
DSS/Support to CAA-NSA A6-1 Guidelines for NSAs for the Development of the ANSP Oversight Process Annex 6-ATM Security Oversight

Edition 1.0 June 2013

ANNEX 6 -ATM SECURITY OVERSIGHT

1. INTRODUCTION

Security oversight is a fundamental function for improving the overall security process in a proactive manner. It is the responsibility of the State security authorities. On one side it allows compliance to be verified; even more importantly, it identifies improvements towards a dynamic and efficient security able to anticipate and mitigate the main threats and risks to ATM. This aim is best achieved by introducing a holistic and systemic approach to security, e.g. via the development and implementation of security management systems.

By guaranteeing security compliance, security oversight contributes to improving trust in the ATM system.

It also facilitates the security assurance and validation process on the part of the organisations implementing the security requirements and helps to improve the Plan-Do-Check-Act security loop, thus enhancing the quality of the security management systems.

Training, accreditation and designation of Security Auditors are key aspects of ATM security performance. The quality of security oversight will depend on the quality of training for security auditors, thus impacting on the overall result of the national aviation security programme. Therefore, the quality (and quantity) of security auditors is a major aspect of the national aviation security performance.

A national ATM Security Oversight Programme should not run in isolation but as an integral part of the broader National Aviation Security Programme.

2. SCOPE

The scope of this process is the oversight of ATM security at national level. FAB and network (Network Manager – NM) dimensions are not fully addressed within the scope of this document. However, initial requirements are tabled in Appendix 1.

ATM security must not be addressed in isolation but as an integral part of the overall aviation security system, following a holistic approach. A national ATM security oversight programme should consider all the aspects relevant to ATM security including possible interfaces with other aviation security related issues. A common understanding of what is ATM security, in the framework of the broader concept of aviation security, is therefore needed.

Holistic approach

ATM security, as a major component of the overall aviation security, also requires a holistic approach. ATM security needs to be addressed in a gate-to-gate concept. Interfaces with the other aviation security components deserve special attention, e.g. CNS security (ADS-B, GNSS, data links…), Airspace Security and Airport Security. ATM security must be embedded as an integral part of the aviation security system, and therefore it should be included in the National AVSEC Programme.

Understanding ATM Security

ATM Security is a major component of aviation security (AVSEC). ATM security is concerned with those threats that are aimed at the ATM System directly, such as attacks on ATM assets, or where ATM plays a key role in the prevention of or response to threats aimed at other parts of the aviation system (including national and international high-value assets) and in limiting the effects of such threats on the overall ATM Network.

It comprises two key areas:

1. Self-protection of the ATM system: this addresses security and resilience of physical infrastructure, personnel, information and communication systems, ATM/CNS infrastructure and networks;

2. ATM Collaborative Support to aviation security and civil and military authorities responsible for national security and defence.

ATM Security has an interface with Airspace Security revolving around the national security and defence requirements, operational aspects of collaborative support, and technological security and interoperability between civil and military systems.

Security threats may be directed at aircraft or through them to targets on the ground. The ATM facilities and systems may also become threat targets. Although ATM cannot by itself address all issues, it nevertheless has to provide responsible authorities with the requested help in all phases of the security occurrence in accordance with national, ICAO and other relevant international rules. The international dimension imposes the uniform and effective application of suitable measures.

ATM has to support national security in respect of the identification of flights entering a State’s national territory, and air defence organisations have to be provided with all ATM information relevant to their task.


On the other hand, particular attention will need to be paid to the preparation of contingency plans designed to handle degradations of the ATM system and security-related emergency situations. Indeed, contingency planning is an essential part of the overall security cycle. It aims at getting the system back to ‘normal’ as soon as possible after an attack. This prevents attackers/terrorists from exploiting the success of an attack ‘twice’: hitting an ATM target and then disrupting normal operations for a long period due to overreaction and lack of contingency plans. The associated economic impact of a lack of contingency planning must also be considered. The figure below illustrates a complete resilience cycle, including contingency planning:

Figure 2.1: The ATM security resilience cycle

3. REGULATORY FRAMEWORK

The national ATM security oversight programme must look at the full range of security regulations at national and international level, relevant to the provision of air navigation services, in order to provide for a consistent and comprehensive security oversight function. ATM security auditors must be familiar with regulations in place and under development, as well as with ongoing ATM security activities at national, regional and global level.

The Global regulatory framework

Aviation security is one of the key activities within the International Civil Aviation Organisation (ICAO). Since 9/11, ICAO has become extremely active in security awareness and support, facilitation, training and oversight. Provisions for international aviation security were first disseminated as Annex 17 to the Chicago Convention in 1974 and have since been improved and updated 11 times.

A 12th amendment to the Annex has been approved by the ICAO Council and is applicable as of 1 July 2011. This amendment incorporates for the first time provisions for ATM security and cyber security. An improved Aviation Security Manual has also been published to support States in implementing the provisions of Annex 17. Furthermore, an ATM Security Manual was published at the end of 2012.

A fundamental element within the ICAO aviation security programme is the ICAO Universal Security Audit Programme (USAP). It represents an important initiative in ICAO's strategy for strengthening aviation security worldwide and for attaining commitment from States in a collaborative effort to establish a global aviation security system. The programme, part of ICAO's aviation security plan of action, provides for mandatory and regular audits of all ICAO contracting States. The ICAO audit assesses the State's capability for providing security oversight by determining whether the critical elements of a security oversight system have been implemented effectively. Implementation of the programme began with the first security audit in November 2000. The second cycle of security audits commenced in January 2008 and is expected to conclude in 2013. In addition to security audits, the programme entails audit follow-up visits that focus on the implementation of corrective action plans. It can be expected that ATM security and cyber security (included in the 12th amendment of Annex 17) will be incorporated in the USAP in the near future. This would have an impact on the national ATM security oversight programme.

The European regulatory framework (SES I/SES II)

The initial SES package came into force in 2004. In the light of the SES, a specific regulatory framework for air navigation service (ANS) security has been under development in the European Union since 2004 (e.g. Regulation (EC) No. 550/2004 and Regulation (EC) No. 1035/2011).

The service provision Regulation (EC) No. 550/2004 establishes common requirements for the safe and efficient provision of ANS in the Community, security being one of these requirements. The regulation includes a common system for the certification and designation of air navigation service providers. This enables the definition of their governing rules and obligations.

This regulatory framework is distinct from the regulatory framework for aviation security (e.g., former Regulation (EC) No. 2320/2002 and new Regulation (EC) No. 300/2008).

The security oversight responsibilities extend to all these aspects of ANS.


Figure 3.1: Typical organisation of ANS

Security aspects of Regulation (EC) No. 73/2010

Regulation (EC) No. 73/2010 lays down requirements on the quality of aeronautical data and aeronautical information for the single European sky, in terms of accuracy, resolution and integrity. The regulation mentions ISO 27002 as a means of compliance. This should be welcomed, since it could provide a general baseline and grounds for harmonised INFOSEC in aviation. However, caution should be exercised before considering ISO standards as the complete or definitive solution for cyber defence in the SES.

The National Regulatory Framework

National regulations complementing or extending global and regional regulations and standards are extremely important in order to adapt the regulatory framework to the local circumstances. Each State should tailor or customise the international security framework to its specific needs and constraints.

National security regulations are especially relevant in the case of the ATM Security/Collaborative Support area. This is because the link with national security and defence precludes any regulatory activity, other than national. Nevertheless, the international dimension of ATM security imposes the adoption of a harmonised global approach and the uniform and effective application of suitable measures.

