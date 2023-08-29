air traffic control

As thousands of fliers were left stranded and frustrated on one of the busiest weekends of the year for summer getaways, the spotlight has been thrown onto the obscure organisation keeping planes in Britain’s skies.

NATS, or National Air Traffic Control Services, is the partly privatised company that manages the air travel above the UK from command centres in Swanwick in Hampshire and Prestwick in Scotland.

The company runs Britain’s air traffic network, communicating with aircraft and monitoring airspace with radar to make sure they do not crash into each other. In a typical year, it handles 2.5 million flights.

Monday’s bank holiday outage, which grounded more than 1,000 flights, has been blamed on a technical mishap with the group’s automated flight-planning technology, which lasted several hours before being resolved by 3.15pm on Monday.

On Tuesday, Mark Harper, the Transport Secretary, ruled out the possibility of a hack.

However, the huge disruption caused by the incident highlights just how calamitous a cyber attack would be.

The threat of a cyber attack on critical national infrastructure (CNI), such as air traffic control, has long been feared.

A 2018 report from the Department for Transport on cyber readiness of the aviation sector warned: “It is not a matter of if but when cyber attacks or system compromises are perpetrated against or impact upon the aviation sector.”

In practice, under a doomsday scenario a successful hack by a nation state or terror group could lead to mass groundings, delays and huge losses for airlines.

While officials believe the risk to life from such an attack is “low”, a catastrophic cyber attack could still be “highly damaging” commercially, the DfT said in its 2018 report.

Ciaran Martin, the former head of GCHQ’s National Cyber Security Centre (NCSC), said on Twitter: “People ask: ‘What if hackers took down air traffic control?’ That answer is what we’re seeing today with accidental failure: move to backup methods, massive delays and costs but no extra risk to human safety.”

Controllers were forced to input flight data manually, rather than relying on an automated system, which led to a massive slowdown, although short of a full grounding of aircraft.

Air traffic control systems have been targeted in the past. Earlier this year, Europe’s air traffic control body came under attack by Russian hackers. Eurocontrol said it was targeted, though it was able to successfully defend itself and there was no disruption to flights.

NATS maintains a “close working relationship” with Britain’s security services to guard against the risk of a cyber attack, according to its annual report, including NCSC.

As a company viewed as critical infrastructure, Britain’s security services would be involved in helping to ready the company for possible cyber attacks. This would involve testing its defences with so-called “penetration testing”, where hackers try to find vulnerabilities that bad actors might exploit.

Previous National Air Traffic Services problems

NCSC would not, however, have oversight of every aspect of its IT.

A spokesman for NATS said it could not comment on cyber security matters, but said it had “many layers of provision”.

Professor Alan Woodward, a computing expert at the University of Surrey, says the recent failures demonstrates that a cyber attack on a “peripheral” system, such as the one to upload flight plans, could wreak havoc.

He said: “It shows that if you could have taken it out, it would be highly disruptive. You could certainly stop a lot of aircraft on the ground.”

As for the risk of hacking an aircraft itself, so far planes are largely viewed as extremely difficult targets. They rely on closed systems that would require a hacker to gain physical access to the aircraft’s internal IT.

Although the cause of the software glitch at NATS has not yet been confirmed, the group – which is partly owned by the Government, airlines and Heathrow Airport and makes its money from fees paid by aircraft operators – has suffered faults in the past.

In 2013, its internal telephone lines went down, causing cancellations. In 2019, 50 flights were cancelled due to radar issues.

NATS has been undergoing a massive IT modernisation, including £750m phasing out of old technology and tools. In some cases, this has involved moving record keeping from paper to digital systems. Just two weeks ago, it signed up BT to undertake a major upgrade of its cyber security technology.

Sune Engsig, of technology company Leapwork, said: “Aviation, like many industries, relies on a patchwork of old and new technologies and software components that have evolved over time.

“With every update and new technology that comes along, entire processes and workflows need to be re-tested to check things work as they should, and the result is that thinly stretched IT teams have a lot to juggle.”

