The Defence of Civilian Air Traffic Systems from Cyber Threats

DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI Aviation security |Cybersecurity |Italy developments of thecyber threat. a high level of attention andawareness on possible future Italian ATM/ATC systemslow. However, it isnecessarytokeep activities conducted byItalian authorities make theriskfor countermeasures adopted byENAV andthepreventive non-state actors analysed inthisresearch, thecyber security could compromise them?Thelow technical skills of the Do theyhave thetechnological skills toconduct attacks that vulnerable? Which actors could poseathreat tothesesystems? management andcontrol systemsrely on? Are thesesystems several related questions arise:what technologies do airtraffic used tounderminenational security. Against thisbackdrop, management andcontrol (ATM/ATC) vulnerabilities could be Accountability Office (GAO) hasrecently stated that airtraffic serious risksfor aviation cybersecurity. TheGovernment and systemsoften connected to theinternet constitute in thelastyears. Digitalisation andthetechnological tools The useof ICT incivil aviation hasincreasedexponentially ABSTRACT Fabrizio d’Amore andFederica DiCamillo by Tommaso DeZan, Systems from CyberThreats The Defence of Civilian Air Traffic keywords DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI 2 * by Tommaso DeZan,Fabrizio d’Amore andFederica DiCamillo* from CyberThreats The Defence of Civilian Air Traffic Systems The Defence of Civilian Air Traffic Systems from CyberThreats . Federica Di Camillo is Senior Fellow in the IAI Security and Defence programme. Defence and Security IAI Fellow the in Senior is Camillo Di Federica (CIS). Security Information and Intelligence Center of Cyber Research of the member Rome and of University Sapienza at the “Antonio (DIAG) Ruberti” Engineering Management and Control, Computer, of Department the in Professor Associate d’Amore is Fabrizio (IAI). Internazionali Affari translated from Italian to English with the support of ENAV. support the with to English Italian from translated was report This of Vitrociset. support the with (IAI) Internazionali Affari Istituto the by conducted Final report of the research project “The defence of civilian air traffic systems from cyber threats”, cyber from systems traffic air of civilian defence “The project research of the report Final Tommaso De Zan is Junior Researcher in the Security and Defence programme at the Istituto Istituto at the programme Defence and Security the in Researcher Junior is Zan De Tommaso 3.1 3 2 Acknowledgements Conclusions 4.3.2 4.3.1 4.3 4.2 4.1 4 3.3 3.2 1.3 1.2 1.1 1 Introduction List of Acronyms Attack or not?Two views compared Cyber Threats toATM/ATC Systems Function andComponentsofATM/ATC Systems Medium- tolong-term assessment Short-term assessment What dangertoATM/ATC systemsinItaly? Cyber threats toItaly ENAV andairtraffic management in Italy The Italian CaseStudy Status of thecyberthreat toATM/ATC systems Actors, objectives andmodus operandi Main arguments andscope of thestudy International efforts Significant events Cyber Security andCivil Aviation p. 3 46 66 28 63 59 10 18 14 19 21 12 31 31 15 51 51 9 6 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI 3 List of Acronyms The Defence of Civilian Air Traffic Systems from CyberThreats DIS DDoS CWP CRCO CPNI CPDLC COPASIR CNS CNMCA CNAIPIC CIS CIS CIDIN CIA CERT CENTCOM CANSO BYOD AVSEC ATS ATN ATM ATM ATIS ATFM ATC ASMGCS ASM ARTAS ARO AOIS ANSP AMHS ALS AFTN ADS-B ACI ACARS ACC per lasicurezza) Security Intelligence Department (Dipartimento delle Informazioni Distributed denial of service Control Working Position Central Route ChargesOffice Centre for theProtection of National Infrastructure Controller Pilot Data-Link Communication parlamentare perlasicurezza della Repubblica) Parliamentary Committee for theSecurity of theRepublic (Comitato Communications, Navigation, Surveillance (Centro nazionale dimeteorologia eclimatologia aeronautica) National Center of Aeronautical Meteorology andClimatology protezione delle infrastrutture critiche) Infrastructures (Centro nazionale anticrimine informatico perla National Anti-crime Computer Centre for the Protection of Critical Cyber Intelligence andInformation Security Center Centre for Internet Security Common ICAO Data Interchange Network Central Intelligence Agency Computer EmergencyResponse Team Central Command Civil Air Navigation Services Organisation Bring-Your-Own-Device Aviation Security Air Traffic Services Aeronautical Telecommunication Network Asynchronous Transfer Mode Air Traffic Management Automatic Terminal Information Service Air Traffic Flow Management Air Traffic Control Advanced Surface Movement GuidanceandControl System Air Space Management Atm Surveillance Tracker andServer Air Traffic Services Reporting Office Aeronautical Operational Information System Air Navigation Service Provider ATS Message Handling Service ALerting Service Aeronautical Fixed Telecommunication Network Automatic Dependent Surveillance-Broadcast Airports Council International Aircraft Communications Addressing andReporting System Area Control Center DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI 4 The Defence of Civilian Air Traffic Systems from CyberThreats OSI OLDI NSA NOTAM NMOC NIPRNET MPLS MET LAN ITU IT ISO ISMS ISIS ISHD IRE IP IFR IFALPA IETF IED IDS ICT ICS-CERT ICS ICCAIA ICC ICAO IATA GAO FIS FIR FDPM FDP FBI FAA ESSP ESARR ENAV ENAC EGNOS EATMP EASA DoS Open Systems Interconnection On-Line Data Interchange National Security Agency Notices To Air Men Network ManagerOperations Centre Nonclassified Internet Protocol Router Network Multi Protocol Label Switching Aviation meteorology Local Area Network International Telecommunication Union Information Technology International Organisation for Standardisation Information Security Management System Islamic State of Iraq andSyria Islamic State HackingDivision Interconnessione retiesterne Internet Protocol Instrument Flight Rules International Federation of Air LinePilots’ Associations Internet EngineeringTask Force Improvised Explosive Device Intrusion Detection System Information Communication Technology Industrial Control Systems CyberEmergencyResponse Team Industrial Control Systems Associations International Coordinating Council of Aerospace Industries International Communications Centre International Civil Aviation Organisation International Air Transport Association Government Accountability Office Flight Information Service Flight Information Region Flight PlanData Management Flight Data Processing Federal Bureau of Investigation Federal Aviation Administration European Satellite Services Provider Eurocontrol Safety Regulatory Requirements l’assistenza al volo) Italian Air Navigation Service Provider (Ente nazionale per Italian Civil Aviation Authority (Ente nazionale perl’aviazione civile) European Geostationary Navigation Overlay Service European Air Traffic Management Programme European Aviation Safety Agency Denial of Service DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI 5 The Defence of Civilian Air Traffic Systems from CyberThreats XSS WAN VPN VOR VHF VFR UIR UHF TTIP TPP TOR TMA TLS TCP SWIM SVFR SRC SQLI SQL SOP SOC SIPRNET SIEM SESAR SES SCADA SARPS SADIS RWY RFC PoP PENS OWASP OSSTM Cross-Site Scripting Wide Area Network Virtual Private Network Vhf Omnidirectional Radio Range Very High Frequency Visual Flight Rules Upper Information Region Ultra High Frequency Transatlantic Trade andInvestment Partnership Trans Pacific Partnership The Onion Router Terminal Control Area Transport Layer Security Transmission Control Protocol System-Wide Information Management Special Visual Flight Rules Safety Regulation Commission SQL-Injection Structured Query Language Same Origin Policy Security Operation Centre Secret Internet Protocol Router Network Security Information andEvent Management Single European SkyATM Research Single European Sky Supervisory Control andData Acquisition Standards andRecommended Practices Satellite Distribution System Runway Request for Comments Point of Presence Pan European Network Services Open Web Application Security Project Open Source Security Testing Methodology DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI 6 implications and threats deriving from the use of cyber space,” COPASIR and thefreedom of circulation. Constitution, such asthelife andsafety of persons in-flight and on theground critical infrastructure whose defence helps guaranteeing values ensuredbythe the requisite attention todefending airtraffic control systems, considered asa In particular, COPASIR urgedlegislators andnational security bodies tolend www.gov.uk/government/speeches/chancellors-speech-to-gchq-on-cyber-security. Control Systems Control ATC) experience –of possible attacks on airtraffic management and control (ATM/ a series of examples –agood portion of which weretaken from theAmerican air traffic control systems. the United Kingdom George Osborne underscored thehighly sensitive nature of major government investments incybersecurity, Chancellor of theExchequer of 6 5 4 3 2 1 conduct attacks that could compromise them? actors could poseathreat tothesesystems?Dotheyhave the technological skills to management andcontrol systemsrely on? Are thesesystemsvulnerable? Which this backdrop, several related questions arise:What technologies do airtraffic digital technologies inevitably introduces new forms of vulnerability. Against how thegrowing dependenceof airtraffic management and control systems on The COPASIR andGAO reports pinpoint acentral national security problem: published a report in January 2015 The USGovernment Accountability Office (GAO), which reports tothe Congress, Introduction The Defence of Civilian Air Traffic Systems from CyberThreats 7 Italy. of ATM/ATC in status ajudgement on the security not express does report The to materialise. was athreat case in consequences to the mainly refer COPASIR considerations docnonleg/19825.htm. cibernetico dellodall’utilizzo spazio found intheFederal Aviation Administration (FAA) airtraffic control system. United States. United March 2015, http://cnn.it/1FOFlBU. 2015, March ICT systemstocyberattacks. these weaknesses,it has notyet found asolution tosome that could exposetheir report concludes with theassertion that, despite theFAA’s attempts toaddress the safe anduninterrupted operation of thenational airspacesystem(NAS).” The According tothe GAO, theseweaknessesthreaten “theagency’s ability toensure

COPASIR, COPASIR,

FAA Needs to Address Weaknesses in Air Traffic Weaknesses to Address (GAO), Needs Office FAA Accountability Government US Chancellor’s speech to GCHQ on cyber security on cyber to GCHQ speech Chancellor’s Osborne, George Air Traffic Management (ATM) and Air Traffic Control (ATC).Traffic Air and Management (ATM) Traffic Air CNN Politics cyber-attack”, inCNN to vulnerable system control traffic Air “Report: Cooper, Aaron The FAA is the agency of US Department of Transportation that regulates civil aviation in the the in aviation civil regulates that of Transportation of Department US agency the is FAA The Italy’s Parliamentary Committee for the Security of the Republic. of the Security for the Committee Italy’s Parliamentary 5 systemsowing totheincreasingly pervasive useof information technology. Relazione sulle possibili implicazioni e minacce per la sicurezza nazionale derivanti derivanti nazionale sicurezza la implicazioni per sulle possibili e minacce Relazione , January 2015, http://www.gao.gov/assets/670/668169.pdf. 2015, , January 7 , 7July http://www.senato.it/leg/16/BGT/Schede/ 2010, 3 In a2010report “Onthepossible national security 6 Along thesamelines,inastatement announcing 1 in which it underscored several vulnerabilities , 17 November 2015, https:// 2015, , 17 November 4 cited , 2 2

DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI 7 jesi.an.it/2008/101/1.htm. http://gazzette.comune. G.U. No. 2008, 101 April of 30 nazionale, interesse di informatiche critiche transportation, energy, environment andhealth.” of international relations, security, justice, defence, finance,communications, and theagencies andbodies chargedwith theiroversight –operating inthesectors Italian Ministryof Interior included among ascritical infrastructure, “Ministries – entitled “Identification of Critical ICT Infrastructures of National Interest,” the 2006 Directive on European Critical Infrastructures. Finally, with a2008decree December 2013, http://www.cis.uniroma1.it/sites/default/files/allegati/2013CIS-Report.pdf. Readiness Sectors and Sensitive Other Infrastructure Critical release/P-20150709-1.html. release 10 9 8 Infrastructures (CNAIPIC) reported 1,151cyberattacks –161of which involved web 2014 theNational Anti-crime Computer Centre for theProtection of Critical The dangerstothesesystemsarenotonly potential, but real andon therise.In sensitive targets. levels. Theoperators within thesemacro sectors seemedunaware of beingpotential successfully attacked, could lead toserious consequences at national andEuropean industry andthefinancial sector), therewerecomputerised components that, if out that, inthefour sectors analysed (public administration, public utilities, major gives due consideration tothedefence of those infrastructures. Thereport points Italy lagsbehind other developed countries inimplementing acyberstrategy that Information Security Centre (CIS)of theSapienza University of Rome, states that and OtherSensitive Sectors Readiness” draftedbytheCyberIntelligence and The report entitled “2013Italian CyberSecurity Report: Critical Infrastructure infrastructures requireahigh level of protection that isnotalways easytoensure. Given theimportance tonational security andtheirinter-independence, critical of its national cybersecurity planfor 2018. aviation ascrucial tothe“Critical Infocomm Infrastructure Protection” programme consider airtransportation acritical infrastructure. Singapore hasrecognisedcivil infrastructures andcybersecurity. Indeed, themajority of developed nations This study ispartof abroader discussion on therelationship betweencritical The Defence of Civilian Air Traffic Systems from CyberThreats 11 org/10.7708/ijtte.2013.3(4).02. Engineering Transport and for Traffic Plan. on domestic security, within the context of the National Infrastructure Protection systems among 18examples of critical infrastructure inPresidential Directive 7

International Journal Journal International in for Airports”, Security “Cyber al., et Gopalakrishnan Kasthurirangan Singapore hosts civil aviation cyber security conference. Press Press conference. security cyber aviation civil Singapore hosts of Transport, Ministry Singapore 2013 Italian Cyber Security Report. Report. Security Italian (CIS), Cyber 2013 Centre Security Information and Intelligence Cyber Decree of 9 January 2008 of 9January of Interior, Decree Ministry Italian 9 TheEuropean Commission included transportation asacritical sector inits , 9 July 2015, http://www.news.gov.sg/public/sgpc/en/media_releases/agencies/mot/press_ July 9 , 2015, 11 , Vol. 3, No. 4 (December 2013), p. 365-376, p. http://dx.doi. 2013), , Vol. No. 3, 4(December 8 TheUnited States liststransportation , Individuazione delle infrastrutture delle infrastrutture , Individuazione 10 , Rome, Università “La Sapienza”, “La Università , Rome, DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI 8 instruments used by Anonymous include malware and phishing. and malware include Anonymous by used instruments Other https://niccs.us-cert.gov/glossary#denial_of_service. (NICCS): Studies and Careers for Cybersecurity Initiative National of the Glossary Cyber the in “denial of service” See services.” 13 12 organisational, technological andprocess-related counter measuresput inplace ATC systemsthat could beexploited bymalicious actors. Also observed arethe The purposeof thisstudy istoassesseventual weaknessesinItalian ATM/ Source: 2015Clusit Report, p.84. Figure 1|Attacks addressedbyCNAIPIC in2014 defacement The Defence of Civilian Air Traffic Systems from CyberThreats 15 14 framework-for-cyberspace-security.pdf. sicurezzanazionale.gov.it/sisr.nsf/wp-content/uploads/2014/02/italian-national-strategic- Security for Cyberspace Framework Strategic National of Ministers, Council of the Presidency Italian website.” See of the pages homepage or of other system intrusions and 187 compromises due to malware, internet websites andcritical Italian infrastructures. Oftheseattacks, 64were 154 potential weaknessesand148otherpossible attacks wererevealed. websites of institutional entities andprivate enterprises. Duringthesameperiod, Cyber Glossary Cyber NICCS in policy.” “exploit” See Astrea, 2015, https://www.clusit.it/download/Rapporto_Clusit%202013.pdf. 2015, Astrea,

Rapporto Clusit 2015 sulla sicurezza Ict in Ict Italia sicurezza sulla 2015 Clusit Rapporto for Security, ICT Association Italian “An attack that prevents or impairs the authorized use of information system resources or resources system of information use authorized the or impairs prevents that “An attack “An attack carried out against a website and consisting in modifying the contents of the contents of the the modifying in consisting and awebsite out against carried “An attack “A technique to breach the security of a network or information system in violation of security of security violation in system or information of anetwork security the “A to breach technique 12 and50Distributed Denial of Service (DDoS) : https://niccs.us-cert.gov/glossary#exploit. : , December 2013, p. 43, http://www. 43, p. 2013, , December 14 13 which had infected the –againstinstitutional 15 , Milan, , Milan, DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI 9 relationship betweencivil aviation andcybersecurity. some food for thought on thestudy’s results andon possible developments inthe a discussion of possible cyberthreats directedagainstItaly. Conclusions offer fourth section examinestherole of andtechnologies employed byENAV, with terrorist organisations, ISISandAl-Qaeda, hacktivists andcybercriminals. The including an assessment of the technical skills and objectives of the two main The thirddescribes theactors that civil aviation authorities consider athreat, study. Thesecond section explainswhat anATM/ATC systemisandhow it works. by identification of themainproblems andanoutline of thescope of thepresent brief analysis of ICT-related incidents that have affected thesector will be followed end, thefirstsection introduces thetheme of cybersecurity incivil aviation. A commitments within theframework of international legal conventions. To that agencies, incompliance with thenational cyberstrategy andinlight of Italy’s August 2012, http://www.cpni.gov.uk/highlights/cyber-security-in-civil-aviation. 2012, August National Infrastructure (CPNI) not surprisingthenthat a2012report bytheBritish Centre for theProtection of have introduced considerable problems associated with cybersecurity. It is fields, thedigitalisation andplacement online of such complex instrumentation thousands of connections that link the various parts of an airport. As in other of aircraft tocommunications andnavigation instruments, along with all the increased exponentially over recent years, from thedevelopment andconstruction As it hasinmany othercomplex human activities, theuseof ICT incivil aviation has insurer”, in Reuters 17 16 1. CyberSecurity andCivil Aviation by thenational Air Navigation Service Provider, ENAV, The Defence of Civilian Air Traffic Systems from CyberThreats 19 18 defence of national infrastructure industries and organisations. and industries infrastructure of national defence and consequently theimpact of eventual compromise. inherent toICT-use hasraisedthevulnerability of aircraft andaviation systems, activity poseanoteworthy threat tocivil aviation. managerial improvements, it remainsclear that weaknesseslinked with cyber “Aviation relies on computer systemsextensively inground andflight operations

Jonathan Gould and Victoria Bryan, “Cyber attacks, drones increase threats to plane safety: safety: to plane threats increase drones attacks, “Cyber Bryan, Victoria and Gould Jonathan National Flight Assistance Agency. Assistance Flight National Cyber Security in Civil Aviation in Civil Security Cyber (CPNI), of Infrastructure National Protection for the Centre British government authority that offers advice and recommendations on the security and security the on recommendations and advice offers that authority government British Tony Tyler, Director General of theInternational Air Transport Association , 4 December 2014, http://reut.rs/1tRTAOZ. 2014, , 4December and airtraffic management, andweknow weareatarget.” 18 found that theinterface andinterdependence 16 aswell asbygovernment 19 Despite financial and , 17 10 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI majority do not involve ATM/ATC systems, with the exception of the 2006 Alaskan incident. Alaskan 2006 of the exception do the not involve ATM/ATC with majority systems, Cyber Glossary Cyber NICCS in horse” “trojan See program.” the invokes that entity of asystem authorizations legitimate exploiting by sometimes mechanisms, security evades that function malicious potentially 21 20 • 2008,August: at Spain’s Madrid-Bajaras airport, atrojan systems inAlaska. • 2006,July: acyberattack forces theAmerican FAA toshut down several ATC are some recent examples of ICT incidents involving thecivil aviation sector: events that include the many episodes ascribable to the cyber threat. The following shift away from traditional physical attacks on aircraft andairports tonewkindsof evolved, thethreats it faceshave changedinbothdimension andmodality, with a Civil aviation hashistorically beenanespecially appetising target.As thesector has 1.1 Significant events main ICT problems that condition in-flight andground security will bedescribed. to combat cyberthreats andthecounter measurescurrently inplace.Finally, the incidents that have affected thesector. It will go on toexamineinternational efforts between cyber security and civil aviation, with the initial presentation of some ICT The goal of thissection istoprovide anintroductory framework for therelationship Cybersecurity, August 2013,p.8,http://www.aiaa.org/aviationcybersecurity. Source: American Institute of Aeronautics andAstronautics, A Framework for Aviation Figure 2|ICT technologies incivil aviation The Defence of Civilian Air Traffic Systems from CyberThreats 22 sg/saaWeb2011/export/sites/saa/en/Publication/downloads/SAA_Journal_2014.pdf. Management of Aviation Journal Mitigations”, in and Challenges

Bernard Lim, “Aviation Security: Emerging Threats from Cyber Security in Aviation – Aviation in Security Cyber from Threats Emerging “Aviation Lim, Security: Bernard “A computer program that appears to have a useful function, but also has a hidden and and ahidden has but also function, auseful to have appears “A that computer program The events described are only a partial sampling of such incidents. It should be noted that the the that noted It be should incidents. of such sampling only a partial are described events The : https://niccs.us-cert.gov/glossary#Trojan_horse. 21 , 2014, p. 84, http://www.saa.com. 84, p. , 2014, 22 inone of Spanair’s main 20 11 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI ANConfWP122.1.1.ENonly.pdf. http://www.icao.int/Meetings/anconf12/WorkingPapers/ 2012, November 19-30 Montréal, ly/1yaHNV0. battle-against-cyber-attacks. Review Airport through collaboration. through excellent results to achieving aview with security, cyber to address readiness agencies’ private United States. systems of theairports andairlinesof Pakistan, Saudi Arabia, South Korea andthe attack againstthecomputer systemsof over 16countries, including attacks on the • 2014, December: the Cylance company accuses Iranian hackers of a coordinated has never beenproven andhasbeenroundly rejectedbyBoeing. 29 28 27 26 25 24 23 resulting from acyberattack on its bankaccounts. • 2015,April: Ryanair airlinesuffers financial damages ofnearly 3 million pounds accounts. Theagencyclaimstherewasnodamagefrom theattack. • 2015,February: theFAA discovers various forms of malware inpersonnel e-mail been commandeered bymeansof amobile phone and/or aUSBdrive. overall uncertainty surrounding theevent, it wasalso suggested that the planehad the Boeing777-200ER islater given up for lost inanairlinepressrelease. In the • 2014,March: Malaysia Airlines flight MH370disappears from trackingradar,and • 2013:according toareport bytheCentre for Internet Security (CIS), airports areblocked byacyberattack, resulting innumerous flight delays. • 2013,July: thepassport control systemsof theIstanbul Ataturk andSabihaGökçen that hadcaused heavy check-inandflight delays. • 2011,June: three engineersareaccusedof “interruption of computer services” 48,000 personnel files. • 2009,February: anattack on FAA computers allows unknown hackers toaccess intentionally compromised through theTrojan. loss of 154passengerlives. It hasyet tobedetermined whether thesystemswere flight No. 5022. This was cited among the causes of the plane’s collision and the computer systems blocks thereception andactivation of analarm messagefrom The Defence of Civilian Air Traffic Systems from CyberThreats 32 31 30 Cyber Glossary Cyber NICCS in “phishing” See information.” sensitive into providing individuals to deceive engineering “Ais of social form digital 75 American airports wereattacked byprolonged spearphishingcampaigns. 8 April 2014, http://resources.infosecinstitute.com/?p=25456. Resources InfoSec in Industry”, Aviation the against Threats “Cyber Paganini, Pierluigi ai/1zalBGR; Daily Mail Online in attack”, of acyber consequences devastating p. 556, http://dx.doi.org/10.1080/09700161.2014.918435. 556, p.