Organisations like EUROCONTROL, NATO and ICAO (recently addressing civil military cooperation in ATM) play a role in this regard.

The most critical aspect of the ATM collaborative support is the provision of information to the national civil and military authorities (i.e. Air Defence) and the support in case of security incidents (collaborative ATM security incident management). Following the 9/11 attacks, many States nominated a National Governmental Authority (NGA), responsible for the decision making and resolution of airspace security incidents, like Renegade¹. Accordingly, many States have reviewed or issued new legislation to cope with the new threat.

The implementation of this legislation must also be part of the national ATM security oversight programme.

4. ORGANISATIONAL ASPECTS

ICAO Annex 17 establishes that each contracting state shall designate and specify to ICAO an appropriate authority within its administration to be responsible for the development, implementation and maintenance of the national civil aviation security programme. This programme aims at safeguarding civil aviation operations against acts of unlawful interference, through regulations, practices and procedures which take into account the safety, regularity and efficiency of flights. The Appropriate Authority is responsible for the National Civil Aviation Security Programme and its associated National Civil Aviation Security Committee (NCASC).

It is important that the regulatory and oversight functions be separated from the implementation functions. In the case of ANS security for the SES, this means that the ANSP must implement a SecMS (Security Management System) to comply with Regulation (EC) No. 2096, and the NSA must oversee that the ANSP SecMS is compliant with the 2096 requirements.

Figure 5.1: Separation of regulatory, oversight and implementation functions (triangle with three vertices: Regulator: ICAO, EC, CAA; Oversight: AA, NSA, EC, ICAO; Implementation: ANSP, Airports, AO, Entities…)

¹ A situation where a civil aircraft is used as a weapon to perpetrate a terrorist attack is usually referred to as a Renegade.


The CAA, the NSA and the Appropriate Authority (AA) are nominated by the State. They should normally belong to the Ministry of Transport. Nevertheless, the States might decide otherwise, for instance the oversight function can be assigned to a higher level when it includes national police or military involved in the protection of critical infrastructure, i.e. hubs, radar and communications sites.

It is normal practice that the CAA also performs as the NSA. The Appropriate Authority is, at present, normally involved in airport security issues only. Nevertheless, the new amendment of ICAO Annex 17 opens the door to including ANS (ATS in ICAO terminology) within the National Aviation Security Programme (NAVSECP). It is up to the States to decide whether:

1. the Appropriate Authority will also be responsible for the ATM security oversight, i.e. in support of the NSA; or

2. ATM and Airport security oversight will remain separated (under the NSA and the AA respectively); or even

3. a single oversight authority will be established for all aviation security aspects (NSA = AA).

5. OVERSIGHT PROGRAMME

Security oversight is one of the three main aspects of a system approach to security, the other two being the regulatory and the provision (or implementation) functions, as depicted in the triangle in the figure above.

When developing an ATM Security Oversight Programme, the following elements should be considered:

1. Scope;

2. Authority;

3. Organisation;

4. Policy setting;

5. Audit/Inspections Plan;

6. Current Status.


APPENDIX 1: STEPS FOR OVERSIGHT OF ANSP ATM SECURITY

ATM Security System

An ATM Security System is a combination of organisation, means and doctrine (policies, regulations, procedures) established to protect the ATM system (people, aircraft, airspace, infrastructure and information) against attacks and acts of unlawful interference.

The implementation of an ATM security system shall ensure the achievement of the ATM security objective. The general objective of ATM security is to determine effective mechanisms and procedures to enhance the response of ATM to security threats and events affecting flights (aircraft and passengers) or the ATM system (EUROCONTROL ATM Strategy for the Years 2000+).

The ATM security system shall then protect the ATM System by preventing terrorist attacks and acts of unlawful interference (or any other threat) and by facilitating intervention when necessary.

The ATM security system should address all identified ATM threats, in line with the national threat assessment and security scenarios. Therefore, it should be tailored to give response to the full spectrum of security contingencies and to correct any identified ATM System security weaknesses.

It is important to note that a System does not necessarily stand for a sophisticated tool or state of the art hardware and software. On the contrary, often it just encompasses elements, activities, people or ideas.

The system should be robust and resilient enough to be able to cope with the full spectrum of threats. Therefore it must be intelligence driven and risk based. Security risk and threat assessments have to be carried out and updated on a regular basis to permanently adapt the security preparedness and response to new, evolving and emerging threats.

ATM Security intelligence-led, threat-based and risk-managed

What are the threats to the SES ATM System?

It is a national responsibility to develop and update a threat and risk assessment for aviation. This assessment must be shared with all the aviation players involved, on a need-to-know basis. This national security assessment must be complemented with particular threat assessments carried out by ATM organisations such as the ANSPs providing services in that State.

An initial checklist for compliance with security requirements by ANSPs and other ATM organisations follows.


Figure …: The ATM security oversight process flow chart


ATM security oversight procedural steps

Note: Blue marks generic tasks; Yellow indicates explanatory material and additional guidelines.

Tasks Description and Comments

1. Security requirements

1.1 Definition of Security requirements in ATM/ANS

1.1.1 Identify and implement security requirements for ATM/ANS. Security requirements are normally imposed by national and international legislation. National authorities should base the oversight programme on these requirements, which shall be met by the ATM/ANS entities. Security requirements shall be clearly established and reflected in the National Civil Aviation Security Programme (NCASP).

Security requirements are reviewed in line with new legislation and as a result of the threat and risk assessment process.

GUI The starting point of security oversight is to know what has to be audited or inspected. The oversight programme must look into legal compliance (against security requirements). More importantly, oversight authorities should also follow an ‘outcome based’ security approach. This means checking whether, despite objective compliance with security requirements, the overall security environment is improving, by means of:

1. lifting the security culture within the organisation, through an education, awareness and training plan;

2. embedding security into the core business process;

3. full management and staff commitment to security;

4. improving security incident management, reporting and corrective actions implementation;

5. adapting the security system to the actual threat and risk environment; intelligence led, threat based, risk managed security;

6. a holistic approach (considering all security aspects/scenarios) and a cost-effective, practical and sustainable security management system.

The regulatory framework for ATM security must be clearly defined within the NCASP. It includes:

1. ICAO framework: Annex 17, Aviation Security Manual, ATM Security Manual and other relevant security guidelines;

2. EU: cyber security (EU Cyber Security Strategy), aviation security (e.g. EC 300/2008, 859/2011) and SES security-related legislation (e.g. EC 1035/2011, 73/2010);

3. ECAC: Doc 30 and associated guidance;

4. National applicable legislation for aviation and ATM security;

5. Other relevant national or international legal frameworks: e.g. security and defence treaties, protection of critical infrastructures, etc.

Threat and risk assessments for ATM/CNS should not be done in isolation (bottom-up) but in the context of the NCASP (top-down approach). State authorities are responsible to provide a coherent threat and risk context for all aviation and ATM organisations. In this regard, they must consider:

1. the ICAO Risk Context Statement (RCS) and outcome of the Threat and Risk Working Group;

2. the EU AVSEC Regulatory Committee relevant outcome;

3. the ECAC Vulnerability assessment programme;

4. general national threat and risk assessments;

5. aviation- and ATM-specific national threat and risk assessments (as part of the NCASP).

ATM/ANS organisations must complement this threat and risk context with ‘local threat and risk assessments’ adapted to specific circumstances and location of the ATM/CNS infrastructure.

