Demo Roadmap Pricing Request Access
Technology

ATC Cybersecurity

Air traffic management systems are a complex mix of legacy radar, modern software platforms, surveillance networks, and databases. Cybersecurity incidents affecting these systems — whether accidental software failures or intentional attacks — have produced material operational disruption in recent years. This page summarises notable incidents and the regulatory posture.

Notable Incidents

Jan 2023 — FAA NOTAM system outage

Database corruption in the US NOTAM system caused a nationwide ground stop in January 2023. Root cause was internal (not attack); episode exposed single-point-of-failure design and prompted redesign initiatives.

Aug 2024 — SeaTac ransomware

Seattle-Tacoma International Airport targeted by ransomware. Airport operations rather than ATC were the primary affected domain. Several days of recovery activity.

Various 2024-2025

Multiple European regional airports and ANSPs have reported phishing-linked intrusions, typically managed without operational disruption. Details generally not publicly disclosed.

Regulatory Response

EASA Part-IS (Information Security) rule requires aviation organisations to implement formal information security management systems, mandatory reporting of significant incidents, and to demonstrate cyber-resilience as part of safety management. Phased implementation across 2025-2026.

NIS2 Directive (EU) extends to aviation as essential entity category. FAA has similar programmes in the US; ICAO working groups coordinate international baselines.

What Is Not at Risk in a Normal Cyber Event

Aircraft control systems — flight management, flight control, engine control — are air-gapped from the internet and use dedicated data buses. An ATC system outage or an airport network attack does not directly reach the flight deck. The operational consequence is typically ground stops, schedule disruption, and recovery delay — not loss of in-flight control.

Educational reference. Cybersecurity posture varies by operator; specific compliance status should be verified with applicable regulatory authorities. See Terms of Service.