ICCAIA, ICCAIA,

USA Today in USA damage”, no finds cyberattack, by hit “FAA Jansen, Bart US non-governmental and non-profit organisations whose mission is to improve public and improveis public to mission whose non-profit and non-governmental US organisations Insurance Insurance plane?”, in the boarded attackers cyber Have skies: the in threat Elliott-Frey,Jack “The Strategic Analysis Jihad”, Strategic in Electronic Terrorism: “Cyber Heickerö, Roland IHS Jane’s IHS cyber-attacks”, in Vogel, “Authorities against Ben uphill battle and face Lopez Ramon Ellie Zolfagharifard, “Hackers are a serious threat to aircraft safety’: Aviation chiefs warn of the of the warn chiefs Aviation safety’: to aircraft threat aserious are “Hackers Zolfagharifard, Ellie Ramon Lopez and Ben Vogel, “Authorities face uphill battle against cyber attacks”, cit. attacks”, cyber Vogel, “Authorities against Ben uphill battle and face Lopez Ramon Ramon Lopez and Ben Vogel, “Authorities face uphill battle against cyber attacks”, cit. Phishing Phishing cit. attacks”, cyber Vogel, “Authorities against Ben uphill battle and face Lopez Ramon Bernard Lim, “Aviation Security: Emerging Threats from Cyber Security in Aviation”, in 84. p. cit., Security Cyber from Threats Emerging “Aviation Lim, Security: Bernard Cyber Security for Civil Aviation for Civil Security Cyber , 9 April 2015, http://www.ihsairport360.com/article/6186/authorities-face-uphill- 2015, , 9April 30 24 : https://niccs.us-cert.gov/glossary#phishing. , presented at the Twelfth Air Navigation Conference, Conference, Navigation Twelfth at Air the , presented 23 25 32 , 11 December 2014, http://dailym. 2014, December , 11 , 7 April 2015, http://usat. 2015, , 7April , Vol. No. 4(2014), 38, 27 31 approximately 29 Thetheory 26 28 , 12 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI still referred tocybersecurity asa“recommended practice” andnota“standard.” include cyber security. cyber include to founded it was Convention Aviation on which Civil International of the Annexes 19 one of the technologies, at assessingcyberriskstoairtraffic management systemsbased onnew ICT technological nature against air navigation infrastructure. of a attacks including interference,” of unlawful acts any against public general the as well as crew personnel, ground passengers, its guarding safe is state contracting of each objective “Primary the assessing security problems and possible threats to civil aviation. to civil threats possible and problems security assessing secretary-general/rbenjamin/20150720_Singapore_Cyber_Security.pdf. Security Cyber Aviation on Civil Conference to the Opening Remarks Benjamin, Raymond See: displays. information flight and controls departure as such computer systems airport and ATM systems modern supporting systems ICT on cockpits, attacks cyber of possible aseries include reviewing currently is group the problems bbc.com/news/world-europe-33219276. www.fas.org/sgp/crs/homesec/IN10296.pdf. aviation. 39 38 37 36 35 34 33 cyber-attackers-boarded-the-plane-22592.aspx. Blog Business ICAO, In October2012,during the12thAir Navigation Conference sponsored bythe aviation, although many attempts have beenmadetoaddresstheissue. There iscurrently nooverarching, universal approach tocybersecurity incivil 1.2 International efforts to seekconcrete ways toaddresstheirsystems’possible vulnerabilities. aviation. Such events have prompted theprincipal international sector organisations significantly to moving cyber security to centre stage in the discussion on civil This farfrom exhaustive listshows how computer incidents have contributed attack compromised thesystemthat creates flight plans. flights toDenmark, Germany and Poland, causing delays for anotherten.The • 2015,June: an attack on thePolish national airline(LOT)network grounds ten The Defence of Civilian Air Traffic Systems from CyberThreats 40 and practices. In March 2014,theICAO’s AVSEC Panel with implementing, managingandmonitoring cybersecurity-related procedures to cyberattacks. that thenewtechnologies about tobeadopted, wereintrinsically more vulnerable level impediment totheimplementation of theGlobal Air Navigation Plan,and ICCAIA, ICCAIA,

BBC News BBC in computer by hack”, grounded aeroplanes LOT “Polish The International Civil Aviation Organisation is the UN agency that regulates international civil civil international regulates that agency UN the is Organisation Aviation Civil International The Bernard Lim, “Aviation Security: Emerging Threats from Cyber Security in Aviation”, in The cit. Security Cyber from Threats Emerging “Aviation Lim, Security: Bernard International Coordinating Council of Aerospace Industries Associations. Industries of Aerospace Council Coordinating International The Aviation Security (AVSEC) Panel Working Group is a group of ICAO experts tasked with with tasked (AVSEC) Working of ICAO agroup experts Group Panel is Security Aviation The CRS Insights CRS in Cyberattacks”, from Aviation Civil “Protecting Elias, Bart Interview, November 2015. Annex 17 (Safeguarding Against Acts of Unlawful Interference) cites cites Interference) of Unlawful Acts Against 17 (Safeguarding Annex 2015. November Interview, 35 theICCAIA Cyber Security for Civil Aviation for Civil Security Cyber , 27 May 2015, http://www.ibamag.com/news/blog-the-threat-in-the-skies-have- 2015, , 27May 39 sinceAnnex 17of the1944Chicago Convention on Civil Aviation 37 Theassociation urgedthecreation of aworking group tasked 36 asserted that cybersecurity hadbeenidentified asahigh , cit. Also in 2012, the same organisation amended amended organisation same the 2012, in Also , cit. , 9-10 http://www.icao.int/Documents/ July 2015, 38 called for additional efforts 33 , 21 June 2015, http://www. June 2015, , 21 , 18 June 2015, http:// June 2015, , 18 34 40 13 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI around the world. the around from theiralteration. navigation data’s lackof security andthenoteworthy distressthat could result facilities or othersystemsimportant tocivil aviation. Thereport underscored citing the“significant andemergent” threat of cyber attacks on aircraft, ground aviation manual that wasupdated inJuly 2015. June 2013), http://www.ifalpa.org/store/14POS03%20-%20Cyber%20threats.pdf. which account for 83 percent of global air traffic. of air global for account percent 83 which 46 45 44 43 42 41 and tonational security ingeneral. systems that, ifcompromised, could represent adangertothesafety of persons criminal intent arenumerous. Thenextparagraph offers abrief description of those considered, thevulnerabilities that could beexploited byvarious actors with security hasgainedinthecontext of civil aviation. Dependingon thesystem Recent international undertakingsindicate thedegreeof importance that cyber are also usedinothersectors andare,therefore, subject tothesamecyberthreats. approach must also beconsidered sincethetechnologies employed incivil aviation sector needsaspecific approach tocyberprotection. Nevertheless, amore general sponsored byICAO with CANSO, IATA, ACI andICCAIA, isthat thecivil aviation The general belief, voiced also intheIndustry High-Level Group (Cyber)studies In December2014, ICAO, IATA, ACI, In 2014,CANSO In 2013, IFALPA The Defence of Civilian Air Traffic Systems from CyberThreats 48 47 security.aspx. Toolkit Security Cyber IATA, Aviation system. management security acyber to implementing aguide and tool assessment ENAV.includes and sharingbestpractices.” organizations involved ininternational civil aviation, while additionally identifying cyber threat and“promote thedevelopment of arobust cyber-security culture inall Cyber Security Action Plancoordinating theirrespective efforts tocounter the Service Providers (ANSPs). fostering theapplication of sector bestpractices betweenassociated Air Navigation other things,a“CyberSecurity andRisk Assessment Guide”for thepurposeof

CANSO, CANSO, International Federation of Air Line Pilots’ Associations represents approximately 100,000 pilots pilots 100,000 approximately represents Associations Pilots’ Line of Air Federation International Airports Council International. Council Airports Civil Air Navigation Services Organisation, association of air navigation services providers that that providers services navigation of air association Organisation, Services Navigation Air Civil International Air Transport Association, sector association with a membership of 260 airlines, airlines, of 260 amembership with association sector Association, Transport Air International IFALPA Position Papers IFALPA Position in aircraft?”, your who controls threats: “Cyber IFALPA, Intended to offer a general overview of the topic, and to provide airlines with a cyber risk risk cyber a with airlines and to provide the topic, of overview to a Intended general offer Opening Remarks to the Conference on Civil Aviation Cyber Security Cyber Aviation to on the Civil Opening Remarks Conference Benjamin, Raymond Cyber Security and Risk Assessment Guide Assessment and Risk Security Cyber 41 43 published “Cyberthreats: who controls your aircraft?”, a report setup theATM Security Work Group, which produced, among , 2nd edition, July 2015, https://www.iata.org/publications/Pages/cyber- July 2015, edition, , 2nd 42 44 48 Also in2014,IATA 47 CANSOandICCAIA signed aCivil Aviation , 2014, https://www.canso.org/node/753. , 2014, 45 46 published acybersecurity incivil , No. 14POS03 (5 , No. 14POS03 , cit. , 14 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI aerodays2015.com/wp-content/uploads/sites/20/6H-3-Emmanuel-Isambert.pdf. Needs Research Roadmap Cybersecurity Rosay, Aviation well: Cyrille as occasions on other theme the confronted has news/0PmU. EASA Register app’”, The in Android an with aplane hijack you CAN’T ‘No, International Online Spiegel in Plane?”, the in-flight entertainment system accessible through Wi-Fi. with satellite communications, andtherefore with flight navigation systems,using an aircraft. Interview, November 2015. November Interview, aircraft. an commandeering hacker from a different something is this but that frequencies, radio over carried systems collaborative are they that in to interference subject be clearly can ADS-B and ACARS that and in-flightof independent avionics, to that entirely show are study Wi-Fiindependent systems flight hardware. not yield thesameresults when usingasoftware application installed on certified for since it hadbeenperformed with aflight simulator, andthat Teso’s method would 52 51 50 49 crash. using asoftware application that hehadcreated, andeventually make theplane how it waspossible tocommandeer anaircraft control systemwith asmartphone, European Aviation Safety Agency (EASA), Spanish expertHugo Teso demonstrated Wi-Fi hasproduced noteworthy security faults. In 2013,at aconference of the Many information security expertshave stressedhow theintroduction of on-board operations (DoS,phishing,trojans, etc.). of bothphysical devices (USBdrives, computers, digital cameras,etc.)andvirtual within airports, makingthempotentially vulnerable toattack byavastnumber use of web-linked mobile applications will probably furthermenaceoperations ventilation systems,baggagetransport, andsoforth. In thefuture, theincreased the Supervisory Control andData Acquisition (SCADA) systemsthat often control operations, such asdata exchanges andmessaging,othertargetscould include systems of theorganisations andentities that routinely usetheinternet for daily Airport facilities areespecially vulnerable tocyberthreats. In addition tothe and airtraffic management systems. civil aviation: internal airport computer systems,in-flight aircraft control systems There arethreemaintargetsthat could bethefocus of cyber-related attacks on 1.3 Main arguments and scope of thestudy The Defence of Civilian Air Traffic Systems from CyberThreats 53 rs/1olAeyA. Reuters in of cyber-attack”, at risk jets to passenger show says “Hacker Jim Finkle, See: risk. actual the downplay although they results, of of some Santamarta’s validity threat.aspx. Threat Cyber ICAO, See: Unites Aviation on passengers. their and airlines target attempts of all phishing percent 50 approximately to figures, some according that, extent to the channels, preferred criminals’

Marcel Rosenbach and Gerald Traufetter, “Cyber-Attack Warning: Could Hackers Bring Down a Down Bring Hackers Could “Cyber-Attack Warning: Traufetter, Gerald and Rosenbach Marcel Some industry representatives that produce potentially violable systems have confirmed the confirmed have systems violable potentially produce that representatives industry Some Neil McAllister, “FAA: ‘No, you CAN’T hijack a plane with an Android app’”, cit. Airbus funded an an funded app’”, Airbus cit. Android an with aplane hijack you CAN’T ‘No, “FAA: Neil McAllister, Kasthurirangan Gopalakrishnan et al., “Cyber Security for Airports”, cit. for Airports”, Security “Cyber al., et Gopalakrishnan Kasthurirangan Another concern is computer fraud: the sector’s substantial potential profits make it one of cyber cyber it make one of profits potential substantial sector’s computer the is fraud: concern Another 51 BoththeFAA andEASA subsequently assertedthelimited validity of thetest , 10 December 2014, http://www.icao.int/Newsroom/Pages/aviation-unites-on-cyber- 2014, , 10 December 52 In 2014,Ruben Santamarta proved that it waspossible tointerfere , 22 May 2015, http://spon.de/aevsu; Neil McAllister, “FAA: http://spon.de/aevsu; “FAA: 2015, May Neil, 22 McAllister, , Aerodays2015, London, 20-23 October 2015, http://www. 2015, 20-23 October London, , Aerodays2015, 49 50 , 13 April 2013, http://goo.gl/ 2013, April , 13 , 4 August 2014, http://reut. 2014, , 4August 53 Similarly, in July 15 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI data, andauditing and monitoring activity on FAA’s systems.” and authenticating users,authorizing userstoaccesssystems,encryptingsensitive computer resources, such ascontrols for protecting systemboundaries, identifying weaknesses incontrols intended toprevent, limit, anddetectunauthorized accessto and uninterrupted operation of the national airspace system (NAS). These include control weaknessesremain,threatening theagency’s ability toensurethesafe recent report bytheGAO (January 2015)underscored that “significant security 54 ATM =ATS + Air Traffic Flow Management (ATFM) + Air SpaceManagement (ASM). ATM canbeunderstoodastheintegration of thefollowing components: (routes andaltitudes indicated inflight plans)without compromising security. The established departureandarrival timesand maintain theirpreferred fight profiles The mainpurposeof anATM istoallow operators (e.g.airlines)tocomply with their Services component (ATS) and,inparticular, on Air Traffic Control (ATC). circumscribe its field of investigation, thisstudy will focus on the Air Traffic An ATM systemisapoolof airtraffic management services. Inan effort to 2. Function andComponents of ATM/ATC Systems access control procedures andtheability toidentify unlawful intrusions. inefficiencies andweaknessesinthe FAA’s ATMsystems,especially with regardto report bytheUSDepartment of Transportation Inspector General criticised dependence on ICT andinterface with othersystemsandtechnologies. A2009 Finally, ATM/ATC systemshave also come underscrutiny given theirgrowing and theplane’s engineresponded totheprompt. electronic box located underhisseat, Roberts typedinthecommand “CLB”(climb) Bureau of Investigation (FBI)documentation, afterconnecting hiscomputer tothe was flying on through thein-flight entertainment system. According to Federal 2015 Chris Roberts wasable tomanipulate thecontrol systems of theaeroplane he The Defence of Civilian Air Traffic Systems from CyberThreats 57 56 55 it/ec5/enav/it/pdf/compendio_77_155.pdf. systems. confronts thelattermost of theforegoing themes,i.e.thecyberthreat toATM/ATC As for therelationship betweencybersecurity andcivil aviation, thisreport definition of roles andresponsibilities within the FAA. cyber riskmanagement programme, proof of which lay intheabsenceof aprecise report, some of thesystemsweaknesseswereowing tothelackof acomprehensive com/?p=1782748. Wired in aPlane”, Commandeered Researcher Banned That

GAO, GAO,

, September 2011, p. 92, http://www.enav. 92, p. ENAV,aereo”, inCompendio ATC 2011, traffico , September del “Gestione Bart Elias, “Protecting Civil Aviation from Cyberattacks”, cit. Cyberattacks”, from Aviation Civil “Protecting Elias, Bart Marcel Rosenbach and Gerald Traufetter, “Cyber-Attack Warning…”, cit.; Kim Zetter, “Feds Say Say “Feds Zetter, “Cyber-Attack Warning…”, Kim Traufetter, cit.; Gerald and Rosenbach Marcel FAA Needs to Address Weaknesses in Air Traffic Control Systems inControl Air Traffic Weaknesses to Address Needs FAA 54 , 15 May 2015, http://www.wired. 2015, May , 15 , cit. , 56 According tothe 55 Amore 57 16 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI 59 58 pilots areobliged to follow, save incasesof clearly perceived emergency. recommendations that pilots may choosetofollow or not,or instructions that air space.Dependingon thetypeof flight andclass of airspace, ATC makes private, military, commercial andgovernment carriers operating intheirassigned in search andrescue operations. In many countries, ATCs provide services to all pilots toimprove thequality andefficiency of flights andassistingthird parties and optimising airtraffic flow, providing information andrecommendations to preventing collisions between aircraft or with various other obstacles, organising procedures, organisations and technological instruments for the purpose of The ATC isacomplex systembasedon national andinternational legislation, controllers, operations management. Themostimportant of ANSPpersonnel aretheairtraffic equipped with various systems(radar,radio, weather sensors, etc.)ensure personnel of airports andArea Control Centres (ACC), where control rooms ATS services aregenerally provided byANSPs that usetheinstruments and Figure 3|Principal CNS/ATM systemelements The Defence of Civilian Air Traffic Systems from CyberThreats 60 anconf12/Document%20Archive/an02_cons%5B1%5D.pdf. http://www.icao.int/Meetings/ July 2005, edition, 10th Aviation, Civil Convention on International ACC incompliance with theinternational accords stipulated byICAO. are called Flight Information Regions (FIR),andeachFIRisassigned toadesignated (UIR) to the air space above. space air to the (UIR) Region Information Upper term the and below space air to the refers FIR term the case, that in and,

FIR size and format can differ considerably; in some cases, FIRs can be subdivided horizontally horizontally subdivided be can FIRs cases, some in considerably; differ can format and size FIR Commonly known as flightcontrollers. as known Commonly The pilot is responsible for the safety of the aircraft. See: ICAO, See: of the Rules Air aircraft. of the safety for the responsible pilot is The 58 who arespecialised inproviding ATS. Air spaceis divided into what . Annex 2 to the 2to the . Annex 59 60 17 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI Local Control, normally handled bythecontrol tower, Ground Control viaVHF/UHFradio. person moving inthesecontrolled areasmust receive explicit authorisation from after leaving thegate, upon arrival, coming off therunway). Any aircraft, vehicle or into/out of thetaxiway, inactive runways, stopping andtransit areas(indeparture, the movement of aircraft andothervehicles intheairport area,including entry/exit Ground Control, coordinated from theairport control tower, regulates andorganises distinguished asGround Control, Local Control andArea Control. transponder modality clouds, obligation of radio contact, theneedfor entry authorisation, on-board which ATS services areprovided, minimum visibility conditions anddistance from whether operations must beunderIFR/VFR/SVFR; maintenance of separation, in consideration of specific required features: whether airspacecontrol isrequired, modes varyfrom thestrict ClassAtothemore relaxed ClassG.Eachclassisdefined Flight Rules (IFR) and, in some cases, Special Visual Flight Rules (SVFR). Operational with specific local needs),andaresubject to Visual Flight Rules (VFR), Instrument Classes A,B,C,DandE,for VFRflights inClasses B,Cand D. space, FandGtouncontrolled airspace.ATC services arerequiredfor IFRflights in 61 debarking, airport areas, ATC services involve all phases of an aircraft’s movement – taxiing, boarding and classes ATC procedures arebasedon ICAO’s assignment of airspacevolumes toseven The Defence of Civilian Air Traffic Systems from CyberThreats 65 64 63 62 nationalitymarks/annexes_booklet_en.pdf. Annexes 1to 18 Aviation. Civil International ICAO, Convention on in The Services), Traffic (Air 11 Annex See Golf. Foxtrot, Echo, Delta, a go-around directive, telling thepilot tointerrupt landingoperations andstand case of anomalies inanaircraft approaching for landing,Local Control canissue The ACC also provides route details for reaching a designated landing strip. In the dedicated frequency known as the Automatic Terminal Information Service (ATIS). runway closures, and soforth, andarebroadcast on acontinuous loop over a information on weather variations, interruptions, delays inground operations, with Clearance Delivery, istheresource that delivers pilots accurate andupdated the related authorisations (Clearance Delivery). Flight Data, normally coordinated with taxiway andrunway indications androute instructions upon take-off, with off phase,shortly before starting up the runway, local control provides thepilot ensuring separation betweenrunways andaircraft at all times.In thepre-take- (Approach Control), for which it provides specific authorisations andinstructions, of the runway (RWY), taxiways tothe runways, aircraft take-off/landing stages

ICAO, ICAO,

Normally denoted by the first 7 letters of the ICAO phonetic alphabet: Alpha, Bravo, Charlie, Charlie, Bravo, Alpha, the alphabet: phonetic ICAO of 7 letters first the by denoted Normally Pilots often refer to Local Control with the term Control Tower. Control term the with Control to refer Local often Pilots Receiver-transmitter that generates a signal in response to a specific query. to aspecific response in asignal generates that Receiver-transmitter Take-off/landing area. Take-off/landing 61 (Air Traffic Services), cit. Services), Traffic (Air Annex 11 (although some countries areallowed tomake adaptations inaccordance 62 andsoforth. ClassesAtoEcorrespond tocontrolled air 64 take-off/landing operations andcruising–are , http://www.icao.int/safety/airnavigation/ 65 isresponsible for theuse 63 18 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI will attempt toreveal any regularities that may existinboththeirtechniques and operating incyberspace.Asubsequent detailed analysis of theirmodus operandi The following section will seektounravel thelogic employed bynon-state actors potentially bemanipulated. disloyal employees or of actors traceable tosuppliers or sub-suppliers who could study will notmake direct reference to the possible risks associated with the actsof on exploiting vulnerabilities incivil society.” events, it wasfully aware that “terrorists, criminals andhacktivists aregenerally set that the organisation had not yet been informed of any cyber-related catastrophic Singapore, ICAO secretarygeneral Raymond Benjamin stated that, despite thefact gov/node/18. critical See: infrastructure. ICS-CERT, Descriptions Source Threat Cyber country’s a to attack needed capabilities the for developing means financial and technological 66 loss of life.” intent rangingfrom thetheftof information andgeneral disruption topotential “hackers, ‘hacktivists’, cyber criminals andterrorists now focused on malicious for cybersecurity incivil aviation, inaneffort to form acommon front against In December2014,ICAO, IATA, ACI, CANSOandICCAIA signed anaction plan 3. CyberThreats toATM/ATC Systems operations andassistswith thoseasnecessary. The ALSnotifies theproper authorities of aircraft inneed of search andrescue collision, presenceof ships intheareaandall othersecurity-related information. changes intheoperational efficacy of navigation aids,unmanned balloons, risk of volcanic activity, thepresenceof radioactive or toxic substances intheatmosphere, Service (FIS)andan Alerting Service (ALS).FISdata cover weather conditions, during cruise stage. Basic ATS services for each FIRconsist of aFlight Information Area Control is provided by an ACC assigned to the FIR in which a plane is located other airport) nearby. sometimes assistedbytheairport’s radarrooms operators andacontrol centre (or manage planes at adistance of up to 30-50 nautical miles from theairport, andare by toreceive newinstructions. Controllers assistingapproaching aircraft normally The Defence of Civilian Air Traffic Systems from CyberThreats 68 67 the greatest danger to the critical infrastructures of third countries. out that, inlight of theircombined resources andtechnological skills, states pose does notdeal with electronic warfareoperations. Nevertheless, it isworth pointing excludes analysis of thethreat of possible attack bystate or para-state entities. It also hacktivists andcybercrimegroups. Basedon thisassessment, thepresent study most directcyberthreat tocivil aviation isposedbynon-state actors, i.e.terrorists,