National authorities establish and carry out their oversight programme mainly through dedicated audits of the critical areas/elements of an ATM/ANS provider, on the basis of risk assessment and the identification of priority areas, rather than through periodic scheduling of large-scale audits at random physical locations.


Other triggers for a specific oversight activity may be:

1. the need to follow up/verify effective implementation of or compliance with a specific regulatory action or measure taken by the NSA as a result of previous oversight;

2. an unforeseen event (e.g. an incident or attack) which calls for an ad-hoc verification by the NSA;

3. a request by the ANSP that the NSA approves or accepts proposed new arrangements (e.g. a change to security processes, implementation of new security equipment);

4. the introduction of a change to a functional ATM/CNS system based on the verification or review of specific documented evidence (e.g. security arguments);

5. the need to certify an ANSP or other entity for the first time;

6. entry into force of new security requirements.

2. (Annual) inspection programme

2.1 Develop and maintain the (annual) inspections programme

2.1.1 Establish/maintain an inspection programme based on assessment of risks and identified priorities (Art 2.2 SPR, Art 8 CR-IR).

ANSP included in the NCASP and the National Civil Aviation Security Quality Control Programme (NQCP) (ICAO Annex 17 and AVSEC Manual)

GUI Security oversight is a compliance monitoring and verification process by which the security authorities obtain evidence that the required and expected security performance is met by the different players in the ATM system.

This can be done through the establishment of an inspection and audit programme. Inspections examine the implementation of relevant national civil aviation security programme requirements by an airline, ANSP, airport or other entity involved in security. Audits are an in-depth compliance examination of all aspects of the implementation of the national civil aviation security programme (see annex on Definitions). Nevertheless, neither inspections nor audits should restrict themselves to compliance verification (prescription-based); they must go beyond regulatory compliance and address the system-based and outcome-oriented aspects.

It is important that NSAs have a good understanding of what is mandatory and what is only optional, including what should be seen as good practice. Certainly, NSAs cannot force ANSPs to implement optional requirements.

Article 8 CR-IR requires that an NSA ‘monitors annually the ongoing compliance of the ANSPs which it has certified. To this end, the NSA shall establish and update annually an indicative inspection programme covering all the providers it has certified and based on an assessment of the risks associated with the different operations constituting the services’.

It should be noted that an ‘inspection’ in the sense of SPR and CR-IR is not defined in EU law but may be subject to national law.

Besides audits and inspections, the overall annual oversight programme may in addition provide for surveys (Art. 2.2 SPR and Art 7 CR-IR), reviews and other forms of verification which may also be conducted within a desk-top procedure (i.e. not accompanied by on-site visits, unless necessary). The NSA may opt for such ‘simpler’ verifications in the case of oversight activities which do not pose the level of risks perceived in the areas/ elements verified for compliance by means of audits and inspections. Nonetheless, even if ‘simpler’ than a full-fledged security regulatory audit, desk-top oversight as per step 3.1 should also be carried out in accordance with audit procedures/ techniques.

A security survey is an evaluation of security needs. It:

1. is intended to highlight vulnerabilities that could be exploited to carry out an act of unlawful interference;

2. is intended to recommend corrective actions;

3. should be carried out whenever a threat necessitates an increased level of security;

4. ranges in scope from a targeted assessment focused on a specific operation to an overall evaluation of security measures;

5. takes from a few hours to several weeks;

6. should include overt or covert security tests.

A security test is a simulation of an attempt to commit an unlawful act in order to test a security measure:

1. It may be overt or covert;

2. It only demonstrates whether a security measure or control proved effective at a specific place and time;

3. It focuses on access control to restricted areas, protection of assets, etc.

Before it is formally adopted, the audit/inspections programme must be notified to and, if necessary, discussed with the ANSPs concerned and, possibly, with other NSAs concerned (Art 8 paragraph 2 CR-IR). The audit/inspections programme must be implemented and managed effectively and efficiently, on authority granted by the NSA’s top management. The programme also includes all activities necessary for planning and organising the types and numbers of audits/inspections, and for providing the resources to conduct them effectively and efficiently within specified timeframes.

Finally, the oversight programme should provide for verifications required in the frame of specific IRs where the NSA or the State has to ensure that specific regulatory measures are implemented or deployed by the ANSPs or other stakeholders subject to the authority of that NSA or State. These verifications are mandated on the basis of specific target dates rather than on a periodic basis. Alternatively, such verifications may be effected through step 3.1 and step 3.2 of the oversight activities.

Further guidance material on annual audit planning is included in the ‘Manual for National ATM Security Oversight’.

2.2 Define an oversight case

GUI It is emphasised that the following steps 2.2, 2.3 and 2.4 are not related to the development of the inspection programme. These steps are actions for the inspection preparation covered by steps 3 and 4.

2.2.1 Examine the oversight case based on any trigger received and inform/consult ANSP accordingly.

2.2.2 Conduct initial oversight investigations to gain objective information to enable an NSA decision regarding further oversight activities.

GUI

As a result of the initial oversight investigations, the NSA may terminate the oversight process if it appears that it cannot be completed due to the lack of resources within the applicant’s structure or its lack of commitment to comply with the applicable requirements. Such a decision is to be notified to the applicant together with the reasons.

2.3 Consultation with ANSP and other entities

2.3.1 The NSA consults the ANSPs concerned as well as any other national supervisory authority concerned, if appropriate, before establishing such a programme.

2.3.2 The NSA is to communicate the initial plan to the ANSP and obtain their comments and proposals.

GUI The previous provisions do not mean that all security requirements are checked annually. Different areas of security requirements (e.g. cyber) may have different oversight cycles. Nonetheless, all security requirements are checked at least once during the validity period of the certificate.

2.4 Preparation of the inspection

2.4.1 Identify the legal basis - regulatory requirements – which determine the oversight activity, the expectations from the oversight authorities, the relevant means of compliance – MoC –, the evidences and detailed requirements.

GUI

1. Requirements: as laid down in the regulation/legislation or applicable directive or standard;

2. Expectation: of the oversight authority on how the inspected entities must fulfil the requirement. It must be communicated to the entities;

3. MoC: arguments claiming to fulfil the expectation, provided by the inspected entities and agreed by the oversight authority;

4. Evidence: to justify the arguments; provided by the inspected entities and assessed by the oversight authority;

5. Detailed requirements (questionnaires): used by the inspectors (normally shared, partly - not all - with the inspected entity).

Oversight activities can be triggered for 4 main reasons:

1. Initial oversight e.g. for certification/designation of the entity;

2. Scheduled oversight activities as per the approved ATM security oversight programme;

3. Non-scheduled security oversight activities (inspections, surveys and tests) as required by the NSA to assess the impact of new or evolving threats or as a consequence of threat assessments;

4. Follow-up audits/inspections to verify the implementation and effectiveness of corrective actions.

The ‘Manual for National ATM Security Oversight’ developed by EUROCONTROL provides further guidance, relevant documentation and links.

2.4.2

Assign clear responsibilities/ accountabilities. Evaluate the effort needed and allocate adequate resources for the oversight activity depending on its objectives, nature, scope, complexity and extent.

Allocated auditors/ inspectors must be properly qualified and empowered (Art 7 CR-IR; ICAO AVSEC Manual Chapter 7.3). Conflict of interest with the respective oversight activity must be avoided.

GUI

Allocation of staff/ resources is made on the basis of a preliminary review of the documents under investigation and an evaluation of the effort needed. Proactive internal NSA reporting/ review allows for corrections to the initial allocation, if this need arises before completion.

