DSS/Support to CAA-NSA

ANNEX 6 - ATM SECURITY OVERSIGHT

1. INTRODUCTION

Security oversight is a fundamental function for improving the overall security process in a proactive manner. It is the responsibility of the State security authorities. It allows compliance to be verified on the one hand and, even more importantly, improvements to be identified towards a dynamic, efficient security capability able to anticipate and mitigate the main threats and risks to ATM. This aim is best achieved by introducing a holistic and systemic approach to security, e.g. via the development and implementation of security management systems.

By guaranteeing security compliance, security oversight contributes to improving trust in the ATM system. It also facilitates the security assurance and validation process on the part of the organisations implementing the security requirements and helps to improve the Plan-Do-Check-Act security loop, thus enhancing the quality of the security management systems.

Training, accreditation and designation of security auditors are key aspects of ATM security performance. The quality of security oversight will depend on the quality of training for security auditors, thus impacting on the overall result of the national aviation security programme. Therefore, the quality (and quantity) of security auditors is a major aspect of national aviation security performance.

A national ATM Security Oversight Programme should not run in isolation but as an integral part of the broader National Aviation Security Programme.

2. SCOPE

The scope of this process is the oversight of ATM security at national level. FAB and network (Network Manager, NM) dimensions are not fully addressed within the scope of this document. However, initial requirements are tabled in Appendix 1.

ATM security must not be addressed in isolation but as an integral part of the overall aviation security system, following a holistic approach.
A national ATM security oversight programme should consider all the aspects relevant to ATM security, including possible interfaces with other aviation security related issues. A common understanding of what ATM security is, in the framework of the broader concept of aviation security, is therefore needed.

Holistic approach

ATM security, as a major component of overall aviation security, also requires a holistic approach. ATM security needs to be addressed in a gate-to-gate concept. Interfaces with the other aviation security components deserve special attention, e.g. CNS security (ADS-B, GNSS, data links), Airspace Security and Airport Security. ATM security must be embedded as an integral part of the aviation security system, and therefore it should be included in the National AVSEC Programme.

Understanding ATM Security

ATM Security is a major component of aviation security (AVSEC). ATM security is concerned with those threats that are aimed at the ATM System directly, such as attacks on ATM assets, or where ATM plays a key role in the prevention of or response to threats aimed at other parts of the aviation system (including national and international high-value assets) and in limiting the effects of such threats on the overall ATM Network. It comprises two key areas:

1. Self-protection of the ATM system: this addresses security and resilience of physical infrastructure, personnel, information and communication systems, ATM/CNS infrastructure and networks;
2. ATM Collaborative Support to aviation security and to the civil and military authorities responsible for national security and defence.

ATM Security has an interface with Airspace Security revolving around the national security and defence requirements, operational aspects of collaborative support, and technological security and interoperability between civil and military systems.

Security threats may be directed at aircraft or through them to targets on the ground.
The ATM facilities and systems may also become threat targets. Although ATM cannot by itself address all issues, it nevertheless has to provide responsible authorities with the requested help in all phases of the security occurrence in accordance with national, ICAO and other relevant international rules. The international dimension imposes the uniform and effective application of suitable measures. ATM has to support national security in respect of the identification of flights entering a State's national territory, and air defence organisations have to be provided with all ATM information relevant to their task.

On the other hand, particular attention will need to be paid to the preparation of contingency plans designed to handle degradations of the ATM system and security-related emergency situations. Indeed, contingency planning is an essential part of the overall security cycle. It aims at getting the system back to normal as soon as possible after an attack. This prevents the attackers/terrorists from exploiting the success of an attack twice: first by hitting an ATM target, and then by disrupting normal operations for a long period due to overreaction and lack of contingency plans. The associated economic impact of a lack of contingency planning must also be considered. The figure below illustrates a complete resilience cycle, including contingency planning:

Figure 2.1: The ATM security resilience cycle

3. REGULATORY FRAMEWORK

The national ATM security oversight programme must look at the full range of security regulations at national and international level relevant to the provision of air navigation services, in order to provide for a consistent and comprehensive security oversight function. ATM security auditors must be familiar with regulations in place and under development, as well as with ongoing ATM security activities at national, regional and global level.

The Global regulatory framework

Aviation security is one of the key activities within the International Civil Aviation Organisation (ICAO). Since 9/11, ICAO has become extremely active in security awareness and support, facilitation, training and oversight. Provisions for international aviation security were first disseminated as Annex 17 to the Chicago Convention in 1974 and since then have been improved and updated 11 times. A 12th amendment to the Annex has been approved by the ICAO Council and is applicable as of 1 July. This amendment incorporates for the first time provisions for ATM security and cyber security.
An improved aviation security manual has also been published to support States in implementing the provisions of Annex 17. Furthermore, an ATM Security Manual has also been published at the end of.

A fundamental element within the ICAO aviation security programme is the ICAO Universal Security Audit Programme (USAP). It represents an important initiative in ICAO's strategy for strengthening aviation security worldwide and for attaining commitment from States in a collaborative effort to establish a global aviation security system. The programme, part of ICAO's aviation security plan of action, provides for mandatory and regular audits of all ICAO contracting States. The ICAO audit assesses the State's capability for providing security oversight by determining whether the critical elements of a security oversight system have been implemented effectively.

Implementation of the programme began with the first security audit in November. The second cycle of security audits commenced in January 2008, and is expected to conclude in. In addition to security audits, the programme entails audit follow-up visits that focus on the implementation of corrective action plans.

It could be expected that ATM security and cyber security (included in the 12th amendment to Annex 17) would be incorporated in the USAP in the near future. This would have an impact on the national ATM security oversight programme.

The European regulatory framework (SES I/SES II)

The initial SES package came into force in. In the light of the SES, a specific regulatory framework for air navigation service (ANS) security has been developing in the European Union since 2004 (e.g. Regulation (EC) No. 550/2004 and Regulation (EC) No. 1035/2011). The service provision regulation (EC) No. 550/2004 establishes common requirements for the safe and efficient provision of ANS in the Community, where security is one of the requirements.
The regulation includes a common system for the certification and designation of air navigation service providers. This enables the definition of their governing rules and obligations. This regulatory framework is distinct from the regulatory framework for aviation security (e.g., former Regulation (EC) No. 2320/2002 and new Regulation (EC) No. 300/2008). The security oversight responsibilities extend to all these aspects of ANS.

Figure 3.1: Typical organisation of ANS

Security aspects of Regulation (EC) No. 73/2010

Regulation (EC) No. 73/2010 lays down requirements on the quality of aeronautical data and aeronautical information for the single European sky in terms of accuracy, resolution and integrity. The regulation mentions ISO as a means of compliance. This should be welcomed, since it could provide a general baseline and grounds for harmonised INFOSEC in aviation. However, caution is needed before considering ISO standards as the complete or definitive solution for cyber defence in the SES.

The National Regulatory Framework

National regulations complementing or extending global and regional regulations and standards are extremely important in order to adapt the regulatory framework to local circumstances. Each State should tailor or customise the international security framework to its specific needs and constraints.