ICAO, ICAO,

Opening Remarks to the Conference on Civil Aviation Cyber Security Cyber Aviation to on the Civil Opening Remarks Conference Benjamin, Raymond According to some estimates, for the next 5-10 years only national governments will have the the have will 5-10 governments only national next for the years to estimates, some According Aviation Unites Threat Aviation on Cyber 66 Similarly, during theAugust 2015 cybersecurity conference in , cit. , 67 According totheseinstitutions, the , https://ics-cert.us-cert. , 68 Similarly, the , cit. , 19 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI and theirrelatively easyassembly. Despite that, anIEDattack iscapable of causing especially simple basedon thelow costandeaseof findingthematerials needed from a few million to tens of millions of dollars. or more teamsof computer science expertsandengineers,for anoverall costof some analyses, Stuxnet wastheproduct of 10,000hoursof development byone noteworthy technical expertiseand massive financial resources. According to Although thedamagewaslimited tothecentrifuges, theact’s outcome required sources, this has been the only cyber attack to date to produce a physical effect. one-fifth of a nuclear plant’s centrifuges hadbeendamaged.Based on the available programme. Theworm wasdiscovered in2010when Iranian engineersrealised that authorities with theintention of slowing and/or halting theIranian nuclear Response and Understanding, Assessment, Cyberterrorism. (eds.), Macdonald Stuart Jarvis, Lee Chen, M. Departing from thework of Giampiero Giacomello, facilities arenot,andwill never be,entirely secure,asistrue of all ITsystems. because it canbedone; inotherwords, because thesystemsthat maintain those however, a terrorist could target the critical infrastructure of acountry simply bomb detonated in the heart of a city. From a more technological point of view, expensive and its potential results would not have the media impact of a simple afford toplanandconduct acomplex operation incyberspacebecause it is confronting thequestion. According to acost/benefit analysis, aterrorist cannot her theory. Stuxnetisa“worm” uses the examples of Stuxnet and an improvised explosive device (IED) toexplain and Homeland Security, 24 February 2004, http://www.gpo.gov/fdsys/pkg/CHRG-108shrg94639. Century in the 21st Cyberterrorism 71 70 69 a country’s critical infrastructures? What could spurterrorists or othermalicious actors tolaunch acyberattack on 3.1 Attack or not?Twoviews compared ATM/ATC systems. initial assessment of thestatus of thecyberthreat tocritical infrastructures such as targets. Thelastpartwill summarisewhat theanalysis bringstolight andoffer an The Defence of Civilian Air Traffic Systems from CyberThreats 73 72 are cost/benefit driven. The section refers mainly to the logic behind terrorist organisations’ acts. organisations’ terrorist behind the logic to mainly refers section The driven. cost/benefit are choices groups’ crime or cyber hacktivist how terrorist, to foreground aims section This particular. of Italy in case the in of ATC, and realm the in systems no SCADA are there that considering ATMs, Cyber Glossary Cyber NICCS in “worm” See itself.” to spread Studies in Conflict and Studies Terrorism and tools:cost,complexity, destruction factor andmediaimpact. at least four factors motivate a terrorist organisation to use other than cybertactics

Maura Conway, “Reality Check: Assessing the (Un)likelihood of Cyberterrorism”, in Thomas Thomas in of Cyberterrorism”, (Un)likelihood the Assessing Conway, Check: Maura “Reality Virtual Threat, Real Terror: Real Threat, Virtual Judiciary, on the Committee Senate US see: analysis, in-depth For an “A self-replicating, self-propagating, self-contained program that uses networking mechanisms Giampiero Giacomello, “Bangs for the Buck: A Cost-Benefit Analysis of Cyberterrorism”, in Cyberterrorism”, of ACost-BenefitAnalysis Buck: for the “Bangs Giacomello, Giampiero This section does not intend to describe the specific vulnerabilities of infrastructure such as such infrastructure of vulnerabilities specific the not intend to describe does section This , New York,, New 103-122. p. 2014, Springer, , Vol. 27, 387-408. p. No. 5(2004), , Hearing before the Subcommittee on Terrorism, Technology, on Terrorism, Subcommittee the before , Hearing 72 (probably) created byone or more government 69 The study brings two main approaches to : https://niccs.us-cert.gov/glossary#worm. : 73 By contrast, building an IED is 70 Maura Conway maintains that 71 Theauthor 20 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI improve it”. See: Wikipedia, https://en.wikipedia.org/wiki/Patch_(computing). it”.improve Wikipedia, See: www.kaspersky.com/flame. that whereas theseexploits wereonce thesole prerogative of governments and precisely because theweaknessesareunknown. Against thisbackdrop, it seems on themanagement of theinfrastructures systemsthemselves. and Industrial Control Systems (ICS) headquartersinorder togenerate reports many critical infrastructures today areremotely linked andmanaged from SCADA service andthus make continuous updating difficult, ifnot impossible. Similarly, updates on critical infrastructure components could lead to the suspension of and difficult tomanage, even inthecase of non-obsolete software. Installing public search enginessuch asShodan.Updating asecurity patch canbecostly ones. Thisisextremely riskysincesoftware that isnotupdated iseasily visible by to stop patching security vulnerabilities even in the presence of newly discovered which such systemsoftware ispatented, non-standard or dated, one may decide 77 76 75 74 infrastructures function properly are not fast or frequent enough. first place,thesecurity updates of software that regulate andmake critical networks feature vulnerabilities that areeasily exploitable byterrorists. In the Alternatively, Clay Wilson argues from atechnological standpoint that digitised these four factors makes cyberterrorism possible but, fortunately, improbable. resonance of abomb that leaves dozens of civilian victims. Thecombination of such asthosethat various terrorist organisations could launch lackthemedia final element tobeconsidered: mediaimpact. According toConway, cyber attacks of destruction therefore becomes adeterminingfactor, andnotleast inlight of the dramatic physical harm,certainly greater thanthat caused byStuxnet.Thedegree The Defence of Civilian Air Traffic Systems from CyberThreats 78 zero-day exploits. circumstances. These two malware made history because they contained multiple analysed byvarious organisations andthenaltered andreutilised underavariety of Woodrow Wilson Center Press / New York, Columbia University Press, 2015, p. 152-153. p. 2015, York, / New Press, University Center Columbia Press Wilson Woodrow Generation Next The in Cyberspace. Terrorism Weimann, Gabriel view, see: opposing attacks. Flame possession of powerful malware that canbe“reverse-engineered” toconduct cyber injected into thetargetedsystem.Finally, potential terrorists could already bein system weaknessesandthenbeexploited byspecifically designed malware tobe entire SCADA or ICS systems.Cyberespionage techniques canbeusedtoidentify if notproperly protected, toinfection bymalware capable of spreadingtothe to thepublic network could make theseinfrastructures vulnerable toattack and, wired.com/?p=1588707. day?”, azero is what Wired in Lexicon: “Hacker Zetter, Kim See, vendors.” or to antivirus maker software to the unknown yet is –that software system operating Cyber Related Terms Related Cyber of Center, Glossary &Communication Policy Democratic See: grid. electrical of the regulation

Maura Conway, “Reality Check: Assessing the (Un)likelihood of Cyberterrorism”, cit. For an For an cit. of Cyberterrorism”, (Un)likelihood the Assessing Conway, Check: Maura “Reality “A piece of software designed to update a computer program or its supporting data, to fix or to fix data, or supporting its to acomputer update program designed “A of software piece What is Flame Malware? Flame is What Lab, Kaspersky see: effects, its and of Flame For adescription SCADA and ICS are automated systems used to control industrial processes such as, for example, for example, as, such processes to industrial control used automated systems are ICS and SCADA “Zero-day vulnerability refers to a security hole in software – such as browser software or software browser as –such software hole in to asecurity refers vulnerability “Zero-day 77 andStuxnetareexamples of malware that, once discovered, were , July 2012, http://www.dpc.senate.gov/docs/fs-112-2-183.pdf. July, 2012, 78 Counter-measures againstthesetypesof malware do notexist , 11 November 2014, http://www. 2014, November , 11 76 Beinglinked 75 In cases in , Washington, , Washington, , http:// , 74 21 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI what-next-for-isil-and-al-qaeda. Insights Strategic ASPI in Reports BokoHaram”, Blue Bat Special in and Shabaab, Al ISIS, Qaeda, of Al Capabilities and Strategies Cyber The Cyber: Goes “Terror see: organisations, terror other by dimension cyber of the use the of chapter). analysis For following an the in analysed study case to Italy the (see threat greatest the represent they since chosen were two The goals. of their pursuit of it the in use make organisations York, 123-137. p. 2014, Springer, and Response Understanding, Assessment, Cyberterrorism. (eds.), Macdonald Stuart Jarvis, 80 79 parts of theworld. thanks notleast tothesupport of thousandsof fighters and followers from various itself aCaliphate inJune 2014,currently controls vastportions of Syria andIraq, The Islamic State of Iraq and Syria (ISIS), a militant jihadist group that proclaimed Terrorist organisations (ISISand Al-Qaeda) with aview todeterminingtheiractual capabilities andintentions. hacktivists andcybercriminals –andanoverview of theiractivities incyberspace, aviation authorities have identified aspossible threats –terrorist organisations, This section offers ananalysis of themeansandobjectives of thoseactors that civil 3.2 Actors, objectives and modus operandi capability. it is not clear whether non-state actors have yet thiseconomic and technical financial andtechnical resources. As will become evident asthisstudy continues, Stuxnet worm iscurrently anextremely complex undertaking,requiringmassive emphasises, carryingout anattack with effects similar tothoseresulting from the will decidetomount one, or that theyareeven capable of doing so.As Conway complex ICT systemsdoes notmeanthat terrorists, hacktivists andcybercriminals a marketplace. In any case,theexistenceof faults capable of allowing anattack on such anattack would certainly notbeless mediaworthy thanabomb going off in manage toblock anATM systeminthefuture andcause large-scale civilian death, depends on theextent of thecyberattack. If aterrorist organisation will successfully blocking centrifuges hasless mediapunchthandozens of fatalities, but that they will never beentirely secure.It may betrue that acyberattack capable of compromise thesystemsandnetworks of these infrastructures isfeasible because such asATM/ATCs. According toWilson’s technological argument, anattempt to considering the possibility that various actors may decidetoattack critical systems These two discrete perspectives offer some interesting food for thought when agencies, today areemployed byavariety of actors inthecyberspace. The Defence of Civilian Air Traffic Systems from CyberThreats 81 its intention of extendingits jurisdiction across theplanet,various international

Tobias Feakin and Benedict Wilkinson, “The Future of Jihad: What Next for ISIL and al-Qaeda?”, for and ISIL Next What of Jihad: Future “The Wilkinson, Benedict and Tobias Feakin Clay Wilson, “Cyber Threats to Critical Information Infrastructure”; in Thomas M. Chen, Lee Lee Chen, M. Thomas in Infrastructure”; Information to Critical Threats “Cyber Wilson, Clay This study examines the use of cyber space by ISIS and Al-Qaeda only, regardless that other other that only, Al-Qaeda and ISIS by regardless space of cyber use the examines study This , April 2015, http://www.batblue.com/?p=6166. 2015, , April 81 As thegroup claimsauthority over theentire Muslim world and , June 2015, https://www.aspi.org.au/publications/the-future-of-jihad- 2015, June , 80 79 , New , New 22 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI the transfer of ICT expertise. 84 83 82 often recurringto“hacking,” theunauthorised accesstocomputer systems, As anotheremergingdimension of thegroup activities incyberspace,ISISismore its acts. the “dark,” andthe“surface” web,where it seeksthehighest possible visibility for space hasdrawn theattention of scholarsandexperts.ISISoperates inthe“deep,” its military successes on the ground and the brutality of its practices, its use of cyber organisations andnations have declaredit aterrorist organisation. In addition to The Defence of Civilian Air Traffic Systems from CyberThreats 85 card data stolen online. Ibid. online. stolen data card or buy credit attacks phishing use also jihadists The data. card or credit bank at obtaining aimed are attacks cyber ISIS Many Bitcoin. PayPal and as such services through versa vice West and the in operating militants of money to sums transferring capable of is allegedly ISIS for financing, As mobile phone. and browser both via more secure navigation online how to make general, more in or, (VPN) Network Private Virtual the on how to use produces organisation the manuals provides eu/publications/detail/article/cyber-jihadists-and-their-web. Briefs web”, EUISS their in and jihadists “Cyber Pawlak, Patryk and Berton Beatrice real-time. in Ibid. activities command/control and recruitment coordinate and to communicate for jihadists it possible make or Skype Kik as such services Online Europe. from of whom came 3,000 ISIS, up to with sign Iraq and to Syria travelled had countries 80 than more from individuals 30,000 approximately 2015 of January as that estimated it is to recruitment, With regard tweets. and automatic updates of sending capable Tidings”) of Glad (“Dawn application an create to managed has The organisation battlefield. on the happening of is what coverage time real- nearly offer that “diaries” as Twitter exploited are Facebook and merchandising. and games NATO soldiers obtained,according totheperpetrators, afterhackinginto one of and threeEgyptian websites. Twitter imagespostedinJuly contained thedata of March 2015,during which timethecyberjihadists defacedone French, one Russian military site”. Also worthy of noteareISIS“CyberArmy” activities between19and29 French andItalian military personnel, claimingtohave hacked into a“British addresses, telephone number, IPaddressandhome country) of American, English, posted a9-minute videocontaining thedemographic data (name,e-mail andhome to release aflood of propaganda. In August, theaffiliated Al-Battar Media group ISIS-affiliated hackers took over theTwitter account of Egyptiansinger Nugoum platform andcompromised approximately 200websites. Thefollowing April, In March 2015, pro-ISIS militants exploited a series of weaknesses in theWordPress by ISISmembersor, more probably, bydirectly affiliated hacker groups. Dos/DDoS, theinterruption of computer services. Theseactivities areperpetrated org. page: https://www.torproject. project the see For details online. invisible identity auser’s maintain to designed Thewas Tor browser http://securityaffairs.co/wordpress/40933. 2015, October 11 Affairs Security in more dangerous?”, even is web of the part hidden the –Why web Dark “The Paganini, Pierluigi See: known. is URL exact Torthe by if browser but accessible hidden are addresses up IP of sites whose made web deep of the portion that is web dark The Google. as such engines search normal by not indexed are content digital that and networks up sites, of web made

Glossary of Cyber Related Terms Related of Cyber Center, Glossary &Communication Policy Democratic Propaganda is disseminated by means of social media, videos, forums, publications, online online publications, forums, videos, media, of social means by disseminated is Propaganda The “dark web” is distinct from the “deep web”. The deep web is an extensive section of the web web of the section extensive an “deep is web”. the web from deep The “dark distinct web” is The ISIS instructs its operatives on how to remain anonymous online: the JustPaste.it website website JustPaste.it online: the anonymous on how to remain operatives its instructs ISIS 82 It usescyberspaceprimarily for propaganda, recruiting, 84 , No. 2/2015, http://www.iss.europa. No., 2/2015, 83 , cit. , financingand , 85 or or 23 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI September 2015, http://t.co/8gLdpIHwGa. 2015, September residing inAmerica [to]deal with you.” and that theirgoal indisseminating themwastomake it possible for “our brothers hacking into multiple military servers, databases andprotected e-mail services, jihadist forums in March. ISHD claimed that they had obtained these data after The photosandaddressesof 100USmilitary personnel werecirculated on several inducement toanalyse thetwo groups’ activities in2015. Cyber Force. Cyber United Islamic the and Army Cyber East Middle the as such groups Islamic and Hackers Izzah Alert%20-%20ISIS%20Cyber%20Attacks.pdf. http://security.radware.com/uploadedFiles/Resources_and_Content/Threat/ERT%20Threat%20 Alert Threat ERT in Attacks” Cyber “ISIS Radware, terrorismo-informatico-1.197769; http://espresso.repubblica.it/plus/articoli/2015/02/02/news/isis-al-qaeda-e-la-sfida-del-2015, en/0/0/0/0/0/857/8714.htm. MEMRI Inquiry & Analysis Series Inquiry &Analysis MEMRI It isbelieved that ISHDwasled up until thenby21-year-old Junaid Hussain, addresses and other sensitive data of 1,351 US military and government personnel. 92 91 90 89 88 87 86 (“crews”) that ISISdoes notcontrol. the mostreliable assessments lead tothebelief that these areautonomous groups conducted computer operations on behalf of theterrorist organisation. To date, State HackingDivision (ISHD)andtheCyberCaliphate hacker groups have While theirnature andaffiliation with ISISarenot entirely clear, alsothe Islamic the Atlantic Alliance’s websites. The Defence of Civilian Air Traffic Systems from CyberThreats users tochangetheirpassword andtoarevision of security procedures. to access,but authorities could notrule out data exfiltration. Thisprompted various Home SecretaryTheresaMay. It remainsunclear what information theywereable to hackinto thee-mail of several membersof theBritish government that included wishing toshow theirdiscontent with theWestern reaction totheterrorist attack. websites with the support of an informal network of hacker groups and individuals Cyber Caliphate launched the #OpFrance operation against thousands of French 2014. Between10and16January 2015,following theCharlie Hebdo terrorist attack, Cyber Caliphate firstsurfacedinan attack on theAlbuquerque Journal inDecember ISIS recruits before beingkilled inaUS-led raidon 25August. Abu Hussain Al-Britani, who it issupposed wasteachinghackingtechniques to negligible consequences (mainly webdefacement); According toFrench authorities, approximately 1,300sites wereattacked, but with

Ibid. The principal names associated with the campaign include AnonGhost, the Fallaga Team, the Fallaga the Team, the AnonGhost, include campaign the with associated names principal The Claire Newell et al., “Cabinet ministers’ email hacked by Isil spies”, Guardian The Isil by in hacked email ministers’ “Cabinet al., et Newell Claire Carola Frediani, “Isis, al Qaeda e la sfida del cyber terrorismo”, in l’Espresso terrorismo”, cyber del sfida ela al Qaeda “Isis, Frediani, Carola Steven Stalinsky and R. Sosnow, “Hacking in the Name of the Islamic State (ISIS)”, State cit. Islamic of the Name the in Sosnow, “Hacking R. and Stalinsky Steven Steven Stalinsky and R. Sosnow, “Hacking in the Name of the Islamic State (ISIS)”, State in Islamic of the Name the in Sosnow, “Hacking R. and Stalinsky Steven Interview, October 2015. Interview, October , No. 1183 (21 August 2015), http://www.memri.org/report/ 2015), August (21 , No. 1183 86 In May, ISIS-affiliated hackers allegedly managed 88 Theirdomination of themediawasample 89 In August, ISHDpostedthenames,e-mail 92 according toothersources, a , 4 February , 4February , April 2015, 2015, , April , 11 , 11 87 90 aka 91

24 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI been noaccesstoits server. Airlines. Beyond webdefacement, however, thecompany maintained therehad as the “Official Cyber Caliphate” took credit for violating the website of Malaysia obtained bypenetrating classified networks. That samemonth, agroup known propaganda andCENTCOM personnel data that thejihadistgroup claimedtohave in hackingtheTwitter andYouTube accounts of USCENTCOM to postpro-ISIS “ISIS cyber attacks”, cit. attacks”, cyber “ISIS Caliphate’”, in Reuters in Caliphate’”, 96 95 94 93 in 2003, electronic jihad is a fundamental and sacred duty for all Muslims, its firstwebsite, Azzam.com. According tothe“39Principles of Jihad” published Al-Qaeda already displayed aninterest incyberspace20years ago, when it created and non-Western security. regional groups that it hasspawned continue toposeaserious threat toWestern believed tohave significantly weakened the organisation’s leadership, although the 2004. Successive military operations inAfghanistan, Iraq, Pakistan andYemen are terrorist attacks such asthoseof New York in2001,Bali in2002andMadrid multimillionaire OsamaBin Laden,wasresponsible for aseries of large-scale Al-Qaeda (“TheBase”),aterrorist organisation founded in1988bySaudi portion of thesewereDDoS attacks. The Defence of Civilian Air Traffic Systems from CyberThreats 99 98 97 2014, http://reut.rs/1hTuTjC. “ISIS Cyber Attacks”, cit. Attacks”, Cyber “ISIS Approfondimenti page. its live television broadcast and its website in addition todefacingits Facebook In April, theCyberCaliphate hacked into TV5Monde computers, interrupting Twitter account, which it usedtospreadISISpropaganda and“classified material”. hacking-twitter-account.html. News Hacker FBI”, The in and CIA of the community andtherecruitment of new martyrs. how jihadonline serves topromote propaganda, theradicalisation of theIslamic when viewed infunction of the“Al-Qaeda 20years strategy”, which demonstrates and monitoring its progress. Al-Qaeda’s useof internet canbebetterunderstood which considers thewebanimportant meansfor disseminating the “holy war” and falls within thebroader strategic framework of “44Ways toSupport Jihad”, Agency (NSA). have also publicised thedata of theheads of theCIA,FBIandNational Security victims who had theirdata leaked tothewebarefrom Saudi Arabia. Islamic hackers accounts that it once againusedtopostpro-ISIS messages.Themajority of the

Mark Hosenball, “U.S. says al Qaeda core weak, but affiliates still threaten”, still inReuters but affiliates weak, core al Qaeda says “U.S. Hosenball, Mark Steven Stalinsky and R. Sosnow, “Hacking in the Name of the Islamic State (ISIS)”, cit.; Radware, (ISIS)”, State Radware, cit.; Islamic of the Name the in Sosnow, “Hacking R. and Stalinsky Steven Steven Stalinsky and R. Sosnow, “Hacking in the Name of the Islamic State (ISIS)”, cit.; Radware, (ISIS)”, State Radware, cit.; Islamic of the Name the in Sosnow, “Hacking R. and Stalinsky Steven Beatrice Berton and Patryk Pawlak, “Cyber jihadists and their web”, their cit. and jihadists “Cyber Pawlak, Patryk and Berton Beatrice Il mondo dell’intelligence. dell’intelligence. mondo ereale”, Il in virtuale tra jihadisti “Network Vito Morisco, Swati Khandelwal, “ISIS Supporter Hacks 54,000 Twitter Accounts and Posts Details of Heads of Heads Details Twitter Posts and Accounts 54,000 Hacks Supporter “ISIS Khandelwal, Swati Al-Zaquan Amer Hamzah, “Malaysia Airlines website targeted by hacker group ‘Cyber ‘Cyber group hacker by targeted website Airlines “Malaysia Hamzah, Al-Zaquan Amer 95 In October,thehacker group gainedaccesstoapproximately 54,000Twitter , May 2015, https://www.sicurezzanazionale.gov.it/sisr.nsf/approfondimenti/ 96 , 26 January 2015, http://reut.rs/1z0irG4. 2015, January , 26 97 94 In February, thesamegroup accessedtheNewsweek , 8 November 2015, http://thehackernews.com/2015/11/ 2015, , 8November 93 Also inJanuary, CyberCaliphate succeeded 99 , 30 April April , 30 98

25 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI tegory=content:37&tagId=656&Itemid=1355. siteintelgroup.com/index.php?option=com_customproperties&view=search&task=tag&bind_to_ca of any country, although a US ICS-CERT report carried out attacks of any particular importance againstthecritical infrastructures defacement. Electronic Army’s 2015activities seemtohave focused mainly on Western website Descriptions Source Threat ICS-CERT, Cyber http://resources.infosecinstitute.com/?p=21557. 2013, 2 October 107 106 105 104 103 102 101 100 network-jihadisti-tra-virtuale-e-reale.html. promotion of human rights. cyber spaceinsupport of political causes, including freedom of speechandthe The term “hacktivism”, acompound of hacker and activism, refers tothe useof Hacktivists forums on thepossibility of conducting cyberattacks. According tosome reports, Al-Qaeda andits cyber“legions” frequently chat on online cyber operations, although theauthenticity of thoseclaimsisoften unverifiable. Hackboy. Over theyears, Al-Qaeda hasclaimedthesuccessful execution of several Majmu’at Al-Jihad Al-Electroni, Majma’ Al-Haker Al-Muslim, Inhiyar Al-Dolar and Ansar Al-Jihad Lil-Jihad Al-Electroni, Munazamat Fursan Al-Jihad Al-Electroni, Towards themid-2000s, sixgroups could beassociated with Al-Qaeda’s cyberjihad: The Defence of Civilian Air Traffic Systems from CyberThreats Engage in Cyber Jihad”, cit. Cyber in Engage content/uploads/2014/12/cyber-jihad-2.pdf. Inquiry &Analysis Jihad”, MEMRI in Cyber in Engage has postedinformation concerning theexecution of DDoS attacks. of operation requires.Ontheotherhand,one website associated with Al-Qaeda organisation isactually in possession of the technical skills and resources this type SCADA command andcontrol functions, even though it isnotknown whether the of the possibility of hijacking airplanes using an Android smartphone. Shumouk Al-Islam jihadistforum discussedSpanish expertHugo Teso’s discovery was also reported on theehackingnews.com website. Onemonth later, auserof the they hadhacked into Pentagon andUSDepartment of State websites, newsthat In March 2013,theAl-Qaeda Electronic Army andtheTunisianCyberArmy claimed state-supported hackers. operations that display techniques very similar tothoseof cyber criminals and years, going from thedefacement of sites notparticularly defended tocomplex Ibid.