It should be emphasised that, according to Art 7(4) SO-IR, national supervisory authorities may decide to modify the scope of pre-planned audits, and to include additional audits, wherever that need arises.

Depending on the overall NSA capabilities as well as the scope/ subject-matter of oversight, a dedicated team may be established for more complex activities (e.g. involving on-site audits) or in relation to a large provider or complex subject-matter. The NSA assigns properly qualified staff for specific oversight tasks on a longer or permanent basis such as for the airspace and military ATM/ ATS interface, cyber/CNS security, EATMN systems interoperability, etc.

Panels of experts may be established by the NSA in order to provide advice/ opinions to NSA management and the oversight experts. Such panels should encompass all security related internal interfaces of an NSA. Their opinions, however, should be only advisory, not binding.

The State authority for ATM security oversight must keep an up-to-date list of auditors. It should be noted that many aspects of security oversight are common to all aviation security areas, regardless of whether they refer to an airport, an ACC or an aircraft operator centre. For example, oversight of physical security, personnel security, organisational security and cyber security does not require different skills for auditors of ANSPs, airports or AOs. A period of familiarisation with one or other operational environment should suffice. This consideration is extremely important because it makes it possible to build on the experience of existing practices for aviation security oversight and, much more relevant, to re-use aviation security inspectors for ATM security oversight. In other words, aviation security inspectors/auditors are by default ATM security inspectors/auditors.

Inspectors can be obtained from:


1. Aviation security qualified inspectors;

2. Other Departments, e.g. Interior, Defence;

3. A third party e.g. industry bodies;

4. Relevant entities participating in the NQCP e.g. AO, ANSP, Airport Operators, government bodies. In this case, inspectors from a specific industry body should not perform oversight activities on an industry body of the same kind (e.g. an inspector coming from air navigation service provision should not inspect an ANSP);

5. Neighbouring countries e.g. in the context of FABs, if an agreement for mutual recognition exists.

Associated material can be found in the ‘Manual for National ATM Security Oversight’.

2.4.3

In case of insufficient capabilities, the NSA commissions a qualified entity as per Art 3 SPR, to conduct part or all of the oversight tasks, acting on the NSA’s behalf.

In such a case, the NSA shall exercise oversight of the qualified entity and its deliverables.

2.4.4

The NSA establishes clear point(s) of contact/ interfaces with the ATM/ANS provider, inter alia to facilitate communication, compliance monitoring (Art 7 CR-IR) and other formalities (e.g. arrange with the concerned ANSP for the assessment of documentation and for investigations at relevant locations).

Where the NSA is tasked by the State regulator to carry out oversight tasks having civil/ military implications or requiring interfaces with external entities, clear point(s) of contact/ interfaces shall be established with the respective civil and/or military authorities or other entities concerned.

GUI

The AA (Appropriate Authority)/NSA promotes fluent communication and transparent dialogue with the entities to be audited/inspected. The following is a guide to establishing a work and communication plan. Some milestones may be altered depending on the maturity of the audit programme, e.g. if it is the first inspection ever or, on the contrary, some or many inspections have already taken place.

It is the privilege of the AA/NSA to carry out unannounced inspections; nevertheless, it is recommended not to do so at the start of the oversight programme, before becoming familiar with the process and the issues associated with security inspections. The oversight authorities strive to minimise the impact of unannounced inspections on normal operations.

ATM security oversight activities are carried out in a standardised systematic way in order to achieve consistency in the consolidation and comparison of findings and recommendations.

The national authority responsible for ATM security oversight (AA/NSA) and the oversight teams first become familiar with the entities subject to the oversight programme (see paragraph 2.3 in this appendix). This knowledge includes as a minimum:

1. Mission of the entity;

2. Organisation chart;

3. Points of contact;

4. Geographical deployment (see example in figure 15 below);

5. Asset inventory;

6. Initial oversight or ongoing oversight activity;

7. Previous audit reports/ongoing compliance issues.

2.4.5 Verify that all documentary evidences submitted by an ATM/ANS provider for the purpose of a specific verification or review are approved/ endorsed at the competent level of authority in that organisation (preferably the Chief Executive Officer or equivalent position).

GUI

The NSA sets up formal administrative processes/procedures, including the use of standardised forms, to facilitate working relationships with ANSPs, in accordance with their security categories. Inter alia, ATM/ANS organisations are required to regularly update the documentary evidences submitted to the NSA, e.g. as regards established arrangements to comply with the security requirements.

GUI By the end of the preparatory phase, the NSA must have built a clear security oversight case, meaning:

1. clarification of the relevant legal basis (‘audit criteria’ in ISO terms, binding as well as non-binding regulatory material such as MoC);

2. provision of clearly defined responsibilities, objectives, tasks breakdown and schedule (audit plan); and proper understanding of what should be the outcome and/or deliverables from that activity;

3. identification of evidential material (‘audit evidence’ in ISO terms) required for review/ verification (already in the NSA’s possession or pending to be received);

4. allocation of staff who are competent for their oversight tasks (and certified, where required);

5. establishment of formalised and effective communication/ consultation with the concerned provider and/or other authorities.

3. Verification of compliance - desktop

3.1 Desk-top verification and documentation review

GUI

This is a stand-alone audit activity and does not preclude an oversight activity based on fully-fledged auditing as per step 3.2 below.

It is best practice to carry out desk-top review in line with audit procedures.

A desk-top verification or review can be carried out in relation to any of the security oversight areas or criteria, e.g.:

1. Compliance with specific security requirements (as per the NCASP);

2. Holistic/system approach: ATM security system; Policy, organisation, internal monitoring, equipment;

3. Personnel security: human resources, recruitment, education, awareness and training of security and non-security staff;

4. Asset management and physical protection/access control;

5. Cyber and CNS security;

6. Threat and risk assessments;

7. Incident/crisis management/contingency plans;

8. Safety/security interface.

Audit team actions for desktop audit:

1. Identify the objective and scope of the oversight activity;

2. Contact the target entity; provide the list of security Requirements and Expectations;

3. Request proposed Means of compliance and Evidence against high level requirement and expectations;

4. Obtain copy of relevant documents;

5. Review documentation; compare against requirements;

6. Check where compliance against criteria is not documented; provide feedback to the entity for possible corrections;

7. Develop schedule for on-site audit, if required;

8. Define audit lots for each audit team member;

9. Develop detailed questionnaires/checklists; detailed questionnaires can be totally or partly shared with the entity.

3.1.1

Perform an initial review of the concerned documentation; determine if any relevant information or evidential material is missing (in particular if the documentation was submitted by an ATM/ANS provider).

Determine how to proceed in such cases and take action. For example, inform the concerned party and ask for reasons for the omissions and request corrective measures.

GUI This may be addressed in the administrative procedures, depending on the nature and context of the oversight activity. The NSA may:

1. request that the other party completes the documentation; or do this through arrangements for the assessment of additional documentation and investigations at the relevant location(s);

2. proceed with the oversight case without waiting for additional info/ evidence;

3. temporarily stop or definitively terminate the activity.

The other party should be informed accordingly of the NSA’s decision and of its reasons.

3.1.2 Maintain records of all relevant documents generated and received during the oversight investigations.

GUI This task is addressed procedurally in the NSA’s document management system.

3.1.3

Review/ assess the collected documentary evidence (‘audit evidence’) in respect of the related criteria and document the findings (‘audit findings’ in ISO terms):

1. Look for evidence that the applicable requirements have been understood and for clear indications that processes have been developed or adapted to meet/ fulfil them.