National security regulations are especially relevant in the case of the ATM Security/Collaborative Support area. This is because the link with national security and defence precludes any regulatory activity other than national. Nevertheless, the international dimension of ATM security imposes the adoption of a harmonised global approach and the uniform and effective application of suitable measures. Organisations like EUROCONTROL, NATO and ICAO (recently addressing civil-military cooperation in ATM) play a role in this regard.

The most critical aspect of the ATM collaborative support is the provision of information to the national civil and military authorities (i.e. Air Defence) and the support in case of security incidents (collaborative ATM security incident management).
Following the 9/11 attacks, many States nominated a National Governmental Authority (NGA), responsible for the decision making and resolution of airspace security incidents, such as Renegade [1]. Accordingly, many States have reviewed or issued new legislation to cope with the new threat. The implementation of this legislation must also be part of the national ATM security oversight programme.

4. ORGANISATIONAL ASPECTS

ICAO Annex 17 establishes that each contracting State shall designate and specify to ICAO an appropriate authority within its administration to be responsible for the development, implementation and maintenance of the national civil aviation security programme. This programme aims at safeguarding civil aviation operations against acts of unlawful interference, through regulations, practices and procedures which take into account the safety, regularity and efficiency of flights.

The Appropriate Authority is responsible for the National Civil Aviation Security Programme and its associated National Civil Aviation Security Committee (NCASC).

It is important that the regulatory and oversight functions and the implementation functions be separated. In the case of ANS security for the SES, this means that the ANSP must implement a SecMS (Security Management System) to comply with Regulation (EC) No. 2096, and the NSA must oversee that the ANSP SecMS is compliant with the 2096 requirements.

Figure 5.1: Separation of regulatory, oversight and implementation functions (Regulator: ICAO, EC, CAA; Oversight: AA, NSA, EC, ICAO; Implementation: ANSP, Airports, AO, Entities)

[1] A situation where a civil aircraft is used as a weapon to perpetrate a terrorist attack is usually referred to as a Renegade.

The CAA, the NSA and the Appropriate Authority (AA) are nominated by the State. They should normally belong to the Ministry of Transport. Nevertheless, States might decide otherwise; for instance, the oversight function can be assigned to a higher level when it includes national police or military involved in the protection of critical infrastructure, i.e. hubs, radar and communications sites. It is normal practice for the CAA to also perform as the NSA.

The Appropriate Authority is, at present, normally involved in airport security issues only. Nevertheless, the new amendment of ICAO Annex 17 opens the door to including ANS (ATS in ICAO terminology) within the National Aviation Security Programme (NAVSECP). It is up to the States to decide whether:

1. the Appropriate Authority will also be responsible for ATM security oversight, i.e. in support of the NSA; or
2. ATM and airport security oversight will remain separated (under the NSA and the AA respectively); or even
3. there will be a single oversight authority for all aviation security aspects (NSA = AA).

5. OVERSIGHT PROGRAMME

Security oversight is one of the three main aspects of a system approach to security, the other two being the regulatory and the provision (or implementation) functions, as depicted in the triangle in the paragraph above.

When developing an ATM Security Oversight Programme, the following elements should be considered:

1. Scope;
2. Authority;
3. Organisation;
4. Policy setting;
5. Audit/Inspections Plan;
6. Current Status.

APPENDIX 1: STEPS FOR OVERSIGHT OF ANSP ATM SECURITY

ATM Security System

An ATM Security System is a combination of organisation, means and doctrine (policies, regulations, procedures) established to protect the ATM system (people, aircraft, airspace, infrastructure and information) against attacks and acts of unlawful interference.

The implementation of an ATM security system shall ensure the achievement of the ATM security objective. The general objective of ATM security is to determine effective mechanisms and procedures to enhance the response of ATM to security threats and events affecting flights (aircraft and passengers) or the ATM system (EUROCONTROL ATM Strategy for the Years 2000+).

The ATM security system shall then protect the ATM System by preventing terrorist attacks and acts of unlawful interference (or any other threat) and by facilitating intervention when necessary. The ATM security system should address all identified ATM threats, in line with the national threat assessment and security scenarios. Therefore, it should be tailored to respond to the full spectrum of security contingencies and to correct any identified ATM System security weaknesses.

It is important to note that a "System" does not necessarily stand for a sophisticated tool or state-of-the-art hardware and software. On the contrary, often it just encompasses elements, activities, people or ideas.

The system should be robust and resilient enough to cope with the full spectrum of threats. Therefore it must be intelligence driven and risk based. Security risk and threat assessments have to be carried out and updated on a regular basis to permanently adapt the security preparedness and response to new, evolving and emerging threats.

ATM Security: intelligence-led, threat-based and risk-managed

What are the threats to the SES ATM System?
It is a national responsibility to develop and update a threat and risk assessment for aviation. This assessment must be shared with all involved aviation players, on a need-to-know basis. This national security assessment must be complemented with particular threat assessments carried out by the ATM organisations, such as the ANSP providing services in that State.

An initial checklist for compliance with security requirements by ANSPs and other ATM organisations follows.

Figure: The ATM security oversight process flow chart

ATM security oversight procedural steps

Note: Blue marks generic tasks; Yellow indicates explanatory material and additional guidelines.

Tasks / Description and Comments

1. Security requirements

1.1 Definition of Security requirements in ATM/ANS

Identify and implement security requirements for ATM/ANS.

Security requirements are normally imposed by national and international legislation. National authorities should base the oversight programme on these requirements, which shall be met by the ATM/ANS entities. Security requirements shall be clearly established and reflected in the National Civil Aviation Security Programme (NCASP). Security requirements are reviewed in line with new legislation and as a result of the threat and risk assessment process.

The starting point of security oversight is to know what has to be audited or inspected. The oversight programme must look into legal compliance (against security requirements). But also, and more importantly, oversight authorities should follow an outcome-based security approach. This means checking whether, despite objective compliance with security requirements, the overall security environment is improving, by means of:

1. raising the security culture within the organisation, through an education, awareness and training plan;
2. embedding security into the core business process;
3. full management and staff commitment to security;
4. improving security incident management, reporting and corrective actions implementation;
5. adapting the security system to the actual threat and risk environment: intelligence-led, threat-based, risk-managed security;
6. a holistic approach (considering all security aspects/scenarios) and a cost-effective, practical and sustainable security management system.

The regulatory framework for ATM security must be clearly defined within the NCASP. It includes:

1. ICAO framework: Annex 17, Aviation Security Manual, ATM Security Manual and other relevant security guidelines;
2. EU: cyber security (EU Cyber Security Strategy), aviation security (e.g. EC 300/2008, 859/2011) and SES security related legislation (e.g. EC 1035/2011, 73/2010);
3. ECAC: Doc 30 and associated guidance;
4. National applicable legislation for aviation and ATM security;
5. Other relevant national or international legal frameworks, e.g. security and defence treaties, protection of critical infrastructures, etc.