Ibid.

Industrial Control Systems Cyber Emergency Response Team. For the report see: ICS-CERT, see: report For the Team. Response Emergency Cyber Systems Control Industrial Steven Stalinsky and R. Sosnow, “From Al-Qaeda to the Islamic State (ISIS), Jihadi Groups Groups Jihadi (ISIS), State Islamic to the Al-Qaeda Sosnow, “From R. and Stalinsky Steven InfoSec Resources InfoSec in Else?”, … What Motivations and Means “Hacktivism: Paganini, Pierluigi Dark Web & Cyber Security Web Dark in Site &Cyber Group, Intelligence “Al-Qaeda Electronic”, Pierluigi Paganini, “Hacktivism: Means and Motivations … What Else?”, cit. Else?”, …What Motivations and Means “Hacktivism: Paganini, Pierluigi Steven Stalinsky and R. Sosnow, “From Al-Qaeda to the Islamic State (ISIS), Jihadi Groups Groups Jihadi (ISIS), State Islamic to the Al-Qaeda Sosnow, “From R. and Stalinsky Steven , cit. , 102 106 To date, theseactors have notbeenreported ashaving 105 Hacktivist skills have grown exponentially over the , 5 December 2014, http://cjlab.memri.org/wp- 2014, , 5December 107 credits them with a series of 103 Al-Qaeda targetsinclude , https://ent. , 104 101 Al-Qaeda , 100

26 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI 2012, http://www.imperva.com/download.asp?id=312. 2012, systems; Acunetix toidentify weaknessesandthenlaunch anattack againstthetargeted skilled hackers launch aprocess of reconnaissance usingtoolssuch asNikto and as Facebook andTwitter andsites such asYouTube. In thesecond, themore highly a few hacktivists attempt tounite asmany persons aspossible on social mediasuch against government sites and/or other major institutions, and SQL-injection. electrical grid to them as ridiculous. as to them grid electrical the intention to the attack who attributed of those idea the called Anonymous Journal, Wall Street identify website and application weaknesses. application and website identify to use scanner box” “black is a Acunetix of problems. types and other dateoutsoftware of files, 111 110 109 108 MM201502. Monitor, 2015 ICS-CERT 2014-February September Anonymous claimedotherwise,announcing it hadstolen 150,000demographic Response Team (CERT) assertedthat no Israeli government site hadbeenhacked, committed inthePalestinian territories”. Although theIsraeli Computer Emergency They launched aseries of attacks inApril againstIsraeli websites toavenge “crimes activities in2015,apart from thoselaunched againstISISsupporters andaffiliates. Anonymous didnotsignificantly interrupt or veer from theprevious years’ event. conduct frequent computer attacks that arenotnecessarily inresponse toany reaction to an event or incident. Its regional pro-active versions, on the other hand, global component rarely launches attack campaigns and,for themostpart,in Anonymous appears tohave split into aglobal andaregional components. The arrest of one thegroup’s leaders, Hector Monsegur, andothersof themovement, formed inthe2000son behalf of thefreedom of online information. After the2012 The most famous of hacktivist collectives is Anonymous, a group of hackers attacks on ICS/SCADA facilities over 2014. The Defence of Civilian Air Traffic Systems from CyberThreats 114 113 112 Havij. especially for theattack. software that can be bought over the web black market or through websites created base inorder tolaunch aDDoS. Theattack iscarried out usingconventional highly skilled hackers request assistancefrom thepreviously recruited member Glossary.aspx?tid=2188&char=S. Glossary ISACA in injection” “SQL See (MITRE).” design. application during not envisaged ways in database the from information to glean possible it is queries, of SQL part as validation proper without used is syntax of SQL user-controlled input consisting Anonymous’ modus operandi usually consists of threephases. 2012, http://blog.imperva.com/2012/08/the-evolving-nature-of-hacktivism.html. 2012,

Hacker Intelligence Hacker in Reports Attack”, Anonymous of an Anatomy “The Imperva, Havij is a tool that reveals a website’s SQL-injection vulnerabilities. awebsite’s SQL-injection reveals that atool is Havij Nikto is a web scanner used to test for web servers’ vulnerabilities. It searches for dangerous for dangerous It searches vulnerabilities. for servers’ to web test used scanner aweb is Nikto Imperva, “The Anatomy of an Anonymous Attack”, cit. Attack”, Anonymous of an Anatomy “The Imperva, “Results from failure of the application to appropriately validate input. When specially crafted crafted specially When input. to appropriately validate application of the failure from “Results Pierluigi Paganini, “Hacktivism: Means and Motivations … What Else?”, cit. In a message to the to the amessage In cit. Else?”, …What Motivations and Means “Hacktivism: Paganini, Pierluigi Imperva Cyber Security Blog Security Cyber Imperva in of Hacktivism”, Nature Evolving “The Rob Rachwald, 113 109 In thethirdphase,incasedata exfiltration process hasfailed, themore Thetechniques theymostfrequently useinclude webdefacement, DoS 112 during theattack, theyuse special data exfiltration software such as 114 , https://ics-cert.us-cert.gov/monitors/ICS- , 108 , http://www.isaca.org/Pages/ 111 In thefirstphase, , February , February , 8 August , 8August 110

27 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI 2015, http://securityaffairs.co/wordpress/38860. Affairs law. government’s computer systeminresponse toapproval of anew counter-terrorism June, themasked hackers wereresponsible for aDDoS attack againsttheCanadian have published a list of websites it believes sponsor the jihadist cause. have hacked into social mediaaccounts usedbyISIStospreadpropaganda andto FBI’s investigation into theUSCENTCOM Twitter account hack,andappears to sources, betweenJanuary andJuly 2015,thehacker group collaborated with the and police forces toavert ISIS-plannedterrorist attacks inTunisiaandNew York. an Anonymous affiliate, isthought to have collaborated with American intelligence Security Affairs Security in massacre”, extend intellectual property restrictions tothecountries of EastAsia. Pacific Partnership (TPP)negotiations that, according tothehackers, threatened to reaction toTransatlantic Trade andInvestment Partnership (TTIP)andTrans securityaffairs.co/wordpress/37883. Affairs Security in Government”, at Canadian systems hit Anonymous 119 118 117 116 115 these criminal organisations. commit theactual crimes,but actfor themostpartascoordinators, usually manage meet mainly on theweb andvery rarely inperson. Experthackers who rarely for years now. Thefulcrum of online crimeconsists of agroup of individuals who Criminal networks who operate almost exclusively inthevirtual world have existed to makingonline crimeone of themostprofitable sectors of the world’s economy. the tools for engaging in illegal activities in cyber space. All this has contributed in communications, thepossibility of easily remaininganonymous andobtaining Online crime hasbeenabettedinits development over recent years bytheease Cyber criminals and organised crime agencies confirmed that some government sites had been compromised. data (telephone numbers andFacebook, Gmail andHotmail accounts). Israeli press The Defence of Civilian Air Traffic Systems from CyberThreats 121 120 p. 16-17, http://f3magazine.unicri.it/?p=310. reprisals againstanyone who backed violent jihad. attacks byISISsympathisers andsupporters, thehackers collective announced of the French periodical Charlie Hebdo were killed. Following a week of cyber interesting wasAnonymous’ reaction totheterrorist attack inwhich two journalists 2015, http://securityaffairs.co/wordpress/35486. Affairs in Security propaganda”,theISIS against fighting are “Anonymous vigilantes Affairs Security July 2015, http://securityaffairs.co/wordpress/35776.

Security Security in TPP/TTIP”, against Bureau Census US “Anonymous Hacks Pierluigi, Paganini Security Affairs of #opIsrael”, Security in part as Israel hit “Anonymous collective Paganini, Pierluigi The attack was confirmed by the Canadian authorities. See: Pierluigi Paganini, “#OpC51 “#OpC51 Paganini, Pierluigi See: authorities. Canadian the by confirmed was attack The Freedom from Fear from Freedom Crime”, in Organized and Crime “Cyber Tropina, Tatiana Pierluigi Paganini, “Anonymous supports FBI investigation of US CENTCOM hack”, in in hack”, of CENTCOM US investigation FBI “Anonymous supports Paganini, Pierluigi Pierluigi Paganini, “Update Charlie Hebdo Tango Down – Anonymous promises to avenge the to avenge the promises –Anonymous Down Tango Hebdo Charlie “Update Paganini, Pierluigi Security Affairs Security terror”, in Isis thwarts GhostSec “Anonymous’s team Paganini, Pierluigi 116 , 25 July 2015, http://securityaffairs.co/wordpress/38817. July, 25 2015, In July, thecollective succeeded inobtainingUSCensusBureau data in , 19 January 2015, http://securityaffairs.co/wordpress/32403;Pierluigi Paganini, , 11 January 2015, http://securityaffairs.co/wordpress/32006. 2015, January , 11 121 Theweaknessesof various systemsareexploited 118 According togovernment , 18 June 2015, http:// June 2015, , 18 , No. 7(July 2010), 117 , 30 March March , 30 119 Particularly GhostSec, , 26 July, 26 115 , 8 In In 120 28 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI 2015, official sources stated immediately afterthe data weredisseminated that no competitors inthesamesector, along with tradesecretsandconfidential data. ensure success. Critical infrastructures can become targetsof attacks on behalf of financial resources at its disposal, it iscapable of hiringhighly skilled hackers to of organised crime’s mainactivity isindustrial espionage for profit. With massive 125 124 123 122 (SIPRNet) ones. heavily protected military networks, both classified (NIPRNet) and non-classified That, however, cannotnearly compare toasbeingable topenetrate much more a user’s accesscredentials (password plus username/email/telephone number). of that famoussocial medium it isnecessarytoeither guess or otherwiseobtain Twitter account, various expertshave stressedthat inorder to“violate” theaccounts Analysing the Cyber Caliphate accessing of the US Central Command (CENTCOM) amount of medialimelight theyhave enjoyed. systems. The level of sophistication of these operations has been well below the skills do notposeanimminent threat tocritical infrastructures such asATM/ATC Analysis of ISIS and Al-Qaeda’s cyber space activities reveal that their hacking 3.3 Status of thecyberthreat toATM/ATC systems to attack theICS/SCADA systemsof critical American infrastructures in2014. according toUSCERT, therewerecybercriminals among theactors that attempted seem tobeinterested predominantly incommercial andfinancial institutions, mainly employed bythemostcomplex government actors. While cybercriminals has spurredinnovation, insome casesgoing asfartoadopt theuseof techniques capable of ensuringever-richer profits. Competition between vendors of malware Cyber-crime continued toevolve over 2015with theuseof more efficient tactics with the help of malware such as viruses, trojans, keyloggers The Defence of Civilian Air Traffic Systems from CyberThreats 127 126 ICS-CERT Monitor, ICS-CERT, 2015 ICS-CERT 2014-February trends-2015.pdf; September Papers Cyber Glossary Cyber NICCS in “botnet” See considered “anactof purevandalism.” CENTCOM reported that nosystemhadbeenaltered, andthat theepisodewastobe breach-the-truth-about-the-centcom-hack.html. Blog Rand The in Hack”, Glossary Cyber NICCS in “keylogger” See system.” information of an user the secretly, by to monitor actions The Guardian The in

ICS-CERT, Emma Graham-Harrison, “Could Isis’s ‘cyber caliphate’ unleash a deadly attack on key targets?”, on targets?”, key attack adeadly unleash caliphate’ ‘cyber Isis’s “Could Graham-Harrison, Emma RSA White White RSA in Landscape”, Threat Changing at the Look Inside An 2015. “Cybercrime EMC, “A collection of computers compromised by malicious code and controlled across a network.” anetwork.” across controlled and code malicious by “A of computers compromised collection “Software or hardware that tracks keystrokes and keyboard events, usually surreptitiously / surreptitiously usually events, keyboard and keystrokes tracks that or hardware “Software David C. Gompert and Martin C. Libicki, “Decoding the Breach: The Truth about the CENTCOM CENTCOM the about Truth The Breach: the “Decoding Libicki, C. Martin and Gompert C. David , April 2015, http://www.emc.com/collateral/white-paper/rsa-white-paper-cybercrime-, April 2015, : https://niccs.us-cert.gov/glossary#keylogger. : Cyber Threat Source Descriptions Source Threat Cyber , 12 April 2015, http://gu.com/p/47at3/stw. 2015, April , 12 126 Regarding thealleged dissemination of classified material, , 3 February 2015, http://www.rand.org/blog/2015/02/decoding-the- 2015, , 3February : https://niccs.us-cert.gov/glossary#botnet. : 127 As for ISHD’s alleged theftof data inAugust , cit. , 122 and botnets. , cit. , 123 125 One 124 29 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI “offensive” capabilities, but that they would probably behampered bytheirlack of some terrorist organisations appeared tohave agrowing interest indeveloping cyber In 2012,theheadof American intelligence, James Clapper,above. maintained that Analyses andassessments byinstitutional authorities andexpertsconfirm the in general. Nevertheless, thisdoes notrule out aninterest inattacking thecivil aviation sector these have notyet demonstrated the intention tospecifically attack ATM systems. ICT infrastructures areamong thesensitive targetsof terrorist organisations, attackers’ technological skill. Although it iswidely recognisedthat states’ critical there would be signals indicating a significant increase inthe sophistication of the launching anattack that could produce effects of acertainimport, it isprobable that their propaganda andattract financingandrecruits. Before theywerecapable of mainly tomake theircommand andcontrol operations more effective, spread 2015. In conclusion, terrorist organisations have thus farexploited cyberspace which hasproved less active incyberspacethanISIS,at least over thecourseof or Twitter account are.Thesameconsideration could bemadefor Al-Qaeda, subject tomuch more stringent security policies thanatelevision network technical maturity that would indicate its ability to successfully attack systems sources, arethemostnotorious) didtheterrorist organisation demonstrate a In thecaseof ISISthen,innone of thecasesanalysed (which, according toavailable damaging thereputation of anindividual entity or the“national economic system.” have. At most,such violations show theeffect –not least themediaimpact – of penetrate systemswith themulti-strata defences that various critical infrastructures networks or web services is not proof a hacker hastheexpertise necessary to to do with attacks on ATM/ATC systems.Therefore, knowing how toaccesssome monde-sur-les-images-de.html. http://www.telesatellite.com/actu/45271-des-mots-de-passe-de-tv5- 2015, , 10 avril Numérique presstv.com/Detail/2015/08/13/424575/ISIL-Hack-US-Military. 129 128 list of namesandotherdata hadbeenobtainedbycyberattack. The Defence of Civilian Air Traffic Systems from CyberThreats 131 130 2015, http://www.justice.gov/opa/pr/isil-linked-hacker-arrested-malaysia-us-charges. 2015, subsequently postedon Twitter bytheISIScomputer expert. supplying Junaid Hussain with thepersonal data of 1,351American soldiers, data of this, in October 2015, Kosovo national Ardit Ferizi was arrested in Malaysia for computer systemof anAmerican company andnotaprotected military network. American Department of Justice, Ferizi obtainedthesedata byhackinginto the television studio. passwords of some TV5usershadbeenbroadcast byaccident during filming inthe web defacement, some analysts have suggested theattacks happened because the Cyber Caliphate hadachieved amuch higher level of sophistication thannormal In ananotherepisode,namely theattack on TV5Monde, inwhich it seemedthe

Ibid.

“Des mots de passe de TV5 Monde sous les images de France 2 et BFM TV”, in Télé in Satellite TV”, BFM 2et et deFrance images les Monde sous de TV5 depasse mots “Des ISIL-Linked Hacker Arrested in Malaysia on U.S. Charges on U.S. in ISIL-Linked Malaysia of Justice, Arrested Hacker Department US “US military data stolen by Daesh’s ‘Hacking Division’”, in PressTV Division’”, in Daesh’s ‘Hacking by stolen data military “US 131 It goes almost without saying that theseattacks have nothing , 13 August 2015, http://www. 2015, August , 13 129 128 According tothe In confirmation , 15 October October , 15 130

30 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI house.gov/files/documents/ClapperOpening09102015.pdf. Committee on Intelligence, 10 September 2015, http://intelligence.house.gov/sites/intelligence. https://www.hsdl.org/?abstract&did=699575. of the Intelligence US on Committee Intelligence Community for the Select Senate and threat posedbytheseactors.” groups andattract attention of themedia,which might exaggerate thecapabilities sympathizers will probably conduct low level cyberattacks on behalf of terrorist could serve asthefoundation for developing more advanced capabilities. Terrorist more serious: “Terrorist groups will continue toexperiment with hacking,which not seemtohave changedin2015,andthethreat does notappear tohave become level of threat posedbytheseactors istherefore low. they will usecyberspaceasopposed to other means for achieving theirgoals. The groups have more primitive cybercapabilities thanotheractors, andit isless likely the American authorities’ assessment. 135 134 133 132 hand, do notappear toposeacritical threat, although thelevel of dangerincreases against critical infrastructures. Individuals or small groups of hackers, on theother medium-level threat, given theircapability for isolated, albeit damaging,attacks In general, according to the American authorities, hacktivists constitute a individuals notaligned with theirideology. endanger human lives; rather, that theirintention istotargetinstitutions and/or given no indication of their intention to strike targets in a manner that could the Anonymous case-study, according toavailable sources todate thegroup has confirmation that ATM/ATC systemsconstitute aspecific target.Mainly asregards that hacktivists hadattacked critical American infrastructures, there hasbeenno in theseactors’ technical prowess. Despite the2014ICS-CERT announcement Newsweek continue tobeobserved, along with amore general andsteady increase from more complex domains such astheTwitter accounts of USCENTCOM and sophistication, actsof DoS/DDoS againstinstitutional websites anddata theft analysed above. In addition towebdefacement, which does notrequiremuch demonstrated ahigher level of technical skill thantheterror-motivated actors Considering thedifferences intheirintentions andtargets,hacktivists have resources, organisational limitations and diverse priorities. The Defence of Civilian Air Traffic Systems from CyberThreats securityaffairs.co/wordpress/41438. Affairs in Security capability”, cyber offensive acredible has ISIS the warns Hyppönen “Mikko Paganini, Pierluigi Hyppönen: Mikko expert computer security see and Response Understanding, Assessment, Cyberterrorism. (eds.), Macdonald Stuart Jarvis, Lee Chen, M. Thomas in of Cyberterrorism”, Threat the “Rethinking Yannakogeorgos, A. Pano See: them. against to use or to malware create and/ systems of ICT complex vulnerabilities on exploitable data to gather skills necessary the have currently do not the to terrorists whom according Pano by Yannakogeorgos, offered is assessment Blog Buzz The in Cyberspace”, in ISIS Underestimate Don’t “A Mistake: Deadly Tobias Feakin, See: networks. vital against attacks

ICS-CERT, Worldwide Cyber Threats Worldwide Clapper, Cyber R. James Also according to Tobias Feakin, ISIS and their affiliates are not capable of launching complex launching of capable are not affiliates their and ISIS to Tobias Feakin, according Also Unclassified Statement for the Record on the Worldwide Threat Assessment Assessment Statement Threat on forthe the Record Unclassified Worldwide Clapper, R. James Cyber Threat Source Descriptions Source Threat Cyber , 1 June 2015, http://nationalinterest.org/node/13014. The same same http://nationalinterest.org/node/13014. The , 1June 2015, 133 , New York, Springer, 2014, p. 56. For an opposing view, York,, New opposing For an 56. p. 2014, Springer, According also toUS-CERT, known terrorist 135 , Statement for the Record, House Permanent Select Select Permanent House Record, for, Statement the , cit. , 134 Many otheranalysts share , 26 October 2015, http:// 2015, October , 26 132 That judgement does , 31 January 2012, 2012, , 31 January 31 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI 139 138 low for 2015. was risk cyber the that concluded group working Risk” 137 136 authority (ENAC in Italy system. It operates incollaboration with eachmember’s national civil aviation in developing andmaintaining anefficient European-level airtraffic management countries and neighbours (Turkey, Armenia and Georgia), is principally engaged Eurocontrol, anintergovernmental organisation with amembership of 41European 4.1 ENAV and air traffic management in Italy the organisation. ATM/ATC services inItaly, along with thearchitecture andsystemsemployed by study. Thefirstsection will outline the role of ENAV, thecompany that provides This chapter attempts torespond tothequestions raisedintheintroduction tothis 4. TheItalian CaseStudy and organised crimedo poseamedium-level threat. financial resources available for theirrecruitment of skilled hackers, cybercriminals Nevertheless, inlight of theirability tocarryout industrial espionage, andthe their ultimate aims,but only exposethemtounwanted visibility. of airtraffic control andmanagement services would notseemto correspond with reflects theirprimaryobjective: profit. In keeping with this logic, the interruption especially skilled actors, thetechniques andinstruments cybercriminals areusing actors. Even ifit isdifficult todraw exact conclusions ontheacts ofa number of highlighted bytheuseof instruments previously reserved for more sophisticated Finally, thevastworld of cybercrimehascontinued toevolve technologically, as significantly when considering thehacker community in its entirety. The Defence of Civilian Air Traffic Systems from CyberThreats infrastructures. as the sole acting authority in technical regulation, certification and vigilance in the civil aviation aviation civil the in vigilance and certification regulation, technical in authority acting sole the as ENAC establishes also Code Navigation The plans. investment airport and intervention regulatory, of evaluation and regulation 7) parameters; quality service transport air and of airport monitoring and 6) setting charges; airport and taxes duties, concerning of acts evaluation 5) preliminary sector; aviation civil the in operating organisations and companies agencies, international and national with Force; ENAV 4) relations Air with the and 3) coordination services; to airport pertaining of procedures modification and 2) rationalisation associations; of registers/professional maintenance and inspection regulation, technical 1) are: of authority areas Its main Transport. and which thenon-state actors considered have thetechnical capability toattack them. assesses theeventual vulnerability of ENAV ATM/ATC systemsandtheextent to to Italy. Thethirdsection summarisesthemainpoints of theprevious two, and

