There are many cyber security threats that include attempts to destroy, expose, alter, disable, steal or gain unauthorised access. ATM systems are an attractive target as the critical components that control ATM systems could be particularly vulnerable. Originally physically isolated from the rest of the organisation’s infrastructure, Manchester Airport (MAN) has a number of modern ATM systems that will require enhanced connectivity and will be using more and more common and open components, services and standards. Although the benefits of this increased level of interconnectivity are clear, it also exposes these systems to the same personnel and cyber risks associated with corporate infrastructure which, unlike ATM systems, has evolved to include security.
As this trend exposes systems to increased cyber security risks, it is therefore paramount to identify these risks, assess their possible impacts and mitigate them with appropriate measures.
By implementing those activities Manchester airport group will fulfils prerequisites/enablers to families 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.1, 5.6.1 and 5.6.2f.

Specific objectives:
This IP specifically aims to Plan, Prevent, Detect and Respond as follows:
Plan:

• Define and scope critical operational business priority systems, functions and their nterdependencies, including risk assessments and identification of key assets, information exchange and related environment.

• Identification and threat modelling of cyber risks on critical operations assets, systems and processes.

• Development of a governance framework to support SWIM interfaces.

Prevent:

• hardening of critical systems, penetration and vulnerability assessments, use of encrypted traffic.

Detect:

• Deploy detection technologies and monitoring through an established Security Operations Centre (SOC) to monitor and detect a cyber-attack against airport operational and air navigation IT critical systems.

• Security operations centre integration, with bespoke use case development of critical areas identified in objectives above, to protect and militate against the risk of cyber-attack.

Response:

• This work will further utilised through information exchange with other security operations centre and network manager to provide reliable information about attacks, risks and controls.

Expected Results:

• The current status of Cyber security defences is assessed, taking into account known changes like a SWIM enabled infrastructure, including identification of gaps in defences.

• SOC architecture is defined, designed and implemented, that will be of high availability and will target business continuity scenario;

• Specific use cases for operational systems into the SOC are integrated;

• Training for internal staff managing relationships with outsourced SOC is provided.

• All certification aspects of the project e.g. ATSEP (Air traffic safety electronics personnel) are achieved.

• Detection technologies are deployed which enable monitoring through the established SOC to detect a cyber-attack against airport operational and air navigation IT critical systems.

• SOC is integrated with bespoke use case development of critical areas identified in objectives, to protect and mitigate against the risk of cyber-attack.

• Interoperability for information exchange with other security operations centre and network manager to provide reliable information about attacks, risks and controls dependent on an integration broker is ensured.

Performance Benefits:
The main benefit will be further establishing an outsourced Security Operations Center to monitor and protect high risk systems against cyber-attacks, as well as create information that can be shared with the Network Manager (enabler for 4.2.4). The implementation of monitoring of operational systems will allow for improved visibility of critical operational system’s security. (50%). Full scope will be defined post the completion of tasks 1,2 and 3. The risk assessments are required to be performed in order to ascertain how many systems will be in scope. The measurable benefit will target at minimum 8 in scope applications. With use case deliverables of 30 bespoke use cases linked to threats to aviation.

Controls will be in place to mitigate the risk of cyber attacks to an acceptable level (50%). We are currently targetting 16 systems. Once tasks 1,2,3 complete we will have defined scope. The average time to detect an incident on critical operational systems in scope will be reduced, improving on industry standard of 191 days to detect a breach as quoted by IBM 2017 statistic.

IBM 2017 report: The faster the data breach can be identified and contained, the lower the costs. Business savings: Manual monthly reporting time reduced (average 3 days per month) Gartner statistic: takes 15 – 30 minutes average to investigate and alert on SIEM (Security information and event management) tool, performance benefits across the information security team where third party outsourced SOC can absorb the work factor.
The project do not include any costs to run the SOC."