- Governance and standards: ICAO/FAA/EASA-aligned cyber programs; risk management per NIST CSF, NIST 800-82, and IEC 62443 for OT/ICS; continuous compliance audits and vendor security requirements.
- Segmentation and isolation: Strict network zoning (corporate IT, ATC/ATM, airfield OT); firewalled interfaces; jump hosts; unidirectional gateways/data diodes for monitoring; air-gapping of safety-critical runway control where feasible.
- Access control: Least privilege, role-based access, MFA, privileged access management, secure remote access with short-lived credentials; detailed logging and tamper-evident trails.
- Hardening and patching: Baseline configurations, application allowlisting, disabled unused services/ports, timely patching with OT-safe windows, firmware/code signing, secure boot.
- Monitoring and detection: SOC with SIEM, IDS/IPS for IT and OT, protocol-aware anomaly detection (e.g., for A-SMGCS, ILS/lighting PLCs), threat intelligence, honeypots, and continuous integrity checks.
- Communications security: Encrypted, authenticated links for ground networks and controller–pilot data link; RF intrusion monitoring; fallback to secure voice; shielding and EMI resilience for nav/landing aids.
- Resilience and safety: Redundant paths/systems (radar/multilateration/ADS-B cross-checks, independent sensors), fail-safe modes for lighting/ILS, UPS/generators, manual reversion procedures and light-gun signals.
- Validation: Red teaming, penetration tests, tabletop and live exercises; safety-cyber co-assurance and change control.
- Runway systems protection: Secure SCADA/PLC architectures for lighting/PAPI/stop bars; physical security of cabinets/handholes; tamper alarms; authenticated fieldbus; local interlocks to prevent unsafe states.
- GNSS/ADS-B risk mitigations: RAIM/GBAS monitoring, spoofing/jamming detection, multilateration verification, geofencing/trajectory anomaly alerts; progressive adoption of authenticated services.
- Incident response: Playbooks with OT-aware isolation, rapid reconfiguration, forensics, and coordinated NOTAMs and operational restrictions.
- Training and awareness: Ops/engineering joint drills; insider threat controls; supply-chain assurance for integrators and component vendors.
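
The ADS-B cross-checks named under "Resilience and safety" and "GNSS/ADS-B risk mitigations" can be sketched as follows. This is an added example, not code from any operational surveillance system; the `Fix` record, the thresholds and the sample tracks are constructed assumptions.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0

@dataclass(frozen=True)
class Fix:
    icao24: str  # 24-bit aircraft address as hex text
    t: float     # receiver timestamp, seconds
    lat: float   # degrees
    lon: float   # degrees

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def cross_check(adsb, mlat, max_offset_m=500.0, max_skew_s=2.0, max_speed_mps=350.0):
    """Compare self-reported ADS-B fixes with independent multilateration fixes.

    Thresholds are illustrative assumptions, not values from any standard.
    Returns a list of (icao24, t, reason) alerts.
    """
    alerts, last = [], {}
    for rep in sorted(adsb, key=lambda f: f.t):
        near = [m for m in mlat
                if m.icao24 == rep.icao24 and abs(m.t - rep.t) <= max_skew_s]
        if not near:
            # Position exists only as a self-report: nothing corroborates it.
            alerts.append((rep.icao24, rep.t, "no_independent_fix"))
        else:
            ref = min(near, key=lambda m: abs(m.t - rep.t))
            if haversine_m(rep.lat, rep.lon, ref.lat, ref.lon) > max_offset_m:
                alerts.append((rep.icao24, rep.t, "position_mismatch"))
        prev = last.get(rep.icao24)
        if prev and rep.t > prev.t:
            # Trajectory anomaly: implied speed between consecutive reports.
            speed = haversine_m(prev.lat, prev.lon, rep.lat, rep.lon) / (rep.t - prev.t)
            if speed > max_speed_mps:
                alerts.append((rep.icao24, rep.t, "implausible_jump"))
        last[rep.icao24] = rep
    return alerts

# Constructed sample tracks: abc123 diverges at t=2; def456 has no independent fix.
SAMPLE_ADSB = [Fix("abc123", 0.0, 50.0000, 8.0), Fix("abc123", 1.0, 50.0005, 8.0),
               Fix("abc123", 2.0, 50.0500, 8.0), Fix("def456", 1.0, 50.0100, 8.1)]
SAMPLE_MLAT = [Fix("abc123", 0.0, 50.0000, 8.0), Fix("abc123", 1.0, 50.0005, 8.0),
               Fix("abc123", 2.0, 50.0010, 8.0)]

if __name__ == "__main__":
    for alert in cross_check(SAMPLE_ADSB, SAMPLE_MLAT):
        print(alert)
```
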