ICS-CERT,

Ibid. In general, when considering the civil aviation sector specifically, the ICAO “Threat and “Threat the ICAO specifically, sector aviation civil the when considering general, In Ibid. Italy’s Civil Aviation Authority, ENAC, is subject to the control of the Ministry of Infrastructure of Infrastructure Ministry of control the to the subject Authority, Aviation is ENAC, Italy’s Civil Within the limitations of the laws on confidentiality regarding the technologies used by critical critical by used the technologies regarding on confidentiality laws of the limitations the Within Cyber Threat Source Descriptions Source Threat Cyber 138 The second section confronts the issue of the cyber threat 139 ), ATM/ATC service agencies and providers (ENAV and , cit. , 137 136 32 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI available here: http://www.eurocontrol.int. ATS inItaly ismainly provided byENAV, Requirements (ESARR). based on therequirements establishedbytheEurocontrol Safety Regulatory on improving air traffic control security and to propose the adoption of regulations Safety Regulation Commission (SRC) to generate reports andrecommendations costs madeavailable toairspaceusers.Amemberstate convention created the Central Route ChargesOffice (CRCO), asystem for therecovery of ATMservices’ purpose istoharmonise andoptimise flight plansconcerning Europe, andthe is inchargeof theNetwork ManagerOperations Centre (NMOC), aunit whose management services security. OnEuropean Commission mandate, Eurocontrol Eurocontrol isresponsible for thestudy andanalysis of airnavigation and Figure 4|Eurocontrol Member States professional associations anddesignated European institutions. the Air Force inItaly), usersof civilian andmilitary airspace,theindustrial sector, The Defence of Civilian Air Traffic Systems from CyberThreats 141 140 sector. management companies. Brindisi-Casale andRoma-Ciampino FIRs, while thewesternsection of theMilano of Brindisi, Roma andMilano. Thefirsttwo ACCs are managedrespectively bythe into upper andlower airspace.Lower airspaceissubdivided into the threeFIRs Roma-Ciampino andBrindisi-Casale airports. Air spaceisvertically subdivided ENAV managesfour ACCs located at theMilano-Linate, Padova/Abano Terme, 751,000 km²),including authorised airports. non-operational military and government national air space traffic (approximately

At smaller airports, such as Aosta and Tortolì, ATS services are provided locally by airport airport by locally provided are ATS Tortolì, services and Aosta as such airports, At smaller Eurocontrol was established with the Eurocontrol Convention (13 December 1960). Data Data 1960). December Convention (13 Eurocontrol the with established was Eurocontrol 141 which generally deals with civilian, 140 33 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI upper horizontal airspaceissimilarly subdivided. for the three FIRs, classes C and G for the three UIRs and classes A, D and Efor TMAs. Dand A, classes and UIRs three Gfor the Cand classes FIRs, three for the plans, meteobulletins, slot messages, etc.),inthecontext of theaeronautical level with aview tomodernisingATS messageexchanges (NOTAMs, flight The ATS Message Handling Service (AMHS) standard wasestablishedat European before take-offs. Fiumicino airports, where airtraffic services data and flight plansarereceived ENAV Air Traffic Services Reporting Offices located inthe Milano-Linate and Roma- handling companies andaviation authorities) either electronically or through the to the entire aviation community (Italian Air Force, aeronautics operators, airport 42 airports where ENAV managesairtraffic services. AOIS data aremade available backup incaseof disruption. TheAOIS makes data available tothefour ACCs and The AOIS Data Processing Centre works on thecompany’s network, with satellite traffic flow (flight plans, Notices To Air Men (NOTAM), ATFM slots,meteo bulletins). owned database that handles all aeronautics data essential toensuringsafe air System (AOIS). Thisisanational online systemconsisting of acentral, ENAV- service, whose data arepreparedbytheAeronautical Operational Information ENAV provides pilots andaeronautics operators with anaeronautics information ATM/ATC services Figure 5|ACC airspacesubdivision FIR ismanagedbyMilano-Linate andtheeasternbyPadova/Abano Terme. The Defence of Civilian Air Traffic Systems from CyberThreats 144 143 142

Italian UIRs are further subdivided vertically into two portions. into two vertically subdivided further are UIRs Italian Italy has adopted ICAO classification, although it does not use classes B or F, as follows: class G B or as follows:class F, classes use not although it does ICAO adopted classification, Italy has Vitrociset note, July 2015. Vitrociset 144 143 142 FIR 34 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI standard, 147 146 145 others (operational telephony, Air Control Tower radio, etc.). OLDI, Radar, etc.) and on pure Asynchronous Transfer Mode (ATM) technology for based on Internet Protocol (IP)technology for some services (AFTN, AOIS, weather, To ensurethemaximum resilience, thelogical level of theaccesscomponents is and national transportation. availability of communications on local sites, accesstothegeographic network telecommunication system.Thefinal objective istoimprove thereliability and control tower radio andradarcentres through aper-site andper-service modular of beingcompleted. The E-Net programme aimstoconnect all ACCs, airports, air operational communications network known asE-Net, which isintheprocess ENAV telecommunications connectivity isensuredbyanewintegrated ATM/ATC systemarchitecture ICAO directives, up toits complete replacement within 2020. CIDIN network, although this latter will gradually be phased out in accordance with Network (CIDIN) standards.TheAMHSsystemiscurrently flanked bytheAFTN/ Telecommunication Network (AFTN)andtheCommon ICAO Data Interchange telecommunication fixed service, which isbasedtoday on the Aeronautical Fixed The Defence of Civilian Air Traffic Systems from CyberThreats 149 editoriale.php?id_editoriale=71. Handling (ATS System) Message system AMHS to ENAV provides the Vitrociset Vitrociset, See: system. AMHS new to the Vitrociset) by provided 148 (ATN). authentication mechanisms. allow for increased message exchanges, binary data exchanges, or messagesfrom advantages over AFTN/CIDIN, AMHSoffers abroader range of functions that years now, relying on anetwork basedon TCP/IP. In addition tothetechnological and-forward mode. Various European ANSPs have been using AMHS systemsfor Systems analogous to Internet email. to Internet analogous Systems Handling Message Union (ITU-T) Telecommunication of astandard creation forInternational the ATN SARPS manuals,

Ibid. Ibid.

X.400 is a series of recommendations by the Telecommunication Standardisation Sector of the of the Sector Standardisation Telecommunication the by of recommendations a series is X.400 Standards and Recommended Practices (SARPS) Aeronautical Telecommunication Network Network Telecommunication Aeronautical (SARPS) Practices Recommended and Standards ENAV stipulated an accord with Vitrociset calling for an upgrade of the AFTN/CIDIN (previously (previously AFTN/CIDIN of the upgrade for an calling Vitrociset ENAV with accord an stipulated 147 which isemployed for ATS messageexchanges on anATN instore- 146 theAMHSimplements theX.400 protocol communication 148 , 26 January 2010, http://www.vitrociset.it/dett_ 2010, January , 26 149 145 According toICAO 35 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI centres andbackbone sites. as ground connections betweenairports, radarrooms, aircontrol tower radio protected connection between ACCs and airport flight assistancesystems, aswell The E-Net isdistinguishedbyanational “backbone” consisting of anhigh-capacity Source: Vitrociset. Figure 7|E-Net network protocols andassociation with operational services Source: Enav. Figure 6|E-Net networks inItaly The Defence of Civilian Air Traffic Systems from CyberThreats 36 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI anomaly cause the dysfunction of the entire system. entire of the dysfunction the cause anomaly 150 • • E-Net pursues thefollowing objectives: ANSPs. which links the various Eurocontrol locations and the sites of the various European for ground-to-ground communication (Pan European Network Services, PENS), The newnetwork architecture connects ENAV totheintegrated European network control tower radio centres andbackbone sites Figure 8|E-Net ground connection layout betweenairports, radarrooms, air The Defence of Civilian Air Traffic Systems from CyberThreats 152 151 • • • • cleared/CLEARED_5_09.pdf. Cleared in Enav”, di

Eurocontrol, Eurocontrol, ENAV, “Nel programma E-Net le soluzioni abilitanti per le applicazioni aeronautiche del futuro futuro del aeronautiche le applicazioni ENAV, E-Net per abilitanti le soluzioni programma “Nel Individual components (hardware or software, in general) that in case of malfunction or of malfunction case in that general) in or software, (hardware components Individual elimination of current “single points of failure” creation of anational network for ENAV operational communications; Information Management (SWIM). actors, particularly airports, inanticipation of thenewgeneration System-Wide development of collaborative decision-making modeswith other aviation Communications Strategy; for Gate-to-Gate and Single Sky frameworks according to the EATMP compliance with Eurocontrol andnational safety andsecurity requirements each application; assurance of service quality bymeansof specific service-oriented contracts for applications (Voice/Tower-Air andradardata); duplication of thetypeof transmission support (“protection”) for more critical infrastructure; 150 Pan-European Network Services (PENS) Pan-European Services Network , Vol. VI, No. 9 (October 2009), p. 4-5, http://www.enav.it/ec5/enav/it/pdf/ 4-5, p. 2009), No. 9(October , Vol. VI, 151 , http://www.eurocontrol.int/node/1514. 152 intelecommunications 37 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI terminals. The name derives from the first mainframe computer’s similarity to a large wardrobe. large to a computer’s similarity mainframe first the from derives name The terminals. remote from connect users to which processing, massive and activities for critical organisations have access.Data flow usesaTCP/IP protocol. database located in the Ciampino ACC, to which several of the airport terminals are contained inadatabase that usesWeb/Linux J2EEtechnology with anOracle The AOIS service makes aviation navigation data available tousers.Thesedata on the public network of Presence(PoP), called External Network Interfaces (ENI),have beencreated separate, making a clear physical and logical border between the two. Two Points The ENAV approach istokeep theinternal operational andmanagement networks The Defence of Civilian Air Traffic Systems from CyberThreats 160 159 158 157 156 155 154 153 • The AOIS service hasthreedistincttypesof infrastructure: switches, segmentation arrangements. Remote connections rely on routers and a series of in casesof emergency, with theappropriate dedicated Internet security and system usestheE-Net todisseminate data, andalternatively thepublic network ACC that connects theAOIS mainframe(beingphasedout) andtheterminals. This The network infrastructure foresees aLocal Area Network (LAN)intheCiampino • • granular traffic analysis, also have advanced Intrusion Detection Systems(IDS) segment and separate local high-speed networks. high-speed local separate and segment to used are Switches connectivity. external provides that another with network alocal to connect function of a set of security rules, and they block any communications that violates those. violates that communications any block they and rules, of security of aset function users or, in any case, different to expected behaviour. expected to different or, case, any in users IDS) or network (Network IDS). (Network or network IDS) with “behavioural” checks events recorded byENI-MS IDSsandlooks out for abnormal or malicious activity, traffic policies. The ENAV Security Operation Centre (SOC)receives andanalyses entities according toresponsibility/authorisation configurations andstringent to analyse traffic at application level. Accessispermitted exclusively to“trusted” ENI Security Modules (SM),inaddition toproviding firewalling redundant for some services inthecasethat one of thetwo terminals crashes.The to ensuringgreater connection flexibility, thetwo PoPs are also geographically third partyconnected, aswell asanE-Net perimeterprotection service. In addition connection andtraffic flow services between E-Net andtheinfrastructure ofeach

Interview, November 2015. November Interview, PoPs are interface access points. access interface are PoPs Intrusion Detection System technology is used to detect harmful intrusions into a system (Host (Host into asystem intrusions harmful to detect used is technology System Detection Intrusion Computers, typically very large and with vast computational capacity, used by major major by capacity, computational used vast with and large very typically Computers, Behaviour-based IDS attempt to detect intrusions based on anomalous behaviour by systems or systems by behaviour on anomalous based intrusions to attempt detect IDS Behaviour-based Vitrociset note, cit. Firewalls are systems that analyse data traffic between an internal and external network in network external and an internal between traffic data analyse that systems are Firewalls Ibid. Routers and switches are devices used to connect networks. Routers are typically used used typically Routers are networks. to connect used devices are switches Routers and Ibid. the Ciampino ACC housestheAOIS mainframe C/M typeairports andStypeairports. remote ACCs (Brindisi, Padova, Milano); 160 which areprotected bysecurity checksbasedon thelatest generation 153 for communication purposes. The two PoPs offer both 156 basedon apre-codified alarm scale. 158 159 andterminals; 157 154 with very high 155

38 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI and approximately 7,000outgoing messagesdaily. messages) worldwide. The AOIS system handles approximately 50,000 incoming AFTN, which transmits all ATSs (flight plans, NOTAMs, meteo bulletins andslot ENAV islinked with theaviation telecommunications network, known as the high-speed connection with theInternational Communications Centre (ICC), and aviation authorities) either electronically or at ENAV’s ARO offices. Usinga aviation community (Air Force, aeronautic operators, airport management firms the aviation navigation services for. AOIS data aremade available totheentire of the ATC service of the Brindisi-Casale former military airport) ENAV handles of thefour ACCs and42airports (43from 10December2015,with theaddition • • • • The AOIS systemmakes it possible to: E-Net and a satellite network The AOIS data processing centre ensurescontinuity of its activities through the interface. Note: The figure does not show the security component, which exists and is redundant at every site Figure 9|AOIS E-Net service firewall, centrally managedandmonitored bytheSOC. The Defence of Civilian Air Traffic Systems from CyberThreats 162 161 EN/ServiziEAttivita_EN?CurrentPath=/enav/en/services/aeronautical_information. data transmission (two bidirectional channels at 64kb/s and another at at 16kb/s). 64kb/s another and channels bidirectional (two transmission data (caller multi-number) ID, call-forwarding, low speed and services additional and teleconference

ENAV, ENAV, A digital telecommunications network, now partially obsolete, that provides telephony, provides that telefax, obsolete, now partially network, telecommunications A digital consult weather bulletins. to flow regulation; visualise ATFM slots assigned tooutgoing planesinthe caseof flights subject obtain flight security data inreal time(NOTAMs, flight personnel advisories); submit flight plansdirectly for Eurocontrol validation; Aeronautical Information Aeronautical , http://www.enav.it/portal/page/portal/PortaleENAV/Home_ , 161 as backup. The AOIS places data at thedisposal 162 39 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI • • • • • • • • • ATC systems: The AFTN-CIDIN-AMHS central systemallows for linkageof thefollowing ATM/ international AFTN/AMHS network. AMHS messageexchanges, andensuresinter-operability with thenational and which operates on aLinux platform, permits bothnational andinternational users The integrated AFTN-CIDIN-AMHS central systemof theRoma Ciampino ICC, recovery andconfiguration management standardsthat apply to all ATC centres. even when owing to serious malfunction, according to strict backup, disaster interferences andtoreduce toaminimum thepossibility of service interruption, systems designed toensurecontinuity of operations, tobeimmune from The network infrastructure consists of highly reliable circuitry andredundant redundant modules. Note: Thisfigure omits the,nevertheless existing,stratum of security provided bycentrally managed Figure 10|AOIS-FPDM services on E-Net The Defence of Civilian Air Traffic Systems from CyberThreats 164 163 Ibid.

National Centre for Aviation Meteorology and Climatology. and for Meteorology Aviation Centre National SETINET systemfor AMHSconnection to theGenevaAMHS; Italian Air Force’s CNMCA weather centre; Italian Air Force ReSIA’s AFTNsystem; Brindisi FDP system; Milan FDP system; Rome FDP system; AOIS systemof theRoma Ciampino ICC; through E-Net; User Agent stations (AMHSterminals at airport AROs) of thenational periphery Wide Area Network (WAN) systemon E-Net; the integrated AFTN-CIDIN-AMHS central systemof Fiumicino, through dual 163 164 40 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web a web anywhere occur and quite widespread are to succeed attacks allow these that Flaws user. end to adifferent script, side of abrowser form the generally in code, malicious to send application web a uses attacker when an occur attacks XSS sites. web trusted and benign into otherwise injected or explicit. implicit either kind of any responsiblity no ENAV assumes portal. Briefing Self the through provided data of the accuracy and completeness correctness, for the of all responsibility itself it relieves service, of the phase testing 166 165 Security (TLS)for securelog-on, The service comes in the form of a web application that usesa Transport Layer Figure 11|TheNew Generation of Pre-Flight Information Systems information andpre-flight documentation in few steps. pre-flight data. With thissystem, Users canindependently provide aeronautic portal bywhich aeronautical operators, pilots andorganisations may access service it calls “TheNew Generation of Pre-Flight Information Systems,” adedicated With regardtoflight data, ENAV provides asimple andinnovative Self-Briefing • • The Defence of Civilian Air Traffic Systems from CyberThreats 168 167 attacks. cross-site scripting, cookie hijacking andotherforms of command injection Javascript, thewebapplication ispotentially vulnerable to(D)DoS,SQL-injection, Since it accepts user input (at least insertion of identification credentials) anduses established inthetechnical annexes of theChicago Convention. contains measuresfor verifying data, incompliance with international standards refer totheflight planssubmitted by airlines, but tothose submitted byusers,and single-factor username/password authentication system.Thesystemdoes not exchanged data andserver identity. User IDsarechecked bymeansof atraditional,

ENAV, ENAV,

Defined in RFCs 2246, 4346, 5246 and 6176 of the Internet Engineering Task Force (IETF). Force Task Engineering and 6176Internet the of 5246 4346, 2246, RFCs in Defined ENAV issues a disclaimer on the service’s access page saying that, during the validation and and validation the during that, saying page access service’s on the ENAV adisclaimer issues “Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are are scripts malicious which in of injection, atype are attacks (XSS) “Cross-Site Scripting at theRoma Ciampino ICC (TCP/IPconnection). Bankok AMHSsystembymeansof adedicated circuit madeavailable byENAV European PENSnetwork for AMHSEurope connection; 168 Aeronautical Information Aeronautical These could have consequences ranging from the service temporary , cit. , 167 andensurescommunication privacy, integrity of 165 166 41 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI application security: https://www.owasp.org. 170 169 https://www.owasp.org/index.php/Session_hijacking_attack. OWASP, Web to See the Server.” attack access hijacking Session unauthorized token to gain session avalid or predicting token stealing by session the compromises attack Hijacking Session The requisition. http of the body the in or yet request, http of the header of the parts other in cookie, as a requisition the http of the header in URL, the in like ways, different in used it could be and width of variable of astring composed token normally is Asession authentication. client successful a after browser client to the sends Web the Server on atoken that depends method useful most The connections. user’s every to recognize amethod needs server web the connections, TCP different many uses communication http Because token. for asession managed normally is which mechanism, control session web of the exploitation of the consists attack Hijacking Session “The OWASP,it.” See Scripting Cross-Site or encoding validating output it without generates the within auser input from uses application controllers resolve flight separation issues. predicting possible medium to short term flight trajectory conflicts, which help weather conditions, airport surfacetraffic, communication systems,systems for its activities: radarscreens,aeronautical chartsandmaps, electronic strip displays, systems andbytheFDP. It integrates themultiple systemsthecontroller needsfor display current airtraffic conditions, integrating thetactical data emitted byradar The Control Working Position (CWP)istheairtraffic control station whose monitors decisions. make it possible toanticipate dangersituations andtake effective traffic planning The FDP systemprovides a30/60-minute forecast of airtraffic conditions that and it supplies airtraffic controllers with a broad range of flight plan information. The FDP istheATC systemthat processes flight plandata for avariety of purposes, traffic control. communication andsurveillance systems,usedduring thevarious phases of air The following isadescription of ATC systems,inclusive of thecontrol, ATC systems tests conducted according toOSSTM on thebrowsers theuseremploys toconnect totheservice. However, penetration suspension andsystemcompromise, including its supporting database, toattacks The Defence of Civilian Air Traffic Systems from CyberThreats 173 172 171 osstmm.html. http://www.isecom.org/research/ Spain: in registered anon-profit organisation Methodologies, standards. the absenceof known vulnerabilities, according tothesecurity ENAV security

Ibid.

Interview, November 2015. November Interview, Vitrociset note, cit. The Open Web Application Security Project is the best known community on the theme of web of web theme on the community known best the is Project Web Security Application Open The The Open Source Security Testing Methodology of the Institute for Security and Open Open and for Security Institute of the Methodology Testing Security Source Open The 172 171 , https://www.owasp.org/index.php/Cross-site_Scripting_(XSS). , https://www.owasp.org/index.php/Cross-site_Scripting_(XSS). 169 andOWASP 173 170 guidelineshave ascertained , 42 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI networks. radio control traffic air in on interference bans judiciary and administrative supplementary permits Security” and Assistance to Flight Relative Communications of Radio entitled “Defence No. 110/1983 Law phenomena. interference of radio-electrical cases in not least police, by rapid intervention for the Service, Police Communications and Postal the through provides, that Security Public of Department the with agreement ENAV an has offices. regional and central Aireon, 177 176 175 174 and todisseminate that data toaseries of appropriately connected systems. to provide anaccurate “airsituation picture” inawell-defined geographical area, The ATM Surveillance Tracker and Server (ARTAS) is a system designed byEurocontrol surveillance sub-systems. a ground surveillance system that receives and correlates data from various The Advanced Surface Movement GuidanceandControl System (ASMGCS) is Radar control continues throughout thecruiseuntil landing. elaborated byspecific systemsandthenmade available toairtraffic controller. Air traffic radar control combines data ofvarious radarsensors, which are later messages. Data-Link Communication (CPDLC) systemthat allows for theexchange of digital VHF voice communication congestion, thetendencyistouseController Pilot operating on VHF/UHFfrequencies. In aneffort toimprove service andreduce communication betweenpilots andground control usingananalogue system Every aircraft isequipped with areceiver/transmitter apparatus that permits following anapproach basedon physical andlogical redundancy. fundamental for airtraffic management. These work onthe E-Net network and ENAV isespecially attentive toground-air telecommunications, which are The Defence of Civilian Air Traffic Systems from CyberThreats 181 180 179 178 Egnos, through theEuropean Satellite Services Provider (ESSP)consortium aspects, including security. ENAV directly participates intwo programmes: Galileo- recognition of aircraft. Various working groups areanalysing thesesystesm geostationary satellite constellations inorder topermit thepreciseandresilient others) underway across theworld todevelop collaborative systemsusing is arapidly expandingsector, with efforts (Galileo-Egnos, Aireon, Glonass, among Ibid.

ESSP, Ibid.