Threat and risk assessments for ATM/CNS should not be done in isolation (bottom-up) but in the context of the NCASP (top-down approach). State authorities are responsible for providing a coherent threat and risk context for all aviation and ATM organisations. In this regard, they must consider:

1. the ICAO Risk Context Statement (RCS) and the outcome of the Threat and Risk Working Group;
2. the relevant outcome of the EU AVSEC Regulatory Committee;
3. the ECAC Vulnerability assessment programme;
4. general national threat and risk assessments;
5. aviation- and ATM-specific national threat and risk assessments (as part of the NCASP).

ATM/ANS organisations must complement this threat and risk context with local threat and risk assessments adapted to the specific circumstances and location of the ATM/CNS infrastructure.

National authorities establish and carry out their oversight programme mainly through dedicated audits of the critical areas/elements of an ATM/ANS provider, on the basis of risk assessment and the identification of priority areas, rather than on periodic scheduling of large-scale audits at random physical locations.

Other triggers for a specific oversight activity may be:

1. the need to follow up/verify effective implementation of or compliance with a specific regulatory action or measure taken by the NSA as a result of previous oversight;
2. an unforeseen event (e.g. an incident or attack) which calls for an ad-hoc verification by the NSA;
3. a request by the ANSP that the NSA approves or accepts proposed new arrangements (e.g. a change to security processes, implementation of new security equipment);
4. the introduction of a change to a functional ATM/CNS system based on the verification or review of specific documented evidence (e.g. security arguments);
5. the need to certify an ANSP or other entity for the first time;
6. entry into force of new security requirements.

2. (Annual) inspection programme

2.1 Develop and maintain the (annual) inspections programme

Establish/maintain an inspection programme based on assessment of risks and identified priorities (Art 2.2 SPR, Art 8 CR-IR).

ANSP included in the NCASP and the National Civil Aviation Security Quality Control Programme (NQCP) (ICAO Annex 17 and AVSEC Manual).

Security oversight is a compliance monitoring and verification process by which the security authorities obtain evidence that the required and expected security performance is met by the different players in the ATM system. This can be done through the establishment of an inspection and audit programme.

Inspections examine the implementation of relevant national civil aviation security programme requirements by an airline, ANSP, airport or other entity involved in security. Audits are an in-depth compliance examination of all aspects of the implementation of the national civil aviation security programme (see annex on Definitions).
Nevertheless, both inspections and audits must not restrict themselves to compliance verification (prescription-based) but go beyond regulatory compliance and address the system-based and outcome-oriented aspects.

It is important that NSAs have a good understanding of what is mandatory and what is only optional, including what should be seen as good practice. Certainly, NSAs cannot force ANSPs to implement optional requirements.

Article 8 CR-IR requires that an NSA monitors annually the ongoing compliance of the ANSPs which it has certified. To this end, the NSA shall establish and update annually an indicative inspection programme covering all the providers it has certified and based on an assessment of the risks associated with the different operations constituting the services. It should be noted that an inspection in the sense of SPR and CR-IR is not defined in EU law but may be subject to national law.

Besides audits and inspections, the overall annual oversight programme may in addition provide for surveys (Art. 2.2 SPR and Art 7 CR-IR), reviews and other forms of verification which may also be conducted within a desk-top procedure (i.e. not accompanied by on-site visits, unless necessary). The NSA may opt for such simpler verifications in the case of oversight activities which do not pose the level of risks perceived in the areas/elements verified for compliance by means of audits and inspections. Nonetheless, even if simpler than a full-fledged security regulatory audit, desk-top oversight as per step 3.1 should also be carried out in accordance with audit procedures/techniques.

A security survey is an evaluation of security needs. It is intended to:

1. Highlight vulnerabilities that could be exploited to carry out an act of unlawful interference
2. Recommend corrective actions
3. Should be carried out whenever a threat necessitates an increased level of security
4. The scope ranges from targeted assessment focused on a specific operation to an overall evaluation of security measures
5. Timing: from a few hours to several weeks
6. Should include overt or covert security tests

A security test is a simulation of an attempt to commit an unlawful act to test a security measure:

1. May be overt or covert security tests
2. Only demonstrate if a security measure or control proved effective at a specific place and time
3. Focus on access control to restricted areas, protection of assets, etc.

Before it is formally adopted, the audit/inspections programme must be notified to and, if necessary, discussed with the ANSPs concerned and, possibly, with other NSAs concerned (Art 8 paragraph 2 CR-IR).

The audit/inspections programme must be implemented and managed effectively and efficiently, on authority granted by the NSA's top management. The programme also includes all activities necessary for planning and organising the types and numbers of audits/inspections, and for providing resources to conduct them effectively and efficiently within specified timeframes.

Finally, the oversight programme should provide for verifications required in the frame of specific IRs where the NSA or the State has to ensure that specific regulatory measures are implemented or deployed by the ANSPs or other stakeholders subject to the authority of that NSA or State. These verifications are mandated on the basis of specific target dates rather than on a periodic basis. Alternatively, such verifications may be effected through step 3.1 and step 3.2 of the oversight activities.

Further guidance material on annual audit planning is included in the Manual for National ATM Security Oversight.
2.2 Define an oversight case

It is emphasised that the following steps 2.2, 2.3 and 2.4 are not related to the development of the inspection programme. These steps are actions for the inspection preparation covered by steps 3 and.

Examine the oversight case based on any trigger received and inform/consult the ANSP accordingly.

Conduct initial oversight investigations to gain objective information to enable an NSA decision regarding further oversight activities. As a result of the initial oversight investigations, the NSA may terminate the oversight process if it appears that it cannot be completed due to the lack of resources within the applicant's structure or its lack of commitment to comply with the applicable requirements. Such a decision is to be notified to the applicant together with the reasons.

2.3 Consultation with ANSP and other entities

The NSA consults the ANSPs concerned as well as any other national supervisory authority concerned, if appropriate, before establishing such a programme. The NSA is to communicate the initial plan to the ANSP and get their comments and proposals.

The previous provisions do not mean that all security requirements are checked annually. Different areas of security requirements (e.g. cyber) may have different oversight cycles. Nonetheless, all security requirements are checked at least once during the validity period of the certificate.

2.4 Preparation of the inspection

Identify the legal basis: the regulatory requirements which determine the oversight activity, the expectations from the oversight authorities, the relevant means of compliance (MoC), the evidence and the detailed requirements.

1. Requirements: as laid down in the regulation/legislation or applicable directive or standard;
2. Expectation: of the oversight authority on how the inspected entities must fulfil the requirement. It must be communicated to the entities;
3. MoC: arguments claiming to fulfil the expectation, provided by the inspected entities and agreed by the oversight authority;
4. Evidence: to justify the arguments; provided by the inspected entities and assessed by the oversight authority;
5. Detailed requirements (questionnaires): used by the inspectors (normally shared partly, not in full, with the inspected entity).

Oversight activities can respond to 4 main reasons:

1. Initial oversight, e.g. for certification/designation of the entity;
2. Scheduled oversight activities as per the approved ATM security oversight programme;
3. Non-scheduled security oversight activities (inspections, surveys and tests) as required by the NSA to assess the impact of new or evolving threats or as a consequence of threat assessments;
4. Follow-up audits/inspections to verify the implementation and effectiveness of corrective actions.