2. Identify needs for corrective and preventive actions; and opportunities for improvement.

3.1.4 Decide if further investigations, such as an on-site visit (an audit or inspection), are necessary. This may be the case e.g. if the documentation review indicates possible areas of weakness or concern regarding the service provider’s implementing arrangements to meet the associated requirements.

GUI

The documentation review is linked with the particularities of ATM security. However, the review is not necessarily to be confined to the documents referenced by the applicant in its exposition (e.g. the organisational exposition in a certification process). It may also cover:

1. operational documentation (e.g. operational, technical manuals/ procedures, etc.);

2. technical systems documentation (e.g. implementing arrangements or specifications related to the installation and maintenance of equipment, etc.);

3. various documentation in the areas of safety, quality, performance and human resources;

4. the outcome/ deliverables from previous oversight activities which might be relevant in the context of this particular oversight activity.

If the documentation review reveals serious concerns about the ATM/ANS organisation’s level of understanding of the applicable security requirements or of the processes that should be put in place to meet them, the person responsible for the oversight activity may opt to stop it (e.g. not proceed with an on-site audit) and refer the matter to NSA management for further decision/ action.

3.2 Steps in the particular field (security)

3.2.1

For each entity subject to security oversight a generic plan is developed. The following phases are considered in the work plan:

1. Initiation;

2. Preparation;

3. Execution.

GUI

Initiation

1. The entity is informed in writing by the national authority (for this example, the NSA) that it will be subject to security oversight, in line with national legislation and procedures. The entity is invited to acknowledge and provide any comment or concern;

2. The NSA calls for a coordination meeting with the entity:

• Explain the launching of the oversight programme (initial oversight or ongoing) starting next year;

• Its background and legal basis e.g. security requirements;

• Expectations from the NSA side;

• Invites for feedback;

• The entity informs about the current situation, problems encountered and corrective measures implemented;

• The NSA proposes an initial schedule for planned oversight activities for the following year (audits, inspections, tests and surveys) [2];

• The entity provides remarks to the plan;

• The ATM security oversight programme is approved.

Preparation

For each oversight activity within the programme, a number of preparatory activities take place. The most relevant are:

1. Preparatory phase. As a general rule, it lasts a minimum of 10 weeks prior to the audit/inspection. It includes preparation and review of documents. The NSA must appoint an audit team leader who composes his/her audit team in accordance with the nature of the oversight activity and the entity subject to it.

A standard audit team is composed of:

1. A team leader;

2. Security inspectors: the required number of inspectors and their qualifications should cover all sites and areas to be inspected e.g. cyber security, communications security, SeMS, threat assessments, physical/personnel/technical/organisational security;

3. (An) assistant(s).

Execution

The following are basic milestones in the execution of an oversight programme:

2. Visiting phase:

• Conduct of on-site audit(s)/inspection(s). It is based on the detailed questionnaires/checklists. However, the audit team is entitled to address any other issue as required;

• It includes interviews with all relevant security players at the entity.

3. Reporting phase. As a general rule, it lasts a maximum of 12 weeks following the audit/inspection.

[2] The NSA retains its privilege to conduct inspections, surveys and tests that are not announced in advance.


4. Oversight compliance on site

4.1 On-site visit

GUI

National ATM security oversight makes use of national and international best practices and standards. This contributes to enhancing the reputation of the State regarding ATM security management and to reaching harmonisation across States.

The security oversight programme consists of a schedule of planned oversight activities which are aimed at assessing the security maturity level of the entity and its compliance with the regulatory framework and associated security requirements.

The programme establishes a schedule of events that will be carried out during a twelve-month period. When required, there can be deviations from planned activities. Deviations are coordinated between the authority (NSA) and the inspected entity and revisions and amendments issued.

The ATM security oversight schedule could be laid down in tables, charts, graphics or any other supporting tool to help the NSA visualise the milestones and oversight activities. The schedule is flexible enough to accommodate non-scheduled activities.

4.1.1 Verify that the arrangements described in the documentation are effectively implemented and indeed applied by the organisation.

GUI

Depending on the objectives and complexity of the oversight activity, the review of documentation may be deferred until the on-site visit commences; or review may be preceded by a preliminary site visit in order to obtain a suitable overview of available information.

This step may involve one or several on-site visits to the relevant site(s) of the organisation, based on an oversight visit schedule/ plan and, possibly, sampling techniques based on prior assessment of risks and the identification of priority areas for oversight (see step 1.1). Sampling is applied according to risk relevance and the level of confidence gained from previous oversight.

At least one on-site audit visit is conducted, even in the case of a small organisation applying to provide services.

4.1.2 On-site visits to verify compliance with security requirements shall be carried out in accordance with guidance provided by the ICAO Aviation Security Manual (Chapter 7).

GUI

Depending on the security criticality of an ATM/ANS organisation’s services, functions, products, operations, systems, procedures etc., the NSA may verify compliance in several possible ways:

1. Review of documentation (minimum approach);

2. Review of documentation and on-site audit/ inspection: regular approach for addressing areas where review of documentation does not provide sufficient evidence of compliance with applicable requirements or where possible areas of weakness or concern are identified;

3. Review of documentation & on site security regulatory audit(s) in accordance with ICAO Aviation Security Manual, to verify compliance with the applicable security requirements.

See additional guidelines in the Manual for National ATM Security Oversight.

4.1.3 Evaluate audit evidential material against the audit criteria to generate the audit findings. Record the non-conformities and their supporting audit evidence. Record any non-resolved points (i.e. divergent opinions).

GUI

Non-conformities may be graded. They are reviewed with the auditee to ensure that the audit evidence is accurate and that the non-conformities are understood. Efforts are made to resolve any divergent opinions concerning the audit evidences and/or findings – any unresolved points are recorded.

4.1.4 Prepare the on-site visit conclusions. Depending on objectives, prepare recommendations and discuss audit follow-up, if included in the audit plan.

4.1.5 Conclude the on-site visit with a formal closing meeting or (e.g. for small organisations) by communicating the audit findings and conclusions.


Present the results first in a summarised form, and then in more detail by the individual team members for their respective assessment areas, clearly showing management the facts which led to the conclusions.

GUI The audit team does not force the audited organisation to decide during the closing meeting what corrective actions are to be taken.

5. Resulting actions

5.1 Audit/inspection report on findings

5.1.1

Upon conclusion of the investigations of an oversight activity involving one or several step activities (steps 3.1 and/or 3.2, 4.1), draw up a report of the findings and conclusions.

The audit/inspection report shall include the details of the non-conformities and conclusions, documenting all audit observations. The observations shall be supported by evidence and identified in terms of the applicable security requirements and their implementing arrangements against which the audit has been conducted.

GUI

Assessment by the audit team. An audit report must be issued in a standard format addressing all findings of the audit/inspection including the assessment of security compliance.

1. The report must be formally submitted to the entity;

2. It must clearly identify any corrective action needed, including time of completion;

3. A corrective action plan must be proposed by the entity and approved by the audit team leader or the NSA. The action plan must identify the corrective actions with immediate priority, which require action without delay. Proposals should address the “root cause” of the revealed problem.

A deficiency exists when the oversight activity reveals non-compliance with national regulations, NCASP provisions or international standards.

The level of compliance is established in accordance with national requirements. Classifying the levels of compliance will help the audited entity prioritise corrective actions. The following compliance classification is provided by ICAO (AVSEC Manual):

1. Category 1: meets the requirements;

2. Category 2: does not meet the requirements and has minor deficiencies that need improvement;

3. Category 3: does not meet the requirements and has serious deficiencies that need improvement;

4. NA (not applicable): measure or procedure does not exist at the given airport or is not available;

5. NC (not confirmed): when a measure has been either not verified or not observed due to a lack of time or other circumstances.