The control of frequencies is provided by the Ministry of Economic Development from its its from Development of Economic Ministry the by provided is of control frequencies The Vitrociset note, cit. Aireon, About Aireon, http://aireon.com/company. Aireon, About Aireon, Interview, November 2015. November Interview, Vitrociset note, cit. 178 Company Structure and Ownership Company Structure of which it isastakeholder. 175 180 , http://www.essp-sas.eu/company_structure. 179 176 Aircraft surveillance 174 181 177 and 43 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI event which one has a legal obligation to prevent shall be equivalent to causing it.” to causing equivalent be to shall prevent obligation alegal one has which event to an prevent “Failing as much as in measures, of adoption all practicable the obligates to guarantee comply with thisregulation. their certification as ATM/ATC services providers, ENAV and other ANSPs must 186 185 184 183 182 software andprocesses byadopting adetailed riskmanagement planinspiredby defence andmulti-strata security approach andaimtosecurenetworks, systems, hinges on simple principles, which intend togo beyond thetraditional perimeter- and aparticularly rigorous andpervasive process of riskanalysis. Theapproach “Deming Cycle”, which requiresthecommitment of thecompany’s management The entire security process takes placeincompliance with amethodknown as the Management System” regardingaviation operational security. ENAV’s management principles: quality measurement ISO9001andthe“Safety physical security, human factor andprocesses, andisheavily integrated with other party assessment. Thisprocess also extendstoevaluation of aspects related to rendering its entire “security life-cycle” objective andmeasurable, even bythird- process according to ISO international standard 27001:2014, with theobjective to This principle laidthefoundation of ENAV’s decision toundergo acertification is laiddown inArticle 4of Annex Iof EURegulation 1035/2011. “security management system” compliant with thecommon requirements, which European regulation isespecially severe inrequiring ATM/ATC services suppliers a as described bylaw, isapublic service that serves thenational interest. the company ensuresdata security. Theprovision of aviation navigation services, ENAV security strategies are based on detailed definition of the principles by which ENAV security strategy information andhigh-resolution weather images. The Satellite Distribution System (SADIS) is a satellite system that transmits updated dedicated frequency or can be associated with a VOR transmitter meteorological andoperational data concerning on aparticular airport. It usesa The ATIS is an automated system that provides pilots with continuous The Defence of Civilian Air Traffic Systems from CyberThreats 188 187 TXT/?uri=celex:32011R1035. http://eur-lex.europa.eu/legal-content/en/ 2011, 17 October services…, navigation of air provision Sky, http://eur-lex.europa.eu/legal-content/en/TXT/?uri=celex:32004R0550. 2004, 10 March transmits viadata link).

Ibid. It must also be kept in mind that, according to Article 40 of the Penal Code, being in a position aposition in being Code, Penal of the 40 to Article according that, mind kept in be also It must Regulation (EC) No 550/2004 on the Provision of Air Navigation Services in the Single European European Single the in Services Navigation of Air Provision on the No (EC) 550/2004 Regulation Vitrociset note, cit. VHF Omnidirectional Radio Range. Radio Omnidirectional VHF Commission Implementing Regulation (EU) No 1035/2011 laying common requirements for the for the requirements common No laying 1035/2011 (EU) Regulation Implementing Commission Interview, November 2015. November Interview, 183 187 184 188 186 In order tokeep 182 (the D-ATIS 185 44 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI Figure 13|Risk management process (ISO31000) fosters bestpractices andtheirdissemination. for targetingweaknessesbasedon riskanalysis, with asecurity management that ENAV istheonly certified provider in Europe, which has allowed it todesign aprocess ISO standard31000, The Defence of Civilian Air Traffic Systems from CyberThreats 189 Figure 12|Demingcycle for aninformation security management system ISO, ISO, ISO 31000 - Risk management - Risk 31000 ISO 189 asthefollowing figure illustrates. , http://www.iso.org/iso/iso31000. , 45 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI organisation’s nature andmission. it ispartof thenational security anddefence network, inaccordance with the security-plan.pdf. www.sicurezzanazionale.gov.it/sisr.nsf/wp-content/uploads/2014/02/italian-national-cyber- Security 193 192 191 190 participates in theimplementation process of the national cyberstrategy, Along with otheractors operating inthesecurity anddefence domain, ENAV ENAV SOC. assessments. Thefollowing figure illustrates thesupport services provided bythe the design phase. It also issues automatic vulnerability and compliance monitoring domain andsecuresoftware requirements, aswell astosuggest security checksin in thepresenceof specific mandate from themanagerial leadership, todefinethe The SOC supports all thecompany’s information security activities, and contributes, and certified resources, all of which areinternal. employing amulti-strata architecture with amassive useof open source software It also performs intelligence activities bycorrelating physical andlogical events, personnel; crisismanagement support; andphysical security events management. advisories; security events; coordination of police forces andATS unit surveillance centralised management of accesscontrol andintrusion detection; alarms and services, operational services andtheE-Net network. Its functions include the actors/entities. TheSOC’s monitoring domains arethesecurity of non-operational procedures andtechnologies, andcooperates with various internal andexternal ENAV’s SOCmanagessecurity inacentralised mannerthrough specific processes, application, As regardsriskassessment, ENAV employs theMagerit methodandthePilar The Defence of Civilian Air Traffic Systems from CyberThreats 194 an effort to reduce, if not eliminate, potential conflicts of of interest. conflicts potential eliminate, if not reduce, to effort an in actors organisation to separate entrusted be must monitoring their and requirements security Perspectives National Competing Conflict. Ventre Cyber (ed.), Daniel in Strategy”, Security and Defense Cyber Italian Toward an “Moving Ducci, Stefania http://www.poliziadistato.it/articolo/view/37318; established in2009. multifunctional SOC.TheSOCisintegrated with “physical security” andit was that strictly applies the“separation of duties” principle There isacorporate function specifically designed for logical security management “operational continuity management” measures. risks, assets,riskmanagement andmitigation, with particular attention to focus on government administration. Magerit provides the “Pilar” application for the purpose. for application the “Pilar” the provides Magerit administration. on government focus a special with Technologies, of Information use the in risk to minimise Electrónica Administración

A principle on the basis of which the design of systems and their use, and the proposal of proposal the and use, their and of systems design the of which basis on the A principle National Strategic Framework for Cyberspace for Cyberspace Framework Strategic National of Ministers, Council of the Presidency Italian Interview, November 2015. November Interview, Sicurezza: rinnovato l’accordo tra Polizia di Enav Stato ed Polizia rinnovato l’accordo tra Sicurezza: Stato, di Polizia Magerit is a risk analysis and management method created by Spain’s Consejo Superior de Superior Consejo Spain’s by created method management and analysis arisk is Magerit National Plan for Cyberspace Protection and Security ICT Protection for Cyberspace Plan National and , cit.; , London, Wiley / Hoboken, Iste, 2012, p. 165-191. p. 2012, Iste, Wiley /Hoboken, , London, 190 which allows immediate assessment of therelationship between 192 194 191 andthat relies on a , December 2013, http:// 2013, , December , 22 January 2015, 2015, January , 22 193 as 46 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI Site Intelligence Group, “’Islamic State Hacking Division’ Calls for Attacks on 10 Italian Army Army on 10 Italian for Attacks Calls Division’ Hacking State Site Group, Intelligence “’Islamic website, waslater tweetedunderthehashtag #WeWillBurnRome. military personnel inAugust 2015.Thedocument, postedon theJustpaste.it server” inthesameway theyhadwhen theypostedthedata of some American military personnel. In the document, ISHDclaimedthey hadaccesseda“secure document signed byISHDon Twitter containing thepersonal data of ten Italian most noteworthy episode took placeinMay 2015when ISISsupporters posteda the Middle East,Italy toowasallegedly atargetof ISIScyberattacks in2015.The As hashappened with othergovernments participating inmilitary operations in Rome. the terrorist organisation inSyria andIraq andbecause of thesymbolic value of ISIS considers Italy alegitimate targetbasedon its role inthecoalition against Terrorist organisations (ISISand Al-Qaeda) 4.2 Cyberthreats toItaly Figure 14|Catalogue of ENAV SOCServices The Defence of Civilian Air Traffic Systems from CyberThreats 196 195 it/sisr.nsf/wp-content/uploads/2015/02/relazione-2014.pdf. 2014 sicurezza la per dell’informazione

Relazione sulla politica politica sulla Relazione Republic, of the Security for the Italy’s System Intelligence Steven Stalinsky and R. Sosnow, “Hacking in the Name of the Islamic State (ISIS)”, State cit.; Islamic of the Name the in Sosnow, “Hacking R. and Stalinsky Steven 195 , February 2015, p. 31, https://www.sicurezzanazionale.gov. 31, p. 2015, , February 196 It readas 47 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI 200 199 198 197 ITSTIME in IS: italiani’”, di ‘Colpite ‘lupi’ isoldati ai Division Hacking State “Islamic Burato, Alessandro Web-and-Cyber-Security/site-6-1-15-ishd-calls-for-attacks-on-10-italian-army-personnel.html; Security Web Dark in Personnel”, &Cyber for ISIStoteamup with theMafiatoconquer Rome). the Italian crusade”) and, finally, Italy ingeneral (in abook available online that calls “missiles”), Italian foreign ministerPaolo Gentiloni (described asthe“ministerof intimidating threats againstItaly andEurope (identified aspossible targets of ISIS that have usedthewebasapropaganda tool.In 2015,significant examples included The cyberactivities of ISISandtheirsupporters have mainly taken theform of threats the Tuscany division of theDemocratic Party andtheAccademia della Crusca. attacks. Examples include thewebdefacement of thesites of theLombardy Region, or theirsupporters andaffiliates, hasmostly beeninthe form of low-level computer Apart from thisepisode,“offensive” (or so-alleged) cyberactivity on thepart of ISIS follows (translated from theItalian): The Defence of Civilian Air Traffic Systems from CyberThreats arrested inJuly were,according totheauthorities, “at very serious riskof carrying isis_1042b667-394e-4fba-99b7-0c8828df693c.html. August 2015, http://www.ansa.it/toscana/notizie/2015/08/09/hackerato-sito-crusca-simboli- Ansa in simboli”, Toscana sito Crusca, “Hackerato 360d-4dd8-9d5e-89893b96983f.html; http://www.ansa.it/toscana/notizie/2015/03/07/hacker-su-sito-pd-toscana-sigla-isis_afb49349- Ansa Isis”, in Toscana sigla sito su Toscana, Pd “Hacker 84ab-6c28ccc2d5c6.html; it/sito/notizie/cronaca/2015/02/02/hacker-pro-isis-su-sito-web-lombardia_7035dab0-d8de-4c8c- 91641e80-e383-11e4-8e3e-4cd376ffaba3.shtml. www.corriere.it/esteri/15_aprile_15/isis-per-conquistare-l-italia-dobbiamo-allearci-la-mafia-in Corriere.it mafia’”, la con allearci dobbiamo l’Italia conquistare ‘Per “Isis: isisgentiloniministro-italia-crociata_4c7e0481-7371-4aba-8025-47301deb31eb.html; Serafini, Marta Ansain Cronaca sullitalia_90b0483d-6617-4127-9618-9993f953e334.html; “Isis,Gentiloni “ministro Italia crociata”, http://www.ansa.it/sito/notizie/politica/2015/02/02/terrorismo-ancora-minacce-web-missili- that automatically affected websites lackinginany particular protection. that groups of hackers that support thejihadistcause launched online programmes to ISISor that theyweremeant totargetItalian institutions. Indeed, it ispossible Nevertheless, it cannot necessarily be taken for granted that theseacts are ascribable

Alessandro Burato, “Islamic State Hacking Division ai ‘lupi’ di IS: ‘Colpite i soldati italiani’”, cit. IS: italiani’”, di ‘Colpite ‘lupi’ isoldati ai Division Hacking State “Islamic Burato, Alessandro “Hacker pro Isis su sito web Lombardia”, in Ansa in Cronaca sito Lombardia”, su web Isis pro “Hacker “Hackerato sito Crusca, simboli”, cit. simboli”, sito Crusca, “Hackerato “Terrorismo: ancora minacce web, ‘missili sull’Italia’”, in Ansa in Cronaca sull’Italia’”, ‘missili web, minacce ancora “Terrorismo: the handsandthroats of disbelievers.” long andcanreacheverywhere, soknow that ourknives aresharp:theycut will bringthejihadtoyour land.You have saidthat thehandof America is war andwedeclaredlong ago Aljihad Aljihad Aljihad. Thus it will beuswho long... Amessagetothelone wolves weawait your surprisesItaly hasdeclared Allah that wewould enter [sic] andwould conquer [sic] Rome andit won’t be blessing of Allah. I’mbackalthough the disbelievers dislike it. We swearon “We will conquer Rome, andAqsa, wewill destroy your crosses, with the , 20 July 2015, http://www.itstime.it/w/?p=1962. July, 20 2015, , 14 February 2015, http://www.ansa.it/sito/notizie/topnews/2015/02/14/ , 1 June 2015, https://ent.siteintelgroup.com/Dark- 2015, June 1 , 197 , 2 February 2015, http://www.ansa. 2015, , 2February 200 ATunisianandaPakistani , 3 February 2015, 2015, , 3February , 26 April 2015, http:// 2015, April , 26 , 7 March 2015, 2015, , 7March , 9 199 198

48 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI autore-documento-propaganda-italiano_022c59db-bbdb-4578-bd47-c9f70670ac18.html. Piemonte Ansa in italiano”, autore propaganda documento arrestato “Isis, See: apprehended. was origin, Moroccan of old Italian a20-year document, author of the the March, In 8fef-42fb-8fd7-0b88b3739403.html. it/sito/notizie/cronaca/2015/02/28/isis-documento-di-propaganda-in-italiano-sul-web_6e00ea79- hacktivist panorama precisely for its ability toaggregate. for othersimilar groups. As such, it hasbecome apoint of reference on theItalian online forums andchats and,inItaly, thegroup hastaken on an“umbrella” function per la sicurezza 2014 sicurezza la per 203 202 201 democratic” behaviour. and Italian corporations, that themasked hackers claimedwereguilty of “anti- were launched againstgovernment agencies andinstitutions, aswell asforeign Anonymous beganoperating inItaly in2009-2010, years inwhich thefirst attacks Hacktivists inferior thanthoseof ISIS. in Italy, inlinewith its global activities ingeneral, inany caseappear quantitatively and “operational recruitment” “operations” on theweb.Al-Qaeda’s online activities Italian of North African descent andanItalian convert) suspectedof propaganda 2012, theItalian judiciary police opened aninvestigation into two individuals (an point of view, thegreater dangerseemstolie insolitary cyberterrorism. Indeed, in primary vehicle of radicalisation bothinIslamic andWestern countries. From this activity. Themessagesspreadover chat-rooms andforums have continued tobethe and ISIS.Thegroup hasbeendisseminating anti-Western propaganda asits main its historic nucleus and, on the other, to avoid being upstaged by the Arab spring Al-Qaeda cyberstrategy hasbeenmeant, on theone hand,tooffset losses among out attacks against thepublic safety for thepurposes of terrorism.” The Defence of Civilian Air Traffic Systems from CyberThreats 205 204 f7003642-3032-11e5-8ebc-a14255a4c77f.shtml. http://www.corriere.it/cronache/15_luglio_22/terrorismo-due-arresti-brescia-sostenevano-l-isis- relazione-annuale.html. 2011 sicurezza la per you). ti vorrebbe comunicare (TheIslamic State, areality that wishestocommunicate to to ISISandwritten in fluent Italian, wasentitled “LoStato Islamico, unarealtà che particularly important 64-pagedocument that circulated inApril, also attributable had also expressedthedesiretoattack theGhediAir Force baseinnorthern Italy. A Rome’s Colosseum threatening possible attacks againstthosemonuments. They posted photoson Twitter infront of symbolic sites such astheMilan Duomo and

Ibid. “Terrorismo: due arresti a Brescia, sostenevano l’Isis su twitter”, in Corriere.it in twitter”, su l’Isis sostenevano aBrescia, due arresti “Terrorismo: Relazione sulla politica dell’informazione dell’informazione politica sulla Relazione Republic, of the Security for the System Intelligence Relazione sulla politica dell’informazione dell’informazione politica sulla Relazione Republic, of the Security for the System Intelligence “L’Isis parla italiano, 64 pagine di propaganda sul web”, sul Ansa in propaganda di pagine 64 italiano, “L’Isis parla 202 , 25 March 2015, http://www.ansa.it/piemonte/notizie/2015/03/25/isis-arrestato- 2015, March 25 , , 28 https://www.sicurezzanazionale.gov.it/sisr.nsf/category/ February 2012, , cit. , 204 Anonymous choosesits targetsandattack modesin 203 , 1 March 2015, http://www.ansa. 2015, , 1March 205 , 22 July 2015, July, 22 2015, 201 Thetwo had 49 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI per la sicurezza 2014 sicurezza la per “military-industrial complex” andcyberdefence industry. doing businesswith thearmedforces. Anonymous’ intention wastoimpact on the in some cases,telephone numbers of theDefence Ministrystaffandcompanies injection attack. Theexfiltrated data included thenames,email addressesand, eu2014.difesa.it of theMinistry of Defence, which thepressreported asanSQL- May, the collective posteda series of data stolen from the server of the subdomain relazione-annuale.html. 2012 sicurezza la per 210 209 208 207 206 com website. Expo beganinMay, when theysucceeded indefacingthepadiglioneitaliaexpo2015. 2015 andvarious Italian ministries. Thehacktivists’ campaign (#OpItaly) againstthe Anonymous’ 2015activities wereaimedmostly at two targets:the websites of Expo objectives such as,for example, themilitary sector. information, hasexpandedover theyears andled totargetotherparticularly sensitive The collective’s mainmotivational impetus, originally thefreedom of online The Defence of Civilian Air Traffic Systems from CyberThreats 212 211 anonymous-2301345920346.shtml. it/bologna/notizie/cronaca/2015/5-maggio-2015/expo-7-informatici-best-union-guerra-contro- di Bologna Corriere in Anonymous”, contro guerra Union in Best di i7informatici “Expo, Baccaro, Andreina See: powers”. industrial of the hands usurping bloody the are environment for the respect and rights human on nutrition, discourse hypocritical sweet the “Behind sponsor: its criticising fiercely conscience”, dirty oppressors’ politicians and institutions. such asthe“No TAV” movement, which took theform of computer attacks on struggle for freedom of information tosupport for othertypes of undertakings, Between November andDecember2013,thehacktivist movement shiftedfrom the of asocial discontent that haddeepenedfurtherwith theeconomic downturn. cyber spacefor propaganda purposesin2013,andasavehicle for theexpression relazione-annuale.html. 2013 sicurezza la per Security Affairs Security in service”, to affordable housingandagainsttheeconomic crisis. during theOctober2013protests inRome, which weresettocampaign for theright street demonstrations, as in the case of hackings against institutions taking place attacked political partyrepresentatives andinstitutions. in 2014 when some movement’s members sympathising with anarchical ideas data of private citizens who had bought tickets online. company handling theonline sale of tickets totheExpo,usingTwitter topostthe qlFNgswyvu20wnQiNYK1kL/pagina.html. http://www.lastampa.it/2015/05/19/italia/cronache/anonymous-colpisce-il-ministero-della-difesa-

Ibid.

Pierluigi Paganini, “Expo 2015 – Anonymous has stolen 1TB data from Best Union ticketing Union ticketing Best from 1TB stolen data has –Anonymous 2015 “Expo Paganini, Pierluigi Carola Frediani, “Anonymous colpisce il ministero della Difesa”, Stampa La in della il ministero “Anonymous colpisce Frediani, Carola In an online communiqué, the collective called Expo “the disgusting expression of the of the expression disgusting “the Expo called collective the communiqué, online an In Relazione sulla politica dell’informazione dell’informazione politica sulla Relazione Republic, of the Security for the System Intelligence Relazione sulla politica dell’informazione dell’informazione politica sulla Relazione Republic, of the Security for the System Intelligence Relazione sulla politica dell’informazione dell’informazione politica sulla Relazione Republic, of the Security for the System Intelligence 210 They later successfully penetrated the systems of Best Union, the , cit. , , 6 March 2014, https://www.sicurezzanazionale.gov.it/sisr.nsf/category/ , 28 February 2013, https://www.sicurezzanazionale.gov.it/sisr.nsf/category/ , 18 May 2015, http://securityaffairs.co/wordpress/36907. 2015, May , 18 207 Their online campaigns have often coincided with , 5 May 2015, http://corrieredibologna.corriere. 2015, , 5May 206 208 Anonymous begantouse 209 Thistrendhascontinued 211 212 In the same month of Following thearrestof , 19 May 2015, 2015, May , 19 50 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI it). giustizia.it, sap-nazionale.org, assopolizia.it, carabinieri-unione.it anduilpolizia. the Interior andJustice Ministries (siap-polizia.org, giustizia.lazio.it, caltanisetta. have led totheexfiltration of data andwebdefacement of sites associated with ius, summainiuria”) launched also asareprisal for thosearrests,isalleged to per la sicurezza 2013 sicurezza la per Zeus News Zeus in website hasbeenunsuccessfully targetedbyAnonymous. (etc.) inthedeepwebhaspermitted theirusealso bythosecriminal organisations 219 217 216 215 214 213 rather thanof national defence. Easyaccesstomalware, ransomware, cyber criminals and organised crime mainly regardaspects of economic security Considering the targets andtactics of online crime, the dangerassociated with Cyber criminals and organised crime to conceal thetrue perpetrators of operations. of specific antidotes, and newtechniques for maintaining anonymity have helped Their development of specific malware hasbeenfacilitated bythe market’s absence qualitatively, astheconstant increaseinthetechnical skill of its attacks shows. Over recent years, thegroup hasreduced its actions quantitatively but not it, statoregioni.it and mobilita.gov.it). partner site to that of the Ministry of Foreign Affairs, and several other sites (ferrovie. Italian government. Attacks recorded thus farhave beenon infomercatiesteri.it, online bythenicknames OtherwiseandAken –Anonymous declared“war”on the two of thegroup’s prominent members,Fabio Meier andValerio Camici –known The Defence of Civilian Air Traffic Systems from CyberThreats 218 hacking expertise,while sympathisers appear limited intheirtechnical prowess. have shown that only asmall portion of themovement hasanadvanced level of as worms and spear-phishing to steal sensitive data. Nevertheless, these activities been observed from DoSand webdefacements toSQL-injection attacks, aswell http://whatis.techtarget.com/definition/ransomware-cryptovirus-cryptotrojan-or-cryptoworm. WhatIs.com in key.” “Ransomware” See decryption for the payment demands and data victim’s Dark Web & Cyber Security Italy”, Web Dark in &Cyber “Operation compagni arrestati”, in 6gradi in arrestati”, compagni I vendicare per governo del siti attacca “Anonymous as-part-of-opitaly.html; Serafini, Marta Web-and-Cyber-Security/site-6-9-15-partner-of-the-italian-ministry-of-foreign-affairs-targeted- sites, including unencryptedpasswords. Anonymous Italia collective, andhasexploited the“historic weaknesses”of those per la sicurezza 2012 sicurezza la per

214 Relazione sulla politica dell’informazione dell’informazione politica sulla Relazione Republic, of the Security for the System Intelligence Interview, October 2015. Interview, October Interview, November 2015. See also: “Anonymous, tutti i dettagli dell’operazione Tango Down”, Tango dell’operazione idettagli tutti also: “Anonymous, See 2015. November Interview, Site Intelligence Group, “Partner of the Italian Ministry of Foreign Affairs Targeted as Part of Part as Targeted Affairs of Foreign Ministry Italian of the Site Group, Intelligence “Partner “Ransomware is malware for data kidnapping, an exploit in which the attacker encrypts the the encrypts attacker the which in exploit an kidnapping, for data malware is “Ransomware The news was reported on the Anonymous blog. Interview, November 2015. November Interview, blog. Anonymous on the reported was news The Relazione sulla politica dell’informazione dell’informazione politica sulla Relazione Republic, of the Security for the System Intelligence Theoperation hasallegedly been carried out byemerginggroups within the , 17 May 2015, http://www.zeusnews.it/n.php?c=19252. 2015, , 17 May , cit. , , cit. , , 4 August 2015, http://seigradi.corriere.it/?p=10142. 2015, , 4August , 9 June 2015, http://ent.siteintelgroup.com/Dark- 2015, June 9 , 213 Another operation (entitled “Summum 215 It isworth recalling that even ENAV’s 217 At thesametime,ashift has 216 219 andtrojans : 218 51 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI techniques include theVirtual Private Network (VPN) per la sicurezza 2013 sicurezza la per (COTS) products, reclutano_una_banda_di_hacker_e_clonano_migliaia_di_carte_di_credito-123895964. Repubblica.it producers who permit at most their configuration. their at most who permit producers per la sicurezza 2014 sicurezza la per website: https://www.torproject.org/about/overview.html.en. Tor See Project built-in features. with tools privacy communication to new create developers for software block abuilding as used or be content. Tor also can destinations blocked otherwise reach to users its allowing tool, circumvention censorship Tor effective an line, is same Along the privacy. their compromising without networks public over information to share individuals and organizations both allowing thus connection, adirect making than rather tunnels of virtual series a through connecting by network employ this Tor’s users Internet. on the security and privacy systems, including various legacy software ENAV’s high technological component, also considering themultiplicity of its The technology factor 4.3.1 Short-term assessment danger4.3. What toATM/ATC systemsin Italy? that previously didnotusethem. The Defence of Civilian Air Traffic Systems from CyberThreats 226 225 224 223 222 221 220 • that areworth underlying: obvious reasons, cannot be published in this study, included the following aspects and some airtraffic control applications, whosedetails are confidential and, for The analysis of thetechnologies employed byENAV, andinparticular of the E-Net integrity of data and,consequently, jeopardise airnavigation services. cloning activities. threat, as witnessed by the recruitment of hackers by Mafia bosses for credit card confirm that organised crimecontinues toposemore of afinancial thanasecurity phones andmobile bankingservices. Even thelatest developments seemsto same market sector. not rule out theirbeingcommissioned byfirmsstruggling for amarket slice inthe Organised crimemainly participates inindustrial espionage campaigns that do Ibid.