The Manual for National ATM Security Oversight developed by EUROCONTROL provides further guidance, relevant documentation and links.

Assign clear responsibilities/accountabilities.

Evaluate the effort needed and allocate adequate resources for the oversight activity depending on its objectives, nature, scope, complexity and extent. Allocated auditors/inspectors must be properly qualified and empowered (Art 7 CR-IR; ICAO AVSEC Manual Chapter 7.3). Conflict of interest with the respective oversight activity must be avoided.
Allocation of staff/resources is on the basis of a preliminary review of the documents under investigation and an evaluation of the effort needed. Proactive internal NSA reporting/review allows for corrections to the initial allocation, if this need arises before completion.

It should be emphasised that according to Art 7(4) SO-IR: national supervisory authorities may decide to modify the scope of pre-planned audits, and to include additional audits, wherever that need arises.

Depending on the overall NSA capabilities as well as the scope/subject-matter of oversight, a dedicated team may be established for more complex activities (e.g. involving on-site audits) or in relation to a large provider or complex subject-matter.

The NSA assigns properly qualified staff for specific oversight tasks on a longer or permanent basis, such as for the airspace and military ATM/ATS interface, cyber/CNS security, EATMN systems interoperability, etc.

Panels of experts may be established by the NSA in order to provide advice/opinions to NSA management and the oversight experts. Such panels should encompass all security related internal interfaces of an NSA. Their opinions, however, should be only advisory, not binding.

The State authority for ATM security oversight must keep an up-to-date list of auditors.

It should be noted that many aspects of security oversight are common to all aviation security areas, regardless of whether they refer to an airport, an ACC or an aircraft operator centre. For example, oversight of physical security, personnel security, organisational security and cyber security does not require different skills for auditors of ANSPs, airports or AOs. A period of familiarisation with one or other operational environment should suffice.
This consideration is extremely important because it provides a possibility to build on the experience of existing practices for aviation security oversight and, much more relevant, to re-use aviation security inspectors for ATM security oversight. In other words, aviation security inspectors/auditors are by default ATM security inspectors/auditors. Inspectors can be obtained from:

11 DSS/Support to CAA-NSA Appendix 1: Steps for the Oversight of ATM Security A6/App1-7 Tasks Description and Comments

1. Aviation security qualified inspectors;
2. Other Departments, e.g. Interior, Defence;
3. A third party e.g. industry bodies;
4. Relevant entities participating in the NQCP e.g. AO, ANSP, Airport Operators, government bodies. In this case, inspectors from a specific industry body should not perform oversight activities on an industry body of the same kind (e.g. an inspector coming from air navigation service provision should not inspect an ANSP);
5. Neighbouring countries e.g. in the context of FABs, if agreement for mutual recognition exists.

Associated material can be found in the Manual for National ATM Security Oversight.

In case of insufficient capabilities, the NSA commissions a qualified entity as per Art 3 SPR, to conduct part or all of the oversight tasks, acting on the NSA's behalf. In such a case, the NSA shall exercise oversight of the qualified entity and its deliverables.

The NSA establishes clear point(s) of contact/interfaces with the ATM/ANS provider, inter alia to facilitate communication, compliance monitoring (Art 7 CR-IR) and other formalities (e.g. arrange with the concerned ANSP for the assessment of documentation and for investigations at relevant locations).

Where the NSA is tasked by the State regulator to carry out oversight tasks having civil/military implications or requiring interfaces with external entities, clear point(s) of contact/interfaces shall be established with the respective civil and/or military authorities or other entities concerned.

The AA (Appropriate Authority)/NSA promotes fluent communication and transparent dialogue with the entities to be audited/inspected. The following is a guide to establish work and a communication plan. Some milestones may be altered depending on the maturity of the audit programme, e.g. if it is the first inspection ever or, on the contrary, some or many inspections have already taken place.

It is the privilege of the AA/NSA to carry out unannounced inspections; nevertheless, it is recommended not to do so at the initiation of the oversight programme, before getting familiar with the process and issues associated with security inspections. The oversight authorities strive to minimise the impact of unannounced inspections on normal operations.

ATM security oversight activities are carried out in a standardised, systematic way in order to achieve consistency in the consolidation and comparison of findings and recommendations.

The national authority responsible for ATM security oversight (AA/NSA) and the oversight teams first get familiar with the entities subject to the oversight programme (see paragraph 2.3 in this appendix). This knowledge includes as a minimum:
1. Mission of the entity;
2. Organisation chart;
3. Points of contact;
4. Geographical deployment (see example in figure 15 below);
5. Asset inventory;
6. Initial oversight or ongoing oversight activity; previous audit reports/ongoing compliance issues.

Verify that all documentary evidence submitted by an ATM/ANS provider for the purpose of a specific verification or review is approved/endorsed at the competent level of authority in that organisation (preferably the Chief Executive Officer or equivalent position).

The NSA sets up formal administrative processes/procedures, including the use of standardised forms, to facilitate working relationships with ANSPs, in accordance with their security categories. Inter alia, ATM/ANS organisations are required to regularly update the documentary evidence submitted to the NSA, e.g. as regards established arrangements to comply with the security requirements.

By the end of the preparatory phase, the NSA must have built a clear security oversight case,
meaning:
1. clarification of the relevant legal basis ("audit criteria" in ISO terms, binding as well as non-binding regulatory material such as MoC);
2. provision of clearly defined responsibilities, objectives, tasks breakdown and schedule (audit plan); and proper understanding of what should be the outcome and/or deliverables from that activity;
3. identification of evidential material ("audit evidence" in ISO terms) required for review/verification (already in the NSA's possession or pending to be received);
4. allocation of staff who are competent for their oversight tasks (and certified, where required);
5. establishment of formalised and effective communication/consultation with the concerned provider and/or other authorities.

3. Verification of compliance - desktop

3.1 Desk-top verification and documentation review

This is a stand-alone audit activity and does not preclude an oversight activity based on fully-fledged auditing as per step 3.2 below. It is best practice to carry out desk-top review in line with audit procedures.

A desk-top verification or review can be carried out in relation to any of the security oversight areas or criteria, e.g.:
1. Compliance with specific security requirements (as per the NCASP);
2. Holistic/system approach: ATM security system; policy, organisation, internal monitoring, equipment;
3. Personnel security: human resources, recruitment, education, awareness and training of security and non-security staff;
4. Asset management and physical protection/access control;
5. Cyber and CNS security;
6. Threat and risk assessments;
7. Incident/crisis management/contingency plans;
8. Safety/security interface.

Audit team actions for desktop audit:
1. Identify the objective and scope of the oversight activity;
2. Contact the target entity; provide the list of security Requirements and Expectations;
3. Request proposed Means of compliance and Evidence against high level requirement and expectations;
4. Obtain copy of relevant documents;
5. Review documentation; compare against requirements;
6. Check where compliance against criteria is not documented; provide feedback to the entity for possible corrections;
7. Develop schedule for on-site audit, if required;
8. Define audit lots for each audit team member;
9. Develop detailed questionnaires/checklists; detailed questionnaires can be totally or partly shared with the entity.