5.2 Oversight records archive

5.2.1 The NSA keeps appropriate records related to its oversight processes. These records are properly used as the main input to ongoing compliance monitoring.

GUI

In order to effectively conduct follow-up audits and to monitor the implementation of corrective actions, the NSA establishes a good record-keeping procedure.

NSAs formalise:

1. keeping important records related to the oversight processes, including all the reports of security regulatory audits, inspections, tests and surveys and other records related to certificates and designations;

2. how these records will be used to ensure that the oversight is done properly and transparently, to provide confidence about ANSP performance and compliance and to share with other authorised parties;

3. issues regarding record keeping (integrity, availability, accessibility, software);

4. confidentiality policy (Art. 18 of SPR).

5.3 Resolution of non-conformities, follow-up and conclusion of oversight

5.3.1

Communicate the findings to the concerned organisation, including details of the identified non-conformities, their perceived significance, the responses received at the time of the visit and the conclusions. Depending on the objectives, this may also address identified needs of preventive measures and opportunities for improvement.

Simultaneously request that the concerned organisation proposes corrective actions to address each non-conformity and a timeframe for implementation that pays due regard to the significance and impact.

All tasks mentioned above apply for audits/inspections as well as for desk-top verifications/ reviews.

In particular, it is important (mandatory) that the NSA follows closely the resolution of all identified security deficiencies and concerns.

5.3.2

Assess the corrective actions proposed, and their implementation as determined by the audited organisation, and accept them if the assessment concludes that they are sufficient to address the non-conformities.

Issue a final oversight report only after all non-conformities have been resolved and this has been verified (very important in the specific case of initial oversight, before a certificate is issued).

5.3.3

Where a certified ANSP does not, or no longer, comply with the applicable security requirements or with the conditions attached to the certificate, the competent NSA shall take a decision within a time period not exceeding one month. Through this decision, the NSA shall require the ANSP to take corrective action.

The decision shall be immediately notified to the relevant ANSP (Art 6.3 CR-IR).

GUI

Corrective actions deal with the root cause of the problem and, when implemented, are fully effective in eliminating the identified non-compliance. Where effective corrective actions are not being taken by the entity, or no indication is given as to when they will be fully implemented, the NSA may consider an enforcement action.

The organisation placed under oversight is required to:

1. determine the corrective actions deemed necessary to correct every non-conformity and the time frame for their implementation;

2. initiate the corrective actions accepted by the NSA and complete the process within the time period accepted by the NSA (Art 8.4 SO-IR; best practice for non-safety as well);

3. update/ modify accordingly the relevant documentation submitted to the NSA;

4. follow-up actions resulting from security recommendations/ directives must be monitored to ensure that corrective and mitigation actions are implemented by the audited organisation.

GUI More detailed guidance material can be found in the ICAO AVSEC Manual (Chapter 7).

5.4 Issue documented conclusions of conformities

5.4.1 Should no non-conformities be identified, or when non-conformities have been satisfactorily rectified, the NSA will issue proper documented conclusions and regulatory actions (e.g. a conformity report).

GUI Associated guidance material can be found in the ICAO AVSEC Manual (Chapter 7).

5.5 Issue documented conclusions of non-conformities


5.5.1

Where the NSA considers that corrective actions have not been properly implemented by the ATM/ANS organisation concerned, the NSA has the legal obligation (Art 6.3 CR-IR) to take appropriate enforcement measures in accordance with Art 7.7 SPR and Art 9 FR, while taking into account the need to ensure the continuity of services on condition that security and safety are not compromised. Such measures/actions may include the revocation of the certificate (Art 7.7 SPR).

Documented conclusions of non-conformities are issued as appropriate for further regulatory measures/actions by the State (e.g. a non-conformity report).

GUI

Notwithstanding the fact that such a report is subject to local/ internal arrangements and may vary significantly depending on the nature and scope of the security oversight activity, the report includes:

1. relevant information regarding the objectives, applicable requirements and scope of the respective activity/ investigations conducted,

2. a description of the relevant tasks, the methods employed and their outputs/ deliverables,

3. name(s) of the individuals and team members having carried out specific tasks,

4. references of the documentary evidence subject to review/ verification, including copies of the most significant,

5. findings, including difficulties encountered, details of the identified non-conformities and/or other shortcomings/ deficiencies; where applicable, details of the non-conformities and other concerns that could be resolved during the security oversight activity, prior to drafting the report;

6. conclusions and recommendations, on a case by case basis.

The final decision on the outcome of an oversight activity is made by a different NSA official than originally appointed as responsible for the respective activity or on the oversight team.

The release of enforcement measures decided or proposed by the NSA in accordance with Art 7.7 SPR and Art 9 FR, and other measures of greater relevance such as issuing a certificate, measures in application of safeguards, or decisions rejecting proposed changes to ATM/ANS, are subject to signature by the NSA’s most senior manager (e.g. Head of the NSA).

Appeal procedures are in place, in accordance with national law. Confidentiality requirements apply in accordance with Art 18 SPR and national law.

GUI

Generic NSA actions/measures resulting from the security oversight process and NSA or State obligations under the SES legislation are detailed in the list below.

Regarding the supervisory tasks of the State, the involvement of NSAs may vary on a case-by-case basis, depending on national law and delegation of competences to the NSA by the State. For such situations, the syntax used is “Take/ propose measures in relation to”.

The list can be further elaborated, at the discretion of each NSA, to reflect specific national legislation.

1. Delegate (tasks to) a Qualified Entity (Art 3 SPR)

2. Grant derogations for certification based on verification/monitoring of whether the ANSP qualifies for such derogations (Art 5 CR-IR)

3. Issue a certificate and conditions attached, and modifications, revocation, suspension or limitation (Art 2.15 FR, Art 7 & Annex II SPR, CR-IR)

4. Take appropriate measures based on monitoring/verification of compliance (Art 2.4 & 7.7 SPR, CR-IR)

5. Update the outcome of 1.1 with new security requirements

6. Accept the procedures of ATM/ANS organisations for introducing security-related changes to their functional systems

7. Apply follow-up oversight of corrective actions

8. Propose/ take measures in relation to State legal obligations (civil and military relevance), as appropriate under national law & institutional arrangements, in relation to:

   1. Airspace organisation and utilisation and the interface with military (possible delegation by State to the NSA as per Art 11 SPR, ASR, FUA-IR, NF-IR, (EU) 730/2006, national law & institutional arrangements)

   2. ADQ-IR: the State obligations in respect of the quality and security requirements for aeronautical data (Art 10 and Annex VII, Part C ADQ-IR)

   3. Propose safeguards in relation to State-related matters, security and defence (Art 13 FR)

5.6 Monitoring ongoing compliance/improve

5.5.1 Soon after the completion and close-out of the security oversight process, the NSA starts monitoring ongoing compliance on the particular subject or in general, according to Art 5 SO-IR.

GUI

The NSA develops a procedure for monitoring ongoing compliance.

Follow-Up Phase. As a general rule, it lasts a maximum of 16 weeks following the reporting phase.

1. The audit team shall monitor, in coordination with the entity, the implementation of the corrective action plan;

2. Verify and close out corrective actions, when duly implemented;

3. Follow-up audits can be organised to verify implementation of corrective actions.

A follow-up audit is a formal activity conducted to verify implementation of corrective actions. This should be done after receiving details of the corrective actions proposed together with associated timescales.