Custom-designed software not commercially available. commercially not software Custom-designed Relazione sulla politica dell’informazione dell’informazione politica sulla Relazione Republic, of the Security for the System Intelligence “The Tor network is a group of volunteer-operated servers that allows people to improve their to their improve people allows that Tor of volunteer-operated agroup is network servers “The Commercial products that do not allow for personalisation but are sold on the open market by by market open on the sold but are do not allow for that personalisation products Commercial Salvo Palazzolo, “I boss reclutano una banda di hacker e clonano migliaia di carte di credito”, di in carte di migliaia eclonano hacker di banda una reclutano boss “I Palazzolo, Salvo Relazione sulla politica dell’informazione dell’informazione politica sulla Relazione Republic, of the Security for the System Intelligence technical monitoring of ordinary operations andperformance assessments; telecommunications provider with which ENAV has specific agreements on the the E-Net’s physical availability iscurrently ensuredthrough a , 29 September 2015, http://palermo.repubblica.it/cronaca/2015/09/29/news/i_boss_ 2015, September , 29 , cit. , , cit. , 226 224 conceal vulnerabilities that could affect the availability and 223 Attacks reported within this context have been on mobile 220 Themostfrequently employed anonymity 225 andothercommercial-off-the-shelf 221 andtheTor network. 222

52 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI authorisation must immediately be reviewed and, in the case of cessation of service, revoked. of service, of cessation case the in and, reviewed be immediately must authorisation their authorised, role of those in change any with that, is principle to the to know. Acorollary aright and needs user the information however, to exclusively the and, functioning allow normal model for network architecture (ISO 7498). (ISO architecture for network model 228 227 • • • • The Defence of Civilian Air Traffic Systems from CyberThreats 229 would bemuch more serious ifthe(D)DoSattack wereon theentire FDP system, complete inaccessibility does not appear to present any real problem. The situation and prescribed byENAV contingency plan.Even theapplication’s eventual if thisoccurs,thesituation isremedied bymethodsinusealso byothercountries the application becomes inaccessible tothemajority of legitimate users.However, In thecaseof successful (D)DoSattacks, theconsequences appear fairly limited, as hijacking andotherforms of command injection. many possible means,notably (D)DoS,SQL-injection, cross-site scripting, cookie As istrue of any webapplication, theSelfBriefing portal could be attacked by with otheroperational systems. the SelfBriefing isnotsituated on an operational network andisnotdirectly linked how ENAV usesits applications on public networks. It should bepointed out that replaced byadifferent application, evaluating theportal isuseful indescribing The experimental SelfBriefing portal wasthenanalysed. Although soon tobe • the cyber strategy framework, notably CNAIPIC, DIS and CERT. DIS and CNAIPIC, notably framework, strategy cyber the •

Here “layer 7” refers to the application layer of the Open Systems Interconnection (ISO/OSI) Interconnection Systems Open of the layer application to the refers 7” “layer Here The principle of least privilege is the practice of limiting access to the minimal level that will will that level minimal to the access of limiting practice the is privilege of least principle The With particular regard to the preventive measures provided by national organisations within within organisations national by provided measures preventive to the regard With particular principle of least privilege, with management of admissible ports basedon exceptional criteria andthe the Milano andRoma PoPs areevaluated aselements of maximum attention, the useof IDSlayer 7andProxy layer 7 system; the context of anadvanced Security Information andEvent Management (SIEM) ENAV employs for thedynamic control of userandapplication behaviour, in of Splunk data analysis software andspecific open source applications that traffic policies, third-partychecks,and internet traffic analysis through theuse connection with external network isheavily monitored with highly restrictive substantial service levels (contract service level agreement); are in place in the case of an incident, from the initial signals onward, as well as there iscoordination betweenthetwo SOCsandcrisismanagement procedures of thevarious security layers. periodic “black box” resilience tests allow to evaluate theexpected effectiveness and recognisability of thetraffic admitted through ports byrespective firewalls. sources. domain analyses andthrough information from qualified national and foreign aimed at revealing emergingthreat vectors, bothbymeansof product and COTS systempatching areclosely checked, inaddition tointelligence activities and results inthe significant reduction of attack surfaces; 228 229 which allows for thelimitation by type, nature 227 effectively strengthenstheperimeter 53 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI completed authentication. Such anoperation would constitute theftof credentials appropriate the cookie, displaying its contents totheserver toprove it hasalready 232 231 230 session cookies intheir browsers, possibly containing anauthentication token. hijacking operations. Oncelegitimate usersareauthenticated, theymay receive Cross-site scripting becomes more dangerous when associated with cookie case, bevisible through traffic management andbehavioural modelling systems. happen, it would have anirrelevant impact on ATM/ATC services andwould, inany malware installation, data exfiltration andregistration on abotnet. If thiswereto the SelfBriefing portal. Thepossible consequences for thetargetcomputer include the victim’s browser toharmful stresswith minor or nosignificant consequences to to that variant, often exploited through social engineeringactions, which subjects According toavailable data, thecross-site scripting vulnerability should belimited of theChicago Convention. in accordance with theinternational standardslaiddown inthetechnical annexes plan whatsoever: every flight planundergoes a multi-level operational validation Moreover, thesystemdoes notindiscriminately acceptdata contained inany flight Briefing systemismonitored byanIDSsensor capable of detectingsuch attacks. enter accurately fabricated data, or even erase/modifydata. Nevertheless, theSelf Once recognized as a legitimate user thank to the SQL-injection attack, it could attacker’s successful andunlawful authentication andaccesstoapplications. SQL-injection attacks areamong themostdangerous sincetheycanlead toan “demilitarised zones” is what moved ENAV, inaddition tostrengtheningtheperimeterwith substantial thus preventing theinsertion, elaboration andvisualisation of flight plans.This The Defence of Civilian Air Traffic Systems from CyberThreats 235 234 233 web sites.web authentication. of previous proof as subsequently displayed to be cookie, organisations that must necessarily be exposed externally but will, nevertheless be defended. be nevertheless but will, externally exposed be necessarily must that organisations of networks for the “outposts” form that “bastions” become servers exposed the Thus precluded. is services to other zone”, access non-trusted any while “demilitarised the in exclusively services endangered to the access allows isolation This network. internal to the access not allow attackers do zone” “demilitarised the in located applications that of ensuring capable stratum a security Network ManagerOperations Centre. is notdirectly connected totheFDP sinceflight plansareissued bythe Eurocontrol more traditional management services (commercial MPLS).TheSelfBriefing portal E-Net andnon-operational networks such astheSelfBriefing or thoseused for (SOP), The useof cross-site scripting, along with full compliance with SameOrigin Policy

Interview, November 2015. November Interview, Interview, November 2015. November Interview, Security criterion used by web pages, by which a script from one web page cannot refer to other to refer other cannot page one web from ascript which by pages, web by used criterion Security Interview, November 2015. November Interview, Random number generated by the server and delivered to the browser, often by means of a means by often browser, to the delivered and server the by generated number Random When giving external access to internal network servers or services, it is necessary to create necessary it is or services, servers network to internal access external giving When 235 could allow anapplication open on another panelof thesamebrowser to 230 andfirewalls, tocreate aclear separation betweenthe 232 231 234 233

54 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI security culture. compliance with strict policies, which comes with theconstant promotion of a effort notlimited tothesole dimension of awareness but, andabove all, thefull services, thehuman factor isextremely delicate, requiringanever-increasing that can protect against stupidity.” against protect can that cyber defence. The study found that the human factor wasacritical element andkeystone of ENAV The human factor should beconsidered low. the substantial counter-measures put inplacebyENAV, theprobability of attack regarded aspotential targets, considering non-state actors’ limited level of skill and Over theshort-term, therefore, although accessestothe public network might be design phase. the identification andconsideration of security requirements must bepart of the partners andtheeventual needfor confidentiality andaccesscontrol. To that end, regard for theintegrity andauthenticity of data, identification of communication communications, necessitates data security measuresdesigned with particular AMHS project, which, with theintroduction of digital technology into Also important to consider aretheproblems associated with theaforementioned data entry mode,with limited impact on ATC systems. situation isaddressedinthecontingency plan,which calls for analternative flight of interrupting theflow of data to ATC operations does exist. Nevertheless, this data. Theoretically, thepossibility of awell-orchestrated DoSattack capable activities depend heavily on the availability of current and continually updated Again, with regardtothetechnology factor, it must notbeforgotten that ATC specifically toweb application analysis. advanced technology, including Metasploit andBurp,which aretoolsdedicated risk of exposure,takinginto account theknown-vulnerabilities andemploying those carried out byexternal thirdparties) have, for themoment, ruled out the technology/2010/10/dont_stick_it_in.html. The dangers of USB drives”, in Slate in of drives”, USB dangers The It In. Stick “Don’t Manjoo, Farhad drives). (USB supports removable but through web the through 237 236 credential theft). Penetration testing(both “black box” and“white box,” command-injection offer attackers similar results (authentication, database access, and make it possible for athirdpartytoreplacethelegitimate user.Otherforms of The Defence of Civilian Air Traffic Systems from CyberThreats 238 implementing theprinciples of 27001ISOstandard.

Underscored by a slogan displayed in the ENAV SOC: “there hasn’t been a firewall yet invented yet afirewall been ENAV hasn’t the in “there SOC: displayed aslogan by Underscored Knowing the exact internal architecture, compilation codes and structure of the software. of the structure and compilation codes architecture, internal exact the Knowing To that end, it has been hypothesised that Stuxnet malware might be introduced not only introduced might be malware Stuxnet that hypothesised been it has To end, that 237 238 In ahighly technological environment such asairnavigation Consistent with thisareENAV’s setof procedures andprocesses , 5 October 2010, http://www.slate.com/articles/technology/ 2010, , 5October 236 especially 55 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI assessment alone that determines whether or not to ban BYOD. or not to whether ban determines alone that assessment however, risk it be should infrastructure, of critical case the In generate. it can productivity partner. or inany case counterfeit data, would hardly conceal it from his/hercontroller After all, anairtraffic controller whodecidesto provide anaircraft with “poisoned” ensure theproper performance of anavionic system. data andassistaircraft. Thistakes placeincompliance with measuresdesigned to entering control rooms, where theyhave accesstothevarious consoles, receive The study also confirms thepresence of identification procedures for controllers The Defence of Civilian Air Traffic Systems from CyberThreats 240 239 represents ariskfactor inmany organisations with high security requirements. ban thewell-known practice of Bring-Your-Own-Device (BYOD), which today send aircraft data different from those expected. Indeed, ENAV in-house policies to convince controllers of unrealistic situations inwhich theymay feel obliged to would therefore beproblematic for thecyberattacker toemploy social engineering ruling out theuseof smartphones or other personal devices on theworkplace. It controllers tousetheinstrumentation assigned for ATC purposes,categorically induced toprovide pilots with tampered information? Operational standardsoblige This, nevertheless, would beanextremecase.How could multiple controllers be aircraft separation isreduced toaminimum, leaving noroom for manoeuvre. executed bycontrollers, could create complex situations inwhich, for example, Another possible scenario isthat of multiple coordinated actions that, ifproperly radio contact with anotherACC or control tower. capable of reactingappropriately, furthermodifyingtheroute, possibly bymaking pilot hasthefinal say intheaircraft’s security andinsuch asituation would be aircraft into an obstacle or placeit on improbable route toexhaust fuel. In fact,the Equally unconvincing isahypothetical terrorist’s forcing acontroller tocrashthe to anotherACC, anothercontroller would communicate thepilot thewrong route. aircraft on thewrong route. Nonetheless, even inthiscase,with subsequent passage dangerous, sincethe worst effect thefalse data would have would betoplacethe security asavalue. enhancement of cultural practices, and of the indispensable need to elevate organisation’s andits suppliers will bekept acutely aware of thepromotion and the human factor it is,nevertheless, recommended that everyone within the Taking due account of thepolicies already enacted byENAV, when considering now inwidespreaduseon smartphones. allowing many malicious actors tosendmessages through unsecuredapplications In short, BYOD meanstobringpossible unsecureddevices into theworkplace,

Flight controllers always work pairs. always in controllers Flight BYOD is currently rather controversial, since its supporters appeal to the increases in in increases to the appeal supporters its since controversial, rather BYOD currently is 239 Moreover, even ifthiswerefeasible, thepossible results do notappear 240

56 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI intelligence or law enforcement agencies. observers have pointed out how thegroup’s actions could interfere with thoseof planning and execution of ISIS and Al-Qaeda cyber operations, although some of ISISaffiliates and supporters hasadded an ulterior element ofdifficulty tothe Finally, and as much as it may seem paradoxical, Anonymous’ recent “policing” cyber spaceoperations. assumption that they arerelying exclusively on external hackers tocarryout their specific targetsin Italy, nor do theyseemcapable of doing so, which leads tothe and Al-Qaeda do not seem to have developed any particular malware for striking sophistication. From what hasbeenobserved todate, terrorist groups such asISIS propaganda and recruitment, and hasnotthus far revealed a high level of technical attack on theDefence Ministry, ISIScyberactivity inItaly toohasbeenlimited to imminent attack on Italian civil aviation or infrastructure. Apart from thealleged infrastructures isreal. As seeninpart3,however, noindications thus farpoint to the (more probable future thanpresent) intention toattack Italian critical ICT in thecaseof theUnited States, theUnited Kingdom andotherWestern countries, in Iraq andSyria, Italy toohasbecome aterrorist target. This meansthat, exactly as ever that wereneeded–that like othercountries engagedin theanti-ISIS coalition Scientific American Scientific Intelligence”, in attack on theDefence Ministryshowed. That skill notwithstanding, thereisno as compared with Islamic terrorist organisations, asthecaseof theSQL-injection In linewith the discussion inpart3,hacktivists inItaly display greater technical skill network istherefore highly improbable. emulation of theactions of Ardit Ferizi. Theexfiltration of data from aprotected Italian military personnel from open sources andchannelthedata totheISHDin there is reasonable certainty that one or more individuals managed to profile the was later revealed tobefalse. TheItalian casealso raisesstrong doubts. Indeed, names, email addresses and other personal data of American military staff, which similar tothealleged exfiltration of data that allowed thesamegroup topostthe and photosof some Italian military personnel. In its intentions, thisactwasvery successfully penetrated Defence MinistryITsystemsandstolen theaddresses The mostsignificant episodetook placeinMay 2015, when ISHDclaimedtohave Al-Qaeda seemstohave faded,theonline activism of ISISstill soundsanalarm. threat associated with jihadistterrorist organisations. Although thedangerof The case-study presented in part 4 shows that Italy is not exempt from thecyber The cyberthreat improvement, also inthecontext of thenational cyberstrategy framework. intelligence forces inverifying theirreliability, could represent averifiable The monitoring of suppliers, andthedesirable collaboration of police and The Defence of Civilian Air Traffic Systems from CyberThreats 242 241

Interview, October 2015. Interview, October Larry Greenemeier, “Anonymous’s Cyber War with ISIS Could Compromise Terrorism Terrorism Compromise Could ISIS War with “Anonymous’s Greenemeier, Cyber Larry , 19 November 2015, http://bit.ly/1I1bCql. 2015, November , 19 241 242 Nevertheless, thisepisodeisproof –if 57 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI at damaging,compromising andexploiting theweb. the spreadof propaganda andrecruitment messagesandillegal activities aimed national critical ICT infrastructure. Theirrangeof intervention includes preventing to prevent andcounter ordinary, organised andterror-related cyberattacks against The Italian postal andcommunications police –andparticularly theCNAIPIC –work preventing andcountering potential cyberterrorism events. and communications police and theSecurity Intelligence Department (DIS) in against themmust include therole of government authorities such asthepostal A holistic assessment of theweaknessesof ATM/ATC systemsandthreats and less riskyoperations. would jeopardise theiranonymity andrisk“blowing thecover” of more profitable improbable that cybercriminals areadangertotheENAV ATM systems.An attack per la sicurezza 2014 sicurezza la per began in2007andismore active thanever today, with a24-hour/7-day aweektask anonymous-1.187319. http://espresso.repubblica.it/visioni/tecnologia/2014/11/10/news/vi-spiego-le-mille-facce-di- 244 243 could bedeemedhigh due topossible recruitment of highly skilled hackers, Yet, although thethreat posedbycybercrime inassociation with organised crime instruments that have previously beennearly thesole precinctof governments. the technical skill level of cybercriminals tothepoint of allowing themto master impetus tothecreation anddevelopment of newmalware. Thisdynamic haslifted Their needtoensurepartsof the digital blackmarket hasgiven major innovative The same considerations seem to apply to cyber criminals and organised crime. as “concrete, immediate and real ina medium/long-term projection,” collective’s logic. And even though thelevel of thethreat theyposecanbeassessed – attacks capable of placinghuman lives at risk–appears toruncounter tothe these actors will directtheirattacks againstICT facilities such asATM systems Ministry) andnon-governmental concerns (No TAV, Expo,etc.),thepossibility that expanded theirobjectives againstvarious government institutions (i.e.theDefence freedom of information. Although it hasbeenobserved that Anonymous Italia have The Anonymous movement, inparticular, wasborn of anideological belief inthe An additional element nottobeoverlooked ishacktivists’ underlying motivation. are not easy to obtain in the case of facilities associated with national security. to acertaintechnical expertise,awell-developed capacity for harvesting data that certainty of theirability toviolate complex ITnetworks that require,inaddition The Defence of Civilian Air Traffic Systems from CyberThreats 246 245 per la sicurezza 2014 sicurezza la per do that theywould bedoomed aspolitical activists.” Attacking anelectrical gridis,but that hasnever happened. If Anonymous wereto expert Gabriella Coleman hassaid,“takingdown awebsite isnotterrorism […].

Relazione sulla politica dell’informazione dell’informazione politica sulla Relazione Republic, of the Security for the System Intelligence Relazione sulla politica dell’informazione dell’informazione politica sulla Relazione Republic, of the Security for the System Intelligence Rapporto Clusit 2015 sulla sicurezza Ict in Ict Italia sicurezza sulla 2015 Clusit Rapporto for security, ICT association Italian Carola Frediani, “Vi racconto le mille facce di Anonymous”, in l’Espresso in Anonymous”, di racconto facce le mille “Vi Frediani, Carola , cit., p. 86. p. , cit., , cit., p. 85. p. , cit., 244 246 Constant webmonitoring , 12 November 2014, 2014, November , 12 243 as hacktivist , cit. , 245 it is 58 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI http://www.poliziamoderna.it/articolo.php?cod_art=3757. per la sicurezza 2014 sicurezza la per 247 248 boost cybersecurity. including ENAV, that allows for information and technical data sharing inorder to Collaboration Platform with national public services andcritical infrastructures, and intelligence activities. What’s more, theDIS hasestablished aspecial Cyber between the DIS and the CNAIPIC is aimed at consolidating threat containment entities. Arecently drafted(andyet tobefinalised) protocol of understanding both asregardsthepublic sector aswell asindustry andstrategic private sector The DIS also plays anessential role incyberthreat prevention andintelligence, activities of various othermembercountries. with thefurtherenhancement of aEuropol database containing theresults of the entities, such asInterpol andEuropol, which offer real-time information exchanges, These monitoring activities are carried out in collaboration with other international Source: Italian Ministryof Interior. Table 1|Postal police activity againstISIScybercrime(January-October 2015) force of over 20 staff and the additional support of the DIS and Prevention police. The Defence of Civilian Air Traffic Systems from CyberThreats 250 249 police, whose role wasfurtherreinforced inthelatest counter-terrorism decree. ISIS propaganda and recruitment bears witness to the effectiveness of thepostal of thisstudy, thearrestin2015of aTunisianandPakistani for alleged online pro- before the courtsare an indication of the level of police activity. In the specific case of cyberattack againstgovernment bodies andfirms, the 114persons brought of thisresearch tofully evaluate CNAIPIC’s work, themore than200investigations Cronaca web”, su Ansa in jihadisti scoviamo così Postale, “Polizia legge:2015-02-18;7; Quarantino, Enzo Total Reported toA.G. Facebook Twitter Media Blogs Forums Sites Web space

Ibid. Roberto Di Legami, “La minaccia corre sul Web”, sul corre Poliziamoderna in minaccia “La Legami, Di Roberto Relazione sulla politica dell’informazione dell’informazione politica sulla Relazione Republic, of the Security for the System Intelligence Decree No. 7 of 18 February 2015, http://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:decreto. 2015, No. February 7of 18 Decree , 22 July 2015, http://t.co/HkCAiv2tz5. July, 22 2015, , cit., p. 107. p. , cit., 250 Number 10,939 11,300 275 20 32 10 18 6 Monitored 488 350 85 10 18 19 6 248 Although it isnotwithin thescope Blocked 6,409 6,386 22 1 / / / , February 2015, p. 12-17, p. 2015, , February 249 247 59 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI cfm?newsId=19375. cost. a newATM systemcapable of managingaconstant increaseinairtraffic ata lower subsequently created Single European SkyATM Research (SESAR) should produce Transitions to NextGen Transitions connected with those of non-European countries. those with connected ATC CERT, of aEuropean creation closely on the providers services navigation air and Eurocontrol with cooperation include noteworthy especially those undertakings; security significant in remote accesstoavionic systems. growing interface with theInternet will increasethepossibility of unauthorised adequate security modelwill lead toserious risks. In thesameway, modern aircraft’s dangers and,according totheAmerican authorities, theFAA’s failure todevelop an GAO report, these new technologies riskexposingATM systemstosome inherent bis of Law no.124/2007,addafurtherdegreeof security. 256 255 254 253 252 251 (SES) programme whose aimistoreform theentire European ATM complex. Similarly, in 2004, the European Commission launched the Single European Sky creation of ahighly integrated management system. from radar-basedtosatellite navigation, voice todigital communications andthe United States intends toimplement intheyears tocome, which calls for atransition Next Generation Air Transportation System (NextGen) isanewATM systemthe considerable problems asregardstheircybersecurity. Civil aviation’s ATM systemsarefacingalong transformation process that will pose 4.3.2 Medium- tolong-term assessment which Italian ATM/ATC systemsaresubject islow, at least over theshort-term. efforts by Italian authorities, make it possible toassertthat the level of dangerto of ISIS,different objectives of hacktivists andcybercriminals andtheprevention To conclude, thesecurity measuresadopted byENAV, thelimited technical skills 2008 on thebasisof thePisanu Decree, In thiscontext, thecollaboration that ENAV hasput inplacewith CNAIPIC, since The Defence of Civilian Air Traffic Systems from CyberThreats 257 an atentimeslower environmental impact. traffic, to lower route unit costs, to have tentimes higher security coefficient and traffic control systems. The goal is to cope with a capacity for three timesthe current channel sector research anddevelopment (R&D)toward modern, homogeneous air EN?CurrentPath=/enav/en/services/international_activities/KPP/sesar.