Perform an initial review of the concerned documentation; determine if any relevant information or evidential material is missing (in particular if the documentation was submitted by an ATM/ANS provider). Determine how to proceed in such cases and take action. For example, inform the concerned party, ask for the reasons for the omissions and request corrective measures. This may be addressed in the administrative procedures, depending on the nature and context of
the oversight activity. The NSA may:
1. request that the other party completes the documentation; or do this through arrangements for the assessment of additional documentation and investigations at the relevant location(s);
2. proceed with the oversight case without waiting for additional info/evidence;
3. temporarily stop or definitively terminate the activity.

The other party should be informed accordingly of the NSA's decision and of its reasons.

Maintain records of all relevant documents generated and received during the oversight investigations. This task is addressed procedurally in the NSA's document management system.

Review/assess the collected documentary evidence ("audit evidence") in respect of the related criteria and document the findings ("audit findings" in ISO terms):
1. Look for evidence that the applicable requirements have been understood and for clear indications that processes have been developed or adapted to meet/fulfil them.
2. Identify needs for corrective and preventive actions, and opportunities for improvement.

Decide if further investigations, such as an on-site visit (an audit or inspection), are necessary. This may be the case e.g. if the documentation review indicates possible areas of weakness or concern regarding the service provider's implementing arrangements to meet associated requirements.

The documentation review is linked with the particularities of ATM security. However, the review is not necessarily to be confined to the documents referenced by the applicant in its exposition (e.g. the organisational exposition in a certification process). It may also cover:
1. operational documentation (e.g. operational, technical manuals/procedures, etc.);
2. technical systems documentation (e.g. implementing arrangements or specifications related to the installation and maintenance of equipment, etc.);
3. various documentation in the areas of safety, quality, performance and human resources;
4. the outcome/deliverables from previous oversight activities which might be relevant in the context of this particular oversight activity.

If the documentation review reveals serious concerns about the ATM/ANS organisation's level of understanding of the applicable security requirements or of the processes that should be put in place to meet them, the person responsible for the oversight activity may opt to stop it (e.g. not proceed with an on-site audit) and refer the matter to NSA management for further decision/action.

3.2 Steps in the particular field (security)

For each entity subject to security oversight a generic plan is developed. The following phases are considered in the work plan:
1. Initiation;
2. Preparation;
3. Execution.

Initiation

1. The entity is informed in writing by the national authority (for this example the NSA) that it will be subject to security oversight, in line with national legislation and procedures. The entity is invited to acknowledge and provide any comment or concern;
2. The NSA calls for a coordination meeting with the entity;
   - Explains the launching of the oversight programme (initial oversight or ongoing) starting next year;
   - Its background and legal basis e.g. security requirements;
   - Expectations from the NSA side;
   - Invites feedback;
     o The entity informs about the current situation, problems encountered and corrective measures implemented;
   - The NSA proposes an initial schedule for planned oversight activities for the following year (audits, inspections, tests and surveys) [2];
   - The entity provides remarks to the plan;
   - The ATM security oversight programme is approved.

Preparation

For each oversight activity within the programme, a number of preparatory activities take place. The most relevant are:

1. Preparatory phase. As a general rule, it lasts a minimum of 10 weeks prior to the audit/inspection. It includes preparation and review of documents.

The NSA must appoint an audit team leader who composes his/her audit team in accordance with the nature of the oversight activity and the entity subject. A standard audit team is composed of:
1. A team leader;
2. Security inspectors: the required number of inspectors and their qualifications should cover all sites and areas to be inspected e.g. cyber security, communications security, SeMS, threat assessments, physical/personnel/technical/organisational security;
3. (An) assistant(s).

Execution

The following are basic milestones in the execution of an oversight programme:

2. Visiting phase. Conduct of on-site audit(s)/inspection(s). It is based on the detailed questionnaires/checklist. However, the audit team may legitimately address any other issue as required. It includes interviews with all relevant security players at the entity.

3. Reporting phase. As a general rule, it lasts a maximum of 12 weeks following the audit/inspection.

[2] The NSA retains its privilege to conduct inspections, surveys and tests that are not announced in advance.

4. Oversight compliance on site

4.1 On-site visit

National ATM security oversight makes use of national and international best practices and standards. This contributes to raising the reputation of the State regarding ATM security management and reaching harmonisation across States.

The security oversight programme consists of a schedule of planned oversight activities which are aimed at assessing the security maturity level of the entity and its compliance with the regulatory framework and associated security requirements. The programme establishes a schedule of events that will be carried out during a twelve-month period. When required, there can be deviations from planned activities. Deviations are coordinated between the authority (NSA) and the inspected entity, and revisions and amendments are issued.

The ATM security oversight schedule could be laid down in tables, charts, graphics or any other supporting tool to help the NSA visualise the milestones and oversight activities. The schedule is flexible enough to accommodate non-scheduled activities.

Verify that the arrangements described in the documentation are effectively implemented and indeed applied by the organisation. Depending on the objectives and complexity of the oversight activity, the review of documentation may be deferred until the on-site visit commences; or the review may be preceded by a preliminary site visit in order to obtain a suitable overview of available information.

This step may involve one or several on-site visits to the relevant site(s) of the organisation, based on an oversight visit schedule/plan and, possibly, sampling techniques based on prior assessment of risks and the identification of priority areas for oversight (see step 1.1). Sampling is applied according to risk relevance and the level of confidence gained from previous oversight.

At least one on-site audit visit is conducted, even in the case of a small organisation applying to provide services. On-site visits to verify compliance with security requirements shall be carried out in accordance with guidance provided by the ICAO Aviation Security Manual (Chapter 7).

Depending on the security criticality of an ATM/ANS organisation's services, functions, products, operations, systems, procedures etc., the NSA may verify compliance in several possible ways:
1. Review of documentation (minimum approach);
2. Review of documentation and on-site audit/inspection = regular approach for addressing areas where review of documentation does not provide sufficient evidence of compliance with applicable requirements or where possible areas of weakness or concern are identified;
3. Review of documentation and on-site security regulatory audit(s) in accordance with the ICAO Aviation Security Manual, to verify compliance with the applicable security requirements.

See additional guidelines in the Manual for National ATM Security Oversight.

Evaluate audit evidential material against the audit criteria to generate the audit findings. Record the non-conformities and their supporting audit evidence. Record any non-resolved points (i.e. divergent opinions).

Non-conformities may be graded. They are reviewed with the auditee to ensure that the audit evidence is accurate and that the non-conformities are understood. Efforts are made to resolve any divergent opinions concerning the audit evidence and/or findings; any unresolved points are recorded.

Prepare the on-site visit conclusions. Depending on objectives, prepare recommendations and discuss audit follow-up, if included in the audit plan.

Conclude the on-site visit with a formal closing meeting or (e.g. for small organisations) by communicating the audit findings and conclusions.

