Control Consistency as a Management Tool: The Identification of Systematic Security Control Weaknesses in Air Traffic Management

Research output: Contribution to journalArticlepeer-review

Abstract

In 2008 EUROCONTROL published Information and Communications Technology (ICT) Security Guidance to Air Navigation Service Providers (ANSPs), to assist them in complying with regulatory security requirements. This included a visualisation tool which allowed the consistency of control sets to be reviewed and communicated: consistency being the degree to which more sophisticated controls were supported by core controls. The validation of that guidance included surveys which were conducted to contrast current practice in European ANSPs with a baseline control set based on ISO/IEC 27001:2005. The consistency test revealed significant gaps in the control strategies of these organisations: despite relatively sophisticated control regimes there were areas which lacked core controls. Key missing elements identified in the ANSPs surveyed include security management and senior management engagement, system accreditation, the validation and authentication of data used by ATM systems, incident management, and business continuity preparedness. Since anonymity requires that little can be said about the original surveys these results are necessarily indicative, so the paper contrasts these findings with
contemporaneous literature, including audit reports on security in US ATM systems. The two sources prove to be in close agreement, confirming the value of the control consistency view in providing an overview of an organisation's security control regime.
Original languageEnglish
Number of pages17
JournalInternational Journal of Critical Computer-Based Systems
Volume6
Issue number3
DOIs
Publication statusPublished - 1 Oct 2016

Bibliographical note

© 2016 Inderscience Enterprises Ltd. This is an author-produced version of the published paper. Uploaded in accordance with the publisher’s self-archiving policy. Further copying may not be permitted; contact the publisher for details

Cite this