ENAV, ENAV,

GAO, GAO, Sicurezza: rinnovato l’accordo tra Polizia di Enav Stato ed Polizia rinnovato l’accordo tra Sicurezza: Stato, di Polizia FAA, F FAA, Background on Single Sky European Background Joint Undertaking, SESAR Stefania Ducci, “Moving Toward an Italian Cyber Defense and Security Strategy”, cit. Strategy”, Security and Defense Cyber Italian Toward an “Moving Ducci, Stefania ENAV has been highly present since the programme’s inception and actively participates participates actively and inception programme’s the since highly present ENAV been has 256 Theprogramme intends toovercome existingnational fragmentation and FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Agency As Cybersecurity to Approach Address aMore Comprehensive Needs FAA act Sheet: NextGen Sheet: act SESAR , http://www.enav.it/portal/page/portal/PortaleENAV/Home_EN/ServiziEAttivita_ , , April 2015, http://www.gao.gov/assets/670/669627.pdf. 2015, , April , 19 August 2015, http://www.faa.gov/news/fact_sheets/news_story. 2015, August , 19 254 251 andwith DIS, on thestrengthof Art. 13- 257 Thenewtechnology will permit a 253 , http://www.sesarju.eu/node/37. , According toanApril 2015 252 , cit. , 255 The 60 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI net/news/bits/2015/09/23/cyber-security-education/1. education”, bit-tech in security for cyber funds pledges government “UK Halfacree, gov/issues/foreign-policy/cybersecurity/national-initiative; Gareth http://www.sesarju.eu/node/1821. doc/2010_the_future_of_flying_en.pdf. 259 258 20 years. air traffic, which isdestinedtoincreaseby5percent annually over the coming ATM systemsinanattempt toreduce costsandimprove theefficiency ofmanaging unlikely tobeexempt from risk.TheUnited States andEurope will beadopting new This brief study shows that thefuture of aviation, andATM systemsinparticular, is also with otherentities andactors. greater exchange of information notonly among flight controllers andaircraft, but The Defence of Civilian Air Traffic Systems from CyberThreats 261 260 response toasteadily risingdemand. major resources touniversity education aimedat raisinglevels of expertisein systems more secure. Western nations such astheUSandGreat Britain areallocating heavily inICT security inaneffort tomake bothprivate sector and government over themedium andlong terms.Some more advanced countries areinvesting In termsof cyberthreats, critical infrastructure could bemore exposedtodanger of national security. with thelatter playing anincreasingly important role inthedefence of citizens and will make therelationship betweencivil aviation andcybersecurity even closer, vulnerabilities exploitable byactors with criminal intent. An evolution of thissort the increasedinterface among thesystem’s parts,will multiply thenumber of studying computer technology inorder tomake theircontribution tothe“holy was already claimingbackin2005that thousandsof Al-Qaeda sympathisers were over themedium tolong-term. Oneof Al-Qaeda’s leaders, OmarBakriMuhammad, Although thethreat posedbyISIS or Al-Qaeda iscurrently nothigh, it could increase ISIS, isemblematic. case of Briton national Junaid Hussain of Birmingham, an ICT expert lured in by skilled technicians istempted tojoin theranksof terrorist or criminal groups. The top national security priority toavoid that none of that growing number of highly of services will be provided and managed online. Consequently, it will become a gradual interdependence, asmore andmore devices will belinked andthemajority to ensureit. More advanced technical sophistication will also beassociated with for protection, thegreater theprobable presenceof educated experts qualified for instance,already boastarelatively high ICT literacy level. Thegreater theneed American NextGen. that increaseits efficiency but also its vulnerability inamannersimilar tothe within 2020,will notbewithout acertainamount of riskdue toanumber of factors

SESAR, SESAR, Airbus, Airbus, The Comprehensive National Cybersecurity Initiative Cybersecurity National Comprehensive The House, White Study launched to address cyber-security in SESAR cyber-security to launched address Study Joint Undertaking, SESAR 260 SESAR: The future of flying future The SESAR: Global Market Forecast 2015-2034 Thetransition from one communication modetoanother,along with 259 , July 2010, http://ec.europa.eu/transport/modes/air/sesar/ 258 261 , http://www.airbus.com/company/market/forecast. Thenewsystem,slated for implementation Othernotwesterncountries, such asIndia , 23 September 2015, http://www.bit-tech. 2015, September , 23 , https://www.whitehouse. , 22 May 2015, 2015, May , 22 61 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI media spectacles –or convince online sympathisers tolaunch attacks inits name. tactics andtoolsthat have led tomajor cyberspacesuccesses –for themostpart The Wall Street Journal Wall Weapon’”, Street The in ‘Secret underscoring alow credibility due tolackof technical expertise. that ISIShadmadeattempts toattack theAmerican energyindustry, nevertheless 2015, ahigh-ranking official oftheUSDepartment of Homeland Security said Engage in Cyber Jihad”, cit. Cyber in Engage will become daily fare. recruitment, andwould have left hackingoperations toother“crews” notunder himself. Some believe theBirmingham native dealt mainly with propaganda and us whether Hussain ordered thealleged ISIScyberoperations or carried them out institutionalised ISIS’interests inthe cybersphere.Nevertheless, thisdoes nottell a zero-day exploit. ISIS membershimself.In one online conversation, heisalleged tohave discussed the recruitment of ICT experts,including hackers andprogrammers, andtrained have supported theencryption of communication among ISISmembers,promoted assembled malware tobeuseinattacking computer systems.He isalso believed to Hussain helped ISISraiseits guardagainstWestern electronic surveillance and will have on theevolution of ISIS’technical capabilities. According toUSsources, be seenwhat impact theAugust 2015killing of alleged ISHDchief Junaid Hussain point, that kindof evolution iscurrently difficult to foresee. Finally, itremainsto establish cyberwarrior units such asthoseof othergovernments. However, at this europeans. icsr.archivestud.io/2013/12/icsr-insight-11000-foreign-fighters-syria-steep-rise-among-western- Insights in ICSR Europeans”, among Western rise steep Syria; in fighters cnnmon.ie/1PjyZmf. thehill.com/node/242280. 267 266 265 264 263 262 war,” The Defence of Civilian Air Traffic Systems from CyberThreats 269 268 already done. to espousethecause, asindeedthousands–even from Western nations –have rapidly for ISIS,all themore soifthoseof thenewwell-trained generations were cit. Syria and Iraq. capacity among its priorities, given its heavy involvement inmilitary operations in the terrorist organisation could notbeincluding thesignificant upgrade of ICT evolution could come with ISIS’achievement of true statehood. For thetimebeing, critical infrastructure attacks usingcomplex malware. According to FBI director James Comey, ISIS “is waking up” to the idea of launching

ICS-CERT, CNN Money (and failing)”, CNN in grid energy U.S. the attacking is “ISIS Steven Stalinsky and R. Sosnow, “From Al-Qaeda to the Islamic State (ISIS), Jihadi Groups Groups Jihadi (ISIS), State Islamic to the Al-Qaeda Sosnow, “From R. and Stalinsky Steven The Hill The in war”, for cyber preps “ISIS Viebeck, Elise and Bennett Cory Roland Heickerö, “Cyber Terrorism: Electronic Jihad”, cit., p. 558. p. Jihad”, cit., Electronic Terrorism: “Cyber Heickerö, Roland Margaret Coker, Danny Yadron, Damian Paletta, “Hacker Killed by Drone Was Islamic State’s Was Drone by Islamic Killed “Hacker Paletta, Yadron, Coker, Damian Danny Margaret Steven Stalinsky and R. Sosnow, “Hacking in the Name of the Islamic State (ISIS)”, State cit. Islamic of the Name the in Sosnow, “Hacking R. and Stalinsky Steven Emma Graham-Harrison, “Could Isis’s ‘cyber caliphate’ unleash a deadly attack on key targets?”, on targets?”, key attack adeadly unleash caliphate’ ‘cyber Isis’s “Could Graham-Harrison, Emma 262 andspecialised research centres confirm that Al-Qaeda’s cyberactivities Cyber Threat Source Descriptions Source Threat Cyber 264 268 It isconsidered highly probable that ISISwill develop thesort of In the case it were to succeed in consolidating as a state, it might 269 In short, Hussain isthought tohave consolidated and 263 Ariseinthelevel of technical expertisecould also come , 27 August 2015, http://on.wsj.com/1WVAfhO. 2015, , 27August , cit; Aaron Y. Zelin et al., “Up to 11,000 foreign foreign to 11,000 “Up Y. al., et Aaron Zelin , cit; 266 At aconference inOctober , 16 October 2015, http:// 2015, , 16 October , 17 December 2013, http:// 2013, , 17 December , 17 May 2015, http:// 2015, , 17 May 267 Further 265

62 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI actors totheairtraffic system will probably remainrelatively low inthe future. UNMASK-Finale-20-maggio-2015-1.pdf. News Valtellina in not seemtohave beenany particular response internationally. certain importance againstItalian institutional sites, although todate theredoes to the arrest of these two members, it is probable that there will be campaigns of a appealed to the rest of the collective for their support. If the global movement reacts declared waron theItalian government for thedetention of thetwo hackers, and by theItalian authorities will have major repercussions. Anonymous has already a less technically adeptgeneral membership iscorrect, it ispossible that thiscoup the supposition that Anonymous Italia ismadeup of niches of experthackers and only topolice andintelligence agencies. cyber attack that wasfollowed bytheonline distribution of products normally sold after HackingTeam, aMilanese firmspecialised insurveillance software, suffered a will gain access to highly sophisticated instruments such as those made available competition inthemalware market. Thereisalso thepossibility that cybercriminals serious byvirtue of therising number of interconnected devices andthemounting recent trendcontinues, thethreat associated with thistypeof actor will grow more organised crimewill increasingly rely on hackers for its illegal activities. If the It isprobable that cybercriminals will continue toevolve technically, and that ATM systems. predict whether thiscould result inattacks againstcritical infrastructures such as responsible for therecent operations againstExpoandtheDefence Ministry. large on thenational andinternational hacktivist panorama andarebeingheld arrest of Fabio Meier andValerio Camici who, according toinvestigators, loomed in history isnosimple task.Anonymous Italia suffered heavy losses with the Understanding Italian hacktivism’s future prospects at this particular moment they will continue inthecoming months. if ISIS-led operations have been carried out by affiliated hackers, it is probable that although it will beafew months before that canbeascertained.Ontheotherhand, possible that hisdeath will slow theterrorist organisation’s technological evolution, 273 272 271 270 direct ISIS control. The Defence of Civilian Air Traffic Systems from CyberThreats 274 per la sicurezza 2014 sicurezza la per entities for thepursuit of objectives otherthanonline protests,” “enough torender themvulnerable tomanipulation andinfluence by organised judgement that thefuture elevated capability acquiredbydigital activists will be com/node/1838426. Team”,Hacking Morningin South China Post firm cybersecurity onItalian attack after leaked tools used hackers “Chinese Griffiths, James See: tools. harvesting

Polizia di Stato, Polizia delle Telecomunicazioni, “Comunicato Stampa: Operazione Unmask”, Unmask”, Operazione Stampa: “Comunicato delle Telecomunicazioni, Polizia Stato, di Polizia It appears that some Chinese hacker groups have already begun to use some of the firm’s data data firm’s of some the to use begun already have groups hacker Chinese some that It appears Relazione sulla politica dell’informazione dell’informazione politica sulla Relazione Republic, of the Security for the System Intelligence Interview, October 2015. Interview, October Interview, October 2015. Interview, October , 19 May 2015, http://www.valtellinanews.it/assets/Uploads/Comunicato-stampa- , cit., p. 85. p. , cit., 270 If he was, in fact, the key player in ISISonline campaigns, it is 274 That said,thedangerposedbythese , 20 July 2015, http://www.scmp. July, 20 2015, 273 272 it isdifficult to As regardsthe 271 If If 63 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI is decidedly higher, and could poseathreat tocivil aviation, it isimprobable that earned themconsiderable media attention. While Anonymous’ technical prowess Al-Qaeda have thus farbeenshown tobelimited, despite their actions having including Italy. Thecyber capabilities of terrorist organisations such asISISand currently constitutes aserious threat totheATM/ATC systemsof any country, criminals asposingthegreatest threat to that sector. None of theseactors, however, aviation authorities have identified terrorist organisations, hacktivists and cyber analysis must also include assessment of possible attackers’ technical skills. Civil Defence, therefore, must notbethesole variable considered, sinceacomplete other systems. weaknesses, especially inlight of an increasingopenness andinteroperability with interests. Such vigilance calls for theconstant assessment of riskandof changing vigilance over thetechnological, andprocess andsystem-related aspectsof national result must also take into account theneedfor constant, and indeedincreasing, did notfindvulnerabilities that set off any significant alarms. Conversely, this system remainsat riskgiven theimpossibility of achieving total security, thestudy and instruments necessary for confronting this type of threat; and even though the In thefirstplace,from thetechnological point of view, ENAV hasthemethodologies actors islow, andthisthesisissupported byaseries of factors. possibility that ENAV ATM/ATC systemswill besuccessfully attacked bynon-State On ascale from low, tomedium tohigh, this study maintains that theshort-term or cannotbedeveloped. that various levels of protection reduce theenormity of such athreat, do notexist zero-day. Theideathat protection cannever becomplete, however, does notmean before that. Even asystemconsidered secureandprotected canbeviolated with a risk only when it hasbeenturnedoff –ifahacker hasnotmanagedtopenetrate it threat? Theobvious answertothiskindof query would bethat asystemiswithout as it iscomplex inits analysis: aretheENAV ATM/ATC systemssafe from thecyber The purpose of this study was to respond to a question as simple in its formulation Conclusions that would placenational andinternational cyberinfrastructure inserious peril. infrastructure. Any alliance of that sort would result incapabilities andresources and terrorist organisations or powerful criminal groups targetingcritical national does notseemtobeany solidarity between hackers of acertainproven expertise do have such capability do notfindareason touse it maliciously. To date, there attack critical infrastructure do nothave theability todo so,andthat thosewho police andintelligence agencies will have tomake surethat thosewho intend to the possible options, something that hasthus farnever taken place.Essentially, Finally, aneventuality that should beavoided at all costsisthecombination of all The Defence of Civilian Air Traffic Systems from CyberThreats 64 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI cyber criminals will allow sensitive targets such asairtraffic control systemsinthe makes it necessary to keep a watchful eye on these actors, it isalso improbable that more sophisticated tools.Although theirpotential for accesstotechnical expertise continually expandingonline blackmarket will beanincentive todevelop ever if for no other reason than because competition between malware vendors and a The technical skill of cybercriminals will continue toimprove intheyears tocome, their operational objectives. infrastructures, which it isbelieved (andhoped) will continue tobeabsent from probably will notchange arethehacktivists’ intentions regardingcritical ATM/ATC level. Although thelevel of hackingmay vary, andperhaps decrease,what most have certainly provided a certain amount of leadership, at least at a technical is noreal hierarchy, thecollective will regroup after theloss of two membersthat figures on the Italian hacktivist panorama. It isdifficult topredict how, while there The future of Anonymous Italia isuncertainafterthearrestof two high-profile those virtual spacesfrom which thefirst alarming signals could come. preventing andcountering illegal online activity will, inany case,have tomonitor some who doubt thelikelihood of theseconditions, theauthorities concerned with Obviously, all thesefactors cannotbetaken for granted, andalthough thereare obtain support from hackers distributed inthemostdisparate regions of theworld. its ability toestablish statehood, attract well educated membersor continue to threat tocritical infrastructure. Thiswill dependon many variables, among which It cannot be ruled out a priori that ISIS will acquire the skills to make it a serious at anindividual level. difficulties inherent to identifying andstopping phenomena that often germinate case of Junaid Hussain beingemblematic of theproblem –keeping inmindall the future expertsavoid andresisttheattraction of extremistor radical ideologies –the From anational security standpoint, it isgoing tobeessential toensurethat those respond toICT market demandsbyturningout more computer science specialists. It isreasonable toexpectthat, inthemedium-long term,educational systemswill level of risk,with theconsequent needtoreinforce thosesystems’defences. interconnected andpotentially more vulnerable. Thiswill inevitably increasethe deep technological transition that will renderthemmore efficient, but also more In thenot-too-distant future, USandEuropean ATM/ATC systemswill undergo a some points for reflection andtogive a glance at themedium-long term. remain unaltered in thefuture. For that reason, an attempt has been made to offer That theseassessments arevalid for theshort term does notmeanthesituation will a furtherobstacle topossible attacks againstcritical ICT infrastructure. and financial levels. Finally, the efforts of institutions such as CNAIPIC and DIS are have aninterest inattacking thecivil aviation sector, but mainly at commercial that would endangerpeople’s lives. Cybercriminals andorganised crime could the hacktivist collective would beinterested incompromising ICT systemsinways The Defence of Civilian Air Traffic Systems from CyberThreats 65 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI 2011, http://smallwarsjournal.com/jrnl/art/cyberwar-case-study-georgia-2008. Wars Journal Small in 2008”, Georgia ow.ly/xlq1T; Study: Case “Cyberwar Hollis, David Blog Research Threat in FireEye Rises”, Activity Malware Continues, Conflict Blog conflict situations. Sea have led toconsideration of how spaceandcyberweapons might beusedin conflicts inGeorgia andUkraine and thediplomatic skirmishes intheSouth China infrastructure. As remoteasthiseventuality may currently appear, therecent state, but also of state andpara-state actors posingathreat tocritical national Future efforts at analysis will also have toconsider thepossibility not only of non- of thecyberthreat tocivil aviation. continue toinvestigate theseaspects inorder topaint thebroadest possible picture of airports and on-board aircraft systems. Future sector studies will presumably the sector’s many vulnerable elements, such astheinternal computer systems present report proceeded from abroad-based perspective toanalyse some of in thecontext of therelationship betweencybersecurity andcivil aviation. The This study has certainly notexhausted all thepossible topics worth examining commercial andfinancial divisions of civil aviation. future todistractthem from much more profitable and less riskytargetssuch asthe The Defence of Civilian Air Traffic Systems from CyberThreats 275 quality logical, physical andprocess security, inlinewith thebestsector standards. systems as secure as possible. This while combining the maintenance of a high factor inthedegreeof sophistication of theseactors intheirefforts torendertheir years, expertsinthedefence of critical ICT infrastructure will inevitably have to security objectives, will bethedriving force behindcyberinnovation inthecoming

CrowdStrike Sea”, CrowdStrike in China South the in Activity Cyber Foreshadows “Rhetoric CrowdStrike, , 1 June 2015, http://t.co/Ifl4L5xDr7; Kenneth Geers, “Strategic Analysis: As Russia-Ukraine Russia-Ukraine As Analysis: “Strategic Geers, http://t.co/Ifl4L5xDr7; , 1June 2015, Kenneth 275 Since governments, asaresult of theirresources andnational Updated 5May 2016 , 28 May 2014, http:// 2014, May , 28 , 6 January , 6January 66 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI The report wastranslated from Italian toEnglish with thesupport of ENAV. This study wasdone with thesupport of Vitrociset. Nicolò Sartori andAlessandra Scalia, IAISecurity andDefence Programme. Other contributors tothestudy include Daniele Fattibene, Francesca Monaco, (IAI) Stefano Silvestri, Scientific Advisor andpastPresident, Istituto Affari Internationali Information Security (ENISA) Treat Landscape Stakeholder Group of European Union Agency for Network and Pierluigi Paganini, Chief Information Security Officer at Bit4Id andmember ofthe Affari Internazionali (IAI) Jean Pierre Darnis,Deputy Director, Security andDefence Programme, Istituto Research Institute (UNICRI) Francesca Bosco,Project Officer, United Nations Interregional Crimeand Justice Special thanksalso go to: The Office ofthePrimeMinister The Italian Ministryof Transport The Italian Ministryof Interior The Italian Civil Aviation Authority (ENAC) The Italian Air Navigation Service Provider (ENAV) The Italian Air Force study possible, inparticular: The authors would like tothankall those who kindly contributed tomakingthis Acknowledgements The Defence of Civilian Air Traffic Systems from CyberThreats 67 DOCUMENTI IAI 15 | 23E - DECEMBER 2015 ISSN 2280-6164 © 2016 IAI Latest DOCUMENTIIAI The Defence of Civilian Air Traffic Systems from CyberThreats www.iai.it [email protected] F +39 T +39 Via Angelo Brunetti, 9-I-00186 Rome, Italy and otherpapers’ series related toIAIresearch projects. (AffarInternazionali), two series of research papers (QuaderniIAIand Research Papers) publishes anEnglish-language quarterly (TheInternational Spectator), anonline webzine and theMiddle East;defence economy andpolicy; andtransatlantic relations. TheIAI in the global economy and internationalisation processes in Italy; the Mediterranean research sectors are:European institutions andpolicies; Italian foreign policy; trends and abroad andisamemberof various international networks. More specifically, themain that end,it cooperates with otherresearch institutes, universities andfoundations inItaly and disseminate knowledge through research studies, conferences andpublications. To economy andinternational security. Anon-profit organisation, theIAIaimstofurther Founded byAltiero Spinelli in1965,does research inthefields of foreign policy, political Istituto Affari Internazionali (IAI) 15 | 15 |16 15 |17 15 |18 15 |19 15 |20 15 |21 15 |22 15 |23 15 |23e 06 3224360 06 3224363 and Investment Partnership Umberto Marengo, Italian Exports and theTransatlantic Trade Role of Private Equity, Venture Capital and Private Debt Anna Gervasoni, Alternative Funding Sources for Growth: The and Europe Eleonora Poli andMariaElena Sandalli, Financing SMEsin Asia Protezione del traffico aereo civile dalla minaccia cibernetica Tommaso DeZan,Fabrizio d’Amore eFederica DiCamillo, The Defenceof Civilian Air Traffic Systemsfrom Cyber Threats Tommaso DeZan,Fabrizio d’Amore andFederica DiCamillo, Ucraina Serena Giusti, La Politica europea di vicinato elacrisiin Silvia Colombo, Lacrisilibica eil ruolo dell’Europa the European Union? Five Themesfor Reflection and Action Pier Domenico Tortola andLorenzo Vai, Government What for Politica europea di vicinato Nicoletta Pirozzi eLorenzo Vai, Proposte di riforma della Addressing theMilitary Conflict in Ukraine Irene Fellin, TheRole of Women and Gender Policies in