Present the results first in a summarised form, and then in more detail by the individual team members for their respective assessment areas, clearly showing management the facts which led to the conclusions. The audit team does not force the audited organisation to decide during the closing meeting what corrective actions are to be taken.

5. Resulting actions

5.1 Audit/inspection report on findings

Upon conclusion of the investigations of an oversight activity involving one or several step activities (3.1 and/or step 3.2, 4.1), draw up a report of the findings and conclusions.

The audit/inspection report shall include the details of the non-conformities and conclusions, documenting all audit observations. The observations shall be supported by evidence and identified in terms of the applicable security requirements and their implementing arrangements against which the audit has been conducted.

Assessment by the audit team. An audit report must be issued in a standard format addressing all findings of the audit/inspection including the assessment of security compliance.
1. The report must be formally submitted to the entity;
2. It must clearly identify any corrective action needed, including time of completion;
3. A corrective action plan must be proposed by the entity and approved by the audit team leader or the NSA. The action plan must identify the corrective actions with immediate priority, which require action without delay. Proposals should address the root cause of the revealed problem.

A deficiency exists when the oversight activity reveals non-compliance with national regulations, NCASP provisions or international standards. The level of compliance is established in accordance with national requirements. Classifying the levels of compliance will help the audited entity prioritise corrective actions. The following compliance classification is provided by ICAO (AVSEC Manual):
1. Category 1: meets the requirements;
2. Category 2: does not meet the requirements and has minor deficiencies that need improvement;
3. Category 3: does not meet the requirements and has serious deficiencies that need improvement;
4. NA (not applicable): measure or procedure does not exist at the given airport or is not available;
5. NC (not confirmed): when a measure has been either not verified or not observed due to a lack of time or other circumstances.

5.2 Oversight records archive

The NSA keeps appropriate records related to its oversight processes. These records are properly used as the main input to ongoing compliance monitoring.

In order to effectively conduct follow-up audits and to monitor implementation of corrective actions, the NSA establishes a good record-keeping procedure. The NSA formalises:
1. keeping important records related to the oversight processes, including all the reports of security regulatory audits, inspections, tests and surveys and other records related to certificates and designations;
2. how these records will be used to ensure that the oversight is done properly and transparently, to provide confidence about ANSP performance and compliance and to share with other authorised parties;
3. issues regarding record keeping (integrity, availability, accessibility, software).


More information

Committees Date: Subject: Public Report of: For Information Summary

Committees Date: Subject: Public Report of: For Information Summary Committees Audit & Risk Management Committee Finance Committee Subject: Cyber Security Risks Report of: Chamberlain Date: 17 September 2015 22 September 2015 Public For Information Summary Cyber security

More information

Compliance Management Systems

Compliance Management Systems Certification Scheme Y03 Compliance Management Systems ISO 19600 ONR 192050 Issue V2.1:2015-01-08 Austrian Standards plus GmbH Dr. Peter Jonas Heinestraße 38 A-1020 Vienna, Austria E-Mail: p.jonas@austrian-standards.at

More information

Abu Dhabi EHSMS Regulatory Framework (AD EHSMS RF)

Abu Dhabi EHSMS Regulatory Framework (AD EHSMS RF) Abu Dhabi EHSMS Regulatory Framework (AD EHSMS RF) Technical Guideline Audit and Inspection Version 2.0 February 2012 Table of Contents 1. Introduction... 3 2. Definitions... 3 3. Internal Audit... 3 3.1

More information

airsight Company Profile

airsight Company Profile airsight Company Profile Company Consulting Training Software Consulting Innovative consulting services based on in-depth knowledge for various aviation aspects Training Expert know-how on aviationspecific

More information

Australian Transport Council. National Standard for the Administration of Marine Safety SECTION 5

Australian Transport Council. National Standard for the Administration of Marine Safety SECTION 5 Australian Transport Council National Standard for the Administration of Marine Safety SECTION 5 APPROVAL AND AUDITING OF REGISTERED TRAINING ORGANISATIONS August 2008 First Published: August 2008 Endorsed

More information

Passenger Protect Program Transport Canada

Passenger Protect Program Transport Canada AUDIT REPORT OF THE PRIVACY COMMISSIONER OF CANADA Passenger Protect Program Transport Canada Section 37 of the Privacy Act 2009 AUDIT OF PASSENGER PROTECT PROGRAM, TRANSPORT CANADA The audit work reported

More information

EA IAF/ILAC Guidance. on the Application of ISO/IEC 17020:1998

EA IAF/ILAC Guidance. on the Application of ISO/IEC 17020:1998 Publication Reference EA IAF/ILAC-A4: 2004 EA IAF/ILAC Guidance on the Application of ISO/IEC 17020:1998 PURPOSE This guidance document is for ISO/IEC 17020: General Criteria for the operation of various

More information

System of Governance

System of Governance CEIOPS-DOC-29/09 CEIOPS Advice for Level 2 Implementing Measures on Solvency II: System of Governance (former Consultation Paper 33) October 2009 CEIOPS e.v. Westhafenplatz 1-60327 Frankfurt Germany Tel.

More information

Comments and proposals on the Chapter IV of the General Data Protection Regulation

Comments and proposals on the Chapter IV of the General Data Protection Regulation Comments and proposals on the Chapter IV of the General Data Protection Regulation Ahead of the trialogue negotiations later this month, EDRi, Access, Panoptykon Bits of Freedom, FIPR and Privacy International

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Information Governance Policy Version: 5 Reference Number: CO44 Keywords: Information Governance Supersedes Supersedes: Version 4 Description of Amendment(s):

More information

Internal Audit Manual

Internal Audit Manual COMPTROLLER OF ACCOUNTS Ministry of Finance Government of the Republic of Trinidad Tobago Internal Audit Manual Prepared by the Financial Management Branch, Treasury Division, Ministry of Finance TABLE

More information

HKCAS Supplementary Criteria No. 8

HKCAS Supplementary Criteria No. 8 Page 1 of 12 HKCAS Supplementary Criteria No. 8 Accreditation Programme for Information Security Management System (ISMS) Certification 1 INTRODUCTION 1.1 HKAS accreditation for information security management

More information

ENTERPRISE RISK MANAGEMENT POLICY

ENTERPRISE RISK MANAGEMENT POLICY ENTERPRISE RISK MANAGEMENT POLICY TITLE OF POLICY POLICY OWNER POLICY CHAMPION DOCUMENT HISTORY: Policy Title Status Enterprise Risk Management Policy (current, revised, no change, redundant) Approving

More information

P3M3 Portfolio Management Self-Assessment

P3M3 Portfolio Management Self-Assessment Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire P3M3 Portfolio Management Self-Assessment P3M3 is a registered trade mark of AXELOS Limited Contents Introduction

More information

Frequently Asked Questions. Unannounced audits for manufacturers of CE-marked medical devices. 720 DM 0701-53a Rev 1 2014/10/02

Frequently Asked Questions. Unannounced audits for manufacturers of CE-marked medical devices. 720 DM 0701-53a Rev 1 2014/10/02 Frequently Asked Questions Unannounced audits for manufacturers of CE-marked medical devices 720 DM 0701-53a Rev 1 2014/10/02 What is an unannounced audit?... 6 Are unannounced audits part of a new requirement?...

