Feature
How air traffic control systems must adapt to ensure cybersecurity
Kerin Allan looks at the measures being implemented to strengthen ATC systems against cyber threats, from technological upgrades to improved staff training.

Air traffic control (ATC) plays a critical role in aerospace safety, and yet many ATC centres still rely on aging infrastructure and legacy software.
These networks are prime targets for ransomware attacks, which can lock staff out of critical systems, leading to grounded flights or halted operations, and yet many lack even basic cybersecurity features like encryption and modern access controls.
It’s imperative that ATC systems strengthen cybersecurity in order to reduce risk vectors and keep everyone safe, but where do they start?
Where there’s a weakness, there’s a way
Unfortunately, cybersecurity experts see many weak points in older ATC systems still in use today that need to be addressed in order to lock criminals out.
The biggest issue that Bill Cantrell, chief strategy officer at software company XONA, sees is that ATC systems often rely on legacy infrastructure that lacks native authentication, encryption or segmentation. Centralised systems also present a single point of failure, which means that, if compromised, the entire network can go down.
“Many still operate with flat networks or jump-server-based remote access, which allow for easy attacker lateral movement if breached,” he says. “However, unpatched software, undocumented or shadow remote access paths and insufficient visibility into vendor access are common issues as well.”
Weak access controls also leave systems open to insider threats – whether from unqualified personnel or intentional misuse, says Atal Bansal, founder of software provider NearMissTracker.
“Many current systems lack real-time threat detection, which delays mitigation when security breaches do occur,” Bansal adds.
Another area of concern is social engineering attacks. These involve manipulating people into sharing sensitive information like login details through phishing emails or text messages, amongst other tactics.
If successful, hackers can trick staff into giving unauthorised access to critical systems like flight tracking platforms, internal communication networks and radar or navigation systems, which can disrupt air traffic coordination and put operations at risk.
Finally, malware is another serious threat that can compromise or even shut down essential systems, directly impacting operational continuity and aviation safety.
Mind the gap
From the experience of Davide Raro, senior associate for ATM Cyber Security and Systems Engineering at aviation consultancy Air Traffic Solutions, the biggest cybersecurity gap in ATC systems is patch management.
“Vendors offer maintenance contracts that include releases every trimester or quarter, leaving systems vulnerable. Air navigation service providers (ANSPs) can’t risk updating anything if not tested by the vendors,” he notes.
From an Internet of Things (IoT) perspective, the biggest gap remains a lack of basic security hygiene, says Sonu Shankar, CPO at Phosphorus Cybersecurity. Unlike IT assets, these devices don’t run endpoint security agents, leaving them invisible to standard security monitoring.
“The Akira ransomware incident underscores this: attackers exploited an IoT device to deploy ransomware precisely because it lacked oversight. In ATC environments this gap could allow a compromised peripheral device like a networked display or sensor to serve as an entry point to critical systems with no centralised management or monitoring in place,” Shankar explains.
“Operators must urgently prioritise asset visibility, enforce basic device security hygiene – such as password rotation schedules – and adopt IoT-specific management solutions,” he advises.
While bridging these gaps may feel overwhelming, there are several simple steps that can be taken to start strengthening ATC cybersecurity.
A good place to start is with staff training, as humans are often the weakest link. Introducing regular training that teaches people password management, how to recognise a phishing email or text, and the risks related to introducing external devices such as USB drives and laptops is key, according to Raro.
“Alongside this, be sure that strict bring your own device (BYOD) and user access policies are put in place – and policed,” he adds.
The power of the pen test
It’s also worth considering penetration (pen) testing. This can be a game-changer for a company’s cybersecurity, as it simulates real-world attacks to expose weaknesses before adversaries can exploit them.
“By attempting to exploit default passwords, testers can identify devices that haven’t been hardened – think of a radar interface still using ‘admin/admin’,” says Shankar. “They would also probe for configuration weaknesses, like an active remote network service on a communication gateway, showing where remote attack vectors exist.”
Firmware vulnerabilities are another focus, as pen tests can reveal devices running outdated firmware that’s susceptible to known exploits, prompting timely updates or mitigations.
Balancing efficiency and security in ATC is tricky because uptime is non-negotiable, but hygiene fixes should not be ignored. Shankar advises starting with low-impact changes, such as mandating password rotations and configuration checks during scheduled maintenance windows to avoid disrupting operations.
The key is layering defences that don’t bottleneck performance – such as encryption, multifactor authentication, and anomaly detection. These will make systems more resilient to cyberattacks without sacrificing performance and availability.
Getting ahead of the threat
No ATC system can ever be completely immune to cyber threats, but these actions lay a strong foundation for resilience. Cybersecurity is a continuous effort, and sustained vigilance is key to staying ahead of the risks.
There are several trends worth watching closely, advises Cantrell, including AI-driven phishing and impersonation attacks targeting voice and identity systems, and GNSS jamming and spoofing, which can degrade navigation systems.
Keeping a lookout for software supply chain attacks on ATC systems or support environments, and for malicious insiders or social engineering targeting contractors, is also important – especially as reliance on third-party remote support increases.
“Cybersecurity resilience will depend on adopting defence-in-depth approaches and continuously evaluating access controls across the cyber-physical systems environment,” Cantrell says.
“Security mustn’t be viewed as a compliance exercise, but as a core enabler of safety, reliability and public trust in aviation operations. As ATC systems evolve and modernise, cybersecurity is a prerequisite for safe and reliable aviation operations.”