Closure Phase, to take place at the end of the follow-up phase. It means that all corrective actions have been duly completed. All documentation relating to the audit/inspection is filed and a letter is sent to the entity informing it of the closure of the activity.

The NSA must produce a report and keep a record of every oversight activity (audit, inspection, survey, test) in written form. Reports include:

1. date and place of the inspection;

2. name of the entity;

3. composition of the audit team;

4. list of persons met or interviewed;

5. the subject matter;

6. security aspects observed;

7. findings, results and level of compliance.

The reports must be classified and disseminated in accordance with national rules for the protection of classified or sensitive information.

8. Administrative actions:

   - Verbal advice for minor deficiencies, with record-keeping as official evidence;

   - Formal letter to the entity requiring a corrective action and expected outcome in case of a serious deficiency;

   - Enforcement notice when serious deficiencies remain or in case of major deficiencies;

   - Revocation of certificate (EC 550/2004, Art. 7.7);

   - Monetary penalties;

9. Judicial actions (if CAA is so empowered by the State legislation).


APPENDIX 2: NSA ASSESSMENT QUESTIONNAIRES

QUESTIONNAIRE ON ATM SECURITY IMPLEMENTATION STATUS FOR NSAs (1)

COMPLIANCE SELF-ASSESSMENT

Columns of the questionnaire: REQUIREMENT | REGULATORY FRAMEWORK | EXPECTATIONS | MEANS OF COMPLIANCE | EVIDENCE | COMPLIANCE (Yes / Ongoing / No) | RMKS (e.g. issues encountered, corrective actions, completion dates, etc.). The COMPLIANCE and RMKS columns are left blank for completion by the NSA; the other columns are reproduced below, requirement by requirement.

R1: Holistic approach: ATM Security embedded into the National AVSEC Programme

Regulatory framework: as per ICAO Annex 17, 12th amendment, Chapter 3.5: "Each Contracting State shall require air traffic service providers operating in that State to establish and implement appropriate security provisions to meet the requirements of the national civil aviation security programme of that State".

Expectations:

- ATM security is part of the overall national AVSEC programme, including quality control and training programmes

- Harmonised national ATM security systems are integrated in the national AVSEC system

Means of compliance: National AVSEC Programme and its constituents

Evidence:

1. National AVSEC Authority (Appropriate Authority) nominated

2. National AVSEC Committee (NCASC) established (ToR)

3. The ATM players, e.g. ANSP and aircraft operators (AO), participate in the NCASC

4. National AVSEC programme (NCASP), approved by the competent authority and implemented, including:

a) Organisation

b) Policies/framework

c) Quality control programme

d) Training programme

5. Security Programmes for AO and ANSP are included in the NCASP

R2: Security Oversight

Regulatory framework:

- ICAO Annex 17, Chapter 3.4

- EC 550/2004; role of NSAs (inspections and surveys)

- ECAC Doc. 30, Chapter 13 (ATM Security)

- EC 300/2008; national AVSEC quality control programme

Expectations:

- Oversight function is executed as part of the AVSEC Programme/Quality control programme

- Separation between oversight function, regulatory function and service provision

Means of compliance: National AVSEC Programme and its constituents (quality control programme)

Evidence:

1. Security oversight plan as part of the Quality control programme

2. Clear roles and responsibilities are defined in the AVSEC Programme

3. ANSP audits/inspections reports

4. Aircraft operators audits/inspections reports

R3: Comprehensive ATM security/holistic approach

Regulatory framework:

- ICAO ATM Security Guidance (2)

- ECAC Doc. 30 (Chapter 13)

Expectations:

- The ATM Security key areas, Self Protection and Collaborative Support to national civil and military authorities, are addressed by the AVSEC programme

- The national regulatory framework includes specific legislation for airspace security/support to NGA

- ATM support to national and international security and defence requirements is fully recognised and integrated in the NCASP and associated SeMS and security programmes, including interface with airspace security, in line with national and international requirements

Means of compliance: National AVSEC Programme and its constituents (ATM security and its 2 key areas)

Evidence:

1. Documented parts of the AVSEC Programme addressing both the self protection and the collaborative support ATM security areas

2. Comprehensive composition of the AVSEC committee (NCASC), e.g. airlines, ANSP and military participate

3. ANSP security programmes or SeMS approved and implemented

4. Aircraft operators security programmes or SeMS approved and implemented

5. Documented specific legislation for airspace security/support to NGA

R4: Cyber security

Regulatory framework:

- ICAO Annex 17, 12th amendment, Chapter 4.9, and its AVSEC Manual (Chapter 18)

- ECAC Doc. 30 (Chapter 14)

- EC 1035/2011

- EC 73/2010

Expectations: Cyber security issues are part of the overall AVSEC activities

Means of compliance: National AVSEC Programme and its constituents (cyber security programme)

Evidence:

1. Cyber security is part of the AVSEC Programme, including oversight and training

2. Cyber security is part of the threat and risk assessment plan

3. Threat and risk assessment reports

4. ANSP, AO and other entities audits/inspection reports

R5: Security is intelligence driven, threat based and risk managed

Regulatory framework:

- ICAO AVSEC Manual, 8th Edition

- ICAO ATM Security Guidance

- EC 1035/2011

Expectations:

- AVSEC activities are based on continuous threat and risk assessments, with support from the national security and intelligence organisations

- Security is monitored and improved based on lessons learnt

Means of compliance: National AVSEC Programme and its constituents (Threat and Risk Assessments, security monitoring and improvement)

Evidence:

1. National AVSEC Threat and Risk assessment plan is part of the AVSEC Programme

2. Threat and Risk assessment studies carried out. National threat assessments are available and are used to carry out local security threat and risk assessments, which are updated on a regular basis

3. Security monitoring system, lessons learnt and mitigation actions implemented

R6: Incident and Crisis management, contingency planning

Regulatory framework:

- ICAO AVSEC Manual, 8th Edition

- ICAO ATM Security Guidance

- EC 1035/2011

Expectations:

- The management of security incidents and crises is fully addressed by the National AVSEC Programme, at organisational and procedural level

- Contingency planning is part of the National AVSEC Programme

Means of compliance: National AVSEC Programme and its constituents (incident/crisis management system, contingency plans for ATM)

Evidence:

1. There is a system established, including procedures, for incident management (e.g. airspace security incidents). The system is regularly exercised and updated with lessons learnt

2. There is an aviation crisis management system established, which interfaces with the national crisis management organisations and the EACCC (European Aviation Crisis Coordination Cell in the Network Manager). The system is regularly exercised and updated with lessons learnt

3. National aviation and ATM security Contingency Plans have been developed and approved by the Appropriate Authority. They cater for both pre-defined and ‘unknown’ scenarios. The plans are regularly exercised and updated with lessons learnt

4. As part of the security management systems of ANSP and other concerned organisations, there is a system in place for security breach detection, incident notification, lessons learnt and implementation of corrective measures

5. As part of the security management systems of ANSP and other concerned organisations, there are contingency and crisis management plans approved and implemented. The plans are regularly exercised and updated with lessons learnt.

R7: Training

Regulatory framework:

- ICAO Annex 17, Chapter 3.1

- ICAO AVSEC Manual, 8th Edition, Chapter 8

Expectations: The ATM Security training function is executed as part of the AVSEC Programme, within the National Civil Aviation Security Training Programme (NCASTP)

Means of compliance: National AVSEC Programme and its constituents, i.e. National Civil Aviation Security Training Programme (NCASTP)

Evidence:

1. ATM security training chapter within the NCASTP

2. ATM security training needs and requirements identified in the NCASTP: security culture, education, awareness, training and exercise plan, qualifications, training centres, etc.

