Centralised Service 6-7 Operations and Coordination of ... · IMPROVING EUROPEAN ATM CYBER-SECURITY...


Ensuring the resilience of centralised services’ cyber-security and sharing cyber intelligence

Centralised Service 6-7 Operations and Coordination of Network Security

EUROCONTROL


IMPROVING EUROPEAN ATM CYBER-SECURITY

CS6-7 (Operations and Coordination of Network Security) is a service aimed at coordinating cyber-security issues, consolidating ATM network cyber-security alerts/incidents and recommending actions when and if needed. This will strengthen the cyber-security of European ATM systems, reducing the risk of ATM/ANS service disruption or system corruption/compromise.

Sharing cyber intelligence

The ICAO Civil Aviation Cyber Security Action Plan recommends:

• establishing the mechanisms and means to share and communicate information, including identification of threats, reporting of incidents and development of defences;
• communicating threat-related information and assuring situational awareness.

The ICAO 39th assembly calls upon States and industry Stakeholders to take the following actions to counter cyber threats to civil aviation:

a. encourage Government/industry coordination with regard to aviation cyber-security strategies, policies, and plans, as well as sharing of information to help identify critical vulnerabilities that need to be addressed;

b. develop and participate in Government/industry partnerships and mechanisms, nationally and internationally, for the systematic sharing of information on cyber threats, incidents, trends and mitigation efforts.

CS6-7 aims to achieve these goals by setting up a pan-European ATM Centre in charge of collecting cybersecurity incidents and alerts from ATM Stakeholders on a voluntary basis, coordinating the response to cybersecurity incidents/alerts and generating and sharing ATM-relevant cyber intelligence.


“The modernisation of the air traffic management (ATM) system is leading to an increasingly interconnected system of systems, as part of ICAO’s System Wide Information Management (SWIM), requiring the aviation community to take a joint and consistent approach when addressing any security risks to ATM operations.

Centralised Service 6-7 will tackle this with the setting-up of a European ATM Computer Emergency Response Team (EATM-CERT) which will aim to constantly exchange cyber intelligence with trusted partners and coordinate the response to pan-European ATM cyber-security incidents in order to ensure the speedy recovery of ATM operations to normal service.

CS6-7 will also set up a Security Operations Centre (SOC) for

Frank Brenner, Director General of EUROCONTROL


“ICAO is significantly concerned about the risks to aviation safety presented by the exponential development of cyber-security threats to its operations. Our experience to date in solving safety issues at the global level relies very heavily on the sharing of information to inform the strategic direction of safety risk countermeasures. I believe this particular information-sharing initiative is an extremely important element in determining the future work that needs to be undertaken at a global level to counter the rising safety risk of cyber-security threats.”

Stephen Creamer, Director Air Navigation Bureau, International Civil Aviation Organization (ICAO)


“Security is a common value that goes through an effective system of cooperation, prevention and analysis in a highly technical and sensitive environment, which is the provision of air navigation services. The challenge of CS6-7 is the creation of a European system to support the protection of fundamental rights involved in air traffic management and actively contributing to individual Member States’ initiatives to achieve the highest levels of security.”

Francesco Di Maio, Head of the Security Department, ENAV Italian Air Navigation Services


“We are all experiencing an increase in cyber threats in terms of frequency, level of sophistication and scope. We have to raise the bar to make it more difficult for our adversaries and detect them more quickly when they succeed. The work of the CSIRT/CERT is key to addressing this challenge. We are very pleased to have EUROCONTROL as one of our trusted partners.”

Freddy Dezeure, Head of the EU Computer Emergency Response Team (CERT-EU)


INTRODUCTION

Most of today’s ATM systems are already using the Internet Protocol (IP) to exchange operational data and voice messages. In the near future, most of the European ATM systems will be part of the system wide information management (SWIM) net-centric architecture, as foreseen in the ICAO Global Air Navigation Plan (GANP). This architecture will be based on wide area network (WAN) and will consequently form a single cyber space (ATM network) which could be subject to cyber-attacks.

To mitigate these risks, cyber intelligence and security measures must be shared and seamlessly implemented and coordinated across the ATM network.

CS6-7 is composed of an EATM-CERT* (European ATM Computer Emergency Response Team) in charge of collecting, generating and sharing cyber intelligence as well as coordinating the pan-European response to cyber-security alerts/incidents for the benefit of the European ATM network and in compliance with the framework required by the NIS Directive. It also comprises a Security Operations Centre (SOC) for all Centralised Services and for those Stakeholders wishing, on a voluntary basis, to delegate (entirely or partially) their SOC to the CS6-7.

The present CONOPS will be validated by a Demonstrator (Phase 1) before the service is put into operation (Phase 2).

CS6-7 is a service for coordinating cyber-security, consolidating ATM network cyber-security alerts/incidents and recommending actions when and if needed.

BUSINESS OPPORTUNITY

Centralised services are contributing significantly to the Single European Sky performance targets and support the implementation of SESAR developments.

They encourage air navigation service providers and the ATM manufacturing industry to work together to develop innovative solutions and provide services beyond national boundaries, covering the airspace of the EUROCONTROL Member States and positioning themselves on the world scene.

CS6-7/CS SOC will be run under a contract let by EUROCONTROL in its capacity as Network Manager, whereas CS6-7/EATM-CERT will be operated directly by EUROCONTROL. The service will be provided to the ANSPs and Airport Operators of all EUROCONTROL Member States.

SCOPE OF CS6-7

The scope of CS6-7 covers the generation and sharing of ATM-relevant cyber-security intelligence, the coordination of the pan-European response to cyber-security alerts/incidents in the ATM network, the management of cyber-security alerts/incidents for all Centralised Services, and the operation of a Security Operations Centre for those Stakeholders wishing, on a voluntary basis, to delegate (entirely or partially) these operations to the CS6-7.

This service will consolidate ATM network cyber-security alerts/incidents and recommend actions when and if needed (e.g. in the event of a cyber-attack).

CS6-7 does not address physical, organisational or personnel security.

*EATM-CERT: Carnegie-Mellon University has granted a license to EUROCONTROL for the use of the Mark.

COMPONENTS

The CS6-7 has two main service categories:

1. EATM-CERT (ATM Computer Emergency Response Team)

2. Security Operation Centre (SOC)

For both, a progressive approach has been adopted which consists in gradually introducing certain sets of services.

Progressive introduction of service sets (reconstructed from the figure):

Cyber Intelligence Services (CERT)
  1st set (core): alerts, announcements, response coordination, artifacts
  2nd set: IDS, penetration testing, technology watch...

Cyber Resilience Services (SOC)
  1st set (core): monitoring, analysis, investigation
  2nd set: vulnerability, audits

Advanced Cyber Services: forensics, assessments, training...

[Figure: CS6-7 information flows. CS6-7 (ATM CERT, CS SOC, D-SOC, SIEM and CS 6-7 tools) exchanges cyber intelligence with EACCC, EUROPOL, CERT-EU, ENISA, NATO/EDA, EASA (ECCSA), National CERTs, EA-ISAC and an ATM cyber intelligence provider (US and other regions’ ATM CERTs). It receives logs from CS security devices and applications and, under bilateral agreements, from ATM Stakeholder SOCs (ANSP/ACC), and network security incidents from the NewPENS and EAGDCS NOCs. It returns alerts/incidents, serious incidents and recommendations to the CSs and ATM Stakeholders.]


EATM-CERT

The European ATM CERT part of CS6-7 is a team of IT security experts whose main business is to prevent and respond to cyber-security incidents. The team will have a good knowledge and understanding of the European ATM architecture, systems and network in order to ensure the relevance of cyber intelligence or recommendations to the ATM community. It provides the services necessary to handle such incidents and to help its constituents (ATM Stakeholders on a voluntary basis under SLA, and the centralised services, NM, MUAC and CRCO) prevent and/or recover from breaches.

EATM-CERT has the role of alerting all ATM stakeholders by generating cyber intelligence.

Its core services are:

• alerts and warnings;
• dissemination of announcements/security-related information;
• coordination of responses to pan-European ATM cyber-security events/incidents, relying on cyber-security incident analysis and response support;
• artifact handling, including artifact analysis, response and response coordination.

Once experience is gained and a significant number of CSs and ATM Stakeholder SOCs are operational, a second set of services will be provided:

• intrusion detection service;
• penetration testing;
• technology watch.

The EATM-CERT operating environment (e.g. tools, use cases, procedures) will be aligned with that of the CERT-EU. This will ensure not only a cost-effective approach but also an immediately productive and high-quality service delivery. Some services may even be supported by CERT-EU during the early years.

CS-SOC

Each CS will implement its own security measures derived from the specific security risk assessment (SecRA) defined by the respective CS call for tenders and the applicable requirements in the CS architecture document.

All CSs will include applications and security devices/probes (e.g. firewall, anti-virus) that will send raw data (log files) to the CS SOC for analysis and, when relevant, investigation. NewPENS and the European Air-Ground Data Communication Service will send network security incidents, as they will operate their own NOC/SOC (Network Operation Centre/Security Operation Centre). CS6-7 will also act as a security operations centre for itself.

CS SOC will provide the following services:

• Receiving/collecting raw data (log files) detected by CS security and application devices;
• Real-time monitoring and triage of those data to raise cyber-security event(s) using SIEM (security information and event management) and applied intelligence;
• Categorising each cyber-security event;
• Determining whether a cyber-security event warrants further analysis;
• Reviewing logs and reporting any unusual or suspect activities;
• Reporting any unusual behaviours of the systems to the Central Help Desk and to the respective CS SMCR (supervision, monitoring & control and reporting);
• Protecting evidence of a cyber-security event according to customer guidelines and instructions;
• Assessing damage inflicted on a system and/or data together with the relevant CS contractor and reporting information back to the EATM-CERT and any relevant local and government law enforcement;
• Assisting in determining the scope of the intrusion and identifying the point of access or the source of the intrusion;
• Making recommendations to CSs to close the source or point of access of the intrusion. Though done in coordination with the CS SOC and EATM-CERT, implementing recommendations remains the responsibility of the respective CS contractors;
• Categorising the cyber-security incident;
• Determining whether the cyber-security incident warrants further investigation;
• Leading the investigation;
• Maintaining the various databases (events/incidents, vulnerabilities, indicators of compromise (IOC), assets, tickets) and analysing cyber-security incident data;
• Preparing reports and recommendations to the respective CS contractors and EATM-CERT.

Help Desk

EUROCONTROL will organise a central Help Desk to support all centralised services and help Stakeholders.

The SOC services will gradually be introduced as sets of services as the number of CSs being implemented and their security needs increase. These services are supported by a tool set which includes a SIEM (security information & event management) tool.

Its core services are:

• Monitoring (Tier 1);
• Analysis (Tier 2);
• Investigation/Hunting (Tier 3).
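The three tiers above, applied to the CS SOC duties listed earlier (collecting raw logs, raising and categorising events, deciding whether an incident warrants investigation, and protecting evidence), as an added illustration in Python. This is not CS6-7's or EUROCONTROL's own tooling: the log line format, the host names and IP addresses, the category table, the deny-then-allow correlation rule and its threshold are all constructed assumptions.

```python
"""Tiered SOC triage over raw log lines: Tier 1 normalises, Tier 2 categorises,
Tier 3 correlates events into incidents and decides whether investigation is
warranted. Added example, not CS6-7 tooling; formats, rule and threshold are
constructed assumptions."""
import hashlib
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample lines in a hypothetical "<timestamp> <host> <ACTION> k=v ..."
# format, standing in for what CS security devices and applications would forward
# to the SIEM. Hosts and addresses are made up (documentation ranges).
SAMPLE_LOGS = [
    "2017-02-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2017-02-01T10:00:02Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2017-02-01T10:00:03Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2017-02-01T10:00:04Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2017-02-01T10:00:05Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2017-02-01T10:00:09Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2017-02-01T10:02:00Z av-host5 MALWARE_DETECTED file=/tmp/x.bin action=quarantined",
    "2017-02-01T10:03:00Z app-cs3 LOGIN_FAILED user=ops1 src=192.0.2.9",
    "2017-02-01T10:05:00Z fw01 ALLOW src=198.51.100.2 dst=10.0.0.8 dport=443",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>[A-Z_]+)(?P<kv>.*)$")

# Tier 2 categorisation table (constructed): action -> (category, severity 0..3).
CATEGORIES = {
    "MALWARE_DETECTED": ("malicious-code", 2),
    "LOGIN_FAILED": ("authentication-failure", 1),
    "DENY": ("blocked-connection", 0),
}


@dataclass
class Event:
    ts: str
    host: str
    action: str
    fields: dict
    raw: str
    category: str = "normal-activity"
    severity: int = 0


def parse_line(line):
    """Tier 1 (monitoring): normalise one raw line, or return None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kv = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    return Event(m.group("ts"), m.group("host"), m.group("action"), kv, line)


def categorise(ev):
    """Tier 2 (analysis): label the event; unknown actions stay 'normal-activity'."""
    ev.category, ev.severity = CATEGORIES.get(ev.action, (ev.category, ev.severity))
    return ev


def evidence_hash(raw_lines):
    """Fingerprint the raw lines backing an incident so they can later be shown
    to be unchanged (the SOC's duty to protect evidence)."""
    return hashlib.sha256("\n".join(raw_lines).encode("utf-8")).hexdigest()


def find_deny_then_allow(events, threshold=5):
    """Tier 3 (investigation): constructed correlation rule. A source denied at
    least `threshold` times to one destination/port and then allowed to it is
    raised as a serious incident, with the supporting lines fingerprinted."""
    denies, seen, incidents = defaultdict(int), defaultdict(list), []
    for ev in events:
        if ev.action not in ("DENY", "ALLOW"):
            continue
        key = (ev.fields.get("src"), ev.fields.get("dst"), ev.fields.get("dport"))
        seen[key].append(ev.raw)
        if ev.action == "DENY":
            denies[key] += 1
        elif denies[key] >= threshold:
            incidents.append({"category": "possible-intrusion", "severity": 3,
                              "src": key[0], "dst": key[1], "dport": key[2],
                              "evidence_sha256": evidence_hash(seen[key])})
    return incidents


def triage(lines, threshold=5):
    """Run the three tiers and return what a CS SOC analyst needs to see."""
    events, malformed = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            malformed.append(line)   # kept for review, never silently dropped
        else:
            events.append(categorise(ev))
    incidents = find_deny_then_allow(events, threshold)
    return {
        "events": events,
        "malformed": malformed,
        "categories": dict(Counter(e.category for e in events)),
        "incidents": incidents,
        # Investigation is warranted for any correlated incident or any single
        # event of severity 2 or more.
        "warrants_investigation": bool(incidents) or any(e.severity >= 2 for e in events),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOGS)
    print(report["categories"], report["incidents"], report["warrants_investigation"])
```

On the sample input the pipeline raises nine events, one correlated possible-intrusion incident (five denied connection attempts from the same source followed by an allowed one) and flags the batch for investigation; the SHA-256 over the supporting raw lines is what would be recorded in the incident ticket so the evidence can be shown to be intact later.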

Once experience has been gained and a significant number of CSs are operational, a second set of services will be provided:

• Vulnerability management;
• Forensic investigation;
• Security assessments:
  - infrastructure review
  - best practice review
  - penetration testing
  - mapping

Delegated Security Operations Centre (D-SOC)

ATM stakeholders who wish to delegate their SOC tasks will benefit from “à la carte” SOC services provided by the CS6-7 Delegated SOC services (D-SOC), subject to bilateral agreements defining the respective roles, responsibilities and liabilities.

A specific bilateral agreement will be drawn up between EUROCONTROL and an ATM Stakeholder wishing to use CS6-7/D-SOC according to its requirements and its system capabilities.


ROLES AND RESPONSIBILITIES

EUROCONTROL will set up a team to manage the CS6-7 services and act as CS6-7 service provider for its Stakeholders.

The EUROCONTROL CS6-7 team shall:

• Develop and maintain the EATM-CERT systems;
• Manage and deliver the EATM-CERT services;
• Endorse the recommendations sent to ATM Stakeholders and to CS contractors;
• Endorse the cyber intelligence disseminated via the CS6-7 website and other means;
• Manage CS6-7/CS SOC and D-SOC contractor development, implementation and operations (including performance);
• Lead the evolution of CS6-7 (progressive introduction of services);
• Be responsible for overall coordination with international organisations (e.g. NATO, EUROPOL, EC, EDA, ENISA, EASA, State cyber-security organisations);
• Set up Service Level Agreements with CS6-7 users and data/cyber intelligence providers;
• Organise CS6-7 governance.

The customers (i.e. users/consumers) of the services provided by the CS6-7 will be the following:

• ATM Stakeholder SOCs: share cyber intelligence and benefit from CS6-7/EATM-CERT recommendations in the event of a pan-European ATM cyber-security event/incident. Some ATM stakeholders may wish to delegate their SOC to CS6-7.
• Centralised Services: recommendations to stop/avoid/remedy cyber-security incidents.
• EDA (the European Defence Agency): cyber-security dashboards; coordination on civil and military security issues.
• Europol EC3 Cyber Crime: notification of any serious breaches of cyber-security which may have been intended to cause a serious incident with air travel.
• CERT-EU (European Union Computer Emergency Response Team): collaboration on threats and risks to European air transport assets and sharing of cyber intelligence. CERT-EU will also share its practices (systems and procedures) with CS6-7/EATM-CERT.
• ENISA (European Network and Information Security Agency): cyber-security dashboards; exchange of information, best practices and knowledge in the field of information security.
• European Aviation Crisis Coordination Cell (EACCC): cyber-security dashboards.
• European Aviation Information Sharing and Analysis Centre (EA-ISAC): CS6-7 (EATM-CERT) will represent the European ATM community in the EA-ISAC to share cyber intelligence. EATM-CERT could also become the analysis centre of EA-ISAC.
• Other non-European ATM organisations (e.g. FAA): share cyber intelligence.
• EASA (European Aviation Safety Agency) - European Center for Cyber Security In Aviation (ECCSA).

The CS6-7/SOC contractor

During CS 6-7/SOC Phase 1, the contractor will set up and validate CS6-7/SOC operations using inputs provided by some CSs and some ATM stakeholder SOCs.

During CS 6-7/SOC Phase 2, it will:

• initiate CS SOC operations progressively by connecting to the CSs’ systems;
• maintain the CS6-7/SOC system, including supporting tools; and
• enhance CS6-7/SOC services, upon request by EUROCONTROL, by setting up additional services, including the D-SOC services.


LINKING CS6-7 TO OTHER CSs

Each CS will operate in (a) given site(s) using an infrastructure composed of network components (switches and routers), security devices (e.g. firewall, anti-virus, intrusion detection system), and different application end systems.

For each CS, a security risk assessment (SecRA) will be conducted to identify specific security risks and propose adequate security controls.

Based on this SecRA, each CS will implement appropriate security controls that will send raw data (e.g. log files) to the CS6-7/CS SOC/SIEM. Those raw data will be processed by the CS6-7/CS SOC.

Consequently, there will be no need to implement a SIEM or a SOC in a CS itself.

CS8/NewPENS and CS9-1 will operate a SOC, as part of their NOC (Network Operations Center), provided by the CS8/NewPENS and CS9-1 network operators/Communication Service Providers. CS8/NewPENS and CS9-1 NOCs will send network-related cyber-security incidents to CS6-7.

CS6-7 TIMELINE

• Following a call for interest (CFI) in March 2014, EUROCONTROL was entrusted by its Member States with developing a demonstrator for CS6-7 in 2014.
• The calls for tenders were launched in September 2015 to those organisations that were accepted as a result of the CFI.
• EUROCONTROL expects to select the consortium to develop the demonstrator mid-2017.
• The contractor will develop a demonstrator over a period of 12 months.
• GO/NO-GO decision for the service.
• The contractor will provide the service during Phase 2 (6 years).

TRAINING ON RESPONSIBILITIES

A training course on Centralised Services is offered by the Institute of Air Navigation Services (IANS), our Training Centre in Luxembourg.

The course describes the overall concept of Centralised Services, its business model, governance and management. This course is designed for anyone who is looking to gain a deep understanding of the Centralised Services approach.

More information on the “Discover Centralised Services” course is available on the EUROCONTROL training zone: http://trainingzone.eurocontrol.int

Governance

The objective is to ensure the participation of the CS6-7 users in the governance process. In the tradition of the EUROCONTROL organisation, transparency is key. An established user steering group will be listened to in order to ensure that the voice of the customers is heard.

Built on Research and Development (SESAR)

As a founding partner of SESAR, EUROCONTROL is participating actively in R&D activities in Europe. Concept developments and validation exercises mould and develop the knowledge of requirements. In line with the work on SESAR and the SES, the CS in general and CS6-7 in particular will allow further evolution of SWIM (System Wide Information Management).

CS6-7 should also be involved in SESAR2020 Large Scale Demonstrations (VLD).

CS6-7 supports the Network Strategy Plan 2015-2019 and the Pilot Common Project Implementation Regulation (PCP IR) No 716/2014.

CS6-7 is compliant with the SES regulations and the NIS Directive, and in line with the SESAR ATM Master Plan directions and objectives. It is a pan-European central service related to the PCP ATM Functionality AF#5 ‘iSWIM’.

GLOSSARY

AF ATM Functionality

ANS Air Navigation Service

ANSP Air Navigation Service Provider

ATM Air Traffic Management

ATS Air Traffic Services

B2B Business to Business

CBA Cost Benefit Analysis

CERT Computer Emergency Response Team

CERT-EU Computer Emergency Response Team for European Union agencies, bodies, council, parliament, commission

CFI Call For Interest

CFT Call For Tenders

CONOPS Concept of Operations

CS Centralised Services

D-SOC Delegated Security Operations Centre

EACCC European Aviation Crisis Coordination Cell

EA-ISAC European Aviation Information Sharing and Analysis Centre

EATM-CERT European ATM Computer Emergency Response Team

ECCSA European Center for Cyber Security in Aviation

EDA European Defence Agency

EASA European Aviation Safety Agency

EC European Commission

ENISA European Network and Information Security Agency

EU European Union

FAA Federal Aviation Administration

GANP Global Air Navigation Plan

IANS Institute of Air Navigation Services

IATA International Air Transport Association

ICAO International Civil Aviation Organisation

IOC Indicator Of Compromise

IP Internet Protocol

IR Implementing Rule

KPI Key Performance Indicator

NATO North Atlantic Treaty Organisation

NM Network Manager

PCP Pilot Common Project

PENS Pan-European Network Service

R&D Research and Development

SecRA Security Risk Assessment

SES Single European Sky

SESAR Single European Sky Air Traffic Management Research

SIEM Security Information and Event Management

SLA Service Level Agreement

SMCR Supervision, Monitoring & Control and Reporting

SOC Security Operations Centre

VLD SESAR2020 Large Scale Demonstrations

SWIM System-Wide Information Management

WAN Wide Area Network


© EUROCONTROL February 2017

EUROCONTROL is a pan-European, civil-military, intergovernmental organisation for the airspace of its Member States – Albania, Armenia, Austria, Belgium, Bosnia and Herzegovina, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Georgia, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Moldova, Monaco, Montenegro, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, the former Yugoslav Republic of Macedonia, Turkey, Ukraine, the United Kingdom of Great Britain and Northern Ireland.

EUROCONTROL

For more information on CS6-7, please contact: [email protected]