More information

Accountability: Data Governance for the Evolving Digital Marketplace 1

Accountability: Data Governance for the Evolving Digital Marketplace 1 Accountability: Data Governance for the Evolving Digital Marketplace 1 1 For the past three years, the Centre for Information Policy Leadership at Hunton & Williams LLP has served as secretariat for the

More information

Subject: Establishment of a Safety Management System (SMS)

Subject: Establishment of a Safety Management System (SMS) GOVERNMENT OF INDIA OFFICE OF THE DIRECTOR GENERAL OF CIVIL AVIATION TECHNICAL CENTRE, OPPOSITE SAFDARJUNG AIRPORT, NEW DELHI 11 0 003 CIVIL AVIATION REQUIREMENTS SERIES 'C' PART I 20 TH JULY 2010 EFFECTIVE:

More information

IN FLIGHT SECURITY INCIDENT MANAGEMENT

IN FLIGHT SECURITY INCIDENT MANAGEMENT 1. Introduction IN FLIGHT SECURITY INCIDENT MANAGEMENT The tragic events on 9/11 drastically changed the way in-flight security incidents are managed. That day, the world witnessed an unprecedented dimension

More information

Vigilant Security Services UK Ltd Quality Manual

Vigilant Security Services UK Ltd Quality Manual Quality Manual Date: 11 th March, 2014 Issue: 5 Review Date: 10 th March 2015 VSS-COM-PRO-001 SCOPE This Quality Manual specifies the requirements for the Quality Management System of Vigilant Security

More information

ESM Management Comments on Board of Auditors Annual Report to the Board of Governors for the period ended 31 December 2014

ESM Management Comments on Board of Auditors Annual Report to the Board of Governors for the period ended 31 December 2014 ESM Management Comments on Board of Auditors Annual Report to the Board of Governors for the period ended 31 December 2014 Dear Chairperson, I would like to thank you for the opportunity to provide management

More information

Regulation for Establishing the Internal Control System of an Investment Management Company

Regulation for Establishing the Internal Control System of an Investment Management Company Unofficial translation Riga, 11 November 2011 Regulation No. 246 (Minutes No. 43 of the meeting of the Board of the Financial and Capital Market Commission, item 8) Regulation for Establishing the Internal

More information

Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire. P3M3 Project Management Self-Assessment

Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire. P3M3 Project Management Self-Assessment Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire P3M3 Project Management Self-Assessment Contents Introduction 3 User Guidance 4 P3M3 Self-Assessment Questionnaire

More information

AUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System

AUDIT REPORT. Cybersecurity Controls Over a Major National Nuclear Security Administration Information System U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT Cybersecurity Controls Over a Major National Nuclear Security Administration Information System DOE/IG-0938

More information

Internal Audit Standards

Internal Audit Standards Internal Audit Standards Department of Public Expenditure & Reform November 2012 Copyright in material supplied by third parties remains with the authors. This includes: - the Definition of Internal Auditing

More information

GUIDANCE NOTE ON THE CONCEPT OF RELIANCE

GUIDANCE NOTE ON THE CONCEPT OF RELIANCE Final version of 23/02/2009 COCOF 09/0002/01-EN EUROPEAN COMMISSION DIRECTORATE-GENERAL REGIONAL POLICY GUIDANCE NOTE ON THE CONCEPT OF RELIANCE ON THE WORK OF OTHER AUDITORS DISCLAIMER This is a Working

More information

Nordea Bank AB FI Ref. 13-1784 through Chair of Board Service no. 1 Smålandsgatan 17 105 71 STOCKHOLM

Nordea Bank AB FI Ref. 13-1784 through Chair of Board Service no. 1 Smålandsgatan 17 105 71 STOCKHOLM 18 May 2015 DECISION Nordea Bank AB FI Ref. 13-1784 through Chair of Board Service no. 1 Smålandsgatan 17 105 71 STOCKHOLM Warning and administrative fine Finansinspektionen's decision (to be issued on

More information

DRAFT GUIDANCE DOCUMENT ON THE LOW VOLTAGE DIRECTIVE TRANSITION

DRAFT GUIDANCE DOCUMENT ON THE LOW VOLTAGE DIRECTIVE TRANSITION EUROPEAN COMMISSION Directorate-General for Internal Market, Industry, Entrepreneurship and SMEs Industrial Transformation and Advanced Value Chains Advanced Engineering and Manufacturing Systems DRAFT

More information

SESAR Studies & Demonstration Projects on RPAS & Cyber-Security

SESAR Studies & Demonstration Projects on RPAS & Cyber-Security SESAR Studies & Demonstration Projects on RPAS & Cyber-Security Brussels, May 20 th 2014 2 Page 2 Rationale RPAS will generate the emergence of a new service sector RPAS limited by flight authorisations

More information

NORTH ATLANTIC TREATY ORGANIZATION STRATEGIC PLAN

NORTH ATLANTIC TREATY ORGANIZATION STRATEGIC PLAN NORTH ATLANTIC TREATY ORGANIZATION STRATEGIC PLAN 27 March 2015 INTERNATIONAL BOARD OF AUDITORS FOR NATO (IBAN) STRATEGIC PLAN 2015-2019 1 TABLE OF CONTENTS Page No. 1. IBAN AT A GLANCE 3 2. OVERVIEW 3

More information

Smart Meters Programme Schedule 2.5. (Security Management Plan) (CSP South version)

Smart Meters Programme Schedule 2.5. (Security Management Plan) (CSP South version) Smart Meters Programme Schedule 2.5 (Security Management Plan) (CSP South version) Schedule 2.5 (Security Management Plan) (CSP South version) Amendment History Version Date Author Status v.1 Signature

More information

Positioning the internal audit function within the Solvency II framework Key challenges. Ludovic Bardon Senior Manager Audit Deloitte Luxembourg

Positioning the internal audit function within the Solvency II framework Key challenges. Ludovic Bardon Senior Manager Audit Deloitte Luxembourg Positioning the internal audit function within the Solvency II framework Key challenges Jérôme Sosnowski Director Governance, Risk & Compliance Deloitte Luxembourg Ludovic Bardon Senior Manager Audit Deloitte

More information

Part 175. Aeronautical Information Service Organisations Certification. CAA Consolidation. 1 February 2016

Part 175. Aeronautical Information Service Organisations Certification. CAA Consolidation. 1 February 2016 Part 175 CAA Consolidation 1 February 2016 Aeronautical Information Service Organisations Certification Published by the Civil Aviation Authority of New Zealand DESCRIPTION Part 175 prescribes rules governing

More information

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT JANUARY 2008 GUIDELINE ON BUSINESS CONTINUITY GUIDELINE CBK/PG/14

More information

EBA FINAL draft Regulatory Technical Standards

EBA FINAL draft Regulatory Technical Standards EBA/RTS/2015/03 03 July 2015 EBA FINAL draft Regulatory Technical Standards on resolution colleges under Article 88(7) of Directive 2014/59/EU Contents 1. Executive summary 3 2. Background and rationale

