CANSO Cybersecurity Risk Assessment Guide – 2023

Air Navigation Service Providers (ANSPs) are a high value target for certain advanced persistent threats (APTs) as they are classified as critical national infrastructure (CNI) service providers. Criminals are constantly evolving into a more professional and organised threat to aviation, particularly as aviation continues its digital transformation which increases the attack potential. This highlights the need for aviation stakeholders to protect their systemsand operation, as an inability to do so can lead to unacceptable impacts on safety.

This guide provides a common risk assessment framework consistent with the ISO 27001 series of standards which allows ANSPs to identify, analyse, evaluate and mitigate cybersecurity risks. It highlights how cybersecurity and safety barriers should work together to mitigate risk. This common approach to risk management also facilitates an integrated approach to managing risk across different connected undesirable outcomes, e.g., cybersecurity, safety, business, or environmental impacts.