3. Clear roles and responsibilities for ATM security training established

4. ATM security training includes both self protection and collaborative support aspects

R8: Safety/Security Interface

Regulatory framework:

- ICAO AVSEC Manual, 8th Edition, Chapter 9

- EC 1035/2011

Expectations: Security management is integrated or at least coordinated and aligned with safety management (and ideally with other management systems, e.g. Quality), in order to exploit synergies, avoid overlaps and make sure that security developments do not jeopardise safety and vice versa

Means of compliance:

- National AVSEC Programme and its constituents (safety and security interface definition)

- Documented process of safety/security (and ideally quality) integration, coordination and alignment, included in security programmes of ANSP, AO and other applicable entities

Evidence:

1. Risk management processes consider an all-hazard approach

2. Risk management is exercised at the highest level (national, e.g. NCASC, and corporate board for AO and ANSP)

3. Safety and security managers coordination meetings

4. Joint complementary multidisciplinary audits/inspections

5. Integrated security/safety (and ideally quality) management systems for ANSP, AO and other applicable entities

R9: Security Information Exchange

Regulatory framework: ICAO AVSEC Manual, 8th Edition, Chapter 4

Expectations:

- National security activities are based on continuous sharing of security information, like threat and risk assessments, with support from the national security and intelligence organisations.

- Bilateral and regional agreements are in place.

Means of compliance: Federated collaborative security information exchange mechanism, for mutual support:

- within the State

- with neighbouring and other States

including provisions for the protection of classified and sensitive information

Evidence:

1. Security information and Threat and Risk assessments are shared within the State ATM security partners

2. Security information and Threat and Risk assessments are shared with neighbouring and other States

3. Intelligence inputs are provided to establish the threat level and security alerts

4. Security incidents; post-incident analysis and reports; lessons learnt

5. A point of contact network is established for dissemination of security information, including provisions for the protection of classified and sensitive information

6. Documented nomination and job description of security officers for the protection of classified information, and its rules of procedure

R10: International collaboration

Regulatory framework: ICAO AVSEC Manual, 8th Edition, Chapters 3 and 4

Expectations: The NCASP caters for bi-lateral, multi-lateral and regional security agreements in order to improve and harmonise global security and facilitate cross-border arrangements and handling of incidents

Means of compliance: Bi-lateral, multi-lateral and regional security agreements established.

Evidence:

1. Documented bi-lateral, multi-lateral and regional security agreements are in place and exercised

2. Cross-border arrangements with neighbouring (FAB) States are documented and exercised

3. Provisions of international agreements are documented in the NCASP and included in its associated elements, i.e. NCASTP, NCASQCP (Quality Control Programme)

(1) The questionnaire, once filled in, shall be classified as Restricted and subject to applicable national protective measures.

(2) The Guidance is expected to be published by the end of 2012.

QUESTIONNAIRE ON REGULATORY GAP ANALYSIS REGARDING THE SES AND NATIONAL LEGISLATION (3)

Columns of the questionnaire: REGULATION | NAME | SECURITY ASPECT | Is the current regulatory framework sufficient to address ATM security? Could it be improved and how? The last column is left blank for the NSA’s assessment; the other columns are reproduced below, regulation by regulation.

Regulation: EC 550/2004

Name: ANS Provision Regulation, establishing common requirements for the safe and efficient provision of ANS in the Community

Security aspect: Includes the obligation of the national supervisory authorities (NSA) to organise inspections and surveys to verify compliance with the requirements (laid down in EC Reg. N° 1035/2011)

Regulation: EC 1035/2011

Name: Laying down common requirements for the provision of air navigation services

Security aspect:

An air navigation service provider shall establish a security management system to ensure:

(a) the security of its facilities and personnel so as to prevent unlawful interference with the provision of services;

(b) the security of operational data it receives or produces or otherwise employs so that access to it is restricted only to those authorised.

The security management system shall define:

(a) the procedures relating to security risk assessment and mitigation, security monitoring and improvement, security reviews and lesson dissemination;

(b) the means designed to detect security breaches and to alert personnel with appropriate security warnings;

(c) the means of containing the effects of security breaches and to identify recovery action and mitigation procedures to prevent re-occurrence.

An air navigation service provider shall ensure the security clearance of its personnel, if appropriate, and coordinate with the relevant civil and military authorities to ensure the security of its facilities, personnel and data.

At the latest one year after certification, an air navigation service provider shall have in place contingency plans for all the services it provides in the case of events which result in significant degradation or interruption of its services.

‘A provider of aeronautical information services shall ensure the integrity of data and confirm the level of accuracy of the information distributed for operations, including the source of such information, before such information is distributed’.

‘A provider of communication, navigation or surveillance services shall ensure the availability, continuity, accuracy and integrity of its services’.

Regulation: EC 73/2010

Name: Laying down requirements on the quality of aeronautical data and aeronautical information for the Single European Sky

Security aspect:

Lays down the requirements on the quality of aeronautical data and aeronautical information in terms of accuracy, resolution and integrity.

List of security management objectives:

- to ensure the security of aeronautical data and aeronautical information received, produced or otherwise employed so that it is protected from interference and access to it is restricted only to those authorised;

- to ensure that the security management measures of an organisation meet appropriate national or international requirements for critical infrastructure and business continuity, and international standards for security management, including the ISO standards referred to hereafter.

Regarding the ISO standards, the relevant certificate issued by an appropriately accredited organisation shall be considered as a sufficient means of compliance.

ISO standards referred to:

- International Organisation for Standardisation, ISO/IEC 17799:2005 (4) — Information technology — Security techniques — Code of practice for information security management (Edition 2 — 10.6.2005).

- International Organisation for Standardisation, ISO 28000:2007 — Specification for security management systems for the supply chain (Edition 1 — 21.9.2007, under revision, to be replaced by Edition 2, target date 31.1.2008 [at enquiry stage]).

Regulation: EC 300/2008

Name: Common rules in the field of civil aviation security

Security aspect:

Includes requirements for common basic standards for safeguarding civil aviation against acts of unlawful interference that jeopardise the security of civil aviation. Most of these common standards refer to security on the ground. However, there are also ‘IN-FLIGHT SECURITY MEASURES’, namely:

1. Without prejudice to the applicable aviation safety rules:

(a) unauthorised persons shall be prevented from entering the flight crew compartment during a flight;

(b) potentially disruptive passengers shall be subjected to appropriate security measures during a flight.

2. Appropriate security measures such as training of flight crew and cabin staff shall be taken to prevent acts of unlawful interference during a flight.

3. Weapons, with the exception of those carried in the hold, shall not be carried on board an aircraft unless the required security conditions in accordance with national laws have been fulfilled and authorisation has been given by the states involved.

(3) The questionnaire, once filled in, shall be classified as Restricted and subject to applicable national protective measures.

(4) The current name of the standard is ISO 27002.

NATIONAL REGULATORY FRAMEWORK (5)

Columns of the table: Num. | Rank (e.g. Law, Decree, regulation…) | Title | Subject/Content extract | Relevant aspects | Assessment (Is the current regulatory framework sufficient to address ATM security? Could it be improved? How?)

Rows 1 to 5 are left blank, to be completed by the NSA with its national instruments.

(5) e.g. National regulations for Aviation Security, ATM Security, Airspace Security/support to NSAs, etc.