More information

Option Table - Directive on Statutory Audits of Annual and Consolidated Accounts

Option Table - Directive on Statutory Audits of Annual and Consolidated Accounts Option Table - Directive on Statutory Audits of Annual and Consolidated Accounts The purpose of this document is to highlight the changes in the options available to Member States and Competent Authorities

More information

IT Professional Standards. Information Security Discipline. Sub-discipline 605 Information Security Testing and Information Assurance Methodologies

IT Professional Standards. Information Security Discipline. Sub-discipline 605 Information Security Testing and Information Assurance Methodologies IT Professional Standards Information Security Discipline Sub-discipline 605 Information Security Testing and Information Assurance Methodologies December 2012 Draft Version 0.6 DOCUMENT REVIEW Document

More information

Comments and Responses by FoeBuD for the EU Consultation on RFID, April 2008

Comments and Responses by FoeBuD for the EU Consultation on RFID, April 2008 Comments and Responses by FoeBuD for the EU Consultation on RFID, April 2008 Article 1 - Scope 1. This Recommendation provides guidance to Member States and stakeholders on the design and operation of

More information

Proposed guidance for firms outsourcing to the cloud and other third-party IT services

Proposed guidance for firms outsourcing to the cloud and other third-party IT services Guidance consultation 15/6 Proposed guidance for firms outsourcing to the cloud and other third-party IT services November 2015 1. Introduction and consultation 1.1 The purpose of this draft guidance is

More information

Business Continuity Management Policy

Business Continuity Management Policy Business Continuity Management Policy Business Continuity Policy Version 1.0 1 Version control Version Date Changes Author 0.1 April 13 1 st draft PH 0.2 June 13 Amendments in line with guidance PH 0.3

More information

ENTERPRISE RISK MANAGEMENT FRAMEWORK

ENTERPRISE RISK MANAGEMENT FRAMEWORK ROCKHAMPTON REGIONAL COUNCIL ENTERPRISE RISK MANAGEMENT FRAMEWORK 2013 Adopted 25 June 2013 Reviewed: October 2015 TABLE OF CONTENTS 1. Introduction... 3 1.1 Council s Mission... 3 1.2 Council s Values...

More information

Explanatory Note to Decision 2015/022/R. Crew resource management (CRM) training

Explanatory Note to Decision 2015/022/R. Crew resource management (CRM) training Crew resource management (CRM) training AMC and GM to Part-ARO Issue 3, Amendment 1; AMC and GM to Part-ORO Issue 2, Amendment 3; and AMC and GM to Part-SPA Amendment 2 RELATED NPA/CRD 2014-17 RMT.0411

More information

VISION FOR LEARNING AND DEVELOPMENT

VISION FOR LEARNING AND DEVELOPMENT VISION FOR LEARNING AND DEVELOPMENT As a Council we will strive for excellence in our approach to developing our employees. We will: Value our employees and their impact on Cardiff Council s ability to

More information

NSW Data & Information Custodianship Policy. June 2013 v1.0

NSW Data & Information Custodianship Policy. June 2013 v1.0 NSW Data & Information Custodianship Policy June 2013 v1.0 CONTENTS 1. PURPOSE... 4 2. INTRODUCTION... 4 2.1 Information Management Framework... 4 2.2 Data and information custodianship... 4 2.3 Terms...

More information

Aegon Global Compliance

Aegon Global Compliance Aegon Global Compliance GLOBAL Charter COMPLIANCE CHARTER aegon.com The Hague, June 1, 2013 Information sheet Target audience: All employees and management of Aegon companies Issued by: Aegon N.V. Group

More information

23. The quality management system

23. The quality management system 23. The quality management system Version 2.0 On this page: Mandatory requirements: Extracts from the HFE Act Extracts from licence conditions HFEA guidance: Definition of the quality management system

More information

Procedure PS-TNI-001 Information Security Management System Certification

Procedure PS-TNI-001 Information Security Management System Certification Table of Contents 1. Purpose 2. Scope 3. Definitions 4. Responsibilities 4.1 Head of the Certification Body 4.2 QM Manager / Management Representative 4.3 Auditors 4.4 Order Service 4.5 Certification Service

More information

HEALTH SAFETY & ENVIRONMENT MANAGEMENT SYSTEM

HEALTH SAFETY & ENVIRONMENT MANAGEMENT SYSTEM HEALTH SAFETY & ENVIRONMENT MANAGEMENT SYSTEM September 2011 OUR HEALTH, SAFETY AND ENVIRONMENT POLICY OUR PRINCIPLE OF DUE CARE We care about the wellbeing of our people and our impact on the environment.

More information

Statement of Guidance

Statement of Guidance Statement of Guidance Internal Audit Unrestricted Trust Companies 1. Statement of Objectives 1.1. To provide specific guidance on Internal Audit Functions as called for in section 3.6 of the Statement

More information

Professional Safety is a monthly journal published by American Society of Safety Engineers www.asse.org/professionalsafety

Professional Safety is a monthly journal published by American Society of Safety Engineers www.asse.org/professionalsafety Supplement to USAF Aviation Safety Program: Gap Analysis Using ICAO Safety Management Guidance, by Kris A. Ostrowski, Darrin Valha and Karen E. Ostrowski, Professional Safety, July 2014 Appendix A 2013

More information

Jonathan Wilson. Sector Manager (Health & Safety)

Jonathan Wilson. Sector Manager (Health & Safety) Jonathan Wilson Sector Manager (Health & Safety) OHSAS 18001:2007 Making Life Easier For Health & Safety Managers Workshop Agenda 1. Introduction 2. Why Manage Health & Safety 3. OHSAS 18001 and OHSMS

More information

QUAๆASSURANCE IN FINANCIAL AUDITING

QUAๆASSURANCE IN FINANCIAL AUDITING Table of contents Subject Page no. A: CHAPTERS Foreword 5 Section 1: Overview of the Handbook 6 Section 2: Quality Control and Quality Assurance 8 2. Quality, quality control and quality assurance 9 2.1

More information

NABL NATIONAL ACCREDITATION

NABL NATIONAL ACCREDITATION NABL 160 NABL NATIONAL ACCREDITATION BOARD FOR TESTING AND CALIBRATION LABORATORIES GUIDE for PREPARING A QUALITY MANUAL ISSUE NO. : 05 AMENDMENT NO : 00 ISSUE DATE: 27.06.2012 AMENDMENT DATE: -- Amendment

More information

Network Rail Infrastructure Projects Joint Relationship Management Plan

Network Rail Infrastructure Projects Joint Relationship Management Plan Network Rail Infrastructure Projects Joint Relationship Management Plan Project Title Project Number [ ] [ ] Revision: Date: Description: Author [ ] Approved on behalf of Network Rail Approved on behalf

More information

Human Services Quality Framework. User Guide

Human Services Quality Framework. User Guide Human Services Quality Framework User Guide Purpose The purpose of the user guide is to assist in interpreting and applying the Human Services Quality Standards and associated indicators across all service

More information