test data input for the cyber-attack scenario for simulation

Attribute                        Linguistic assessment   Matrix reading   Fuzzy input
Threat level                     High                    4                82
Likelihood                       Medium                  3                65
Vulnerability                    High                    3                77
Asset value                      <100K                   1                10
The annual rate of occurrence    Very low                1                8

The investment in the risk mitigation strategy should not be higher than the asset loss.

Fuzzy Logic Subsystem 4 (controller 4) expresses the cost of the asset loss divided by its
life span and thereby provides insight into the annual budgetary allocation.

Finally, organisations can compare the cost of the system with the cost of the mitigation
strategy and make sensible adjustments to their choice of countermeasures and the
cost of those countermeasures.
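As an added example (not part of the thesis or of its MATLAB Simulink model), the following Python implements the four-stage Mamdani cascade of Fig. 58, firing every cell of Tables 25, 27, 28 and 29 as an AND rule and defuzzifying with both the centroid (Eq. 6.1) and the weighted average (Eq. 6.2/6.3); it runs the Table 30 inputs and, going beyond that single case, the high loss expectancy and high ARO variation discussed for the rule viewer figures. The common 0–100 scale, the triangular membership functions and the output centres are assumptions made here, so the crisp values land in the same region as, but not on, the toolbox figures.

```python
"""Four-stage hierarchical Mamdani risk assessment in plain Python (added example).

Cascade (Fig. 58):  Threat x Likelihood -> ToF (Table 25)
                    ToF x Vulnerability -> TRF (Table 27)
                    TRF x Asset value   -> LE  (Table 28)
                    LE  x ARO           -> ALE (Table 29)
Assumptions made here (not in the thesis): every variable lives on a 0..100 scale,
input levels are evenly spaced triangles, and output labels are triangles of
half-width 25 at the centres in OUT_CENTRE.
"""

# Risk matrices copied from the thesis tables; row i = first input level i+1
# (lowest first), column j = second input level j+1.
TABLE_25 = [                      # Threat level (rows) x Likelihood (cols) -> ToF
    ["L", "L", "L", "M", "MH"],   # 1 Negligible
    ["L", "L", "L", "M", "MH"],   # 2 Low
    ["M", "M", "M", "MH", "MH"],  # 3 Moderate
    ["M", "M", "MH", "MH", "H"],  # 4 High
    ["MH", "MH", "MH", "H", "H"], # 5 Very High
]
TABLE_27 = [                      # ToF (rows) x Vulnerability Low/Medium/High -> TRF
    ["VL", "VL", "L"],
    ["VL", "L", "M"],
    ["L", "M", "H"],
    ["M", "H", "VH"],
    ["H", "VH", "VH"],
]
TABLE_28 = [                      # TRF (rows) x Asset value (cols) -> LE
    ["VL", "VL", "VL", "L", "M"],
    ["VL", "VL", "L", "M", "H"],
    ["VL", "L", "M", "H", "VH"],
    ["L", "M", "H", "VH", "VH"],
    ["M", "H", "VH", "VH", "VH"],
]
TABLE_29 = TABLE_28               # LE (rows) x ARO (cols) -> ALE: same pattern as Table 28

UNIVERSE = range(0, 101)          # discretised 0..100 scale for the centroid integral
OUT_CENTRE = {"VL": 0.0, "L": 25.0, "M": 50.0, "MH": 62.5, "H": 75.0, "VH": 100.0}
OUT_WIDTH = 25.0                  # half-width of every output triangle (assumed)


def tri(x, centre, half_width):
    """Triangular membership degree of x in a label centred at `centre`."""
    return max(0.0, 1.0 - abs(x - centre) / half_width)


def fuzzify(x, n_levels):
    """Membership of crisp x in n evenly spaced triangular input levels on 0..100."""
    x = min(100.0, max(0.0, x))
    step = 100.0 / (n_levels - 1)
    return [tri(x, i * step, step) for i in range(n_levels)]


def infer(matrix, x, y):
    """Fire every cell of a risk matrix as the AND rule of Section 6.1.7.

    Rule strength = min(mu_row(x), mu_col(y)); rules sharing a consequent label
    are combined with max, giving the firing level of each output label.
    """
    mu_x, mu_y = fuzzify(x, len(matrix)), fuzzify(y, len(matrix[0]))
    level = {}
    for i, row in enumerate(matrix):
        for j, label in enumerate(row):
            strength = min(mu_x[i], mu_y[j])
            if strength > 0.0:
                level[label] = max(level.get(label, 0.0), strength)
    return level


def centroid(level):
    """Eq. 6.1: centre of gravity of the max-aggregated, min-clipped output set."""
    aggregated = [max((min(h, tri(u, OUT_CENTRE[lbl], OUT_WIDTH))
                       for lbl, h in level.items()), default=0.0) for u in UNIVERSE]
    area = sum(aggregated)
    return sum(mu * u for mu, u in zip(aggregated, UNIVERSE)) / area if area else 0.0


def weighted_average(level):
    """Eq. 6.2/6.3: each symmetric output label weighted by its maximum firing level."""
    total = sum(level.values())
    return sum(h * OUT_CENTRE[lbl] for lbl, h in level.items()) / total if total else 0.0


def stage(matrix, x, y, defuzz=centroid):
    """One fuzzy logic subsystem: two crisp inputs -> one crisp output."""
    return defuzz(infer(matrix, x, y))


def assess(threat, likelihood, vulnerability, asset_value, aro, defuzz=centroid):
    """Run the cascade of Fig. 58 and return every intermediate crisp value."""
    tof = stage(TABLE_25, threat, likelihood, defuzz)
    trf = stage(TABLE_27, tof, vulnerability, defuzz)
    le = stage(TABLE_28, trf, asset_value, defuzz)
    ale = stage(TABLE_29, le, aro, defuzz)
    return {"ToF": tof, "TRF": trf, "LE": le, "ALE": ale}


if __name__ == "__main__":
    # Crisp inputs of Table 30: threat 82, likelihood 65, vulnerability 77, asset 10, ARO 8.
    for name, value in assess(82, 65, 77, 10, 8).items():
        print(f"{name:>3}: {value:6.1f}")
    # Both loss expectancy and ARO at 75, the situation of the last rule viewer figure.
    print("ALE(LE=75, ARO=75):", round(stage(TABLE_29, 75, 75), 1))
```

Swapping `defuzz=weighted_average` into `assess` reproduces the Eq. 6.3 variant, which only needs each label's centre and firing level rather than the discretised output set.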

The main objective is to develop a comprehensive list of risks associated with recorded
mishaps and unforeseen events that could conceivably occur. An across-the-board review
allows full deliberation of the possible effects of risk on an organisation and facilitates
proper risk management.

Fig. 71. The aggregated output of the Mamdani fuzzy model for ALE on the MATLAB
Rule Viewer with LE=23.5 and ARO=8.

As depicted in Fig. 71, the annualised loss expectancy (ALE) is 10, or 10%. This is
predominantly because of the low loss expectancy (23.5) and the low annual rate of
occurrence (8) of the particular security event.

Fig. 72. The aggregated output of the Mamdani fuzzy model for ALE on the MATLAB
Rule Viewer with LE=75 and ARO=8.

As also seen in Fig. 72, the value ALE=30.8 means that the annual loss expectancy is
30.8%, with an asset loss expectancy of 75 and an annual rate of occurrence of 8
(unchanged from the previous state) according to the risk matrix. The increase in the
loss expectancy by 300% (23.5 → 75) produces an increase of the ALE by 300% (10 → 30.8).

Fig. 73. The aggregated output of the Mamdani fuzzy model for ALE on the MATLAB
Rule Viewer with LE=23.5 and ARO=75.

According to Fig. 73, the value of ALE reads as 50, meaning that the annual loss
expectancy is 50%. The asset loss expectancy and the annual rate of occurrence read as
23.5 and 75, respectively. As per the risk matrix, an increase in ARO by 935% (8 → 75)
demonstrates an increase of ALE by 500% (10 → 50).

Fig. 74. The aggregated output of the Mamdani fuzzy model for ALE on the MATLAB
Rule Viewer with LE=75 and ARO=75.

As shown in Fig. 74, ALE=90 means that the annual loss expectancy is 90%. Both the loss
expectancy and the annual rate of occurrence read as 75. As per the risk matrix, an
increase of the ARO by 93% (8 → 75) and an increase in loss expectancy by 310% (23.5 →
75) increase the ALE by 900% (10 → 90). In risk analysis, uncertainty is presented as a
percentage, and a 37% confidence level means it has a 63% uncertainty. An
organisation's risk analysis team should have defined the assessment's objectives, and the
following items are generally made available before the above analysis:

• monetary values assigned to each information asset,
• a comprehensive list of all unforeseen and significant threats identified during a
brainstorming session or through the development of a mind map (Fig. 44),
• the probability of occurrence of each threat (item 2),
• the asset loss potential that the organisation could sustain per threat on an annual
basis, and
• the recommended controls that need to be enforced based on the ALE.

There is usually considerable detail under each item, and the final report will include
possible monetary losses and necessary cost components to mitigate the outlined risks. The
report should be as descriptive as possible with an executive synopsis so that the senior
management can quickly grasp the overall gravity of the risk analysis.

Risk is treated in many ways, and controls are applied to mitigate the negative
after-effects. Moreover, the principal security risk parameters used in the research are
set out as follows:

Risk treatments

• Risk avoidance – cease the business activity because the organisation does not want to
accept the risk,
• Risk transfer – hand the risk to another entity (or insure the asset with a secondary
organisation; an insurance policy, for example),
• Risk acceptance – live with it and pay the cost of the loss, and
• Risk mitigation – lessen the effects of the risk by employing control measures.

Possible security controls that can be employed:

• Primary control: the primary cost of control (should be less than the value of the
asset),
• Preventative controls: these prevent unauthorised actions from happening by
employing least-privilege techniques, Intrusion Prevention Systems (IPS), firewalls,
security patches and data encryption techniques,
• Detective controls: measures that detect during or after an attack by employing
Intrusion Detection Systems (IDS), anti-virus/anti-malware, CCTV and alarms,
• Corrective controls: these modify the environment after an incident to return it to the
normal operational condition, for example by deploying anti-virus or anti-malware
software,
• Recovery controls: this type of control helps to recover after an attack using data
backup/restore methods,
• Deterrent controls: these deter an attack by deploying fences, security guards, lights
and warning signs, and
• Compensating controls: measures used as alternatives to the recommended controls;
an offline replicated system used for testing, for example.

Chapter 7: Discussion

This chapter aims to establish whether the research questions were answered and met their
objectives.

The motivation for this research was driven by the need to improve security risk analysis
and by the lack of a cybersecurity framework dedicated to aviation systems when it comes
to complex, globally networked mobile entities (aircraft). Many industry stakeholders have
had, and continue to have, a deficiency in risk comprehension, and the recently reported
exploits are strong evidence of this. However, it is evident that more than 80% of cyber
incidents are not publicly reported owing to the negative impact on public perception of
aviation business operations. Most organisations address these issues locally with the help
of the original software developers and system manufacturers. This non-reporting of
cybersecurity incidents has contributed to zero-day vulnerabilities in many operational
systems. Most state and national lawmakers have passed acts making the reporting of
critical infrastructure breaches to their governing bodies mandatory; Australia, the US and
the EU, for example. However, this information is unavailable to the general public or to
research activities due to its sensitivity.

7.1 THE IMPLEMENTATION OF THE FRAMEWORK


The research aimed to investigate the inherent cybersecurity risks associated with the five
major aviation system domains and to develop a universally employable framework that is
agile, scalable and adaptive. However, the study was predominantly restricted to the
significant cases, namely aircraft (avionics), ANSPs (air traffic management and air
navigation services) and airports.

This thesis examined the critical components of cybersecurity information and operational
technologies and systems within the realm of 3PEs architectures used by various entities in
the global aviation industry.

Successful employment of a security framework relies on a greater return on investment,
flexible infrastructure design, and safety assurance through the appropriate
implementation of security controls.

The introduction of new technology, cloud-based services deployment, integration and
collaboration cannot depend on conventional processes and procedures. Against this
backdrop, the research has made a significant contribution to knowledge in the following
areas:

• Investigate aviation systems operations and identify possible methods of security
exploitation in line with modernisation programs, to discover risk mitigation strategies.

• The airport's legacy landing and navigation systems cannot be replaced by new
technology due to economic constraints, vulnerable interfaces and their cybersecurity
impact.

• Develop a framework for addressing cybersecurity risks.

• Research and present methods to improve decision-making and rank the severity of
the impact and security risk attributes.

A security framework is predominantly driven by many factors, such as:

• the organisation's business model and requirements,
• state legal and regulatory compliance,
• international obligations and directives (signatory to UN agencies such as ICAO),
• cost-benefit factors,
• organisation purpose and objective,
• stakeholder and shareholder viewpoint,
• available technology and its change,
• term planning horizon (operational, tactical and strategic),
• complexity and scale of engineering systems and project capacity,
• level of abstraction or acquaintance, and
• the end-user expectation of user-friendliness.

Developing a framework that can be implemented universally for enforcing security
controls to protect multitudes of engineering systems is an uphill task. It is unlikely to meet
multiple entities' varied needs and expectations from an organisation's point of view.

The circumstances become even more complicated when they are globally distributed
and mobile (aircraft) in nature. Since many stakeholders are in multiple geographic time
zones and are from diverse cultural backgrounds, they sometimes have conflicting
interests, and it would become an enormously difficult task to present such a framework.

The proposed framework should allow for a continuous process and must be updated or
refined when required. The summary of the intelligence collection (Section 3.3) and lessons
learnt reveals that most industry practitioners, line managers and even IT personnel are not
fully aware of the security vulnerabilities of the systems. Instead, their main focus is
improving enterprise performance, service quality and problem management. The
intelligence analysis indicates security threats associated with IT personnel's poor security
practices, which lead to the dissemination of malware, phishing and data leakage through
the use of personal USB drives to configure systems and download event logs.

It has also been able to ascertain that some of these technical security threats occur due
to individuals' specialised knowledge of cybersecurity issues and their impact on one
specific industry area. This situation suggests a lack of adequate awareness and
comprehension amongst employees on the severity and vulnerability of using unsecured
devices and methods in the work environment, which eventually opens avenues for
attacks.

It can be concluded that some security threats are peculiar to a single domain, whilst some
threats are linked to multiple domains. Besides, some threats are associated with all the
underlined domains; hence a threat classification process is required to understand their
influence on system operation and possible impact.

The proposed framework uses Matlab modelling to simulate all the above threat scenarios
and assign quantitative figures based on threat, the likelihood of happening, vulnerability
level, Asset value and the annual rate of occurrence (0).

7.2 RESEARCH OUTCOME ADDRESSING RESEARCH QUESTION 1

Firstly, this question is answered by collecting intelligence in all five domains: Aircraft, ATM,
Airport, SWIM and Navigation-aids. The intelligence collection involves referring to system
documents (installation and maintenance manuals), training notes, fault logs, site visits and
published papers. Secondly, the author's thirty years of experience in three domains (ATM,
Airport and Navigational-aids) has contributed significantly to the in-depth analysis of
cybersecurity issues.

Each system was studied for possible vulnerabilities in various contexts, such as Application
Programming Interfaces (API), data at rest, data in use and data in transit. In addition,
inter-system interactions, Identity and Access Management (IAM), and control and
monitoring (C&M) circuits over unencrypted communication media were studied to
investigate possible attack vectors.

All the identified attack scenarios, possible data breaches and negative consequences are
listed under each domain, considering their operational aspects, in Section 3.3.

7.3 RESEARCH OUTCOME ADDRESSING RESEARCH QUESTION 2

The IT automation and modernisation programs involve leveraging state-of-the-art
technology to improve services and safety. The SWIM, A-CDM, cloud migration of legacy
technology and heavy use of IoT have contributed to this enhancement. Implementing
such core technology concepts has enabled service providers to deliver quality
information to the right aviation stakeholder at the right time.

Global interoperability and standardisation are essential features of these technologies
using IP network connectivity, including mobile network elements such as aircraft.

After a deep insight into the system operations, the investigated security threats and
vulnerabilities are listed in the corresponding sections, namely, domain 3 and domain 4. In
addition, the safety impact and possible service disruptions causing financial mishaps to
the aviation industry are also discussed under the respective headings.

7.4 RESEARCH OUTCOME ADDRESSING RESEARCH QUESTION 3

The security framework developed and proposed in this thesis is discussed
comprehensively in Section 5.7 and Fig. 43. The investigated security threats and
vulnerability scenarios are harmonised and interspersed with the framework to verify its
appropriateness and effectiveness in addressing the issues. Any framework proposed in
the subject matter needs to be pragmatic and straightforward when implemented in a
corporate environment.

Against this backdrop, the aviation players and systems that play a significant role in
operational effectiveness are analysed and evaluated. Information security governance
principles guide the culture of an organisation through the specific actions the
organisation takes.

The organisation's leadership implements the components of the security framework, such
as policies and technical security measures, which employees adhere to and which
become their security culture. Organisations can achieve such a high level of success only
by implementing all the required information security components outlined in the
framework.

Another critical component of the framework, Information Security Management (ISM),
was presented to manage security threats on 24 fronts. These individual elements are put
in the order of their practical implementation and grouped into important cybersecurity
attributes in managing information security. When enabling these activities, various
managerial activities, roles, systems operational analysis, and organisational behaviour
from similar industry partners should be observed and tailored to the organisation's business
requirements.

Security operations centre (SOC), security training and audit are areas many
organisations overlook, and they need to become integral components of the framework.
Thus, this research makes a novel contribution by reasoning that a more framework-based
approach to information security is needed. The thesis also suggests how organisations'
leadership can play an influential role in information security. This research also extends to
various new avenues for further study.

7.5 RESEARCH OUTCOME ADDRESSING RESEARCH QUESTION 4

The fuzzy expert system (FES), based on fuzzy logic theory (FLT), is employed to model
threats and to resolve uncertainties, as explained in Chapter 6.

The technique is efficient and popular among researchers in solving complex and
ambiguous problems characterised by the uncertainty of the environment and the
fuzziness of information.

The fuzzy expert system, in this research, consists of four main functional blocks and is
described in its use to defuzzify the defined risk attributes in the subsequent sections. The
aggregate outcome of the FES provides a value that can be used to make a quantified
judgement for the risk assessment process.

7.6 RESEARCH OUTCOME ADDRESSING RESEARCH QUESTION 5

Various attributes of risk parameters and multiple methodologies employed to improve the
accuracy and consistency of security attributes have been studied in addressing this issue.
The analytic hierarchy process (AHP) is chosen and adapted to prioritise essential
components or characteristics of decisions that are difficult to quantify or compare under
normal conditions. The literature review further established that the process result is
significantly accurate and consistent when the skill and proficiency of the team members
are hindered by their unique specialisations, interpretations, or perspectives.

The input values are fed from actual cybersecurity threats scenarios (such as Injection and
DoS) or the criticality level of the systems in use. In order to demonstrate the technique,
several comparisons have been performed depending on the number of attributes. Eight
attack types (Injection, DoS, Misconfiguration, Remote code execution, Intrusion or
Hacking, Spoofing, Broken Authentication, and XSS) have been chosen for analysis, and
there are 28 comparisons to be performed.

The use of AHP and its application in the study context is described in Section 5.13.

The quantitative risk attributes, namely threats, the occurrence likelihood, system vulnerabilities, asset value and occurrence rates, significantly impact the investment an organisation should make to mitigate any possible breach. It is always a challenging task for a security assessor to make a call in choosing appropriate mitigating measures owing to the economic factors involved with the selected controls. Based on the business model, competitive advantage and operational cost, it was evident that senior management frowned upon huge cost implications resulting from security measures. The proposed framework provides a valuable tool for the security architect to perform a risk assessment based on the proposed methods, giving them a specific numeric figure related to each risk and its financial implication.

Implementing appropriate and cost-effective risk mitigation measures based on the annual loss expectancy (ALE) will benefit any organisation. In the case of the aerospace and aviation industry, this is critical as the extra cost of implementing additional security control has to pass on to the airline passengers.

In the industry, the cost of aircraft design, building, maintenance, training, security and safety will all be added to the air ticket. In a world of lowering operational costs (to attract more passengers), the most convenient way is to reduce security budget expenses. Implementing the proposed framework would encourage all aviation and aerospace engineering stakeholders to reduce operational costs by managing only the high-ALE assets. Besides, the cost of protection and the effectiveness of the mitigation strategy are the highlights of the proposed framework. The above quantifiable security risk attributes are available within any organisation or can be calculated with a risk assessment process. It is a matter of entering the attributes into the equations to determine overall and residual risks and, subsequently, the annual budget allocations for security controls.

The test results, through simulation, emphasised the fact that the early stage
implementation of security controls would enhance the return on investments (ROI) to the
business.
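As an added worked example (not the thesis's code), the following Python models the ALE-based budget decision described above: it computes overall and residual risk for a constructed DoS scenario against an ATM gateway, ranks candidate controls by return on security investment, and compares the cumulative five-year cost of introducing the chosen control from year one versus year three. It assumes the standard definitions SLE = asset value × exposure factor and ALE = SLE × ARO; the thesis's own equations (Chapter 5) are not reproduced, and all figures and control names are constructed.

```python
"""Cost-benefit of security controls from annual loss expectancy (ALE).

Added worked example, not the thesis's own code or equations. It assumes
the standard definitions SLE = asset value x exposure factor and
ALE = SLE x annual rate of occurrence; the thesis's own risk equations are
in Chapter 5 and are not reproduced here. All figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One threat against one asset, carrying the quantitative attributes
    named in Section 7.6 (asset value, occurrence rate, and vulnerability
    expressed as the exposure factor)."""
    asset: str
    threat: str
    asset_value: float       # impact/replacement value, in currency units
    exposure_factor: float   # fraction of asset value lost per incident (0..1)
    aro: float               # annual rate of occurrence (incidents per year)

    def sle(self):
        """Single loss expectancy."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Overall (unmitigated) annual loss expectancy."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A mitigation measure with its annual cost and how far it reduces the
    occurrence rate and/or the exposure of the risk it is applied to."""
    name: str
    annual_cost: float
    aro_reduction: float = 0.0   # fraction by which ARO falls (0..1)
    ef_reduction: float = 0.0    # fraction by which exposure factor falls (0..1)


def residual_ale(risk, control):
    """Residual risk: ALE remaining once the control is in place."""
    return (risk.asset_value * risk.exposure_factor * (1 - control.ef_reduction)
            * risk.aro * (1 - control.aro_reduction))


def rosi(risk, control):
    """Return on security investment: (ALE saved - control cost) / control cost."""
    saved = risk.ale() - residual_ale(risk, control)
    return (saved - control.annual_cost) / control.annual_cost


def budget_allocation(risk, candidates):
    """Pick the control with the best ROSI, but only if it pays for itself;
    otherwise accept the risk (return None = no control funded)."""
    viable = [(rosi(risk, c), c) for c in candidates if rosi(risk, c) > 0]
    if not viable:
        return None
    return max(viable, key=lambda t: t[0])[1]


def cumulative_loss(risk, control, years, start_year):
    """Expected loss plus control cost over `years`, when the control is
    introduced in `start_year` (1 = from the outset). Shows why early
    implementation improves return on investment."""
    total = 0.0
    for year in range(1, years + 1):
        if year >= start_year:
            total += residual_ale(risk, control) + control.annual_cost
        else:
            total += risk.ale()
    return total


# Constructed scenario: a DoS threat against an ATM data gateway.
GATEWAY_DOS = Risk("ATM data gateway", "DoS", asset_value=2_000_000,
                   exposure_factor=0.25, aro=0.4)
CANDIDATES = [
    Control("upstream DDoS scrubbing", annual_cost=60_000, aro_reduction=0.9),
    Control("redundant gateway path", annual_cost=150_000, ef_reduction=0.8),
    Control("gold-plated appliance", annual_cost=400_000, aro_reduction=0.95),
]

if __name__ == "__main__":
    print(f"ALE before controls: {GATEWAY_DOS.ale():,.0f}")
    for c in CANDIDATES:
        print(f"{c.name:26s} residual ALE {residual_ale(GATEWAY_DOS, c):>8,.0f} "
              f"ROSI {rosi(GATEWAY_DOS, c):+.2f}")
    chosen = budget_allocation(GATEWAY_DOS, CANDIDATES)
    print("recommended control:", chosen.name)
    for start in (1, 3):
        print(f"5-year cost if the control starts in year {start}: "
              f"{cumulative_loss(GATEWAY_DOS, chosen, 5, start):,.0f}")
```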

However, the qualitative assessment process is more opinion-based and uses various rating indicators to interpret attributes, which would not yield a good result for the implementation of the framework or any financial benefit to the organisation. Also, gathering all the necessary information that needs to be entered into the risk analysis process and accurately interpreting the results may sometimes be an overwhelming task. One way to address this issue is to develop an automated risk analysis tool that can make this task much more manageable and provide business owners with an approximate cost of implementing security controls.

However, the security risk dynamics and dependencies change in quick succession, which
would influence the above-highlighted security risk attributes and lead to a change in the
ALE either in a positive or negative direction. Therefore it is necessary to review the numeric
figures and make new assessments as part of security management.

7.7 EVALUATION OF THE PROPOSED SECURITY FRAMEWORK AGAINST SPECIFIC CRITERIA

A proposed security framework would be evaluated against specific criteria to determine its effectiveness and suitability for an organisation. Some standard criteria used to assess security frameworks include:

• Effectiveness: Evaluate the framework's ability to prevent, detect, and respond to security threats and incidents. This evaluation includes considering the capabilities of the framework's security controls and the level of protection they provide.

• Efficiency: Evaluate the framework's ability to deliver security services cost-effectively. The evaluation includes considering the total cost of ownership of the framework, including hardware, software, personnel, and training costs.

• Scalability: Evaluate the framework's ability to accommodate future growth and change in the organisation. The assessment includes considering the framework's ability to integrate new technologies and accommodate changes in the security landscape.

• Compliance: Evaluate the framework's ability to comply with relevant regulations, standards, and best practices related to security and privacy.

• Usability: Evaluate the framework's ease of use for personnel and its ability to integrate seamlessly with existing systems and processes.

• Flexibility: Evaluate the framework's ability to adapt to changing requirements and security threats. This process includes considering the framework's ability to integrate new technologies and security controls as needed.

These criteria can be used to evaluate a proposed security framework against an organisation's specific needs and requirements. By considering these criteria, organisations can make informed decisions about the best security framework suited to their needs and determine the most effective way to implement and operate the framework to achieve the desired security outcomes.

7.8 IMPLEMENTATION OF PROPOSED SECURITY FRAMEWORK

Implementing a proposed security framework involves several steps, including:

• Assessment: Evaluate the organisation's current security posture and determine how well it aligns with the proposed framework. This evaluation will help identify gaps that must be addressed during the implementation process.

• Planning: Develop a detailed plan for implementing the framework, including defining the project's scope, identifying resources and personnel needed, and establishing a timeline.

• Deployment: Roll out the security framework to the organisation. The deployment may involve installing new technology, modifying existing systems, and training personnel on using new security tools and procedures.

• Monitoring and Maintenance: Continuously monitor the effectiveness of the security framework and make modifications as needed to address emerging threats and vulnerabilities.

• Compliance: Ensure that the organisation complies with all relevant regulations, standards, and best practices related to security and privacy.

Once the security framework has been implemented, it must be operated effectively to
ensure that it continues to provide adequate protection for the organisation. The process
involves ongoing maintenance and monitoring of security systems, as well as regularly
updating policies and procedures to stay current with emerging threats and evolving
best practices. Effective security framework operation also requires regular training and
education for personnel to ensure that everyone is familiar with the framework and knows
how to use it effectively.

7.9 OPERATION OF PROPOSED SECURITY FRAMEWORK

Operating a new security framework involves several ongoing tasks and responsibilities to
ensure that the framework remains effective in protecting the organization. These tasks
include:

• Monitoring and Maintenance: Continuously monitor the security environment to detect any threats or incidents and maintain the security controls and systems to ensure they remain operational and practical.

• Policy and Procedure Development: Regularly update policies and procedures to reflect changes in the security landscape and emerging threats. This process includes updating the framework's risk management and incident response procedures.

• Training and Awareness: Provide regular training and education to personnel to ensure that they are familiar with the security framework and understand how to use it effectively. This work includes regular training on security best practices and the use of security tools and systems.

• Compliance: Ensure that the organization complies with all relevant regulations, standards, and best practices related to security and privacy. The compliance activity includes regularly reviewing the framework's policies and procedures to ensure they are aligned with current regulations and standards.

• Risk Management: Continuously assess and manage security risks, including evaluating the effectiveness of the security controls and updating risk mitigation strategies as needed.

By performing these tasks regularly, organizations can ensure that their proposed security
framework is operated effectively and provides adequate protection against emerging
threats and vulnerabilities. It is essential to allocate sufficient resources to the operation of
the security framework to ensure that it is adequately maintained and continuously
improved over time.

7.10 USABILITY OF THE PROPOSED SECURITY FRAMEWORK

Measuring the ease of use of a new proposed security framework is not part of this
research. However, the process involves evaluating the framework's usability and its
impact on the organisation's day-to-day operations. Some ways to measure the ease of
use of a security framework include:
• User Surveys: Conduct surveys of personnel who use the framework to gather feedback on its ease of use. The surveys can include questions about the usability of the security controls and systems, the ease of performing tasks such as reporting incidents or managing risks, and overall satisfaction with the framework.

• User Testing: Conduct usability testing with a representative group of personnel to evaluate the ease of use of the framework and identify any areas for improvement. The practice can include testing the framework's user interface, the complexity of the security controls and systems, and the ease of performing tasks such as reporting incidents or managing risks.

• Adoption Metrics: Measure the adoption rate of the framework by personnel, including the number of personnel using the framework and the frequency with which it is used. This metric can provide a good indicator of the framework's ease of use and overall impact on the organisation.

• Help Desk Data: Analyse help desk data to identify common questions or issues using the framework. The help desk can provide valuable insights into areas where the framework could be improved to make it easier to use.

By using these methods, organisations can gather objective data on the ease of use of
their proposed security framework and make informed decisions about improving its
usability and overall impact on the organisation. The goal should be to ensure that the
framework is easy to use while also providing the level of security that the organisation
requires.

7.11 AUDITING AND COMPLIANCE

The cybersecurity audit, a best-practice policy that provides an internal and external security review, assures the organisation's investors, clients, and board that its security posture adheres to the industry-accepted framework. It detects vulnerabilities, manages the risks and threats that organisations face, and builds an understanding of the influence such risks exert across the information, operational, system, and physical domains.

An organisation may perform a gap analysis to help determine potential trouble areas to
focus on and compares its practices against the specified framework.

As a starting point, these types of reviews are performed initially by internal auditors or
security professionals with appropriate industry certifications such as CISSP, CISA, and
CCSP. The in-depth analyses are almost always done by external or third parties to assure
that the organisation is audited objectively without potential bias.
Some industry compliance standards (such as HIPAA or PCI) may require an outside entity
to perform such an analysis. The proposed aviation system-based framework needs a
similar industry standard with an endorsement from a regulated authority so that
independent auditors can objectively perform the task. The reasoning is that external
security advisors can often detect cracks that would not be evident to personnel working
in the area every day.

A gap analysis is performed against all business functions, across information security's strategic, tactical, and operational processes. Typical stages include documenting the need for such a review, acquiring administrative approval for the task, and defining the scope, objectives, and relevant frameworks.

A gap analysis report is developed post-audit review and outlines measurable deficiencies
based on severity. In all cases, the document is required to be signed off by the leadership,
and it will become a powerful tool in their efforts for industry standard compliance.

7.12 GLOBAL IMPLEMENTATION OF THE SECURITY FRAMEWORK

Implementing a new proposed security framework globally is challenging due to various geographical and political constraints. However, the following steps can be taken to implement some of the fundamental guiding principles:

• Research: Conduct thorough research on the proposed security framework, its strengths and weaknesses, and its compatibility with existing systems.

• Stakeholder Engagement: Engage with government organizations, security experts, and private sector organizations to gather their opinions and support.

• Policy Development: Develop policies and guidelines for implementing the security framework, taking into account the needs and requirements of different regions and industries.

• Training and Awareness: Provide training and awareness programs for the users and implementers of the security framework to ensure that they understand its objectives and can effectively use it.

• Implementation: Plan and execute the security framework implementation in a phased manner, starting with a pilot phase in selected regions or organizations.

• Monitoring and Evaluation: Continuously monitor and evaluate the effectiveness of the security framework and make adjustments as necessary to ensure that it remains relevant and meets the evolving needs of the organizations and users.

• Maintenance: Ensure the ongoing maintenance and support of the security framework to keep it up-to-date and effective.

It's important to note that implementing a security framework internationally is a complex and lengthy process that requires strong leadership, collaboration, and resources.

Chapter 8: Conclusion

8.1 MEETING THE RESEARCH OBJECTIVES

In order to meet the objectives specified, the author put significant effort into studying the
usage of systems engineering products, processes, people and environment (3PE) in the
context of aviation-related IT/OT and their interaction. As a part of this process, exploitable
cyber security vulnerabilities were investigated in the key domains: Aircraft, CNS/ATM and
Airport systems.

Cybersecurity threat hunting was performed as part of intelligence collection. The information on the Dark Web has been an excellent source for attacking methods and exploits that are potentially successful in compromising systems. Threat hunting has been a labour-intensive assignment for an analyst interpreting the context. A large portion of the thesis comprised intelligence collection (Section 3.3) and can be used as a body of knowledge by security professionals in the industry. Successfully exposing any of these vulnerabilities using penetration test techniques can yield new threat signatures for IPS and IDS solutions to protect aerospace systems.

In meeting one of the primary research objectives, the author devised effective risk assessment techniques to improve how risks are appropriately identified and determined an effective method to prioritise risks. The approach is mainly discussed, analysed and applied using test cases, as described in Chapter 5. This process involved security governance principles, testing and audit, risk classifications and attributes, and measuring and prioritising business risk. It also examined the external threat to aviation systems, how these threats impede operations, and the possible consequences of a cyber attack, and they are listed for future research.

The research also investigated various system security architecture frameworks that can
systematically improve the identification of risks and mitigate them effectively.

A further in-depth study has demonstrated why the standard (non-aviation related)
security framework does not fully address specific threats against current and potential
vulnerabilities in the aerospace industry and describes implications.

The identified deficiencies in the existing frameworks are described while proposing changes to minimise the impact of cyber incidents by reducing the uncertainty of cyber security risk attributes. For this purpose, a broad investigation of the literature was performed, ranking the severity of risk attributes based on their industry acceptance, with the aim of minimising impact by reducing uncertainty.

Section 5.7 presents the pragmatic industry-specific risk management framework for
aviation systems that could be employed and would enhance the security risk
management process. The section describes the application of the framework and
attributes of risk parameters and various methodologies that can be utilised to improve
security attributes.

8.2 CONTRIBUTION TO KNOWLEDGE

• A Systems Engineering Approach to Appraise Cybersecurity Risks Of CNS/ATM and Avionics Systems. 2019 Integrated Communications, Navigation and Surveillance Conference (ICNS), IEEE. [9-11 April 2019, Washington, USA] (Lanka Bogoda, John Mo, Cees Bil)

▪ https://ieeexplore.ieee.org/document/8735376

• A risk-oriented systems engineering approach addresses cyber security issues of civil aircraft, air traffic management and airport systems. AIAC18: 18th Australian International Aerospace Congress (2019) (Lanka Bogoda, John Mo, Cees Bil).

▪ https://search.informit.com.au/documentSummary;dn=319859289434848;res=IELENG

• Presentation

• “ATS Data Link - Future Use - A Case Study”. AIAC17: 17th Australian International Aerospace Congress - Tuesday 28 February - 2 March 2017

• Pending Journal paper

• Cyber Security of Air Traffic Management, Aircraft and Aviation Systems: A Systems Engineering Approach to Risk Assessment - Progress in Aerospace Sciences - Journal - Elsevier

This research investigated the underlying cybersecurity threats and system vulnerabilities of each of the five distinct aviation domains in the context of addressing the issues. In conjunction with the improvement of certainty and defuzzification of risk attributes, the proposed framework contributes to addressing the issue.

The proposed methodologies were presented as papers at various conferences and in journal articles. Besides, the framework implementation procedure was further strengthened by the following advocacies:

• Discussions with various academics, peers and industry representatives in aviation, especially from the information security discipline around the world,

• Field study in Australia and Sri Lanka

Security practitioners in the industry are primarily unfamiliar with using AHP and fuzzy logic theory and their application to embrace change and cope with the complex business environment to refine the quantitative attributes presented in the research. Therefore, the pragmatic and sensible approach for the best implementation of the theory is to incorporate them into a software-based application where practitioners feed in their inputs. It will also reduce time consumption and provide a quantitative figure which can be used to make a business decision.

Also, intelligence collection (Section 3.3) involves an in-depth study of the security vulnerabilities of various systems used in the aviation industry for aircraft communication, navigation, and surveillance.

These findings also corroborate the Single European Sky ATM Research (SESAR) and NextGen (US research program) and are essential to the body of knowledge.

This research implies that information security professionals and experts now have a new
method of achieving far more significant results by employing the outlined techniques. The
approach is ultimately to gain a higher return on investment for an organisation involved
in the aviation industry by addressing cybersecurity issues effectively.

8.3 CONTRIBUTIONS TO THE PRACTITIONERS

The proposed framework benefits aerospace and aviation systems security specialists in many facets, predominantly due to the following features:

• Aviation speciality and unbiased (vendor-agnostic approach to security assessment). A vendor-agnostic security framework can benefit aerospace and aviation systems in several ways:

1. Flexibility: A vendor-agnostic framework allows the use of different security solutions from different vendors, enabling the flexibility to choose the best solution for specific requirements.

2. Cost-effectiveness: Using a vendor-agnostic framework can help reduce costs by avoiding vendor lock-in, allowing organizations to choose the most cost-effective solution.

3. Independence: With a vendor-agnostic framework, organizations can avoid being dependent on a single vendor, reducing the risk of single points of failure.

4. Interoperability: A vendor-agnostic framework promotes interoperability between different security solutions, allowing them to work together seamlessly.

5. Best-of-breed security: A vendor-agnostic framework enables organizations to choose the best security solution for their specific requirements, rather than being limited to a single vendor's offerings.

• A security framework can benefit aerospace and aviation systems by fostering enduring security and risk management in several ways:

1. Consistency: A security framework provides a consistent and repeatable approach to securing systems and managing risk, reducing the likelihood of missed security controls and vulnerabilities.

2. Compliance: A security framework can help organizations meet regulatory and industry standards, ensuring compliance with security and risk management requirements.

3. Risk Assessment: A security framework provides a systematic approach to identifying, assessing and mitigating risks, reducing the overall risk to the organization.

4. Continuous improvement: A security framework promotes continuous improvement by providing a framework for reviewing and updating security controls on an ongoing basis.

5. Transparency: A security framework provides transparency into the security posture of systems, enabling organizations to make informed decisions about risk management.

• A security framework can benefit aerospace engineering supply chain security by catering for ripple effects in several ways:

1. Supply chain visibility: A security framework provides a structured approach to assess and manage the security risks posed by suppliers and other members of the supply chain.

2. Standardization: A security framework can provide a common set of security controls and standards, enabling all members of the supply chain to work to a consistent standard, reducing the risk of security gaps.

3. Risk management: A security framework provides a systematic approach to identifying, assessing, and mitigating risk across the entire supply chain, reducing the overall risk to the organization.

4. Contractual obligations: A security framework can be included as a contractual obligation for suppliers, ensuring that all members of the supply chain are held to the same security standards.

5. Continuous monitoring: A security framework provides a structure for continuous monitoring of the supply chain, allowing organizations to quickly respond to changes in risk.

• A security framework can benefit aerospace and aviation systems by addressing gaps among engineering, technical, and business operations in several ways:

1. Holistic approach: A security framework provides a holistic approach to security, ensuring that all aspects of the organization are covered, including engineering, technical, and business operations.

2. Collaboration: A security framework promotes collaboration between different parts of the organization, breaking down silos and encouraging cross-functional teams to work together to address security risks.

3. Communication: A security framework provides a common language and understanding of security, improving communication and reducing confusion and misunderstandings.

4. Alignment: A security framework aligns security and risk management activities with business objectives, ensuring that resources are focused on the areas that matter most.

5. Risk-based decision making: A security framework provides a structure for risk-based decision making, enabling organizations to prioritize their security efforts and allocate resources effectively.

• A security framework can benefit aerospace and aviation systems by its agile nature in several ways:

1. Adaptability: An agile security framework enables organizations to quickly adapt to changing security threats and business requirements.

2. Rapid response: An agile security framework provides a structure for rapid response to security incidents, reducing the impact of security breaches.

3. Continuous improvement: An agile security framework promotes continuous improvement by providing a framework for reviewing and updating security controls on an ongoing basis.

4. Iterative approach: An agile security framework provides an iterative approach to security, allowing organizations to make small changes and improvements to security controls on a regular basis.

5. Flexibility: An agile security framework provides flexibility, allowing organizations to adjust security controls and processes as needed, to meet changing requirements.

8.4 RESEARCH LIMITATIONS AND STUDY BOUNDARIES

Aerospace and aviation systems engineering encompasses a massive territory from the
airframe and powerplant to avionics. This research focuses explicitly on information
security. Security includes the physical security of all the information-carrying entities,
whether at rest or in motion. Even though security becomes an integral part of the systems
engineering process from the requirements gathering phase to retirement, the research
does not discuss systems of systems capability development, functional testing or
verifications. However, the security systems engineering process involves security
requirement analysis, verification and validation, and testing. The testing phase concerns
how the built system (or the system in operation) reacts to various cybersecurity attack
methods. The testing methods involve vulnerability scans, regression testing, and
penetration testing.

However, due to time constraints, the focus of this research has to be limited to ANSP-related domains, primarily in the system development and maintenance phases.

It is essential to note that the study boundary does not include:

• Evaluation or design of risk mitigation actions.

• Context definition, e.g. identification of various aerospace stakeholders and the risk assessment methods employed by them.

• Vendor-oriented aerospace platforms.

• Database or knowledge base development.

• Discussion of risk associated with vendor-specific aerospace products.

Chapter 9: Summary

The research investigated the five primary domains of aviation systems to identify threats
and system vulnerabilities in the context of proposing a framework for addressing ongoing
cybersecurity issues.

As identified and presented in Appendix A, there are many potential impacts of security incidents in CNS/ATM systems, some of which have consequences for the broader society and impact third parties outside of the aviation system if not managed expeditiously and remediated conclusively. Due to the rapidly changing threat landscape, creating an absolutely risk-free environment is never achievable. The functional enhancement of systems and technology change will always expose coding failures, represented as zero-day vulnerabilities. Insecure system configurations, lack of training, and negligence also contribute significantly to the issue.

The evolving techniques that can be used to exploit systems anonymously are hard to
counter. There is a range of sophisticated techniques used by attackers based on their
capability, return on investment through ransomware extortion, and state sponsorship. As
the name "advanced" implies, one such attack method, an advanced persistent threat
(APT), uses continuous, covert, and sophisticated hacking techniques to gain access to a
system and remain inside for a prolonged period, potentially causing catastrophic
consequences.

With the ongoing digital modernisation programs launched by ANSPs introducing automation and enhancing systems' functionalities, the industry requires a well-tested framework that can be applied systematically and holistically to ensure that system operations remain cyber-resilient.

The highlighted issues are currently being researched and investigated by a multitude of
actors in aviation seeking to harmonise the regulatory framework and provide the
guidance material required by aviation stakeholders to support the concept of security by
design.

The thesis endorses a framework-based approach and offers solutions based on business
risks to battle cybersecurity threats. The framework covers a broad range of significant
issues and can be tailored to specific business requirements and based on the following
four pillars:

Protect

Protection measures can differ since protecting the system nucleus, infrastructure,
information pathways, and support are necessary. This function includes secure
architecture design and building, firewalling public-facing systems, identity and
access management systems, operating system hardening and patching, and
system upgrades (for legacy systems with known vulnerabilities).

Detect

Collecting and storing logs and analysing event data for aggregation, together with verifying data integrity, are essential. The objective is to detect any attack vectors before they reach the security perimeters of the systems concerned.

Respond

Since any systems providing air traffic, navigation assistance, and avionics services are critical and must be kept running, disruption to the services can be avoided with redundancy mechanisms. Business continuity and disaster recovery (BCDR) and incident response (IR) fall under the larger category of continuity management, which links them to their possible impact on operations and executes preventive actions.

Recover

A well-orchestrated and targeted cyberattack might have a higher chance of evading the multiple defensive mechanisms in place. Faced with this reality, aviation stakeholders must implement an effective system recovery plan through the proposed framework.

As aircraft information management becomes ever more complex and interconnected with ground-based systems, the risk of cyber-attacks grows. Moreover, information security
plays a significant undertaking in the modern air traffic management era, and this can be
exemplified by the ongoing NextGen and SESAR research work in the US and Europe,
respectively. The future aerospace or aviation systems will be governed by millions of
software codes and artificial intelligence. Against this backdrop, what we are confronting
today is close to an asymmetric cyberwar in which it is easier to attack than to defend.

It is evident that security is destined to be built into every segment connected to the Internet. Although information technology plays a critical role in achieving air travel safety, the aviation industry is still not mature enough to assimilate common cyber-attacks using technology. The enterprise risk assessment methodology is an entrenched method for identifying systemic risk for an organisation [320]. The risk assessment methodology discussed in this research is ubiquitous, and the assessment outcome varies based on threat vectors, vulnerability scenarios and multitudes of various other factors, including the aircraft's geographic location and software decision-making tools.

The methodology used here proposes an appropriate mechanism for cost-effective
investment in cybersecurity based on the ALE (annualised loss expectancy) ratings.
Provided that an experienced security professional performs the risk assessment, a higher
risk rating would be interpreted as lower risk maturity.
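The ALE-based investment reasoning above, carried through in code as an added example that is not the thesis's own tool: it assumes the standard definitions SLE = asset value x exposure factor and ALE = SLE x ARO, evaluates each candidate control on its own against the unmitigated scenario, and uses constructed scenario names, asset values, occurrence rates, control costs and rating thresholds.

```python
"""ALE-based ranking of candidate security controls.

Added example, not the thesis's own code. Assumes SLE = asset value x
exposure factor and ALE = SLE x ARO, and evaluates each control on its
own against the unmitigated scenario. All values below are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One threat scenario against one asset."""
    name: str
    asset_value: float      # value at risk, in currency units
    exposure_factor: float  # fraction of asset_value lost per incident, 0..1
    aro: float              # annualised rate of occurrence, incidents per year

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard with its annual cost and modelled effect."""
    name: str
    scenario: str               # name of the scenario it mitigates
    annual_cost: float
    aro_reduction: float = 0.0  # fraction by which it cuts ARO (prevention)
    ef_reduction: float = 0.0   # fraction by which it cuts exposure (recovery)


def apply_control(s: Scenario, c: Control) -> Scenario:
    """The scenario as it would look with the control in place."""
    if c.scenario != s.name:
        raise ValueError(f"{c.name!r} does not address {s.name!r}")
    return replace(s,
                   exposure_factor=s.exposure_factor * (1 - c.ef_reduction),
                   aro=s.aro * (1 - c.aro_reduction))


def net_benefit(s: Scenario, c: Control) -> float:
    """ALE removed by the control minus the control's annual cost."""
    return s.ale() - apply_control(s, c).ale() - c.annual_cost


def rosi(s: Scenario, c: Control) -> float:
    """Return on security investment: net benefit per unit of cost."""
    return net_benefit(s, c) / c.annual_cost


def ale_rating(ale: float) -> str:
    """Qualitative band for an ALE value (constructed thresholds)."""
    if ale >= 200_000:
        return "High"
    if ale >= 50_000:
        return "Medium"
    return "Low"


def rank_controls(scenarios, controls):
    """(control, net benefit) pairs, highest net benefit first."""
    by_name = {s.name: s for s in scenarios}
    scored = [(c, net_benefit(by_name[c.scenario], c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def select_portfolio(scenarios, controls, budget):
    """Greedy selection: fund controls in net-benefit order while they
    pay for themselves and fit the remaining budget. Controls are
    treated as independent, so their effects are not combined."""
    chosen, remaining = [], budget
    for control, benefit in rank_controls(scenarios, controls):
        if benefit <= 0:
            break  # everything after this costs more than the risk it removes
        if control.annual_cost <= remaining:
            chosen.append(control.name)
            remaining -= control.annual_cost
    return chosen


# Constructed scenarios and controls for a notional airport/ATM operator.
SCENARIOS = [
    Scenario("Airport operations network ransomware", 2_000_000, 0.25, 0.5),
    Scenario("EFB server compromise", 800_000, 0.5, 0.2),
    Scenario("VHF data link ground station outage", 1_500_000, 0.1, 2.0),
]
CONTROLS = [
    Control("Offline backups and rehearsed DR runbook",
            "Airport operations network ransomware", 60_000, ef_reduction=0.6),
    Control("Segmentation and MFA on the operations network",
            "Airport operations network ransomware", 120_000, aro_reduction=0.7),
    Control("Host-based intrusion detection on EFB servers",
            "EFB server compromise", 90_000, aro_reduction=0.5),
    Control("Redundant ground station with automatic failover",
            "VHF data link ground station outage", 100_000, ef_reduction=0.8),
]
```

With these inputs the redundant ground station and the offline backups are funded first, while the EFB host IDS removes less ALE than it costs and is never selected, which is the cost-effectiveness cut-off the ALE rating supports.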

The assessment needs to be performed by information security professionals who
understand the system functionalities and organisational business objectives. It is also
necessary to perform regular audits to ensure people, products, processes, and
environments (3PEs) adhere to security baselines outlined in the organisation's policy
statement and established security standards. For every modification, irrespective of its
magnitude, a risk assessment must be performed to update the Security Risk Management
Plans (SRMPs) and System Security Plans (SSPs).

Black-hat, grey-hat and white-hat penetration test techniques are used to identify system
weaknesses that could then be exploited by purpose-built malware injected into the
targeted system. Disclosing security weaknesses found by these methods creates positive
pressure on vendors and system administrators to address the issues more effectively.

Security concerns associated with aviation systems have evolved over the years, bringing
new challenges to be dealt with as a result of technological enhancements and the
dynamic political landscape around the world.

9.1 FUTURE RESEARCH

While technological change affects all businesses, the information security domain is
affected the most. The significant shifts likely to unfold in the days ahead will shape the
aviation industry's information security posture. For many aerospace organisations, some
of the impending technological changes will be headwinds, while the remainder could be
tailwinds.

Various studies propose that the aviation sector generally appears favourably placed
to benefit from the following five influential technological trends:

9.1.1 MOBILE INTERNET

Two-thirds of passengers use mobile devices and the internet, and a growing percentage
now use their smart devices while in flight. This accelerated rise in internet users globally
is multiplying the number of endpoints in networks and intensifying the need for
cybersecurity solutions.

9.1.2 THE NETWORK CONVERGENCE

This trend leads to increasingly heterogeneous networks, with growing numbers of
endpoints and diverse data types demanding additional cyber defences. The vulnerability
of these consolidated systems creates new demand for sophisticated security solutions
and products.

9.1.3 CLOUD TECHNOLOGY IS BECOMING A MAJOR DRIVING FORCE FOR BUSINESS EFFICACY

The elevated use of cloud computing systems managed by third parties has created a new
landscape of malicious cyber activity and threats. This trend prompts corporations to
adopt a pragmatic and distinctive approach to securing their systems. Progressively,
artificial intelligence and big data are used to perform tasks that rely on complex analysis,
human perception and ingenious invention. This scenario will benefit information
technology professionals as businesses expand their demand for applications to identify,
analyse and manage unauthorised cyber activities. The shift to excessive automation will
also increase the demand for cybersecurity services.

9.1.4 INTERNET OF THINGS (IOT)

The increasing use of smart devices is creating a network of interconnected things. In
addition, the growth in diverse data types and capacity use will intensify the risks of
malicious activity [321]. The extensive use of IoT will create new avenues for researchers
and cybersecurity solution providers. Most importantly, this development creates more
vulnerabilities that hackers can exploit using artificial intelligence.

References

[1] C. Bil and L. Thompson, "Aerospace Design Education at RMIT University," in
10th AIAA Aviation Technology, Integration, and Operations (ATIO)
Conference, 2010, p. 9066.
[2] ICAO, "Civil Aviation Cybersecurity Action Plan," Civil Aviation Cybersecurity
Information Repository, https://www.icao.int/cybersecurity/SiteAssets/ICAO/Civil Aviation Cybersecurity Action Plan - SIGNED.pdf, 2014.
[3] B. A. Nicholds and J. Mo, "Risk assessment for aviation operations
improvement projects," Journal of Aerospace Operations, vol. 4, no. 1-2, pp.
31-48, 2016.
[4] J. Mo, "Performance assessment of product service system from system
architecture perspectives," Advances in Decision Sciences, vol. 2012, 2012.
[5] L. Bogoda, J. Mo, and C. Bil, "A risk-oriented systems engineering approach
to address cyber security issues of civil aircraft, air traffic management and
airports systems," in AIAC18: 18th Australian International Aerospace
Congress (2019): HUMS-11th Defence Science and Technology (DST)
International Conference on Health and Usage Monitoring (HUMS 2019):
ISSFD-27th International Symposium on Space Flight Dynamics (ISSFD), 2019:
Engineers Australia, Royal Aeronautical Society., p. 48.
[6] S. Dilek, H. Çakır, and M. Aydın, "Applications of artificial intelligence
techniques to combating cyber crimes: A review," arXiv preprint
arXiv:1502.03552, 2015.
[7] B. Taylor, C. Bil, S. Watkins, and G. Egan, "Horizon sensing attitude stabilisation:
A VMC autopilot," in 18th International UAV Systems Conference, 2003.
[8] L. Bogoda, J. Mo, and C. Bil, "A Systems Engineering Approach To Appraise
Cybersecurity Risks Of CNS/ATM and Avionics Systems," in 2019 Integrated
Communications, Navigation and Surveillance Conference (ICNS), 2019:
IEEE, pp. 1-15.
[9] C. Van der Velden, C. Bil, X. Yu, and A. Smith, "An intelligent system for
automatic layout routing in aerospace design," Innovations in Systems and
Software Engineering, vol. 3, no. 2, pp. 117-128, 2007.
[10] C. Bil, M. Simic, and V. Vojisavljevic, "Design of a recharge station for UAVs
using non-contact wireless power transfer," in 54th AIAA Aerospace Sciences
Meeting, 2016, p. 1525.
[11] C. Van der Velden, C. Bil, X. Yu, and A. Smith, "An Intelligent Decision Support
Tool for Automatic Engineering of Aircraft Electrical Wiring Harnesses and
Pipes," in 7th AIAA ATIO Conf, 2nd CEIAT Int'l Conf on Innov and Integr in Aero
Sciences, 17th LTA Systems Tech Conf; followed by 2nd TEOS Forum, 2007, p.
7855.
[12] C. Bil, L. Thompson, A. Sinha, and K. C. Wong, "Advancing UAV Technologies
Through Australian Research," in AIAA International Air and Space
Symposium and Exposition: The Next 100 Years, 2003, p. 2693.
[13] R. I. Abeyratne, Aviation trends in the new millennium. Routledge, 2017.
[14] R. I. Abeyratne, Aviation security: Legal and regulatory aspects. Routledge,
2018.

[15] FireEye, "5 Significant Cyber Security Observations and Trends in the Asia
Pacific Region," Report, pp. https://www.fireeye.com/current-
threats/annual-threat-report/mtrends/rpt-2016-asia-pacific-mtrends.html,
2017.
[16] A. Chriki, H. Touati, H. Snoussi, and F. Kamoun, "FANET: Communication,
mobility models and security issues," Computer Networks, vol. 163, p. 106877,
2019.
[17] T. Salmenpää, "Information Security Governance in Civil Aviation," in Cyber
Security: Springer, 2022, pp. 315-336.
[18] X. Ni, H. Wang, C. Che, J. Hong, and Z. Sun, "Civil aviation safety evaluation
based on deep belief network and principal component analysis," Safety
science, vol. 112, pp. 90-95, 2019.
[19] R. Bitton and A. Shabtai, "A machine learning-based intrusion detection
system for securing remote desktop connections to electronic flight bag
servers," IEEE Transactions on Dependable and Secure Computing, vol. 18,
no. 3, pp. 1164-1181, 2019.
[20] C. S. SUMMIT, "Most cybersecurity breaches go unreported, uninsured despite
executive concern: Barclays," Chief Security Officer, pp.
https://www2.cso.com.au/article/595298/most-cybersecurity-breaches-go-
unreported-uninsured-despite-executive-concern-barclays/, 2016.
[21] S. C. Jose Monteagudo, "Aviation Cybersecurity – High Level Analysis, Major
Challenges and Where the Industry is Heading," cyberstartupobservatory,
pp. https://cyberstartupobservatory.com/aviation-cybersecurity-major-
challenges/, 2017.
[22] S. Veloudis et al., "Achieving security-by-design through ontology-driven
attribute-based access control in cloud environments," Future Generation
Computer Systems, vol. 93, pp. 373-391, 2019.
[23] J. C. C. Chica, J. C. Imbachi, and J. F. B. Vega, "Security in SDN: A
comprehensive survey," Journal of Network and Computer Applications, vol.
159, p. 102595, 2020.
[24] P. S. Nyakomitta and S. O. Abeka, "Security investigation on remote access
methods of virtual private network," Global journal of computer science and
technology, 2020.
[25] M. G. John Warsinske, Kevin Henry, Christopher Hoover, Ben Malisow, Sean
Murphy, Charles Oakes, George Pajari, Jeff T. Parker, David Seidl, "(ISC)² CBK
| Common Body of Knowledge," Isc2.org, no. 5th Edition, p.
https://www.isc2.org/Certifications/CBK, 2019.
[26] M. S. Nolan, "FUNDAMENTALS OF AIR TRAFFIC CONTROL," vol. Chapter 1
History of Air Traffic Control, no. FIFTH EDITION, pp. 7-12, 2011.
[27] N. M. S., "FUNDAMENTALS OF AIR TRAFFIC CONTROL," vol. Chapter 1 History of
Air Traffic Control, no. FIFTH EDITION, pp. 7-12, 2011.
[28] F. White, "Air-ground communications: history and expectations," IEEE
Transactions on Communications, vol. 21, no. 5, pp. 398-407, 1973.
[29] ARINC, "IAGS VHF Remote Ground Station Maintenance Manual," no. I, May
27, 2004.
[30] T. Tin Hin, Airbus, "FANS: A/G Data link Applications over ACARS & ATN,"
ICAO seminar on the implementation of C/G and A/G data link application in
the SAM region, https://www.icao.int/RO_SAM/Documents/DATALINK11/Sesion02%2006%20AIRBUS%20FANSSolutions.pdf,
September 2012.
[31] A. Pelsser, "ICAO Emblem and Its History," ed: The Canadian Connection–
ICAO yayını, 1966.
[32] I. C. A. Organization, "Global Operational Data Link Document (GOLD),"
ICAO publication, vol. Second Edition — 26 April 2013, p.
https://www.icao.int/APAC/Documents/edocs/GOLD_2Edition.pdf, 26 April
2013.
[33] C. Bil, "Multidisciplinary Design Optimization: Designed by Computer," in
Concurrent Engineering in the 21st Century: Springer, 2015, pp. 421-454.
[34] M. Tvaronavičienė, T. Plėta, S. Della Casa, and J. Latvys, "Cyber security
management of critical energy infrastructure in national cybersecurity
strategies: Cases of USA, UK, France, Estonia and Lithuania," Insights into
regional development, vol. 2, no. 4, pp. 802-813, 2020.
[35] A. M. Madni and M. Sievers, "Model‐based systems engineering: Motivation,
current status, and research opportunities," Systems Engineering, vol. 21, no.
3, pp. 172-190, 2018.
[36] J. Sherwood, A. Clark, and D. Lynas, "Enterprise security architecture," SABSA,
White paper, vol. 2009, 1995.
[37] L. Allodi and F. Massacci, "Security events and vulnerability data for
cybersecurity risk estimation," Risk Analysis, vol. 37, no. 8, pp. 1606-1627, 2017.
[38] G. Sharkov, "From cybersecurity to collaborative resiliency," in Proceedings of
the 2016 ACM Workshop on Automated Decision Making for Active Cyber
Defense, 2016: ACM, pp. 3-9.
[39] C. Johnson, "CyberSafety: CyberSecurity and Safety-Critical Software
Engineering," in Achieving Systems Safety: Springer, 2012, pp. 85-95.
[40] F. Eurocontrol, "Communications Operating concept and Requirements for
the Future Radio System (COCR)," Eurocontrol/FAA, 2007.
[41] T. Gilbert, J. Jin, B. Jason, and S. Henriksen, "Future aeronautical
communication infrastructure technology investigation," 2008.
[42] B. Phillips, J. Pouzet, J. Budinger, and N. Fistas, "Future Communication Study-
Action Plan 17 Final Conclusions and Recommendations Report," ICAO ACP
WG-T1 WP06, 2007.
[43] C. W. Axelrod, "Applying lessons from safety-critical systems to security-critical
software," in 2011 IEEE Long Island Systems, Applications and Technology
Conference, 2011: IEEE, pp. 1-6.
[44] C. W. Johnson, "Cyber security and the future of safety-critical air traffic
management: identifying the challenges under NextGen and SESAR," 2015.
[45] C. W. Johnson, "Architectures for cyber-security incident reporting in safety-
critical systems," in Disaster Management: Enabling Resilience: Springer, 2015,
pp. 127-141.
[46] J. McInally, Eurocontrol History Book. Brussels: EUROCONTROL, 2010.
[47] W. MOPS, "Minimum operational performance standards for global
positioning system/wide area augmentation system airborne equipment,"
RTCA Inc. Document No. RTCA/DO-229B, vol. 6, 1999.
[48] J. P. Mo, "Services and support supply chain design for complex engineering
systems," in Supply Chain Management: IntechOpen, 2011.
[49] J. Mo and K. Downey, "System design for transitional aircraft support,"
International Journal of Engineering Business Management, vol. 6, pp. 6-7,
2014.

[50] J. Gonda, P. Chávez, B. Hung, and G. Anderson, "Joint US-European future
communications operating concept," in 2006 ieee/aiaa 25TH Digital Avionics
Systems Conference, 2006: IEEE, pp. 1-11.
[51] R. De Cerchio and C. Riley, "Aircraft systems cyber security," in 2011 IEEE/AIAA
30th Digital Avionics Systems Conference, 2011: IEEE, pp. 1C3-1-1C3-7.
[52] S. Amin, T. Clark, R. Offutt, and K. Serenko, "Design of a cyber security
framework for ADS-B based surveillance systems," in 2014 Systems and
Information Engineering Design Symposium (SIEDS), 2014: IEEE, pp. 304-309.
[53] P. D. O'Neil and D. Krane, "Policy and Organizational Change in the Federal
Aviation Administration: The Ontogenesis of a High‐Reliability Organization,"
Public Administration Review, vol. 72, no. 1, pp. 98-111, 2012.
[54] R. Abeyratne, "Cyber terrorism and aviation—national and international
responses," Journal of Transportation Security, vol. 4, no. 4, pp. 337-349, 2011.
[55] R. W. Mills and D. R. Reiss, "Secondary learning and the unintended benefits
of collaborative mechanisms: The Federal Aviation Administration's voluntary
disclosure programs," Regulation & Governance, vol. 8, no. 4, pp. 437-454,
2014.
[56] R. J. Fleming, "The use of commercial aircraft as platforms for environmental
measurements," Bulletin of the American Meteorological Society, vol. 77, no.
10, pp. 2229-2242, 1996.
[57] A. Pozzetti, C. Bil, and G. Clark, "Implementation of Performance Based
System Assessment of Military Multi-Mission Platforms," in 27th Congress of the
International Council of the Aeronautical Sciences. Nice, France, 2010.
[58] D. J. Thuente and J. K. Whiteman, "Modified CSMA/Implicit token passing
algorithm for MIL-STD-188-220B," in 2001 MILCOM Proceedings
Communications for Network-Centric Operations: Creating the Information
Force (Cat. No. 01CH37277), 2001, vol. 2: IEEE, pp. 838-844.
[59] D. Gonzales, Network-centric operations case study: the Stryker Brigade
Combat Team. Rand Corporation, 2005.
[60] B. Meandzija and J. Westcott, "A proposed approach for integrated
network management of the Army Tactical Command and Control System," in
Integrated Network Management, I: Proceedings of the IFIP TC 6/WG 6.6
Symposium on Integrated Network Management, Boston, MA, USA, 16-17 May
1989, 1989: North Holland, p. 435.
[61] International Civil Aviation Organization (ICAO), "Manual on the
Aeronautical Telecommunication Network (ATN) using Internet Protocol Suite
(IPS) Standards and Protocols," ICAO Doc 9896, Advance Second Edition, 2015.
[62] ICAO, "Doc 9896-AN/469: Manual on the Aeronautical Telecommunication
Network (ATN) using Internet Protocol Suite (IPS) Standards and Protocols,"
2010.
[63] S. Ayaz, C. Bauer, M. Ehammer, T. Gräupl, and F. Arnal, "Mobility options in
the ip-based aeronautical telecommunication network," in Proceedings of
the ICT-Mobile Summit 2008 Conference, 2008.
[64] N. A. Nassif et al., "Challenges and current state of implementation of an IP
platform for Brazil's ATM communications," in Integrated Communication,
Navigation, and Surveillance Conference (ICNS), 2015, 2015: IEEE, pp. Q2-1-
Q2-11.
[65] Airbus, "Getting to grips with FANS (Future Air Navigation System)," Airbus
Flight Operations, no. Issue IV, May 2014.

[66] N. Neji, R. De Lacerda, A. Azoulay, T. Letertre, and O. Outtier, "Survey on the
future aeronautical communication system and its development for
continental communications," IEEE Transactions on Vehicular Technology,
vol. 62, no. 1, pp. 182-191, 2013.
[67] N. Fistas, "Future Aeronautical Communications: The Data Link Component,"
in Future Aeronautical Communications: InTech, 2011.
[68] E. Batuwangala, A. Gardi, and R. Sabatini, "The certification challenge of
integrated avionics and air traffic management systems," in ATRF 2016, 2016:
Australasian Transport Research Forum, pp. 1-17.
[69] E. Batuwangala, S. Ramasamy, L. Bogoda, and R. Sabatini, "Safety and
security considerations in the certification of next generation avionics and air
traffic management systems," in 17th Australian International Aerospace
Congress: AIAC 2017, 2017: Engineers Australia, Royal Aeronautical Society,
p. 440.
[70] E. Batuwangala, S. Ramasamy, L. Bogoda, and R. Sabatini, "An
interoperability assessment model for CNS/ATM systems," in ATRF 2016, 2016:
Australasian Transport Research Forum, pp. 1-8.
[71] M. R. Jackson, "RTCA Special Committee 214-Standards for Air Traffic Data
Communication Services," 2007.
[72] V. Melkstam and A. Magnusson, "Using Software-Defined Radio for ATN B1: A
look into CPDLC encoding and VDL Mode 2 transmission," ed, 2022.
[73] P. J. P. ARINC, "ARINC Specification 623: Character-Oriented Air Traffic
Service (ATS) Applications," ARINC Project Paper 658 Internet Protocol Suite
(IPS) for aeronautical Safety Services – Roadmap Document, February 2,
2016.
[74] ICAO ACP WG-N SWG4 (Security), "AEEC Security Status," Aeronautical
Communication Panel report, Bangkok, Thailand,
https://www.icao.int/safety/acp/inactive%20working%20groups%20library/acp-wg-n-swg4-1/sgn04-01-ip01.pdf,
November 2003.
[75] F. Besse, F. Garcia, A. Pirovano, and J. Radzik, "Wireless ad hoc networks
access for aeronautical communications," in 28th AIAA International
Communications Satellite Systems Conference (ICSSC-2010), 2010, p. 8795.
[76] O. Ercetin, M. O. Ball, and L. Tassiulas, "Next generation satellite systems for
aeronautical communications," International journal of satellite
communications and networking, vol. 22, no. 2, pp. 157-179, 2004.
[77] International Civil Aviation Organization (ICAO), "Manual of Technical
Provisions for the Aeronautical Telecommunication Network (ATN)," Doc
9705-AN/956, www.icao.int/safety/acp/repository/_%20Doc9705_ed2_1999.pdf, 1999.
[78] H. F. Tipton and M. K. Nozaki, Information security management handbook.
CRC press, 2007.
[79] S. B. von Solms, "Information Security Governance–compliance
management vs operational management," Computers & Security, vol. 24,
no. 6, pp. 443-447, 2005.
[80] M. E. Whitman and H. J. Mattord, Management of information security.
Nelson Education, 2013.
[81] B. Blakley, E. McDermott, and D. Geer, "Information security is information risk
management," in Proceedings of the 2001 workshop on New security
paradigms, 2001: ACM, pp. 97-104.
[82] L. A. Gordon and M. P. Loeb, Managing cybersecurity resources: a cost-
benefit analysis. McGraw-Hill New York, 2006.
[83] M. W. Merkhofer, Decision Science and Social Risk Management: A
Comparative Evaluation of cost-benefit analysis, decision analysis, and other
formal decision-aiding approaches. Springer Science & Business Media,
2012.
[84] B. W. Boehm, "Software risk management: principles and practices," IEEE
software, vol. 8, no. 1, pp. 32-41, 1991.
[85] B. Boehm, "Software risk management," in European Software Engineering
Conference, 1989: Springer, pp. 1-19.
[86] D. Kull, R. Mechler, and S. Hochrainer‐Stigler, "Probabilistic cost‐benefit
analysis of disaster risk management in a development context," Disasters,
vol. 37, no. 3, pp. 374-400, 2013.
[87] M. Schumacher, E. Fernandez-Buglioni, D. Hybertson, F. Buschmann, and P.
Sommerlad, Security Patterns: Integrating security and systems engineering.
John Wiley & Sons, 2013.
[88] M. Barni and F. Bartolini, Watermarking Systems Engineering: Enabling Digital
Assets Security and Other Applications. CRC Press, 2004.
[89] W. Stallings, L. Brown, M. D. Bauer, and A. K. Bhattacharjee, Computer
Security: Principles and Practice. Pearson Education, Upper Saddle River, NJ,
2012.
[90] H. Mouratidis, P. Giorgini, and G. Manson, "Integrating security and systems
engineering: Towards the modelling of secure information systems," in
International Conference on Advanced Information Systems Engineering,
2003: Springer, pp. 63-78.
[91] R. Abeyratne, Aviation security law. Springer Science & Business Media, 2010.
[92] P. T. Devanbu and S. Stubblebine, "Software engineering for security: a
roadmap," in Proceedings of the Conference on the Future of Software
Engineering, 2000: ACM, pp. 227-239.
[93] R. Anderson, Security engineering. John Wiley & Sons, 2008.
[94] D. Mellado, E. Fernández-Medina, and M. Piattini, "A common criteria based
security requirements engineering process for the development of secure
information systems," Computer standards & interfaces, vol. 29, no. 2, pp. 244-
253, 2007.
[95] D. DiMase, Z. A. Collier, K. Heffner, and I. Linkov, "Systems engineering
framework for cyber physical security and resilience," Environment Systems
and Decisions, vol. 35, no. 2, pp. 291-300, 2015.
[96] S. Evans, D. Heinbuch, E. Kyle, J. Piorkowski, and J. Wallner, "Risk-based
systems security engineering: stopping attacks with intention," IEEE Security &
Privacy, vol. 2, no. 6, pp. 59-62, 2004.
[97] R. Crook, D. Ince, L. Lin, and B. Nuseibeh, "Security requirements engineering:
When anti-requirements hit the fan," in Proceedings IEEE Joint International
Conference on Requirements Engineering, 2002: IEEE, pp. 203-205.
[98] B. Best, J. Jurjens, and B. Nuseibeh, "Model-based security engineering of
distributed information systems using UMLsec," in 29th International
Conference on Software Engineering (ICSE'07), 2007: IEEE, pp. 581-590.
[99] R. M. Keller, "Ontologies for aviation data management," in Digital Avionics
Systems Conference (DASC), 2016 IEEE/AIAA 35th, 2016: IEEE, pp. 1-9.
[100] OWASP, "The Ten Most Critical Web Application Security Risks," OWASP Top 10
2017, Release Candidate 2,
https://www.owasp.org/images/b/b0/OWASP_Top_10_2017_RC2_Final.pdf,
2018.
[101] C. M. King, C. Dalton, and S. H. Foreword By-Beck, Security Architecture:
Design, Deployment, and Operations. McGraw-Hill Professional, 2001.
[102] K. Sampigethaya and R. Poovendran, "Aviation cyber–physical systems:
Foundations for future aircraft and air transport," Proceedings of the IEEE, vol.
101, no. 8, pp. 1834-1855, 2013.
[103] A. Baker and P. J. Parkinson, "Cyber security enhancements for a safety-critical
ARINC 653 avionics platform," Wind River,
https://www.researchgate.net/profile/Paul_Parkinson2/publication/325896248_Cyber_security_enhancements_for_a_safety-critical_ARINC_653_avionics_platform/links/5be5e9574585150b2baaf918/Cyber-security-enhancements-for-a-safety-critical-ARINC-653-avionics-platform.pdf,
2018.
[104] S. G. Casals, P. Owezarski, and G. Descargues, "Risk assessment for
airworthiness security," in International Conference on Computer Safety,
Reliability, and Security, 2012: Springer, pp. 25-36.
[105] D. Christie, "Internet of Things meets the connected aircraft," in 2018
Integrated Communications, Navigation, Surveillance Conference (ICNS),
2018: IEEE, pp. 1-33.
[106] A. ITEM, "RTCA PROGRAM MANAGEMENT COMMITTEE MEETING SUMMARY
September 23, 2014," 2014.
[107] S. G. Casals, P. Owezarski, and G. Descargues, "Generic and autonomous
system for airborne networks cyber-threat detection," in 2013 IEEE/AIAA 32nd
Digital Avionics Systems Conference (DASC), 2013: IEEE, pp. 4A4-1-4A4-14.
[108] G. Pedroza, "Towards Safety and Security Co-engineering," in Security and
Safety Interplay of Intelligent Software Systems: Springer, 2018, pp. 3-16.
[109] SESAR, "Addressing Airport Cyber-security," Final Report, pp.
https://www.sesarju.eu/sites/default/files/documents/news/Addressing_airp
ort_cyber-security_Executive_Summary_.pdf, 2016.
[110] G. Spies, F. Piekert, A. Marsden, R. Suikat, C. Meier, and P. Eriksen,
"Operational Concept for an Airport Operations Center to Enable Total
Airport Management," in Proceedings of ICAS, 2008.
[111] Y. Günther et al., "Total Airport Management (Operational Concept and
Logical Architecture)," 2006.
[112] F. Guillermet and M. Garbini, "SESAR: Future-proofing Europe’s Airports,"
Journal of Airport Management, vol. 9, no. 3, pp. 277-283, 2015.
[113] R. E. EEC, "SESAR DETAILED OPERATIONAL DESCRIPTION," 2008.
[114] H. de Jong, "IMPLEMENTATION OF AN AIRPORT OPERATIONS CENTER (APOC)
AT SCHIPHOL AIRPORT: Improving capacity management?," 2018.
[115] K.-H. Keller, F. Piekert, Y. Günther, M. Schaper, S. Kaltenhäuser, and R. Suikat,
"Total Airport Management."
[116] S. Pickup and D. Huet, "Airport–Collaborative Decision Making (A-CDM) Local
and Network Impact Assessment."
[117] Y. Cherdantseva and J. Hilton, "A reference model of information assurance
& security," in 2013 International Conference on Availability, Reliability and
Security, 2013: IEEE, pp. 546-555.
[118] GAMMA, "Global ATM Security Management Project," pp.
http://www.gamma-project.eu/wp-content/uploads/2013/11/GAMMA-
handbook-web.pdf, 2017.

[119] J. Frank, "Artificial intelligence and intrusion detection: Current and future
directions," in Proceedings of the 17th national computer security
conference, 1994, vol. 10: Baltimore, MD, pp. 1-12.
[120] K. Hashizume, D. G. Rosado, E. Fernández-Medina, and E. B. Fernandez, "An
analysis of security issues for cloud computing," Journal of internet services
and applications, vol. 4, no. 1, p. 5, 2013.
[121] M. D. Dikaiakos, D. Katsaros, P. Mehra, G. Pallis, and A. Vakali, "Cloud
computing: Distributed internet computing for IT and scientific research," IEEE
Internet computing, vol. 13, no. 5, pp. 10-13, 2009.
[122] C. Low, Y. Chen, and M. Wu, "Understanding the determinants of cloud
computing adoption," Industrial management & data systems, vol. 111, no.
7, pp. 1006-1023, 2011.
[123] S. Bhardwaj, L. Jain, and S. Jain, "Cloud computing: A study of infrastructure
as a service (IAAS)," International Journal of engineering and information
Technology, vol. 2, no. 1, pp. 60-63, 2010.
[124] B. Wickremasinghe, R. N. Calheiros, and R. Buyya, "Cloudanalyst: A cloudsim-
based visual modeller for analysing cloud computing environments and
applications," in 2010 24th IEEE international conference on advanced
information networking and applications, 2010: IEEE, pp. 446-452.
[125] G. Pallis, "Cloud computing: the new frontier of internet computing," IEEE
internet computing, vol. 14, no. 5, pp. 70-73, 2010.
[126] L. M. Vaquero, L. Rodero-Merino, J. Caceres, and M. Lindner, "A break in the
clouds: towards a cloud definition," ACM SIGCOMM Computer
Communication Review, vol. 39, no. 1, pp. 50-55, 2008.
[127] N. Gonzalez et al., "A quantitative analysis of current security concerns and
solutions for cloud computing," Journal of Cloud Computing: Advances,
Systems and Applications, vol. 1, no. 1, p. 11, 2012.
[128] Cloud Security Alliance (CSA), "Top Threats to Cloud Computing Plus: Industry
Insights," CSA Research,
https://cloudsecurityalliance.org/download/top-threats-cloud-computing-plus-industry-insights/.
[129] Federal Aviation Administration (FAA), "FAA Cloud Computing Strategy," Final -
Version 1.0,
https://www.faa.gov/about/office_org/headquarters_offices/ato/service_units/techops/atc_comms_services/swim/documentation/media/cloud_computing/FAA%20Cloud%20Computing%20Strategy%20v1.0.pdf,
May 2012.
[130] C. Senk, "Adoption of security as a service," Journal of Internet Services and
Applications, vol. 4, no. 1, p. 11, 2013.
[131] M. Hussain and H. Abdulsalam, "SECaaS: security as a service for cloud-based
applications," in Proceedings of the Second Kuwait Conference on e-
Services and e-Systems, 2011: ACM, p. 8.
[132] A. Furfaro, A. Garro, and A. Tundis, "Towards security as a service (secaas):
On the modeling of security services for cloud computing," in 2014
International Carnahan Conference on Security Technology (ICCST), 2014:
IEEE, pp. 1-6.
[133] D. J. Landoll and D. Landoll, The security risk assessment handbook: A
complete guide for performing security risk assessments. CRC Press, 2005.
[134] J. P. Mo, "System support engineering: The foundation knowledge for
performance based contracting," in ICOMS 2009: Asset Management
Conference Proceedings: Sydney, 1-5 June 2009, 2009: Asset Management
Council, p. 205.
[135] L. Webb and C. Bil, "Systems Support Engineering: Looking Beyond The
Physical," in Improving Complex Systems Today: Springer, 2011, pp. 83-90.
[136] F. Kockler, T. Withers, J. Poodiack, and M. Gierman, "Systems engineering
management guide," DEFENSE SYSTEMS MANAGEMENT COLL FORT BELVOIR
VA, 1990.
[137] S. Luna, A. Lopes, H. Y. S. Tao, F. Zapata, and R. Pineda, "Integration,
verification, validation, test, and evaluation (IVVT&E) framework for system of
systems (SoS)," Procedia Computer Science, vol. 20, pp. 298-305, 2013.
[138] D. Rizzo and M. Blackburn, "Test and Evaluation for Enhanced Security: A
Quantitative Method to Incorporate Expert Knowledge into Test Planning
Decisions," The ITEA (International Test and Evaluation Association) Journal,
vol. 38, no. SAND2017-0748J, 2017.
[139] J. D. Claxton, C. Cavoli, and C. Johnson, "Test and evaluation management
guide," DEFENSE ACQUISITION UNIV FT BELVOIR VA, 2005.
[140] C. P. Pfleeger, S. L. Pfleeger, and M. F. Theofanos, "A methodology for
penetration testing," Computers & Security, vol. 8, no. 7, pp. 613-620, 1989.
[141] N. Choucri, S. Madnick, and J. Ferwerda, "Institutions for cyber security:
International responses and global imperatives," Information Technology for
Development, vol. 20, no. 2, pp. 96-121, 2014.
[142] M. Hathaway, "Cyber readiness index 1.0," Great Falls, VA: Hathaway Global
Strategies LLC, 2013.
[143] J. J. Gonzalez, "Towards a cyber security reporting system–a quality
improvement process," in International Conference on Computer Safety,
Reliability, and Security, 2005: Springer, pp. 368-380.
[144] A. Gupta and D. Zhdanov, "Growth and sustainability of managed security
services networks: an economic perspective," Mis Quarterly, vol. 36, no. 4, pp.
1109-1130, 2012.
[145] B. Chess and B. Arkin, "Software security in practice," IEEE Security & Privacy,
vol. 9, no. 2, pp. 89-92, 2011.
[146] R. L. Jones and A. Rastogi, "Secure coding: building security into the software
development life cycle," Information Systems Security, vol. 13, no. 5, pp. 29-
39, 2004.
[147] A. S. Sodiya, S. A. Onashoga, and O. Ajayĩ, "Towards Building Secure Software
Systems," Issues in Informing Science & Information Technology, vol. 3, 2006.
[148] W. Jansen, Directions in security metrics research. Diane Publishing, 2010.
[149] E. Cole, Network security bible. John Wiley & Sons, 2011.
[150] B. Arkin, S. Stender, and G. McGraw, "Software penetration testing," IEEE
Security & Privacy, vol. 3, no. 1, pp. 84-87, 2005.
[151] H. H. Thompson, "Application penetration testing," IEEE Security & Privacy, vol.
3, no. 1, pp. 66-69, 2005.
[152] P. Xiong and L. Peyton, "A model-driven penetration test framework for Web
applications," in 2010 Eighth International Conference on Privacy, Security
and Trust, 2010: IEEE, pp. 173-180.
[153] J. Roberts, M. Mohammed, W. Wittel, and M. Shepard, "Managing software
updates and a software distribution service," ed: Google Patents, 2009.
[154] M. S. Schaefer, "Method for managing vehicle software configuration
updates," ed: Google Patents, 2009.
[155] D. Muxlow, L. A. Mueller, and S. E. Mead, "Systems and methods for delivering
data updates to an aircraft," ed: Google Patents, 2002.

[156] J. Rushby, "New challenges in certification for aircraft software," in 2011
Proceedings of the Ninth ACM International Conference on Embedded
Software (EMSOFT), 2011: IEEE, pp. 211-218.
[157] M. V. Uzumeri, "ISO 9000 and other metastandards: principles for
management practice?," Academy of Management Perspectives, vol. 11,
no. 1, pp. 21-36, 1997.
[158] D. S. Herrmann, Complete guide to security and privacy metrics: measuring
regulatory compliance, operational resilience, and ROI. Auerbach
Publications, 2007.
[159] G. Haunschild, "Online regulatory compliance system and method for
facilitating compliance," ed: Google Patents, 2004.
[160] NIST, "SP 800-34 Rev. 1: Contingency Planning Guide for Federal Information
Systems," Gaithersburg, MD, United States: National Institute of Standards &
Technology, 2010.
[161] R. Abeyratne, "Crisis Management Toward Restoring Confidence in Air
Transport-Legal and Commercial Issues," J. Air L. & Com., vol. 67, p. 595, 2002.
[162] C. P. Grobler and C. Louwrens, "Digital forensic readiness as a component of
information security best practice," in IFIP International Information Security
Conference, 2007: Springer, pp. 13-24.
[163] S. Almuhammadi and M. Alsaleh, "Information security maturity model for
NIST cyber security framework," Computer Science & Information Technology
(CS & IT), vol. 7, no. 3, pp. 51-62, 2017.
[164] C. Carvalho and E. Marques, "Adapting ISO 27001 to a Public Institution," in
2019 14th Iberian Conference on Information Systems and Technologies
(CISTI), 2019: IEEE, pp. 1-6.
[165] Microsoft, "ISO/IEC 27001:2013 Information Security Management Standards,"
Microsoft compliance documentation, 2022. Available:
https://docs.microsoft.com/en-us/compliance/regulatory/offering-iso-27001
[166] S. E. Donaldson, S. G. Siegel, C. K. Williams, and A. Aslam, "Cybersecurity
frameworks," in Enterprise Cybersecurity: Springer, 2015, pp. 297-309.
[167] R. Almeida, R. Lourinho, M. M. da Silva, and R. Pereira, "A model for assessing
COBIT 5 and ISO 27001 simultaneously," in 2018 IEEE 20th Conference on
Business Informatics (CBI), 2018, vol. 1: IEEE, pp. 60-69.
[168] Simplilearn, "Understanding What is COBIT and COBIT Framework," 2022. Available:
https://www.simplilearn.com/what-is-cobit-significance-and-framework-rar309-article
[169] S. Maynard, T. Tan, A. Ahmad, and T. Ruighaver, "Towards a framework for
strategic security context in information security governance," Pacific Asia
Journal of the Association for Information Systems, vol. 10, no. 4, p. 4, 2018.
[170] Australian Government, "Protective Security Policy Framework," 16 Jun 2022.
Available:
https://www.protectivesecurity.gov.au/sites/default/files/resources-PSPF-guidance-for-executives-booklet.PDF
[171] S. N. G. Gourisetti, S. Mix, M. Mylrea, C. Bonebrake, and M. Touhiduzzaman,
"Secure Design and Development Cybersecurity Capability Maturity Model
(SD2-C2M2) Next-Generation Cyber Resilience by Design," in Proceedings of
the Northwest Cybersecurity Symposium, 2019, pp. 1-9.
[172] P. D. Dixit and K. A. Dill, "Caliber corrected Markov modeling (C2M2):
Correcting equilibrium Markov models," Journal of chemical theory and
computation, vol. 14, no. 2, pp. 1111-1119, 2018.
[173] R. O. Andrade, L. Tello-Oquendo, and I. Ortiz, "Uncertainty and Its Role in IoT
Risk Management," in Cybersecurity Risk of IoT on Smart Cities: Springer, 2021,
pp. 23-43.
[174] J. D. Christopher et al., "Cybersecurity capability maturity model (C2M2),"
Department of Homeland Security, pp. 1-76, 2014.
[175] K. Heldman, PMP: project management professional exam study guide. John
Wiley & Sons, 2018.
[176] J. K. Crawford, Project management maturity model. Auerbach Publications,
2021.
[177] D. Lock, Project management. 2021.
[178] H. Kerzner, Using the project management maturity model: strategic
planning for project management. John Wiley & Sons, 2019.
[179] M. C. Cook and J. P. Mo, "Architectural approach for analysing and
managing innovation in complex system design projects," Product:
Management and Development, vol. 20, no. 1, pp. 0-0, 2022.
[180] M. Cook and J. P. Mo, "Structured Risk Modelling of Naval Aviation Program
Life Cycle Integration and Operation," Journal of Industrial Integration and
Management, vol. 5, no. 03, pp. 291-309, 2020.
[181] J. Mo and R. C. Beckett, "System of Systems Modelling," in Systems
Engineering in Research and Industrial Practice: Springer, 2019, pp. 89-114.
[182] J.-P. A. Yaacoub, O. Salman, H. N. Noura, N. Kaaniche, A. Chehab, and M.
Malli, "Cyber-physical systems security: Limitations, issues and future trends,"
Microprocessors and microsystems, vol. 77, p. 103201, 2020.
[183] T. L. Saaty, "Decision making with the analytic hierarchy process,"
International journal of services sciences, vol. 1, no. 1, pp. 83-98, 2008.
[184] T. L. Saaty, "How to make a decision: the analytic hierarchy process,"
European journal of operational research, vol. 48, no. 1, pp. 9-26, 1990.
[185] T. L. Saaty, Decision making with dependence and feedback: The analytic
network process. RWS Publ., 1996.
[186] S. P. Venkatesan and S. Kumanan, "Supply chain risk prioritisation using a
hybrid AHP and PROMETHEE approach," International Journal of Services and
Operations Management, vol. 13, no. 1, pp. 19-41, 2012.
[187] N. B. Anuar, M. Papadaki, S. Furnell, and N. Clarke, "Incident prioritisation
using analytic hierarchy process (AHP): Risk Index Model (RIM)," Security and
communication networks, vol. 6, no. 9, pp. 1087-1116, 2013.
[188] Z. Yang, A. K. Ng, and J. Wang, "Prioritising security vulnerabilities in ports,"
International Journal of Shipping and Transport Logistics, vol. 5, no. 6, pp. 622-
636, 2013.
[189] P. Boateng, Z. Chen, and S. O. Ogunlana, "An Analytical Network Process
model for risks prioritisation in megaprojects," International Journal of Project
Management, vol. 33, no. 8, pp. 1795-1811, 2015.
[190] D. Yu, G. Kou, Z. Xu, and S. Shi, "Analysis of collaboration evolution in AHP
research: 1982–2018," International Journal of Information Technology &
Decision Making, vol. 20, no. 01, pp. 7-36, 2021.
[191] Transparent Choice, "The Guide To Analytic Hierarchy Process," 2016. Available:
https://www.transparentchoice.com/analytic-hierarchy-process
[192] L. A. Zadeh, "The role of fuzzy logic in the management of uncertainty in
expert systems," Fuzzy sets and systems, vol. 11, no. 1-3, pp. 199-227, 1983.
[193] A. Pozzetti and C. B. G. Clark, "Fuzzy logic application in Performance-Based
Contracting process," Journal of Aerospace Operations, vol. 3, no. 2, pp. 57-
89, 2015.
[194] A. Pozzetti, C. Bil, and G. Clark, "Fuzzy Logic Application to Performance-
Based Contract Optimisation," 2012.
[195] Z. Omar and C. Bil, "Genetic fuzzy control for autonomous ducted-fan VTOL
UAV," in 26th Congress of the international Council of the Aeronautical
Sciences (ICAS), 2008: International Council of the Aeronautical Sciences.
[196] K. Mittal, A. Jain, K. S. Vaisla, O. Castillo, and J. Kacprzyk, "A comprehensive
review on type 2 fuzzy logic applications: Past, present and future,"
Engineering Applications of Artificial Intelligence, vol. 95, p. 103916, 2020.
[197] B. M. Asenahabi, "Basics of research design: A guide to selecting appropriate
research design," International Journal of Contemporary Applied
Researches, vol. 6, no. 5, pp. 76-89, 2019.
[198] H. Dźwigoł and M. Dźwigoł-Barosz, "Scientific research methodology in
management sciences," Financial and credit activity problems of theory and
practice, vol. 2, no. 25, pp. 424-437, 2018.
[199] K. Peffers, T. Tuunanen, M. A. Rothenberger, and S. Chatterjee, "A design
science research methodology for information systems research," Journal of
management information systems, vol. 24, no. 3, pp. 45-77, 2007.
[200] A. R. Hevner, S. T. March, J. Park, and S. Ram, "Design science in information
systems research," MIS quarterly, pp. 75-105, 2004.
[201] J. Venable, J. Pries-Heje, and R. Baskerville, "FEDS: a framework for evaluation
in design science research," European journal of information systems, vol. 25,
no. 1, pp. 77-89, 2016.
[202] A. R. Hevner, "A three cycle view of design science research," Scandinavian
journal of information systems, vol. 19, no. 2, p. 4, 2007.
[203] S. Gregor and A. R. Hevner, "Positioning and presenting design science
research for maximum impact," MIS quarterly, pp. 337-355, 2013.
[204] C. E. Frank and L. Werner, "The value of the CISSP certification for educators
and professionals," in Proceedings of the 2011 Information Security
Curriculum Development Conference, 2011, pp. 50-53.
[205] D. L. Cannon, CISA certified information systems auditor study guide. John
Wiley & Sons, 2011.
[206] S. Islam, R. Jiang, R. S. Poston, G. Gal, P. Phillips, and T. F. Stafford, "The Role
of Accounting and Professional Associations in IT Security Auditing," 2017.
[207] B. T. O'hara and B. Malisow, CCSP (ISC) 2 Certified Cloud Security Professional
Official Study Guide. John Wiley & Sons, 2017.
[208] G. Carrera, "BUILDING A COMPREHENSIVE CLOUD SECURITY AUDIT
PROGRAM," EDPACS, vol. 66, no. 1, pp. 15-18, 2022.
[209] P. Mell, K. Scarfone, and S. Romanosky, "Common vulnerability scoring
system," IEEE Security & Privacy, vol. 4, no. 6, pp. 85-89, 2006.
[210] S. Frei, M. May, U. Fiedler, and B. Plattner, "Large-scale vulnerability analysis,"
in Proceedings of the 2006 SIGCOMM workshop on Large-scale attack
defense, 2006: ACM, pp. 131-138.
[211] S. Collins and S. McCombie, "Stuxnet: the emergence of a new cyber
weapon and its implications," Journal of Policing, Intelligence and Counter
Terrorism, vol. 7, no. 1, pp. 80-91, 2012.
[212] R. Baskerville, "Agile security for information warfare: A call for research," ECIS
2004 Proceedings, p. 13, 2004.
[213] B. Buzan, O. Wæver, and J. De Wilde, Security: A new framework for analysis.
Lynne Rienner Publishers, 1998.
[214] T. Gallagher, B. Jeffries, and L. Landauer, Hunting security bugs. Microsoft
Press Redmond, 2006.
[215] H. HaddadPajouh, A. Dehghantanha, R. Khayami, and K.-K. R. Choo, "A
deep Recurrent Neural Network based approach for Internet of Things
malware threat hunting," Future Generation Computer Systems, vol. 85, pp.
88-96, 2018.
[216] INFOSEC, "What is threat hunting in cybersecurity defense?," Risk Management,
Reliability and Security, 2017. Available:
https://safecontrols.blog/2017/02/12/what-is-threat-hunting-in-cybersecurity-defense/
[217] K. W. Ramsdell, "Few Answers for ADS-B Security Concerns," Business Aviation,
2018. Available:
https://www.ainonline.com/aviation-news/business-aviation/2018-02-14/few-answers-ads-b-security-concerns
[218] D. R. Miller, Security information and event management (SIEM)
implementation. McGraw-Hill Higher Education, 2011.
[219] J. N. M. Teixeira, "Voice Communication System Product Description," ISCTE-IUL,
2019. Available:
https://repositorio.iscte-iul.pt/bitstream/10071/20250/1/Master_Joao_Melo_Teixeira.pdf
[220] atc-network, "IP Voice Communication Systems for Air Traffic Control," 2010.
Available:
https://www.atc-network.com/atc-showcases/ip-voice-communication-systems-for-air-traffic-control
[221] SSH.com, "OpenSSH: SSH key management needs attention," SSH official web site,
2016. Available: https://www.ssh.com/academy/ssh/openssh
[222] Belden, "SCADA Security: Securing DNP3 Communications with Defense in Depth,"
Industrial Cybersecurity, 2016. Available:
https://www.belden.com/blog/industrial-security/scada-security-securing-dnp3-communications-with-defense-in-depth
[223] ABB, "Cyber security alerts and notifications," 2022. Available:
https://new.abb.com/about/technology/cyber-security/alerts-and-notifications
[224] ICAO MID Air Traffic Flow Management Task Force, "Air Traffic Flow Management
Implementation," paper presented at the FWC 2022 ATFM Implementation forum,
27 May 2021. Available: https://www.icao.int/MID/Documents/2021/ATFM%20TF5/WP6.pdf
[225] Airbus, "Air Traffic Flow Management," Metron Aviation, 2020. Available:
http://www.metronaviation.com/air-traffic-flow-management/
[226] M. A. Hashmi, J. P. Mo, and R. C. Beckett, "Transdisciplinary systems approach
to realization of digital transformation," Advanced Engineering Informatics,
vol. 49, p. 101316, 2021.
[227] C.-H. Lee, C.-L. Liu, A. J. Trappey, J. P. Mo, and K. C. Desouza, "Understanding
digital transformation in advanced manufacturing and engineering: A
bibliometric analysis, topic modeling and research trend discovery,"
Advanced Engineering Informatics, vol. 50, p. 101428, 2021.
[228] K. Kioskli, T. Fotis, and H. Mouratidis, "The landscape of cybersecurity
vulnerabilities and challenges in healthcare: Security standards and
paradigm shift recommendations," in The 16th International Conference on
Availability, Reliability and Security, 2021, pp. 1-9.
[229] J. Simola, "Comparing Cybersecurity Information Exchange Models and
Standards for the Common Secure Information Management Framework," in
Digital Transformation, Cyber Security and Resilience of Modern Societies:
Springer, 2021, pp. 137-159.
[230] E.-C. Davri et al., "Cyber Security Certification Programmes," in 2021 IEEE
International Conference on Cyber Security and Resilience (CSR), 2021: IEEE,
pp. 428-435.
[231] P. Wang and H. D’Cruze, "Cybersecurity certification: certified information
systems security professional (CISSP)," in 16th International Conference on
Information Technology-New Generations (ITNG 2019), 2019: Springer, pp. 69-
75.
[232] T. Weil–CISSP, C. CCSP, and P. Audit, "Risk Assessment Methods for Cloud
Computing Platforms."
[233] N. Susila, A. Sruthi, and S. Usha, "Impact of cloud security in digital twin," in
Advances in Computers, vol. 117, no. 1: Elsevier, 2020, pp. 247-263.
[234] M. Cinelli, M. Kadziński, M. Gonzalez, and R. Słowiński, "How to support the
application of multiple criteria decision analysis? Let us start with a
comprehensive taxonomy," Omega, vol. 96, p. 102261, 2020.
[235] M. R. Asadabadi, E. Chang, and M. Saberi, "Are MCDM methods useful? A
critical review of analytic hierarchy process (AHP) and analytic network
process (ANP)," Cogent Engineering, vol. 6, no. 1, p. 1623153, 2019.
[236] N. Munier, E. Hontoria, and F. Jiménez-Sáez, Strategic approach in multi-
criteria decision making. Springer, 2019.
[237] W. Ho and X. Ma, "The state-of-the-art integrations and applications of the
analytic hierarchy process," European Journal of Operational Research, vol.
267, no. 2, pp. 399-414, 2018.
[238] A. Cahyapratama and R. Sarno, "Application of Analytic Hierarchy Process
(AHP) and Simple Additive Weighting (SAW) methods in singer selection
process," in 2018 International Conference on Information and
Communications Technology (ICOIACT), 2018: IEEE, pp. 234-239.
[239] S. Snedaker, Business continuity and disaster recovery planning for IT
professionals. Newnes, 2013.
[240] M. Wallace and L. Webber, The disaster recovery handbook: A step-by-step
plan to ensure business continuity and protect vital operations, facilities, and
assets. Amacom, 2017.
[241] K. Doughty, Business continuity planning: protecting your organization's life.
Auerbach Publications, 2000.
[242] A. Hiles, Business continuity: Best practices. Rothstein Catalog On Disaster
Recovery, 2000.
[243] C. Schmittner, T. Gruber, P. Puschner, and E. Schoitsch, "Security application
of failure mode and effect analysis (FMEA)," in International Conference on
Computer Safety, Reliability, and Security, 2014: Springer, pp. 310-325.
[244] M. M. Silva, A. P. H. de Gusmão, T. Poleto, L. C. e Silva, and A. P. C. S. Costa,
"A multidimensional approach to information security risk management using
FMEA and fuzzy theory," International Journal of Information Management,
vol. 34, no. 6, pp. 733-740, 2014.
[245] R. Winther, O.-A. Johnsen, and B. A. Gran, "Security assessments of safety
critical systems using HAZOPs," in International Conference on Computer
Safety, Reliability, and Security, 2001: Springer, pp. 14-24.
[246] T. Kraft, "Performance based Administration communication and surveillance,
Introduction to RCP and RSP," RCP and RSP Planning and Implementation - ICAO,
6-9 November 2012. Available:
https://www.icao.int/EURNAT/EUR%20and%20NAT%20Documents/NAT%20Documents/Planning%20documents%20supporting%20separation%20reductions%20and%20other%20initiatives/NATIMG41_PPT01-RCP-RSP%20Intro.pdf
[247] T. L. Saaty, "Analytic hierarchy process," in Encyclopedia of operations
research and management science: Springer, 2013, pp. 52-64.
[248] J. Oates, "UK privacy watchdog threatens British Airways with 747-sized fine
for massive personal data blurt - Half a million records lost? £183m GDPR fine
lined up," theregister.co.uk, 2019. Available:
https://www.theregister.co.uk/2019/07/08/ico_threatens_ba_with_huge_fine_for_huge_data_loss/
[249] H. Barwick, "Up to 750,000 Japan Airlines customers' details leaked: Mile club
member details were accessed by someone using an external server, says
airline," Computerworld, 2014. Available:
https://www.computerworld.com.au/article/556002/up-750-000-japan-airlines-customers-details-leaked/
[250] Statista (The Statistics Portal), "World's biggest data breaches statistics," 2018.
Available:
https://www.statista.com/statistics/290525/cyber-crime-biggest-online-data-breaches-worldwide/
and https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-static/
[251] P. Sherwell, "CIA website hacked in attack 'claimed' by shadowy cyber
group Anonymous," telegraph.co.uk, 11 Feb 2012.
[252] J. Cox, "Hacker Steals 900 GB of Cellebrite Data," vice.com, 2017. Available:
https://www.vice.com/en_us/article/3daywj/hacker-steals-900-gb-of-cellebrite-data
[253] A. Morse, "Investigation: WannaCry cyber attack and the NHS," National Audit
Office, 2017. [Electronic resource]. URL:
https://www.nao.org.uk/report/investigation-wannacry-cyber-attack-and-the-nhs/
(accessed 09.09.2018). Report PDF:
https://www.nao.org.uk/wp-content/uploads/2017/10/Investigation-WannaCry-cyber-attack-and-the-NHS.pdf
[254] J. Mo and L. Nemes, "Issues in using enterprise architecture for mergers and
acquisitions," 2010.
[255] M. Z. Gunduz and R. Das, "Cyber-security on smart grid: Threats and potential
solutions," Computer networks, vol. 169, p. 107094, 2020.
[256] N. Onumah, S. Attwood, and R. Kharel, "Towards Secure Application
Development: A Cyber Security Centred Holistic Approach," in 2020 12th
International Symposium on Communication Systems, Networks and Digital
Signal Processing (CSNDSP), 2020: IEEE, pp. 1-6.
[257] S. Harris, "Information security and risk management," CISSP All-in-One (AIO),
pp. 117-118, 2010.
[258] L. Urbaczewski and S. Mrdalj, "A comparison of enterprise architecture
frameworks," Issues in Information Systems, vol. 7, no. 2, pp. 18-23, 2006.
[259] A. Eskaluspita and I. Sumitra, "The open group architecture framework for
designing the enterprise architecture of ALIT," in IOP Conference Series:
Materials Science and Engineering, 2020, vol. 879, no. 1: IOP Publishing, p.
012083.
[260] I. Saepurrahman and I. Sumitra, "Designing Enterprise Architecture for Sports
Information System Platform Using the Open Group Architecture Framework
Architecture Development Method," in IOP Conference Series: Materials
Science and Engineering, 2019, vol. 662, no. 4: IOP Publishing, p. 042013.
[261] J. S. Burkett, "Business Security Architecture: Weaving Information Security into
Your Organization's Enterprise Architecture through SABSA®," Information
Security Journal: A Global Perspective, vol. 21, no. 1, pp. 47-54, 2012.
[262] N. Sherwood, Enterprise security architecture: a business-driven approach.
CRC Press, 2005.
[263] S. M. Oda, H. Fu, and Y. Zhu, "Enterprise information security architecture a
review of frameworks, methodology, and case studies," in 2009 2nd IEEE
International Conference on Computer Science and Information
Technology, 2009: IEEE, pp. 333-337.
[264] DoD, "Department of Defense Architecture Framework (DoDAF) Version 2.0," DoD
Deputy Chief Information Officer, 2010. Available via:
<http://cionii.defense.gov/sites/dodaf20/> [accessed August 16, 2010].
[265] U. Franke, P. Johnson, E. Ericsson, W. R. Flores, and K. Zhu, "Enterprise
Architecture Analysis using Fault Trees and MODAF," in CAiSE Forum, 2009.
[266] B. Von Solms, "Information Security governance: COBIT or ISO 17799 or both?,"
Computers & Security, vol. 24, no. 2, pp. 99-104, 2005.
[267] T. D. Dabade, "Information technology infrastructure library (ITIL)," in
Proceedings of the 4th National Conference, 2012, pp. 25-26.
[268] P. Ravi, Z. Najm, S. Bhasin, M. Khairallah, S. S. Gupta, and A. Chattopadhyay,
"Security is an Architectural Design Constraint," Microprocessors and
Microsystems, 2019.
[269] B. R. Kumar, "Case 2: Developing the World’s Largest Passenger Aircraft-
Airbus A3XX," in Project Finance: Springer, 2022, pp. 91-99.
[270] I. De Visscher, F. Rooseleer, V. Treve, R. Graham, A. Reinke, and U. Scholz, "A
Methodology for Wake Turbulence Categorization of New Large Aircraft
Types Combining LiDAR, RADAR and Wind Tunnel Data with Numerical
Simulation and Manufacturer’s Data," in AIAA Scitech 2019 Forum, 2019, p.
1637.
[271] A. Rajapaksha and N. Jayasuriya, "Smart airport: a review on future of the
airport operation," Global Journal of Management and Business Research,
2020.
[272] S. Shahrabani and S. T. Regev, "Willingness to pay for airline security,"
International Journal of Culture, Tourism and Hospitality Research, vol. 13, no.
2, pp. 153-166, 2019.
[273] M. Lehto, "Cyber security in aviation, maritime and automotive," in
Computation and Big Data for Transport: Springer, 2020, pp. 19-32.
[274] M. Brunner, C. Sauerwein, M. Felderer, and R. Breu, "Risk management
practices in information security: Exploring the status quo in the DACH
region," Computers & Security, vol. 92, p. 101776, 2020.
[275] X. Pan, B. Zhong, D. Sheng, X. Yuan, and Y. Wang, "Blockchain and deep
learning technologies for construction equipment security information
management," Automation in Construction, vol. 136, p. 104186, 2022.
[276] F. A. Shaikh and M. Siponen, "Information security risk assessments following
cybersecurity breaches: The mediating role of top management attention
to cybersecurity," Computers & Security, vol. 124, p. 102974, 2023.
[277] E. Agyepong, Y. Cherdantseva, P. Reinecke, and P. Burnap, "A systematic
method for measuring the performance of a cyber security operations
centre analyst," Computers & Security, vol. 124, p. 102959, 2023.
[278] A. R. Muhammad, P. Sukarno, and A. A. Wardana, "Integrated Security
Information and Event Management (SIEM) with Intrusion Detection System
(IDS) for Live Analysis based on Machine Learning," Procedia Computer
Science, vol. 217, pp. 1406-1415, 2023.
[279] K. Bernsmed, G. Bour, M. Lundgren, and E. Bergström, "An evaluation of
practitioners’ perceptions of a security risk assessment methodology in air
traffic management projects," Journal of Air Transport Management, vol. 102,
p. 102223, 2022.
[280] W. Derrickson and K. Tripathi, "Difference in risk perception of onboard
security threats by aircrew and aviation security experts," Transportation
research interdisciplinary perspectives, vol. 16, p. 100666, 2022.
[281] X. Lyu, Y. Ding, and S. H. Yang, "Safety and security risk assessment in cyber-
physical systems," IET Cyber-Physical Systems: Theory & Applications, vol. 4,
no. 3, pp. 221-232, 2019.
[282] M. Bashendy, A. Tantawy, and A. Erradi, "Intrusion Response Systems for
Cyber-Physical Systems: A Comprehensive Survey," Computers & Security, p.
102984, 2022.
[283] A. I. Frid, A. M. Vulfin, V. V. Berholz, D. Y. Zakharov, and K. V. Mironov,
"Architecture of the Security Access System for Information on the State of
the Automatic Control Systems of Aircraft," Acta Polytechnica Hungarica,
vol. 17, no. 8, pp. 151-164, 2020.
[284] M. López-Lago, J. Serna, R. Casado, and A. Bermúdez, "Present and future of
air navigation: PBN operations and supporting technologies," International
Journal of Aeronautical and Space Sciences, vol. 21, no. 2, pp. 451-468, 2020.
[285] K. Ellis, P. Krois, M. D. Davirs, and J. Koelling, "In-Time System-Wide Safety
Assurance: IASMS Data & Architecture," 2019.
[286] R. Klein, B. Abraham, A. Morales, K. Niewoehner, F. Aknine, and J. Pace,
"Aircraft access to SWIM—A collaborative ATM pathfinder to support a TBO
environment," in 2015 Integrated Communication, Navigation and
Surveillance Conference (ICNS), 2015: IEEE, pp. Q4-1-Q4-10.
[287] G. Tamasi and M. Demichela, "Risk assessment techniques for civil aviation
security," Reliability Engineering & System Safety, vol. 96, no. 8, pp. 892-899,
2011.
[288] J. S. Szyliowicz, "Aviation security: promise or reality?," Studies in conflict &
terrorism, vol. 27, no. 1, pp. 47-63, 2004.
[289] P. A. Polski, "International aviation security research and development,"
Journal of Testing and Evaluation, vol. 22, no. 3, pp. 267-274, 1994.
[290] S. Wong and N. Brooks, "Evolving risk-based security: A review of current issues
and emerging trends impacting security screening in the aviation industry,"
Journal of Air Transport Management, vol. 48, pp. 60-64, 2015.
[291] R. Zagorščak et al., "Risk assessment methodology for Underground Coal
Gasification technology," Journal of Cleaner Production, vol. 370, p. 133493,
2022.
[292] G. Hou, K. Xu, and J. Lian, "A review on recent risk assessment methodologies
of offshore wind turbine foundations," Ocean Engineering, vol. 264, p. 112469,
2022.
[293] M. M. Swanson, N. Bartol, J. Sabato, J. Hash, and L. Graffo, "Security metrics
guide for information technology systems," 2003.
[294] B. Guttman and E. A. Roback, An introduction to computer security: the NIST
handbook. DIANE Publishing, 1995.
[295] Y. Liu, B. Chen, Q. Dong, W. Liu, W. Nie, and C. Yang, "Failure mode risk
assessment methodology for controlling multi-uncertainties in the evaluation
process," Engineering Applications of Artificial Intelligence, vol. 116, p.
105470, 2022.
[296] M. Ashour, A. Mahdiyar, S. H. Haron, and M. H. Hanafi, "Barriers to the practice
of sustainable interior architecture and design for interior renovations: A
Parsimonious-Cybernetic Fuzzy AHP approach," Journal of Cleaner
Production, vol. 366, p. 132958, 2022.
[297] U. Awan, L. Hannola, A. Tandon, R. K. Goyal, and A. Dhir, "Quantum
computing challenges in the software industry. A fuzzy AHP-based
approach," Information and Software Technology, vol. 147, p. 106896, 2022.
[298] B. A. Jnr, "Validating the usability attributes of AHP-software risk prioritization
model using partial least square-structural equation modeling," Journal of
science and technology policy management, 2018.
[299] D. DePalmer, S. Schuldt, and J. Delorit, "Prioritizing facilities linked to corporate
strategic objectives using a fuzzy model," Journal of Facilities Management,
vol. 19, no. 3, pp. 358-376, 2021.
[300] F. H. de Souza, L. O. Gavião, A. P. Sant'Anna, and G. B. Lima, "Prioritizing risks
with composition of probabilistic preferences and weighting of FMEA criteria
for fast decision-making in complex scenarios," International Journal of
Managing Projects in Business, 2021.
[301] L. D. Nguyen, L. Le-Hoai, D. Q. Tran, C. N. Dang, and C. V. Nguyen, "Fuzzy AHP
with applications in evaluating construction project complexity," in Fuzzy
hybrid computing in construction engineering and management: Emerald
Publishing Limited, 2018.
[302] A. Al Qubaisi et al., "An analytic hierarchy process for school quality and
inspection: Model development and application," International Journal of
Educational Management, 2016.
[303] V. Kannan, "Benchmarking the service quality of ocean container carriers
using AHP," Benchmarking: An International Journal, 2010.
[304] T. L. Saaty, "A scaling method for priorities in hierarchical structures," Journal
of mathematical psychology, vol. 15, no. 3, pp. 234-281, 1977.
[305] E. F. Farbod Hosseyndoust Foomany and Rohit Sethi, "Inquiring Into Security
Requirements of Remote Code Execution for IoT Devices," ISACA Journal, vol. 4,
2016. Available:
https://www.isaca.org/Journal/archives/2016/volume-4/Pages/inquiring-into-security-requirements-of-remote-code-execution-for-iot-devices.aspx
[306] R. Blank and P. Gallagher, "NIST Special Publication 800-30 Revision 1: Guide for
Conducting Risk Assessments," National Institute of Standards and Technology,
Tech. Rep., p. ix, 2012. Available:
https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-30r1.pdf
[307] B. A. Nicholds and J. P. Mo, "Risk assessment of business process re-
engineering projects," Open Journal of Social Sciences, vol. 3, no. 3, pp. 30-
34, 2015.
[308] J. P. Mo and A. Sinha, Engineering systems acquisition and support. Elsevier,
2014.
[309] H. Wang, J. Mo, and N. Chen, "Fuzzy position control of pneumatic cylinder
with two state solenoid valves," in Control 95: Meeting the Challenge of Asia
Pacific Growth; Preprints, 1995: Institution of Engineers, Australia, p. 387.
[310] L. A. Zadeh, "A computational approach to fuzzy quantifiers in natural
languages," Computers & Mathematics with applications, vol. 9, no. 1, pp.
149-184, 1983.
[311] M. Nilashi, K. Bagherifard, O. Ibrahim, N. Janahmadi, and M. Barisami, "An
application expert system for evaluating effective factors on trust in B2C
Websites," Engineering, vol. 3, no. 11, 2011. Available:
http://file.scirp.org/Html/1-8101448_8656.htm
[312] P. Thi-Thu-Hong, A. BIGAND, and É. P. CAILLAULT, "A New Fuzzy Logic-based
Similarity Measure applied to Large Gap Imputation for Uncorrelated
Multivariate Time Series," 2018.
[313] T. Takagi and M. Sugeno, "Fuzzy identification of systems and its applications
to modeling and control," in Readings in fuzzy sets for intelligent systems:
Elsevier, 1993, pp. 387-403.
[314] C.-C. Lee, "Fuzzy logic in control systems: fuzzy logic controller. II," IEEE
Transactions on systems, man, and cybernetics, vol. 20, no. 2, pp. 419-435,
1990.
[315] W. Dong and F. Wong, "Fuzzy weighted averages and implementation of the
extension principle," Fuzzy sets and systems, vol. 21, no. 2, pp. 183-199, 1987.
[316] H. A. El Khalek, R. F. Aziz, and H. M. Kamel, "Risk and Uncertainty Assessment
Model in Construction Projects Using Fuzzy Logic," American Journal of Civil
Engineering, vol. 4, no. 1, pp. 24-39, 2016.
[317] J. M. Mendel, "Uncertain rule-based fuzzy systems," in Introduction and new
directions: Springer, 2017, p. 684.
[318] MITRE, "Common Vulnerabilities and Exposures (CVE)," 2001. Available: https://cve.mitre.org
[319] National Institute of Standards and Technology (NIST), "National Vulnerability
Database (NVD)," sponsored by the Department of Homeland Security (DHS)
National Cyber Security Division, 2009.
[320] B. A. Nicholds and J. P. Mo, "Estimating performance from capabilities in
business process improvement," Business Process Management Journal, vol.
22, no. 6, pp. 1099-1117, 2016.
[321] AustCyber, "The global outlook for cyber security," Australia's Cyber Security
Sector Competitiveness Plan 2018, Reports, Chapter 1, 2018. Available:
https://www.austcyber.com/tools-and-resources/sector-competitiveness-plan-2018
Appendix A: Domain-wise Cybersecurity Risk Assessment

Aircraft (Avionics) System


| Risk/Vulnerability | Likelihood [1-100] | Severity [1-100] | Risk Rating [0-100] | Comment |
|---|---|---|---|---|
| Inadequate network segregation among Flight Management Systems (FMS), In-Flight Entertainment (IFE) system and passenger wireless network | Low | Very high | Low | Hackers gain access to flight controls & parameters via IFE or passenger network (ARINC 629 buses are designed for two-way communication) |
| Zero-day attack on FMS: attackers exploit a software vulnerability and alter flight plan data, trajectories, navigational aid and weather data | Low | Very high | Low | Aircraft deviates from its approved flight path into conflicting paths violating separation minima. In extreme situations, controlled flight into terrain. Aircraft separation is reduced to a minimum, leaving no room for manoeuvre |
| Malware, virus or worm attack on FMS | Low | High | Low | Aircraft shows abnormal behaviour. Modified flight parameter thresholds cause unexpected warnings and system alarms. Slow response time. Compromised system resource allocations |
| ADS-B flight ID spoofing (altered Aircraft ID) | Low | High | Low | Aircraft is not visible to the ATM system (as the spoofed aircraft ID cannot be correlated to any of the flights in the ATM database) |
| Malware attack on ACARS system (Controller–pilot data link communications [CPDLC] message deletion or alteration of the route, terminal, aeronautical and weather information) | Very low | High | Very low | Vectoring aircraft to pre-planned map coordinates or redirecting to a treacherous (or already occupied) flight path via fabricated CPDLC messages. Flight separation is reduced to a minimum, leaving no room for manoeuvre |
| Malware (or Stuxnet) attack on aircraft radar transponder (modified Aircraft ID and altitude) | Low | High | Low | Ghost (unidentified) aircraft cause ATCs to execute an emergency procedure to avoid collisions. Uncertainty of flight level occupation. Loss of actual aircraft position on the ATM system |
| GNSS jamming and spoofing (malware) | Very low | Very high | Very low | Incorrect aircraft position, velocity and time (PVT) reporting. Conflicting aircraft positions are displayed on an ATM system, making ATCs execute emergency separation procedures |
| Unauthorized access to Electronic Flight Bag (EFB) and navigational aid databases | Low | Very high | Low | Controlled flight into terrain (the identified vulnerabilities are often plain design mistakes, which make the cryptosystems exploitable) |
| Use of proprietary encryption key algorithms between avionics and ground control systems for data communication | Low | High | Low | Prone to cryptanalytic attacks (simple design mistakes make proprietary cryptosystems exploitable). The use of proprietary encryption is extremely risky in the aviation environment. |

215
Likelihood Severity Risk
Risk/Vulnerability [1-100] [1-100] Rating Comment
[0-100]
Disclosure of command and control
Compromised private keys being communication and possible
used between avionics and ground injection of falsified data. This risk
Low High Low
control systems when using Public Key may direct control flight into terrain,
Infrastructure(PKI) for data comm. reduce separation minimums or/and
leave no room for manoeuvre
Flight operations, maintenance, crew
management, station assistance,
ground handling, passengers, fuel
Denial-of-Service (DoS) attack on
Medium Medium Low and anti-icing information will not be
aircraft datalink application
negotiated promptly and an
extended period of ground/gate
delay
Falsified clearance injection to FMS
Privilege escalation of ADS-C and led the flight to a collisions course
Low High Low
CPDLC login credentials with another flight creating havoc in
the airspace
Country-specific legislations require
The revelation of the secret key and
disclosure of Avionic data link secret
decryption algorithms may lead to
key and decryption algorithm to the Very
Medium Low the destruction, disclosure, and
country’s authority (when high
alteration of critical safety data for
cryptosystems are being used in data
aircraft operation.
communication)
Use of Industrial, scientific, and
medical (ISM) radio band (802.11
The wireless data can be sniffed and
b/g) to update aircraft system
Low High Low intercepted to execute an attack at
components (AHM, LSAP, VDAR, EFB)
the airport terminal gate.
using Boeing GateLink Terminal
Cellular Unit (TCU)
The wireless data can be sniffed and
Use of unsecured (or unencrypted)
intercepted to execute an attack.
wireless dataloaders to update Low High Low
Manipulating system configs through
aircraft system configuration.
a MITM attack.
In-flight data update during flight
Systems and data are vulnerable to
using the Internet via a satellite link Medium High Low
all internet-based cyber attacks
with no SSL/TSL or VPN connection
No accountability can be
Use of common default engineering
established in the event of a security
login (username and password) for Very high Low Low
breach unless adequate physical
applications in all aircraft
security is provided to aircraft.
Prone to network-based attacks and
No active intrusion detection and
longer recovery time after an attack.
dynamic response mechanism (such High Low Low
Longer delays and higher recovery
as IPS & firewall) to cyberattack
costs.
Country-specific legislations require
The revelation of the secret key and
disclosure of secret keys and
decryption algorithms may lead to
decryption algorithm to the country’s Very
Medium Low the destruction, disclosure, and
authority (when cryptosystems are high
alteration of safety-critical data used
used in aircraft for data
for aircraft operation.
communication)
The software security patch updates
have to be passed from the
Regulation restrictions - delay manufacturer through to the
Very high High High
important security updates operator needing appropriate
certifications for all relevant regions
along the way

Air Traffic Management System

Risk/Vulnerability | Likelihood [1-100] | Severity [1-100] | Risk Rating [0-100] | Comment
--- | --- | --- | --- | ---
Inadequate network segregation between ATM and corporate/public systems | Low | Very high | Low | Unauthorized access to ATM information. Destruction, disclosure and alteration of safety-critical aircraft surveillance data
Man-in-the-middle (MITM) + replay (ADS-B) attack where altered ADS-B aircraft location data is fed to the ATM system | Low | Very high | Low | Erroneous display of aircraft position information on the ATM system if no redundant mechanism is available to verify data
Information leaks through a covert channel (storage or timing) attack | Very low | Medium | Very low | Safety-critical information is passed in a secretive, unauthorized or illicit manner (attackers use covert channels to transmit sensitive documents unobserved).
Unsecured (or unencrypted) data and voice (VoIP) communication over a public shared network between ATM centres | Medium | High | Low | Exposed to network-based attacks (sniffing, MITM, session hijacking, phishing and backdoor)
Secured data communication over a public shared network between ATM centres | Medium | High | Low | Encrypted malware uses ATM data as payload to bypass security controls
Inadequate network perimeter and endpoint security controls to inspect and prevent encrypted malware | Medium | High | Medium | ATM system information is exposed to malware attacks.
SQL injection (flight plan, aircraft parameter, route, reporting point, weather and aeronautical information databases) | Low | Very high | Low | Alteration/deletion of safety-critical data from various ATM databases causes catastrophic air safety incidents and leads to excessive flight delays
Privilege escalation attack on an ATM system | Low | Very high | Low | System misconfiguration, disabled decision aids, increased warning or alert thresholds, alteration or deletion of safety-critical data (flight, aeronautical, NOTAM and met info)
Inadequate application and endpoint security protection (virus, worms, Trojan, rootkit, spyware, blended threat and adware) | Medium | Very high | Low | Alteration or deletion of parameter thresholds causing system failure, service degradation, abnormal IT resource allocation, memory overflow and slow response
Remote access session hijacking (admins use remote VPN to troubleshoot ATM systems and networks) | Low | High | Low | Unauthorised configuration of critical network parameters and systems using hijacked sessions
Privilege escalation to ACARS system (ADS-C and CPDLC messages) | Low | High | Low | Unauthorised feeding of ATC clearance messages to the aircraft's navigation system causing unsafe flight operation
Privilege escalation to Notice to Airmen (NOTAM) system | Low | Medium | Very low | Falsified ATM information is disseminated among ATM stakeholders causing aircraft to fly longer routes.
No software patch management for ATM systems (leading to zero-day attack) | Medium | High | Medium | The vulnerability is leveraged in live attacks to gain access to systems and force aircraft to deviate to conflicting routes violating ATC separation minima.
No Disaster Recovery Plan (DRP) or Business Continuity Plan (BCP) for ATM services | Medium | High | Low | Extensive system availability reduction in incidents, data breaches or disasters. ATC services to aircraft in the affected FIRs incur extended delays.
No Security Information and Event Management (SIEM) mechanism for ATM system and network admin operations | Low | High | Low | No assurance that all actions performed are logged, and for a period that can satisfy both regulatory and consumer needs. Impossible to conduct forensic investigations.
Unauthorized interception of wireless ATC data communication | Low | Low | Very low | Forcefully injected ATC clearance for landing or take-off causing runway intrusions
DoS attack on core/distribution network connecting adjacent ATSP facilities | Low | High | Low | Extended length of service outages causing excessive delays due to communication and surveillance failures
Attack on symmetric key (known plaintext, chosen plaintext or chosen ciphertext) between avionics and ATM system when using encrypted data communication | Very low | High | Very low | Command and control data communication revealed/altered, causing catastrophic air safety incidents and excessive flight delays
Inadequate ATM system physical security and access controls | Very low | Medium | Very low | Unauthorized access to systems compromises availability, confidentiality and integrity
No patching on GPS RAIM servers | Low | High | Low | An extended period of delays due to increased separation (GPS RAIM servers predict GPS outages for pilots during the pre-flight planning process and notify ATCs of these outages as well).
No ATM incident response plan for possible cyber-attacks | Medium | High | Low | Severe effects on ATM services and business operations
Exploitation of vulnerabilities in an organisation's information systems | Low | Low | Very low | The threat exploits coding bugs or design flaws (e.g. buffer overflows, improper validation of input)

Airport, Airline and ANSP Network

Risk/Vulnerability | Likelihood [1-100] | Severity [1-100] | Risk Rating [0-100] | Comment
--- | --- | --- | --- | ---
Spear phishing attack targeting key executives/administrators and attacking their computers with malware | High | High | Medium | Escalated credentials to gain control over host computers and secured servers and networks for market information. Loss of economic advantage for their businesses. Theft of operational data relating to flights and intelligence on airport operators and partners.
Ransomware attacks targeting executives, administrators and key employees | Medium | Medium | Low | Obtaining financial reward or ransom in exchange for cancellations or flight disruptions
State-sponsored reconnaissance attack (attackers with a large number of resources at their disposal and highly skilled) | Low | High | Low | Loss of valuable information on vulnerable networks/systems and services over a long period.
Trojan, phishing, spam and social engineering attack on aviation IT infrastructure | Low | Medium | Low | Reconnaissance attacks to steal information from network systems and services
Use of internal infected sources (PCs) or networks as emitters to conduct botnet attacks | Medium | High | Medium | Passengers or airlines press charges. This causes the aviation industry to incur heavy penalties, fines, loss of confidence and potentially brings organizations into disrepute
Insecure physical access to IT infrastructure | Low | High | Low | Destruction or misconfiguration of airport IT systems. Exposure to multiple cyber-attacks, loss of confidence and significant revenue loss for the airport operator and airlines.
Use of legacy ICS on airport infrastructure with remote monitoring via the Internet | Medium | High | Medium | Hackers gain unauthorised access to airport infrastructure: power, ramp, water, baggage, X-ray, HVAC and lighting systems. The attack is carried out using inherent security holes of legacy ICS and the Internet.
Integration of less secure legacy technology systems with secure systems | Medium | Medium | Low | Hackers gain access to secure systems through the insecure system
Employees or contractors misuse restricted information either accidentally or deliberately (e.g. when threatened by terrorists) | Low | High | Low | Potential cyber-attacks cause major disruptions, infrastructure shutdown or destruction
Use of shared logins in aviation and airport systems (e.g. airline ticketing, ramp handling and maintenance/control systems) | Low | Medium | Very low | Unauthorized access to personally identifiable information (PII); information is changed, stolen or deleted. No accountability can be established in the event of a security breach.
Use of uncertified/unaccredited commercial off-the-shelf (COTS) devices in airport systems | Very high | Medium | Medium | Unauthorized access to the airport security system, badging, authentication, CCTV, customs, immigration, passenger screening, perimeter intrusion detection systems and emergency response system
Distributed Denial-of-Service (DDoS) (as a botnet attack) | Low | Medium | Very low | Prevents legitimate users from accessing information and saturates the information system. Impact on physical operation of core services. No up-to-date weather forecasts, which could be critical in case of low visibility or snowy conditions. Slow system response time
Use of default passwords in systems, remote and maintenance web consoles (unauthorized use of airport IT infrastructure) | High | Medium | Low | Unauthorised control of infrastructure and possible misconfigurations causing system outages and malfunctions.
Advanced persistent threat (APT) | Very low | Medium | Very low | Theft of intellectual, strategic/tactical or proprietary data, trade secrets or PII.
Use of open communication protocols for remote access and control | Low | Medium | Very low | Abuse of de-icing, met, airfield lighting, taxi/runway guidance, catering and aircraft maintenance systems via communication links
Use of unencrypted communication for ACARS and ATN (satellite and ground-based) systems | Low | High | Low | Alteration/deletion of aircraft position & messages (ADS-C/CPDLC), performance reporting and route and level clearances.
Inadequate security configuration for LAN/WAN IT equipment hardware/software | Low | High | Low | Dissemination of incorrect flight information to the targeted airports using a major messaging service (such as IATA's) deployed around the world and used by airlines and airports
Unsecured physical network access to arrival/departure control, ramp, fuel, catering and maintenance systems | Low | Low | Very low | Aircraft in holding patterns for extended periods. Extended delays on taxiways, airfields and gates.
SQL injection to Flight Information Display System (FIDS) | Medium | Very low | Very low | Alteration or deletion of flight information on terminal displays and disruption of operations.
Excessive admin privileges or abuse of database privileges on the staff authentication system (Biometric Identification System) | Very low | Very high | Very low | False positive acceptance and authorized personnel denied access. Unauthorised people are allowed into restricted airport areas.
Malware attack on freight/cargo/mail management system (weight and cargo screening) | Low | Medium | Low | Incorrect parameterisation of aircraft weight and balance distribution, and contraband items allowed on board, endangering aircraft operation
Open physical network and communication ports on critical infrastructure | Low | Low | Very low | Allow unauthorized personnel to gain access to infrastructure via the open, unsecured ports
Use of Supervisory Control And Data Acquisition (SCADA) without adequate security controls | Medium | Medium | Low | Unauthorised control or modification of airport infrastructure, possible shutdown or abnormal operation.
Fraudulent deployment of hardware/malware | Very low | Medium | Very low | Remote eavesdropping, espionage, and larceny of documents or media.
Radiation disturbance (electromagnetic and thermal) | Very low | Medium | Very low | Loss of data and voice communication or data corruption
Uncontrolled downloading and use of software (no software zero trust or block listing) | Medium | Medium | Low | Malware and Trojan infection open the door for cyber attacks
Poor supply chain security | Low | High | Low | Unauthorized injection of malware or hardware tampering compromises integrity or infiltrates the system

System Wide Information Management (SWIM)

Risk/Vulnerability | Likelihood [1-100] | Severity [1-100] | Risk Rating [0-100] | Comment
--- | --- | --- | --- | ---
Inadequate security policies and procedures | Low | High | Low | Cause lasting damage to enterprise services
No data classification | Medium | High | Low | Not able to apply appropriate security controls for each class of data. Increased cost of maintaining data/information
No authentication | Low | Very high | Low | Impersonation or access violation
Loss of Public Key Infrastructure (PKI) security credentials | Low | High | Low | Disclosure of secure or confidential data to unauthorized parties
Network attack on SWIM (malware or injection of falsified information) | Low | High | Low | SWIM network is not updated, or its partners are updated with falsified data
Blended attack (consists of several attacks with one being obvious) | Medium | Medium | Low | The real threat is obscured by the first attack and causes heavy financial loss
The data encryption mechanism or secret key being used is compromised | Low | High | Low | Loss of data confidentiality, theft of media, data breach
No software patch management | Low | High | Low | The systems are vulnerable to zero-day attack
No physical security control for SWIM hardware, servers and infrastructure | Low | High | Low | Corruption of data, illegal processing of data, tampering with data and software, remote spying
No intrusion-prevention system (IPS) (preferably at the edge of the network, after the firewall) | Low | High | Low | Reduced availability, and a fail-open mechanism lets traffic pass the network boundary with no inspection
No firewalls or intrusion detection systems installed to protect the SWIM network | Low | High | Low | Leaves the network vulnerable to abuse, allowing viruses to infect interconnected devices and allowing cybercriminals to execute malicious code remotely
DoS attack on SWIM network connecting ANSP facilities | Low | High | Low | Extended length of service outages causing excessive delays due to communication and surveillance failures
Poor access management (no principle of least privilege) | Low | Medium | Low | Inability to track and audit user activity to a specific person should there be any errant behaviour
Bring your own device (BYOD) with a lack of user access control | Low | Medium | Low | Authorized employees exploiting their privileged access rights using the devices, and loss of a device, would compromise stored classified data
SQL injection to the flight plan, trajectory, weather and aeronautical database | Low | High | Low | Database backend components are attacked through the web interface to alter/delete database records
Inadequate or no Security Information and Event Management (SIEM); no traceability and forensics | Medium | Medium | Low | No assurance that all actions performed are logged to satisfy both regulatory and consumer needs
Poorly designed SWIM web interfaces | Low | High | Low | Disclosure of end users' session tokens. Exposure to web and database vulnerabilities
Poor password policy | Low | Medium | Very low | Attackers could guess (or brute force) users' passwords to gain access to systems
No Data Loss Prevention (DLP) mechanism | Low | Medium | Low | DLP identifies, monitors and protects data in use, in motion and at rest on the SWIM network
Poor supply chain security | Low | High | Low | Unauthorized injection of malware or hardware tampering compromises integrity or infiltrates the system

Ground Navigational and Landing Aid

Risk/Vulnerability | Likelihood [1-100] | Severity [1-100] | Risk Rating [0-100] | Comment
--- | --- | --- | --- | ---
Malware infection of landing aids and navigational systems (such as ILS, DVOR, DME, GBAS, ASMGCS and AWOS) | Low | High | Low | Incorrect navigational or landing aid guidance causes aircraft to crash. Risk of shutting down equipment when aircraft heavily rely on these systems (e.g. blind landing in bad weather)
Use of unencrypted communication for control and monitoring of airport infrastructure | Medium | Medium | Low | Unauthorised access to system parameters. System shutdown can be performed by injecting a bit pattern into the communication.
Use of legacy ICS, PLC and SCADA devices on airport infrastructure | High | Medium | Low | Hackers gain access to airport infrastructure: Instrument Landing Systems, direction finders, radar, ASMGCS, runway visual range, taxi guidance system and distance measuring equipment
No software or firmware updates; vulnerabilities remain unaddressed during the equipment lifecycle | Medium | Medium | Low | Hackers gain access to ATM system controls.
Appendix B: Cybersecurity Industry
Certifications gained by the author

Certified Information Systems Security Professional

Certified Cloud Security Professional

Certified Information Systems Auditor

Appendix C: Best Student Paper Award - Cybersecurity Risk Assessment

Best Paper Awards for ICNS 2019

Appendix D: MATLAB Code - MATLAB & Simulink - MathWorks

Fuzzy Logic System 1


[System]
Name='FLS1'
Type='mamdani'
Version=2.0
NumInputs=2
NumOutputs=1
NumRules=25
AndMethod='min'
OrMethod='max'
ImpMethod='min'
AggMethod='max'
DefuzzMethod='centroid'

[Input1]
Name='ThreatLevel'
Range=[0 100]
NumMFs=5
MF1='Negligible':'trapmf',[0 0 7.5 17.5]
MF2='low':'trapmf',[7.5 17.5 32.5 42.5]
MF3='Moderate':'trapmf',[32.5 42.5 57.5 67.5]
MF4='high':'trapmf',[57.5 67.5 82.5 92.5]
MF5='VeryHigh':'trapmf',[82.5 92.5 100 100]

[Input2]
Name='Likelihood'
Range=[0 100]
NumMFs=5
MF1='VeryLow':'trapmf',[0 0 7.5 17.5]
MF2='Low':'trapmf',[7.5 17.5 32.5 42.5]
MF3='Medium':'trapmf',[32.6703577512777 42.6703577512777 57.6703577512777 67.6703577512777]
MF4='high':'trapmf',[57.5 67.5 82.5 92.5]
MF5='VeryHigh':'trapmf',[82.5 92.5 100 100]

[Output1]
Name='ThreatOccurrenceFactor(TOF)'
Range=[0 100]
NumMFs=4
MF1='low':'trimf',[0 12.5 25]
MF2='medium':'trimf',[25 37.5 50]
MF3='mediumhigh':'trimf',[50 62.5 75]
MF4='high':'trimf',[75 87.5 100]

[Rules]
1 1, 1 (1) : 1
1 2, 1 (1) : 1
1 3, 1 (1) : 1
1 4, 2 (1) : 1
1 5, 3 (1) : 1
2 1, 1 (1) : 1
2 2, 1 (1) : 1
2 3, 1 (1) : 1
2 4, 2 (1) : 1
2 5, 3 (1) : 1
3 1, 2 (1) : 1
3 2, 2 (1) : 1
3 3, 2 (1) : 1
3 4, 3 (1) : 1
3 5, 4 (1) : 1
4 1, 2 (1) : 1
4 2, 2 (1) : 1
4 3, 3 (1) : 1
4 4, 3 (1) : 1
4 5, 4 (1) : 1
5 1, 3 (1) : 1
5 2, 3 (1) : 1
5 3, 3 (1) : 1
5 4, 4 (1) : 1
5 5, 4 (1) : 1
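As an added example (not the thesis' MATLAB/Simulink code), the following pure-Python Mamdani engine reproduces FLS1 above, with its trapmf/trimf membership functions, min for AND and implication, max for aggregation and centroid defuzzification on a discretised universe, so the rule base can be exercised without the Fuzzy Logic Toolbox. The function names and the 0.5 grid step are this example's own choices; the rule grid carries one consequent per (ThreatLevel, Likelihood) pair.

```python
# Added example (not the thesis' MATLAB code): a pure-Python Mamdani engine
# that reproduces FLS1 from Appendix D (ThreatLevel x Likelihood -> TOF).
# Function names and the 0.5 grid step are this example's own choices.


def trapmf(x, a, b, c, d):
    """Trapezoidal MF with MATLAB trapmf semantics: 0 at a, 1 on [b, c], 0 at d."""
    if b <= x <= c:
        return 1.0
    if a < x < b:
        return (x - a) / (b - a)
    if c < x < d:
        return (d - x) / (d - c)
    return 0.0


def trimf(x, a, b, c):
    """Triangular MF with MATLAB trimf semantics: 0 at a, 1 at b, 0 at c."""
    if x == b:
        return 1.0
    if a < x < b:
        return (x - a) / (b - a)
    if b < x < c:
        return (c - x) / (c - b)
    return 0.0


# Membership functions copied from the FLS1 [Input1], [Input2] and [Output1] sections.
THREAT_LEVEL = [
    ("Negligible", trapmf, (0, 0, 7.5, 17.5)),
    ("low", trapmf, (7.5, 17.5, 32.5, 42.5)),
    ("Moderate", trapmf, (32.5, 42.5, 57.5, 67.5)),
    ("high", trapmf, (57.5, 67.5, 82.5, 92.5)),
    ("VeryHigh", trapmf, (82.5, 92.5, 100, 100)),
]
LIKELIHOOD = [
    ("VeryLow", trapmf, (0, 0, 7.5, 17.5)),
    ("Low", trapmf, (7.5, 17.5, 32.5, 42.5)),
    ("Medium", trapmf, (32.6703577512777, 42.6703577512777,
                        57.6703577512777, 67.6703577512777)),
    ("high", trapmf, (57.5, 67.5, 82.5, 92.5)),
    ("VeryHigh", trapmf, (82.5, 92.5, 100, 100)),
]
TOF = [
    ("low", trimf, (0, 12.5, 25)),
    ("medium", trimf, (25, 37.5, 50)),
    ("mediumhigh", trimf, (50, 62.5, 75)),
    ("high", trimf, (75, 87.5, 100)),
]

# FLS1 rule grid: (ThreatLevel MF, Likelihood MF) -> TOF MF, 1-based as in the
# .fis [Rules] section, with exactly one consequent per antecedent pair.
RULES = {
    (1, 1): 1, (1, 2): 1, (1, 3): 1, (1, 4): 2, (1, 5): 3,
    (2, 1): 1, (2, 2): 1, (2, 3): 1, (2, 4): 2, (2, 5): 3,
    (3, 1): 2, (3, 2): 2, (3, 3): 2, (3, 4): 3, (3, 5): 4,
    (4, 1): 2, (4, 2): 2, (4, 3): 3, (4, 4): 3, (4, 5): 4,
    (5, 1): 3, (5, 2): 3, (5, 3): 3, (5, 4): 4, (5, 5): 4,
}


def fuzzify(x, mfs):
    """Degree of membership of crisp x in each linguistic term."""
    return [fn(x, *params) for _, fn, params in mfs]


def infer_tof(threat_level, likelihood, step=0.5):
    """Mamdani inference as FLS1 is configured: AndMethod=min, ImpMethod=min,
    AggMethod=max, DefuzzMethod=centroid.  The universe [0, 100] is discretised
    on a symmetric grid (MATLAB's default is 101 points; 201 here)."""
    mu_t = fuzzify(threat_level, THREAT_LEVEL)
    mu_l = fuzzify(likelihood, LIKELIHOOD)
    # Firing strength per output term: max over the rules that conclude it.
    strength = [0.0] * len(TOF)
    for (i, j), k in RULES.items():
        strength[k - 1] = max(strength[k - 1], min(mu_t[i - 1], mu_l[j - 1]))
    # Clip each output MF at its strength (implication), take the pointwise
    # max (aggregation) and return the centroid of the aggregated shape.
    xs = [n * step for n in range(int(100 / step) + 1)]
    agg = [max(min(strength[k], fn(x, *p)) for k, (_, fn, p) in enumerate(TOF))
           for x in xs]
    area = sum(agg)
    if area == 0.0:
        return None  # no rule fired: input lies outside every MF's support
    return sum(x * m for x, m in zip(xs, agg)) / area


def tof_label(score):
    """Map a crisp TOF score back to the output term it belongs to most."""
    return max(TOF, key=lambda term: term[1](score, *term[2]))[0]


if __name__ == "__main__":
    # Constructed inputs: a very high threat level that is very likely to occur.
    tof = infer_tof(95, 95)
    print(f"TOF = {tof:.1f} ({tof_label(tof)})")  # TOF = 87.5 (high)
```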

Fuzzy Logic System 2

[System]
Name='FLS2'
Type='mamdani'
Version=2.0
NumInputs=2
NumOutputs=1
NumRules=15
AndMethod='min'
OrMethod='max'
ImpMethod='min'
AggMethod='max'
DefuzzMethod='centroid'

[Input1]
Name='ThreatOccurrenceFactor(ToF)'
Range=[0 100]
NumMFs=5
MF1='verylow':'trapmf',[0 0 7.5 17.5]
MF2='low':'trapmf',[7.5 17.5 32.5 42.5]
MF3='medium':'trapmf',[32.5 42.5 57.5 67.5]
MF4='high':'trapmf',[57.5 67.5 82.5 92.5]
MF5='Veryhigh':'trapmf',[82.5 92.5 100 100]

[Input2]
Name='Vulnerability'
Range=[0 100]
NumMFs=3
MF1='Low':'gbellmf',[25 2.5 -4.441e-16]
MF2='Medium':'gbellmf',[25 2.5 50]
MF3='High':'gbellmf',[25 2.5 100]

[Output1]
Name='ThreatRealizationFactor(TRF)'
Range=[0 100]
NumMFs=5
MF1='VeryLow':'trimf',[0 10 20]
MF2='Low':'trimf',[20 30 40]
MF3='Medium':'trimf',[40 50 60]
MF4='High':'trimf',[60 70 80]
MF5='VeryHigh':'trimf',[80 90 100]

[Rules]
1 1, 1 (1) : 1
1 2, 1 (1) : 1
1 3, 2 (1) : 1
2 1, 1 (1) : 1
2 2, 2 (1) : 1
2 3, 3 (1) : 1
3 1, 2 (1) : 1
3 2, 3 (1) : 1
3 3, 4 (1) : 1
4 1, 3 (1) : 1
4 2, 4 (1) : 1
4 3, 5 (1) : 1
5 1, 4 (1) : 1
5 2, 5 (1) : 1
5 3, 5 (1) : 1

Fuzzy Logic System 3

[System]
Name='FLS3'
Type='mamdani'
Version=2.0
NumInputs=2
NumOutputs=1
NumRules=25
AndMethod='min'
OrMethod='max'
ImpMethod='min'
AggMethod='max'
DefuzzMethod='centroid'

[Input1]
Name='TRF'
Range=[0 100]
NumMFs=5
MF1='VeryLow':'trapmf',[0 0 7.5 17.5]
MF2='low':'trapmf',[7.5 17.5 32.5 42.5]
MF3='medium':'trapmf',[32.5 42.5 57.5 67.5]
MF4='high':'trapmf',[57.5 67.5 82.5 92.5]
MF5='Veryhigh':'trapmf',[82.5 92.5 100 100]

[Input2]
Name='AssetValue'
Range=[0 100]
NumMFs=5
MF1='Insignificant':'gauss2mf',[0.08493 0 3.397 8.5]
MF2='Minor':'gauss2mf',[3.397 16.5 3.397 33.5]
MF3='Moderate':'gauss2mf',[3.397 41.67 3.397 58.67]
MF4='Major':'gauss2mf',[3.397 66.5 3.397 83.5]
MF5='Catastrophic':'gauss2mf',[3.397 91.76 0.08493 100.3]

[Output1]
Name='ToF'
Range=[0 100]
NumMFs=5
MF1='VeryLow':'trimf',[0 10 20]
MF2='Low':'trimf',[20 30 40]
MF3='Medium':'trimf',[40 50 60]
MF4='High':'trimf',[60 70 80]
MF5='VeryHigh':'trimf',[80 90 100]

[Rules]
1 1, 1 (1) : 1
1 2, 1 (1) : 1
1 3, 1 (1) : 1
1 4, 2 (1) : 1
1 5, 3 (1) : 1
2 1, 1 (1) : 1
2 2, 1 (1) : 1
2 3, 2 (1) : 1
2 4, 3 (1) : 1
2 5, 4 (1) : 1
3 1, 1 (1) : 1
3 2, 2 (1) : 1
3 3, 3 (1) : 1
3 4, 4 (1) : 1
3 5, 5 (1) : 1
4 1, 2 (1) : 1
4 2, 3 (1) : 1
4 3, 4 (1) : 1
4 4, 5 (1) : 1
4 5, 5 (1) : 1
5 1, 3 (1) : 1
5 2, 4 (1) : 1
5 3, 5 (1) : 1
5 4, 5 (1) : 1
5 5, 5 (1) : 1

Fuzzy Logic System 4


[System]
Name='FLS4'
Type='mamdani'
Version=2.0
NumInputs=2
NumOutputs=1
NumRules=25
AndMethod='min'
OrMethod='max'
ImpMethod='min'
AggMethod='max'
DefuzzMethod='centroid'

[Input1]
Name='LossExpectancy'
Range=[0 100]
NumMFs=5
MF1='VeryLow':'trapmf',[0 0 7.5 17.5]
MF2='low':'trapmf',[7.5 17.5 32.5 42.5]
MF3='medium':'trapmf',[32.5 42.5 57.5 67.5]
MF4='high':'trapmf',[57.5 67.5 82.5 92.5]
MF5='Veryhigh':'trapmf',[82.5 92.5 100 100]

[Input2]
Name='ARO'
Range=[0 100]
NumMFs=5
MF1='VeryLow':'gbellmf',[9.898 3.278 5.898]
MF2='Low':'gbellmf',[12.5 6.25 25]
MF3='Medium':'gbellmf',[12.5 6.25 50.17]
MF4='High':'gbellmf',[12.5 6.25 75]
MF5='VeryHigh':'gbellmf',[8.27 4.135 96.03]

[Output1]
Name='AnnualizedLossExpectancy(ALE)'
Range=[0 100]
NumMFs=5
MF1='VeryLow':'trimf',[0 10 20]
MF2='Low':'trimf',[20 30 40]
MF3='Medium':'trimf',[40 50 60]
MF4='High':'trimf',[60 70 80]
MF5='VeryHigh':'trimf',[80 90 100]

[Rules]
1 1, 1 (1) : 1
1 2, 1 (1) : 1
1 3, 1 (1) : 1
1 4, 2 (1) : 1
1 5, 3 (1) : 1
2 1, 1 (1) : 1
2 2, 1 (1) : 1
2 3, 2 (1) : 1
2 4, 3 (1) : 1
2 5, 4 (1) : 1
3 1, 1 (1) : 1
3 2, 2 (1) : 1
3 3, 3 (1) : 1
3 4, 4 (1) : 1
3 5, 5 (1) : 1
4 1, 2 (1) : 1
4 2, 3 (1) : 1
4 3, 4 (1) : 1
4 4, 5 (1) : 1
4 5, 5 (1) : 1
5 1, 3 (1) : 1
5 2, 4 (1) : 1
5 3, 5 (1) : 1
5 4, 5 (1) : 1
5 5, 5 (1) : 1

Appendix E: Peer-reviewed published research papers

• A systems engineering approach to appraise cybersecurity risks of CNS/ATM and avionics systems
  L Bogoda, J Mo, C Bil
  2019 Integrated Communications, Navigation and Surveillance Conference (ICNS),
  Dulles Airport, Herndon, Washington, USA, 9-11 April 2019.

• A risk-oriented systems engineering approach to address cyber security issues of civil aircraft, air traffic management and airports systems
  L Bogoda, J Mo, C Bil
  AIAC18: 18th Australian International Aerospace Congress (2019): HUMS - 11th Defence Science and Technology (DST) International Conference on Health and Usage Monitoring (HUMS 2019): ISSFD - 27th International Symposium on Space Flight Dynamics (ISSFD), Conference Paper, 01 January 2019,
  Crown Promenade, Crown Melbourne, Australia, 24-26 February 2019.

• Safety and Security considerations in the certification of next-generation avionics and air traffic management systems
  E Batuwangala, L Bogoda, S Ramasamy, R Sabatini
  Australian International Aerospace Congress 2017,
  Melbourne, Australia, 26-28 February 2017

• An interoperability assessment model for CNS/ATM systems
  E Batuwangala, L Bogoda, R Sabatini, S Ramasamy
  38th Australasian Transport Research Forum (ATRF) 2016,
  Melbourne, Australia, 16-18 November 2016

-End-