
Icao 10108 2022


Doc 10108 — Restricted

Aviation Security
Global Risk Context Statement
Third Edition, 2022

Approved by and published under the authority of the Secretary General

INTERNATIONAL CIVIL AVIATION ORGANIZATION




Published in separate English, Arabic, Chinese, French, Russian
and Spanish editions by the
INTERNATIONAL CIVIL AVIATION ORGANIZATION
999 Robert-Bourassa Boulevard, Montréal, Quebec, Canada H3C 5H7

For ordering information and for a complete listing of sales agents
and booksellers, please go to the ICAO website at www.icao.int

First Edition, 2018
Second Edition, 2019
Third Edition, 2022

Doc 10108, Aviation Security Global Risk Context Statement

Order Number: 10108
ISBN 978-92-9265-878-6 (print version)

© ICAO 2022

All rights reserved. No part of this publication may be reproduced, stored in a
retrieval system or transmitted in any form or by any means, without prior
permission in writing from the International Civil Aviation Organization.

GUIDANCE ON HANDLING RESTRICTED INFORMATION

The Aviation Security Global Risk Context Statement is not for public distribution as it is intended for the limited use of
government, industry and other aviation security stakeholders for risk assessment purposes. Copies should not be put on
publicly accessible web sites.

Any onward distribution of this document, electronically or in hard copy, should be accompanied by appropriate instructions
in line with the above.

If you have any questions about the sharing or handling of this document, please contact the ICAO Secretariat at
ASP@icao.int.

_____________________

AMENDMENTS

Amendments are announced in the supplements to the Products and
Services Catalogue; the Catalogue and its supplements are available
on the ICAO website at www.icao.int. The space below is provided to
keep a record of such amendments.

RECORD OF AMENDMENTS AND CORRIGENDA

AMENDMENTS CORRIGENDA

No. Date Entered by No. Date Entered by

FOREWORD

This document contains a global aviation security risk assessment, including a global threat picture, and is intended to
help inform and support ICAO Member States’ processes for national and local aviation security risk assessment. Included
in Appendix A is the risk assessment methodology and process map used to conduct this global risk assessment and
other guidance information that may further assist Member States in their national processes.

References to threat, risk, and incidents within this document should be understood as referring to aviation security threats,
aviation security risks, and aviation security incidents, particularly those that are assessed as acts of unlawful
interference (AUI).

The Aviation Security Global Risk Context Statement should be made available to those who are responsible for
conducting national and other aviation security risk assessments and aviation security decision makers, practitioners and
other relevant stakeholders. Procedures for handling, transmission and storage of this document must be applied in
accordance with each Member State’s regulations for sensitive aviation security information.

_____________________

RESTRICTED

CONTENTS

Acronyms

Chapter 1. Introduction

Chapter 2. The global aviation threat picture

Global trends and security incidents in civil aviation

Chapter 3. Risk assessment results

Overview of risk assessment results

Appendix A. Risk assessment method, process map and guidance information for Member States

1. Risk assessment method and process map
2. Role of Member States in national and local risk management
3. Establishing the threat picture

Appendix B. Summary of WGTR risk assessments for all threat scenarios

1. Person-borne improvised explosive devices (on the body or in cabin baggage)
2. Improvised explosive devices in cargo and mail
3. Attacks using unmanned aircraft systems (UAS) on aviation targets in and outside of conflict zones
4. Landside attacks (including landside vehicle-borne improvised explosive devices)
5. Aircraft used as a weapon
6. Chemical threats
7. MANPADS, missiles and other attacks from a distance (other than by unmanned aircraft systems)
8. Improvised explosive devices in hold baggage
9. Improvised explosive devices in services
10. Airport supplies
11. Vehicle-borne airside attacks
12. Cyber-attacks
13. Conventional hijack (with terrorist intent)
14. Biological and radiological threats
15. Attacks on air traffic control facilities
16. Other potential threats

Appendix C. Insider threat

1. Introduction
2. Assessing risks from insider threats
3. Insider threat mitigation measures — Additional considerations

Appendix D. Additional detail on risk assessments for cyber threats

1. Air Traffic Management (ATM) systems
2. Aircraft systems
3. Airport systems
______________________

ACRONYMS

ATC Air traffic control
ATM Air traffic management
AUI Acts of unlawful interference
CBR Chemical, biological and radiological
CCTV Closed-circuit television
COTS Commercial off-the-shelf
EDS Explosives detection system
HME Homemade explosive
ICAO International Civil Aviation Organization
IED Improvised explosive device
IT/OT Information and operational technologies
LNMC Low- or no-metal content
MANPADS Man-portable air defence systems
PBIED Person-borne improvised explosive device
PoC Point of contact
RCS Aviation Security Global Risk Context Statement
RED/RDD Radiological exposure device/radiological dispersal device
SAM Surface-to-air missile
SARPs Standards and Recommended Practices
SATCOM Satellite communication
SRA Security restricted area
UAS Unmanned aircraft system(s)
VBIED Vehicle-borne improvised explosive device
WGTR Working Group on Threat and Risk

______________________

Chapter 1

INTRODUCTION

1.1 The continuing security threat to the global aviation system, mainly from terrorism, is most effectively
managed by identifying, understanding and addressing the potential risks to civil aviation, including risks to passengers
and goods (baggage, cargo, and mail). The identification of risks permits Member States to determine and implement
proportionate measures and controls to mitigate appropriately against each risk type.

1.2 To assist Member States in this process, the Aviation Security Global Risk Context Statement (RCS) has
been developed and is updated on a regular basis. The RCS aims to:

a) offer States a methodology and a framework to conduct risk assessments at the national level (see
Appendix A);

b) provide an overview of the current global aviation security threat;

c) present high-level global risk assessments to help inform States’ national civil aviation security
programmes; and

d) assist ICAO in improving and updating Standards and Recommended Practices (SARPs) and guidance
material to ensure that they address current threats and risks.

1.3 The development of the RCS is undertaken by the ICAO Aviation Security (AVSEC) Panel Working Group
on Threat and Risk (WGTR). The work is done in recognition of the importance of a risk-based approach to aviation
security and relies on the input of relevant experts, as well as the effective and timely reporting and sharing of information
by ICAO Member States.

1.4 The WGTR regularly reviews previously completed risk assessments or conducts new risk assessments,
updates the RCS on an annual basis, or as needed, and provides analysis and advice on risks to aviation to the AVSEC
Panel. ICAO also draws on the advice of the WGTR with regard to evolving threats and incidents. Information is often
available in the public domain about the specific nature of recent and current threats to aviation. However, there is also
much that cannot be put into the public domain or discussed in documents such as this one, because of the sensitive
nature of the information itself or of its sources. This includes information about actual attacks, but also aspirational or
planned attacks that may have been disrupted, not followed through, or not yet come to fruition. Such information may be
sought from States’ own security or intelligence services. However, it is important to note that a lack of information does
not equate to a lack of threat, as several high-profile attacks against aviation have occurred with no prior warning. A
diversifying array of non-terrorist threats over recent years means that intelligence collection has been spread more thinly
in some States, possibly resulting in a reduced collective insight into terrorist attack planning.

1.5 The RCS is aimed primarily at decision makers, practitioners and other relevant stakeholders within Member
States who are responsible for conducting aviation security risk assessments.

______________________

Chapter 2

THE GLOBAL AVIATION THREAT PICTURE

2.1 For many years, civil aviation has been an attractive target for criminals and terrorists, for a variety of reasons.

2.2 That remains especially true in the case of terrorists who continue to seek to exploit real or perceived
vulnerabilities in the international civil aviation system. Following successful and attempted terrorist attacks, security
measures are developed and enhanced to prevent similar attacks from reoccurring. However, terrorists continue to show
an interest in how they can circumvent or defeat security measures. Previous successes or partial successes in doing so
have motivated such perpetrators to continue to research and plan further attacks against civil aviation.

2.3 Terrorists, whether as part of an organized group or acting alone, generally aim to achieve one or more of
the following objectives in selecting aviation as a target for attack:

a) inflicting mass casualties;

b) causing economic disruption;

c) making a symbolic statement;

d) increasing their notoriety; and

e) generating public anxiety.

2.4 These objectives may lead to a variety of forms of attack on the aviation system. Terrorists have shown
themselves to be innovative, and may seek out a wide range of modus operandi and targets, influenced by the availability
and vulnerability of such targets and dependent upon capability and the perceived opportunity for success.

GLOBAL TRENDS AND SECURITY INCIDENTS IN CIVIL AVIATION

2.5 In 2021, 42 acts of unlawful interference (AUI) were recorded in the ICAO Database of Acts of Unlawful
Interference, a significant increase compared to the 18 acts recorded in 2020. They included 4 attacks on aircraft in flight;
9 attacks on, or at, aviation facilities; 9 unlawful seizures; 5 cyber-attacks; and 15 acts qualified as “others”, which include
breaches of secure areas and systems. Other occurrences or incidents, identified through media reports but not officially
reported as AUIs, continue to provide further evidence of planning by criminals, including terrorists, to commit AUIs against
aviation targets. It should be noted that this number of AUIs is assumed to represent a very small proportion of the security
incidents that actually take place globally, and the WGTR has assessed that the numbers of reported and unreported AUIs
were reduced by the global COVID-19 pandemic. The analysis that follows is primarily drawn from information provided
by WGTR members. The WGTR encourages Member States to proactively report AUIs to support its analysis and to
strengthen the content of the RCS.


2.6 The pace of attacks against civil aviation assets has increased in recent years, particularly those against
airports and airfields in conflict zones¹ or regions of the world where there is proliferation of weapons such as rockets and
mortars. Attacks manifest themselves in a variety of diverse methods, including attacks at a distance using rockets or
mortars.

2.7 Globally, terrorists have consistently sought to identify and exploit vulnerabilities in security measures in an
attempt to find or create the path of least resistance to their targets. This could include the exploitation of
people (e.g. airport employees or other insiders) or processes (e.g. ineffective security measures) to allow or facilitate a
terrorist to conduct an attack using less sophisticated methods than may otherwise be necessary. Despite the reduction
in the number of flights and number of passengers globally caused by the COVID-19 pandemic, civil aviation remains a
desirable target for terrorists worldwide, with no loss of intent by terrorists to conduct attacks against commercial aviation
due to the pandemic.

2.8 Terrorist groups still demonstrate a preference to attack aircraft in flight. The terrorist threat on board an
aircraft can manifest itself in several ways. Improvised explosive devices (IEDs) have been the preferred attack method
over the last two decades, with terrorists continually innovating and developing new concealment tactics in order to bypass
or defeat aviation security measures. Terrorists have attempted to introduce IEDs on board aircraft concealed on the body
or in items carried by a person, or in checked baggage, cargo or aircraft supplies. Hijacking in flight remains an aspiration
for terrorists, with groups taking a long-term approach to developing the capabilities needed to support complex attacks.
Other potential means of attack on board an aircraft include the use of weapons or the use of chemical agents.

2.9 Cybersecurity incidents have recently sharply increased across all critical infrastructure sectors. With respect
to the transport sector, while there are no recorded cybersecurity incidents directly targeting aviation with the intent to
cause physical harm, there are signs that State-sponsored and malicious actors have enhanced their capability to disrupt
aviation operations in other ways. Considering ICAO’s burgeoning focus on cybersecurity, the WGTR encourages Member
States to review and consider strengthening their cybersecurity programmes².

2.10 Given that aviation security measures are rightfully perceived by criminals and terrorists as difficult to defeat,
there has been an expansion of incidents targeting more vulnerable and easily accessed targets, for example the public
areas of airport terminals, using less sophisticated weapons. Within the aviation security context, primary targets are
landside or public areas of the airport, specifically curbside areas, departure halls prior to the security checkpoint, arrival
halls, and areas of shared responsibility such as train and bus stations.

2.11 Attacks using unmanned aircraft systems (UAS) intended to disrupt aviation operations have also steadily
risen in recent years, particularly at airports in and close to conflict zones. This continues to illustrate an increase in both
capability and intent of terrorists to use this technology for nefarious purposes. Furthermore, UAS tactics used in conflict
zones could easily be used against commercial airport facilities outside of conflict zones. Owing to availability of
technological information and materials via the internet, the sophistication of home-made UAS range and payload
capabilities has risen.

¹ Conflict zones. Airspace over areas where armed conflict is occurring or is likely to occur between militarized parties, and is also taken
to include airspace over areas where such parties are in a heightened state of military alert or tension, which might endanger civil aircraft
(Risk Assessment Manual for Civil Aircraft Operations Over or Near Conflict Zones (Doc 10084)).
² The Aviation Cybersecurity Strategy, the Cybersecurity Action Plan and guidance material on cybersecurity are available to download
on the ICAO-NET.


2.12 In relation to attacks against civil aviation, terrorist groups retain the ability to inspire or call directly upon
radicalized individuals to carry out attacks. With centralized attack planning, these groups have the ability to leverage
resources and skills to pursue sophisticated tactics against well-protected targets such as aircraft. However, there have
been instances of decentralized planning of attacks perpetrated by individuals with only loose connections to established
groups. In some regions, there has been a proliferation of violent extremist groups and individuals with a wider range of
ideologies, including anti-authoritarian and politically motivated extreme right and left wing. While there have been a
number of terrorist attacks carried out by such groups and individuals, there is no current known intent or plan to attack
civil aviation.

______________________
Chapter 3

RISK ASSESSMENT RESULTS

3.1 The WGTR has updated its global risk assessment each year since 2009. Risks are assessed by threat type.
Each threat category incorporates many scenarios or sub-scenarios, and for each of these there is an explanation of the
general scenario, including the target (e.g. an aircraft), the means of attack (e.g. armed assault) and, where necessary,
the type of perpetrator (e.g. a category of privileged insider). For each plausible threat scenario, the WGTR assesses the
likelihood, consequences, and vulnerability (taking into consideration existing mitigating measures in place) in order to
determine the residual risk. The detailed results are recorded on risk matrices compiled for each threat type, which are
then used as the basis for the WGTR’s advice to ICAO and for the broader summaries that are set out in the RCS.

3.2 It is important to keep in mind that these risk results attempt to reflect an overall global picture and not a
specific regional or national picture (two exceptions being the threat from missiles and other attacks from distance, and
UAS threats, as these are considered to vary significantly depending on the local proliferation of such weapons). It is also
important to note that the vulnerability level has been assessed for all scenarios as the residual vulnerability, assuming
that States have implemented effectively all relevant security measures currently required by ICAO, primarily those in
Annex 17 — Aviation Security.

3.3 The following sections of this document provide an overview of the risk assessment results and a summary
of the changes for this Edition of the RCS. A more complete summary of the results of the WGTR’s global risk assessments
is provided in Appendix B.

OVERVIEW OF RISK ASSESSMENT RESULTS

3.4 Table 3-1 provides a high-level overview of the results, grouped according to the threat type.


Table 3-1. Threat-type risk levels³

| THREAT TYPE | Likelihood | Consequences | Vulnerability | RISK |
|---|---|---|---|---|
| PERSON-BORNE IEDs on the body or in cabin baggage | HIGH | HIGH | MEDIUM-HIGH | HIGH |
| IEDs IN CARGO/MAIL | MEDIUM-HIGH | HIGH | MEDIUM-HIGH | MEDIUM-HIGH |
| ATTACKS USING UAS (on aviation targets in conflict zones) | MEDIUM-HIGH | HIGH | MEDIUM-HIGH | MEDIUM-HIGH |
| LANDSIDE ATTACKS (including landside vehicle-borne IEDs) | MEDIUM-HIGH | MEDIUM | MEDIUM-HIGH | MEDIUM-HIGH |
| AIRCRAFT USED AS A WEAPON | MEDIUM | HIGH | MEDIUM | MEDIUM-HIGH |
| CHEMICAL THREATS | MEDIUM | MEDIUM-HIGH | MEDIUM-HIGH | MEDIUM-HIGH |
| MANPADS, MISSILES AND OTHER ATTACKS FROM A DISTANCE (other than by UAS): | | | | |
| On airports in conflict/proliferation zones | HIGH | MEDIUM | MEDIUM | MEDIUM-HIGH |
| On aircraft in conflict/proliferation zones | MEDIUM-HIGH | HIGH | MEDIUM | MEDIUM-HIGH |
| On airports outside conflict/proliferation zones | MEDIUM-LOW | MEDIUM | MEDIUM | MEDIUM |
| On aircraft outside conflict/proliferation zones | LOW | HIGH | MEDIUM | MEDIUM |
| ATTACKS USING UAS (on aviation targets outside of conflict zones) | MEDIUM-LOW | HIGH | MEDIUM-HIGH | MEDIUM |
| IEDs IN HOLD BAGGAGE | MEDIUM-LOW | HIGH | MEDIUM | MEDIUM |
| IEDs IN SERVICES (catering, in-flight supplies, etc.) | MEDIUM-LOW | HIGH | MEDIUM | MEDIUM |
| AIRPORT SUPPLIES | LOW | HIGH | MEDIUM-LOW | MEDIUM |
| VEHICLE-BORNE AIRSIDE ATTACKS | MEDIUM-LOW | MEDIUM-HIGH | MEDIUM | MEDIUM |
| CYBER-ATTACKS | LOW | HIGH | MEDIUM-LOW | MEDIUM |
| CONVENTIONAL HIJACK (with terrorist intent) | MEDIUM-LOW | MEDIUM-LOW | MEDIUM-LOW | MEDIUM-LOW |
| BIOLOGICAL THREATS | LOW | MEDIUM | MEDIUM | MEDIUM-LOW |
| RADIOLOGICAL THREATS | LOW | MEDIUM | MEDIUM | MEDIUM-LOW |
| ATTACKS ON ATC FACILITIES | LOW | MEDIUM-LOW | MEDIUM | MEDIUM-LOW |

³ Additional threat types have been added since the previous version to ensure all scenarios assessed by the WGTR in the detailed risk
matrices are covered. Scoring for conflict vs. non-conflict zones has also been separated for some threat types.


3.5 According to this assessment, the threat type which still poses the greatest risk to international civil aviation
at the global level is person-borne IEDs, that is, explosive devices carried on board a plane by a passenger or crew
member either on their body or in cabin baggage and personal effects. The residual risk of this type of attack continues to
be assessed as HIGH. Within this category, it is considered that IEDs concealed in personal belongings, including
electronic or electro-mechanical devices, currently represent the greatest risk.

3.6 The threat types that are assessed to represent the next highest level of risk are landside attacks; IEDs
concealed in cargo (the importance of air cargo has greatly increased during the COVID-19 pandemic — this type of attack
continues to attract the interest of certain groups); and aircraft used as a weapon. These threat types continue to be
assessed as MEDIUM-HIGH. Chemical threats and attacks using UAS on aviation targets in conflict/proliferation zones
have moved into the MEDIUM-HIGH category of risk due to the changes in the WGTR’s risk assessment methodology
implemented since the previous version of this document (separation of UAS into two categories (in or outside conflict
zones), as outlined in Appendix A). The man-portable air defence systems (MANPADS) threat is now encompassed within
a broader category of MANPADS, missiles and other attacks from a distance (other than UAS). For airports and aircraft
in conflict/proliferation zones, the risk of an attack using this method is also assessed as MEDIUM-HIGH.

3.7 The threat from MANPADS, missiles and other attacks from a distance is assessed as MEDIUM for airports
and aircraft outside of conflict/proliferation zones. The threat from UAS attacks outside of conflict zones is also assessed
as MEDIUM. The threat of an attack using an IED in hold baggage, an IED in airport supplies and an airside vehicle-borne
attack remains at MEDIUM. There has been an upward shift in the overall risk from IEDs in services, which is now
assessed as MEDIUM due to the change in the risk assessment methodology referred to in 3.6. The change in
methodology has also resulted in the upwards movement of the risk of cyber-attacks to MEDIUM, and of biological and of
radiological attacks (which have now been separated into two distinct categories) upwards to MEDIUM-LOW. The risk of
a conventional hijack with terrorist intent and attacks on air traffic control (ATC) facilities are considered to have moved
downwards to MEDIUM-LOW.

_____________________

APPENDIX A

RISK ASSESSMENT METHOD, PROCESS MAP AND
GUIDANCE INFORMATION FOR MEMBER STATES

1. RISK ASSESSMENT METHOD AND PROCESS MAP

1.1 The risk assessment method set out below was developed to enable the WGTR to carry out its work in a
logical, consistent and clear manner, to explain the method used and its results to the recipients of the RCS, and to assist
States and other entities in performing risk assessments of their own. It is not a precise scientific exercise, but is designed
to generate an understanding and a relative ranking of current residual risk in order to inform policy-making, based on
numerical scores assigned to each assessed parameter, and on a simple mathematical formula used to calculate the
residual risk value.

1.2 Figure A-1 provides the risk assessment process map employed by the WGTR. This risk assessment
process comprises the following elements:

a) the identification and analysis of plausible threat scenarios and their likelihoods, and consequences;

b) the assessment of current mitigations and remaining vulnerabilities;

c) residual risk assessment taking into account the likelihood, consequences, and vulnerabilities of a
specific threat scenario; and

d) recommendations for further risk-based work and possible mitigation.

1.3 The key components for completion of the risk assessment are:

a) threat scenario — an identification and description of a credible act of unlawful interference comprising
a target (such as an airport terminal, associated infrastructure or an aircraft), the modus
operandi (including conveyance and concealment) and methods of an attack (such as an IED), and the
adversary (based on the role an adversary plays in the aviation system — passenger, non-travelling
person, and/or insider). This should be sufficiently detailed to permit accurate assessment and analysis;
“an attack against an aircraft” is not good enough as a scenario;

b) likelihood of an attack — the probability or likelihood of that attack being attempted, based on
perpetrators’ intentions and capabilities but NOT taking into account current security measures. The
WGTR utilizes likelihood as an indicator of threat, considering both the intent and capability of a
perpetrator to carry out a threat scenario;

c) consequences — the nature and scale of the impact of the specific attack, in human, economic, political,
and reputational terms under a reasonable worst-case scenario;

d) current mitigation measures — the relevant SARPs, which may not all be in Annex 17, and guidance –
both of which are assumed to be effectively implemented (where that is clearly not the case, the residual
risk will be higher). It is assumed that no threat can be entirely eliminated;


e) vulnerability — the extent of the remaining vulnerabilities once the current mitigating measures have
been taken into account;

f) residual risk — the overall risk of a successful attack, taking into account the likelihood and
consequences of the threat scenario, and considering the remaining vulnerabilities after assuming
current mitigating measures have been implemented; and

g) possible additional mitigation — identified measures, not formally included in ICAO SARPs, that could
be implemented to further mitigate residual risks where necessary.


Figure A-1. Risk assessment process map


1.4 The risk assessment must identify the plausible scenarios carefully and in sufficient detail, being specific
and thorough in considering each form of threat. Threats could be directed at specific airports, terminals or other
infrastructure, such as fuel farms, air traffic control facilities or navigational equipment, as well as aircraft, including different
forms of aviation, such as general aviation, passenger aircraft, and cargo-only aircraft. The means and methods by which
a threat could be carried out should also be evaluated. This would include how a weapon or explosive device could be
constructed, the means by which it might be conveyed (e.g. whether person- or vehicle-borne) and by whom (e.g. insider,
passenger, or non-travelling person), how it could be concealed, and how it could be activated or utilized in order to
perpetrate an AUI. An indicative list of some possible threat scenarios is included in Appendix C (Table C-1). However,
this does not cover the full list of scenarios considered by the WGTR, and States or other entities conducting risk
assessments are encouraged to develop their own versions reflecting local circumstances, as appropriate.

Example of an individual threat scenario

1.5 The threat scenario will be the foundation of the risk analysis, and likelihood, consequence, and vulnerability
will be determined based upon each specific threat scenario. The template below is utilized by the WGTR and may be
used by States or others to assess individual threat scenarios. For illustrative purposes, an example risk matrix has been
included, considered under “Aircraft used as a weapon”, and using a 9/11 type scenario in which a large commercial
passenger aircraft (target) is commandeered by cabin crew (adversary) using a prohibited item/weapon (modus operandi)
and the aircraft is used as a weapon to attack a populous target on the ground. It should be noted that this example differs
from the specific 9/11 methodology in that it describes an attack perpetrated by the cabin crew rather than passengers.

Example risk matrix (scenario)

| Scenario | Likelihood | Consequences | Mitigations | Vulnerabilities | Residual risk | Additional mitigations |
|---|---|---|---|---|---|---|
| 9/11 scenario: large commercial passenger aircraft commandeered by cabin crew using a weapon and aircraft used as a weapon itself | | | | | | |

1.6 In this methodology, likelihood, consequences, and vulnerability have been scored on a ten-point scale from
HIGH to LOW. The general meanings of the scores, in each case, are given below.

1.7 For likelihood:

a) HIGH (rated as 9 or 10) means a very plausible scenario, with an actual attack of this kind having
occurred in the past few years, or strong evidence of capability, intent, and planning;

b) MEDIUM-HIGH (rated as 7 or 8) means a clearly plausible scenario, with relatively recent examples or
evidence of early attack planning or hostile reconnaissance;

c) MEDIUM (rated as 5 or 6) means an essentially plausible scenario, with some evidence of intent and
capability and possibly some examples, but no evidence of current attack planning;

d) MEDIUM-LOW (rated as 3 or 4) means a scenario for which there are no, or no recent, examples, but
some evidence of intent, yet with a method apparently not sufficiently developed for a successful attack
scenario or probably superseded by other forms of attack; and

e) LOW (rated as 1 or 2) means a theoretically plausible scenario but with no examples or signs of attack
or attack planning, and a theoretical intent but no apparent capability.

1.8 For likelihood, questions that could be asked to determine the score could include whether there is current
intelligence of such an attack being planned, or whether there are previous known examples of similar attacks. An
example of likelihood scoring is included for the example threat scenario below.

Example risk matrix (likelihood)

| Scenario | Likelihood | Consequences | Mitigations | Vulnerabilities | Residual risk | Additional mitigations |
|---|---|---|---|---|---|---|
| 9/11 scenario: large commercial passenger aircraft commandeered by cabin crew using a weapon and aircraft used as a weapon itself | MEDIUM-LOW. – No precedent or known planning related to flight/cabin crew as an operative for a 9/11 style attack, but known incidences of radicalization of flight crew or information on intent; – Noting German Wings 9525 as an indication of the ability to conduct an attack | | | | | |

1.9 For consequences, the scores mean that, in a reasonable worst-case scenario, the outcome can be
expected to be along the lines shown in the following table.

Consequences

| Impact rating | Human | Direct economic impact | Other |
|---|---|---|---|
| HIGH (rated as 9 or 10) | Hundreds of deaths⁴ | Billions of United States dollars | Severe disruption to services and confidence in the aviation system |
| MEDIUM-HIGH (rated as 7 or 8) | Some but not all of the HIGH consequences above | | |
| MEDIUM (rated as 5 or 6) | Tens of deaths | Tens or hundreds of millions of United States dollars | Substantial disruption to services and confidence in the aviation system |
| MEDIUM-LOW (rated as 3 or 4) | Some but not all of the MEDIUM consequences above | | |
| LOW (rated as 1 or 2) | Possibly some deaths and injuries | Some economic impact | Some disruption to services and confidence in the aviation system |

1.10 It is recognized that this is not an exact science — where there is doubt, the best fit is selected where the
most criteria are met in a reasonable worst-case scenario. An example of consequences scoring is included for the
example threat scenario below.

Example risk matrix (consequences)

| Scenario | Likelihood | Consequences | Mitigations | Vulnerabilities | Residual risk | Additional mitigations |
|---|---|---|---|---|---|---|
| 9/11 scenario: large commercial passenger aircraft commandeered by cabin crew using a weapon and aircraft used as a weapon itself | MEDIUM-LOW. – No precedent or known planning related to flight/cabin crew as an operative for a 9/11 style attack, but known incidences of radicalization of flight crew or information on intent; – Noting German Wings 9525 as an indication of the ability to conduct an attack | HIGH. – Loss of life of all on board aircraft; – Loss of life and damage to infrastructure on the ground; – Widespread economic damage; – Loss of confidence as attack perpetrated by trusted insider | | | | |

4 This scoring system means in practice that most scenarios involving the loss of a large passenger aircraft as a reasonable worst-case
are likely to be scored as HIGH. While this may reduce differentiation between scenarios, the WGTR considers this a fair reflection of the
impact of a successful attack on such an aircraft. It is also recognized that the HIGH categorization encompasses certain threat scenarios,
e.g. using a plane as a weapon (9/11 scenario), that may potentially result in thousands of deaths.

1.11 For vulnerability:

a) HIGH (rated as 9 or 10) means no mitigating measures are in general effect, either because there is
no Annex 17 requirement or because no realistic effective measures are available;

b) MEDIUM-HIGH (rated as 7 or 8) means that mitigation has a limited scope and that important areas
and aspects of the risk are not covered by Annex 17 requirements or measures in general effect;

c) MEDIUM (rated as 5 or 6) means that features of both MEDIUM-HIGH and MEDIUM-LOW are present;

d) MEDIUM-LOW (rated as 3 or 4) means that mitigating measures are generally in place, but they may
be immature or only partially effective. For instance, the broad Annex 17 requirements may be in place
for all areas and aspects, but they are capable of being further developed or better implemented in
practice; and

e) LOW (rated as 1 or 2) means that clear Annex 17 requirements exist and that mitigating measures
generally regarded as effective are in widespread use.

1.12 When analysing vulnerability, it is important to take into account how well the Annexes to the Convention on
Civil Aviation, national programmes and airport programmes address the specific threat scenario, as well as how effective
current security measures are in mitigating the scenario and, where reliable information is available, how well those
security measures are implemented and sustained over time. The RCS takes into account mitigating actions that are
already generally in place, including Annex 17 SARPs, and assumes that these are being effectively implemented (unless
there is clear and objective evidence to the contrary). In conducting their own assessments, States and other entities may
wish to assure themselves that the relevant measures are actually in place and are being effectively and continuously
implemented. Where this is not the case, the residual vulnerability scores would inevitably be higher.

Example risk matrix (vulnerabilities)

| Scenario | Likelihood | Consequences | Mitigations | Vulnerabilities | Residual risk | Additional mitigations |
|---|---|---|---|---|---|---|
| 9/11 scenario: large commercial passenger aircraft commandeered by cabin crew using a weapon and aircraft used as a weapon itself | MEDIUM-LOW. – No precedent or known planning related to flight/cabin crew as an operative for a 9/11 style attack, but known incidences of radicalization of flight crew or information on intent; – Noting German Wings 9525 as an indication of the ability to conduct an attack | HIGH. – Loss of life of all on board aircraft; – Loss of life and damage to infrastructure on the ground; – Widespread economic damage; – Loss of confidence as attack perpetrated by trusted insider | Annex 17: – Background checks and recurrent background checks (Annex 17, Standard 3.5.2); – 100% Staff Screening (Annex 17, Standard 4.2.5). Also take into account the Aviation Security Manual (Doc 8973 – Restricted) and national/airport programmes | SCORE (To be determined based on residual vulnerabilities after considering current mitigations in place) | | |

1.13 Each plausible scenario selected is then given a residual risk score based on a combination of the assessed
scores for likelihood, consequences, and vulnerability.

1.14 Residual risk is assessed on a five-point scale. The ranking is derived from the other scores, and it involves
some elements of judgement as well as the aggregation of the scores assigned to likelihood, consequences and
vulnerability. Scores assigned to each of the aforementioned parameters reflect a consensual analysis based on the
information currently available — reflecting the fact that there is generally limited data to draw upon. The mathematical
formula used to calculate residual risk in this methodology is presented below.

|  | Threat (T) | Consequence (C) | Vulnerability (V) | Risk score | Risk rating |
|---|---|---|---|---|---|
| HIGH | 9-10 | + 9-10 | + 9-10 | 25.6 to 30 | HIGH |
| MEDIUM-HIGH | 7-8 | + 7-8 | + 7-8 | 19.6 to 25.5 | MEDIUM-HIGH |
| MEDIUM | 5-6 | + 5-6 | + 5-6 | 13.6 to 19.5 | MEDIUM |
| MEDIUM-LOW | 3-4 | + 3-4 | + 3-4 | 7.6 to 13.5 | MEDIUM-LOW |
| LOW | 1-2 | + 1-2 | + 1-2 | 3.0 to 7.5 | LOW |

1.15 If the obtained risk rating after applying the calculation formula is not aligned with common knowledge of
what the residual risk should look like for a particular scenario, the assessment of each parameter’s score for a particular
scenario can be reviewed, and adjusted if necessary. If after this review any of the parameter assessments are modified,
the mathematical formula should be applied again using the updated scores.
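
Added example (not part of the ICAO document and not WGTR code): the aggregation in 1.14 and the re-application step in 1.15 written out in Python, with a sweep showing which residual risk ratings the example scenario can reach while its vulnerability score is still undetermined. The function and class names, the specific scores chosen inside the stated bands (likelihood 4, consequences 10), the vulnerability scores 3 and 6, and the placement of a non-integer total that falls between two printed bands in the higher band are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Bands of the ten-point scale (1.6 to 1.11): (lowest score, highest score).
PARAM_BANDS = {
    "LOW": (1, 2),
    "MEDIUM-LOW": (3, 4),
    "MEDIUM": (5, 6),
    "MEDIUM-HIGH": (7, 8),
    "HIGH": (9, 10),
}

# Upper bound of each residual risk band in the 1.14 table, lowest first.
# Assumption: a non-integer total between two printed bands (e.g. 7.55)
# is placed in the higher band.
RISK_BANDS = [
    (7.5, "LOW"),
    (13.5, "MEDIUM-LOW"),
    (19.5, "MEDIUM"),
    (25.5, "MEDIUM-HIGH"),
    (30.0, "HIGH"),
]
PARAMETERS = ("likelihood", "consequences", "vulnerability")


def risk_rating(total):
    """Map a summed score (3.0 to 30) to the five-point residual risk rating."""
    if not 3.0 <= total <= 30.0:
        raise ValueError(f"risk score {total} is outside 3.0 to 30")
    return next(rating for upper, rating in RISK_BANDS if total <= upper)


def residual_risk(likelihood, consequences, vulnerability):
    """Return (risk score, risk rating) for three scores on the 1-10 scale."""
    scores = (likelihood, consequences, vulnerability)
    for name, score in zip(PARAMETERS, scores):
        if not 1 <= score <= 10:
            raise ValueError(f"{name} score {score} is outside 1 to 10")
    total = sum(scores)
    return total, risk_rating(total)


def rating_envelope(likelihood_band, consequences_band):
    """Ratings reachable while the vulnerability score is still undetermined.

    Sweeps every integer score inside the two named bands against every
    vulnerability score from 1 to 10 and returns
    {risk rating: sorted vulnerability scores that can produce it}.
    """
    l_lo, l_hi = PARAM_BANDS[likelihood_band]
    c_lo, c_hi = PARAM_BANDS[consequences_band]
    reachable = {}
    for lik in range(l_lo, l_hi + 1):
        for con in range(c_lo, c_hi + 1):
            for vul in range(1, 11):
                _, rating = residual_risk(lik, con, vul)
                reachable.setdefault(rating, set()).add(vul)
    return {rating: sorted(vuls) for rating, vuls in reachable.items()}


@dataclass
class ScenarioAssessment:
    """One row of the risk matrix, with the reasons called for in 1.16."""
    scenario: str
    likelihood: int
    consequences: int
    vulnerability: int
    rationale: dict = field(default_factory=dict)

    def residual(self):
        return residual_risk(self.likelihood, self.consequences,
                             self.vulnerability)

    def revise(self, parameter, new_score, reason):
        """1.15: change one parameter after review and re-apply the formula."""
        if parameter not in PARAMETERS:
            raise ValueError(f"unknown parameter {parameter!r}")
        scores = {name: getattr(self, name) for name in PARAMETERS}
        scores[parameter] = new_score
        result = residual_risk(**scores)  # validates before anything changes
        setattr(self, parameter, new_score)
        self.rationale.setdefault(parameter, []).append(reason)
        return result


def example_assessment():
    """The page's example scenario with constructed vulnerability scores."""
    row = ScenarioAssessment(
        scenario="Aircraft used as a weapon, commandeered by cabin crew",
        likelihood=4,     # assumed score inside MEDIUM-LOW (example matrix)
        consequences=10,  # assumed score inside HIGH (example matrix)
        vulnerability=3,  # constructed: the matrix leaves this as "SCORE"
    )
    first = row.residual()
    revised = row.revise("vulnerability", 6,
                         "constructed reason: measures not sustained over time")
    return first, revised, row.rationale


if __name__ == "__main__":
    print(example_assessment())
    print(rating_envelope("MEDIUM-LOW", "HIGH"))
```

Because the three scores are summed, the sweep shows that a scenario held at MEDIUM-LOW likelihood and HIGH consequences cannot reach a HIGH residual risk rating whatever vulnerability score is assigned.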

1.16 It is helpful to record in the risk matrix or elsewhere the main reasons for the conclusions reached during the
risk assessment process. This will be important when reviewing the assessments or using them to inform policy responses.

1.17 The final rankings can only offer a guide to policy-making and to the relative prioritization of different threat
types. Local circumstances differ, and States or other entities should take into account all relevant local factors in
conducting their own risk assessments.

1.18 The different elements of the risk assessment are likely to evolve over time, for example, if there is a change
in the threat picture or if new mitigating measures are implemented; it is therefore important to keep these assessments
under periodic review and to reassess them in light of any relevant incidents or threat change.

1.19 For each threat scenario, having considered the residual risk and the extent to which it is already mitigated,
it will be helpful to capture any conclusions regarding further measures that could be taken to address residual
vulnerabilities that have been identified. At the global level this could include, for example, proposals to develop
amendments or updates to Annex 17 and the Aviation Security Manual (Doc 8973 – Restricted).

1.20 For States or other entities wishing to apply this method to their own risk assessments, any resulting residual
risks that are uncovered should be reviewed, and possible additional security measures evaluated, to see whether they
can provide effective, practicable, and sustainable mitigation commensurate with the threat.

Example risk matrix (residual risk and additional mitigations)

| Scenario | Likelihood | Consequences | Mitigations | Vulnerabilities | Residual risk | Additional mitigations |
|---|---|---|---|---|---|---|
| 9/11 scenario: large commercial passenger aircraft commandeered by cabin crew using a weapon and aircraft used as a weapon itself | MEDIUM-LOW. – No precedent or known planning related to flight/cabin crew as an operative for a 9/11 style attack, but known incidences of radicalization of flight crew or information on intent; – Noting German Wings 9525 as an indication of the ability to conduct an attack | HIGH. – Loss of life of all on board aircraft; – Loss of life and damage to infrastructure on the ground; – Widespread economic damage; – Loss of confidence as attack perpetrated by trusted insider | Annex 17: – Background checks and recurrent background checks (Annex 17, Standard 3.5.2); – 100% Staff Screening (Annex 17, Standard 4.2.5). Also take into account the Aviation Security Manual (Doc 8973 – Restricted) and national/airport programmes | SCORE (To be determined based on residual vulnerabilities after considering current mitigations in place) | SCORE (To be determined based on assessments of likelihood, consequences and residual vulnerabilities) | What more could be done to mitigate this threat scenario? |

2. ROLE OF MEMBER STATES IN NATIONAL AND LOCAL RISK MANAGEMENT

2.1 Annex 17, Standard 3.1.3, requires that:

Each Contracting State shall keep under constant review the level and nature of threat to civil aviation within its territory
and airspace above it, and establish and implement policies and procedures to adjust relevant elements of its national
civil aviation security programme accordingly, based upon a security risk assessment carried out by the relevant national
authorities.

2.2 Assessment of national, regional or even local aviation security risks, in conjunction with the overall risk
factors, provides important and useful information on potential perpetrators, including terrorists, methods and types of
attacks. While the RCS provides a global high-level view of aviation security risks, it does not attempt to create a detailed
view of national or local risks, or to suggest that one State has higher levels of risk associated with it than another State.
It is therefore the duty of each Member State to make its own assessment of the risk applying to its territory, airspace and
assets, and to implement appropriate risk mitigating measures, taking into account the high-level view presented in the
global RCS.

2.3 Each Member State should document and review its risk assessment periodically, or when significant new
developments arise, in order to maintain an accurate, complete, and up-to-date picture of the risk environment. Member
States also have an obligation to share information with their aviation industry entities to allow them to carry out their own
risk assessments specific to their operations.

2.4 Annex 17, Standard 3.1.5, requires that:

Each Contracting State shall establish and implement procedures to share, as appropriate, with relevant airport operators,
aircraft operators, air traffic service providers or other entities concerned, in a practical and timely manner, relevant
information to assist them to conduct effective security risk assessments relating to their operations.

Note 1.— Guidance on security risk assessment can be found in the Aviation Security Manual (Doc 8973)
and the Aviation Security Global Risk Context Statement (Doc 10108).

Note 2.— Guidance on safety risk management can be found in the Safety Management Manual (SMM)
(Doc 9859).

Note 3.— Guidance on assessing risk over or near conflict zones can be found in the Risk Assessment
Manual for Civil Aircraft Operations Over or Near Conflict Zones (Doc 10084).

Note 4.— Refer to Annex 6, Part I, Chapter 4, Standard 4.1.2 and Annex 11, Chapter 2, Standards 2.19.3
and 2.19.3.1.

2.5 According to Annex 17, Standard 5.3.1, each Member State has the obligation to exchange information and
report to ICAO all pertinent information concerning the security aspects of an AUI. The sharing of information with all
Member States allows for a broader understanding of the global threat to aviation.

3. ESTABLISHING THE THREAT PICTURE

3.1 All national aviation systems are linked to global aviation networks, and terrorists may attack from anywhere
within the international civil aviation system by identifying vulnerabilities to gain access to their intended target. Decision
makers in national authorities and industry entities must therefore take into account how the threat to civil aviation is
developing globally. This does not mean that threat levels are identical around the world; there are regional, national, and
even local variations. However, many threats have the potential to jump national borders very quickly and may manifest
themselves across many regions. This has been exacerbated as terrorist groups have sought to radicalize and inspire
potential adherents around the world through social media, and to proliferate knowledge about possible attack methods.
All States should be aware of the vulnerabilities and consequences associated with such threats. Terrorists are constantly
seeking to identify the perceived limitations of aviation security measures and to identify and exploit remaining
vulnerabilities and weak points within the global system.

3.2 The increasing globalization of travel and of the airline industry means that a successful attack on any aircraft
is likely to involve the citizens of many different countries. And beyond that, the economic consequences of terrorist attacks
on the global aviation system mean that an attack upon the aviation interests of even one State is effectively an attack
upon the aviation interests of all. This further reinforces the need for all States and aviation organizations to pay close
attention to threats to aviation, even if they do not consider themselves to be directly threatened by a terrorist attack.

3.3 Given the global character of the terrorist threat to the aviation system (and the global nature of the aviation
system generally), it follows that terrorist attacks upon the aviation system have global consequences. Public anxiety and
economic disruption caused by a terrorist attack — two of the key terrorist objectives — will manifest themselves well
beyond the borders of States that are the locations of or direct targets for terrorist attacks. Even terrorist attacks failing to
have direct consequences have the demonstrated ability to achieve terrorist objectives, because the fear and uncertainty
that they generate are often no less than that arising from a successful attack. Further, the global span of the media and
the internet — specifically exploited by increasingly aware and capable terrorist groups — grants terrorists the ability to
reach audiences worldwide, via news reporting or their own propaganda, almost instantaneously.

Potential perpetrators of terrorism

3.4 Terrorists have varied cultural and social backgrounds, live in differing social circumstances and act from a
number of different extreme motivations and intentions in committing or planning acts of terrorism. They may act for
political, religious, social, environmental and/or personal (e.g. economic or mental health) reasons. Terrorists that have
been involved in attacks against civil aviation have included:

a) members of established and organized terrorist groups;

b) members of regional affiliates and allies of such groups;

c) insiders within the aviation sector recruited by such groups to help facilitate attacks;

d) so-called ‘lone wolf’ terrorists, who have limited or no links to such groups; and

e) radicalized individuals who travel to areas of conflict and undergo training and militarization, then plan
and execute an attack outside of the conflict zone.

3.5 Terrorists may act on their own initiative — the self-radicalized and self-organized — or as a part of wider
groups and support structures. In both cases, they may be employed in the aviation industry or in supply chains serving
it. Terrorists continue to view insiders, depending on their role, as a potentially useful resource to facilitate attack planning,
either knowingly or unknowingly, willingly or through coercion, because of their specialized knowledge of security
measures and potential access to security restricted areas (SRAs) and aircraft. Guidance on possible methods for
assessing the risk from threat scenarios involving insiders is contained in Appendix C.

Terrorism and criminality

3.6 Consideration should be given to the possibility of connections between criminality and terrorism. Criminal
activity in the aviation and transportation arenas, when recognized, may point out vulnerabilities in security practices,
expose weaknesses in security posture or identify individuals who may be coerced or persuaded to assist terrorists. Where
weaknesses are exploited for criminal purposes, they may also be exploited for terrorist purposes.

3.7 There may also in some cases be links between criminal networks and terrorist groups or sympathizers.
Criminal activity may provide funding, weapons and/or facilitation for terrorist groups and activities. As States continue to
seize terrorist assets worldwide, extremist groups resort to criminal activities to fund their operations of violence and terror.
The following criminal activity can sometimes be linked to the funding or facilitation of terrorist groups and activity:

a) smuggling of humans, drugs, cash and/or contraband;

b) drug trafficking;

c) kidnapping;

d) provision of weapons; and

e) use of fraudulent documentation or identity.

3.8 Criminal activity may also be used by terrorists in attempts to test specific security measures and learn how
to overcome them. In addition, surveillance can be carried out by terrorists in order to check security systems, processes,
and habitual activity in any setting, either covert or overt.

3.9 Identifying criminal activity in the aviation security environment may lead to identifying terrorist activities or
evidence of support of terrorist missions. Any unusual or increased incidence of criminal activity in transportation sectors
should be noted and, where practicable, shared among relevant State agencies and jurisdictions, such as law enforcement,
and between Member States.

Sharing of threat information

Types of information

3.10 In conducting a risk assessment, it is necessary to assemble information about the threat, particularly
possible targets and modus operandi. Such information may come from a variety of sources, such as:

a) actual security incidents and occurrences, including successful or thwarted attacks on aviation, which
provide information on terrorist objectives and methodologies. Guidance material on the reporting of
aviation security occurrences and incidents can be found on the ICAO website⁵;

b) closed sources, primarily counter-terrorist intelligence and assessments, which may be gathered or
generated by intelligence, law enforcement and other agencies of States; and

c) open sources, which may include publicly-available information on unusual or suspicious occurrences,
and the availability of items that could be used for terrorist purposes, and any other information that may
contribute to the threat picture.

Bilateral, multilateral, and global information sharing

3.11 Open lines of communication, both formal and informal, between the aviation security officials of States
assist in the rapid exchange of information between States, including any change in the threat level or the nature of the
threat. The timely dissemination of such information to other States and to industry, to the extent possible, can often help
in the mitigation of such threats, and should be considered as part of the response to a new or increased threat. The
exchange of information on techniques used to try to breach security, experience with security equipment, and operational
practices is also extremely advantageous. States are reminded that Chapter 2, Section 2.4 of Annex 17 places
obligations on them to cooperate in such exchanges of information.

3.12 States should develop internal procedures for the analysis and dissemination of threat information in order
to ensure that appropriate actions are taken by aircraft and airport operators to counter the identified threat, and to assist
with their own risk assessment processes. Information should be disseminated to individuals with appropriate security
clearances where such information can assist them to carry out their security functions effectively and develop a better
understanding of the threat and risk environment.

3.13 States with limited resources for collecting and disseminating threat information may wish to seek assistance
from others within their region or elsewhere who may be able to provide assistance in this regard. States may also consider
implementing security occurrence and incident reporting mechanisms, as indicated in 3.10, to enable individuals, entities
and organizations in the aviation system to communicate these occurrences and incidents.

3.14 Details of important developments, such as actual or attempted attacks on aviation, and new or unusual
methods of operation and techniques used by perpetrators, should be promptly disseminated to other States and ICAO.
The WGTR will help provide advice and relevant guidance in such cases. While public knowledge of such matters is
undesirable, officials responsible for airport and aviation security should be informed as soon as possible to facilitate the
early development and implementation of effective countermeasures and procedures.

5 https://www.icao.int/Security/SFP/Pages/Incident-Reporting-Guidance-and-Taxonomy.aspx

3.15 Urgent communications may be facilitated through use of the ICAO Aviation Security Point of Contact (PoC)
Network, established for the communication of imminent threats to civil air transport operations. Pursuant to Assembly
Resolution A40-11: Consolidated statement of continuing ICAO policies related to aviation security, States who have not
done so are urged to participate in the ICAO PoC Network.

3.16 If a State has specific information about a possible incident involving an aircraft operator or airport, it should
immediately and concurrently inform the State(s) where the incident may take place, directly through the ICAO PoC
Network or through the local diplomatic mission or other appropriate channels. If a State is unable to communicate urgent
information to another State, it should immediately request the assistance of a third State or ICAO.

3.17 Security incidents reported by staff, crew, ground personnel, subcontractors, media, the public and/or
passengers should be analysed by a security subject matter expert, or the authorities in case of direct reporting. Immediate
corrective actions should be taken to address vulnerabilities identified in the report. To allow for a structured and
harmonized collection of relevant data, security incident reports should at least contain the information outlined in the
guidance material on the reporting of aviation security occurrences and incidents⁶.

3.18 As soon as possible after the appropriate authority is made aware of a security incident, a review and
analysis of the event should be conducted by the appropriate authority. The results of this review and analysis should be
made available to all participants, along with the recommendations of the appropriate authority for civil aviation security
for general improvement and for the correction of any vulnerabilities or deficiencies identified. ICAO should be notified, at
the earliest opportunity, of any action undertaken by a State to correct a deficiency.

3.19 States concerned with an act of unlawful interference should provide ICAO with all pertinent information
concerning the security aspects of the occurrence as soon as practicable after the act is resolved. States should, whenever
appropriate, provide copies of reports prepared for ICAO to other States that may have an interest. Reported incidents
can be classified and categorized using the following table (from the guidance material on reporting of aviation security
occurrences and incidents; please visit the ICAO website for the most up-to-date version⁷).

Class* Category**

Landside security
Discovery or use of vehicle-borne improvised explosive device (IED)

Discovery or use of person-delivered IED

Armed attack

Unattended/suspicious items (also applicable airside)

Chemical, biological and radiological (CBR) attack

Damage to critical infrastructure/vulnerable points

Suspicious behaviour

Unplanned disruptions, including bomb threat or hoax


Passengers and cabin baggage
Discovery or use of prohibited item/IED

Deficiency in the security checkpoint screening process

Mixing of screened and unscreened passengers

Suspicious behaviour

6,7 https://www.icao.int/Security/SFP/Pages/Incident-Reporting-Guidance-and-Taxonomy.aspx

RESTRICTED
A-14 Aviation Security Global Risk Context Statement

Class* Category**

Staff and crew


Deficiency in the security checkpoint screening process

Discovery or use of prohibited item/IED

Sabotage

Insider bypassing security controls

Deliberate attempt to circumvent vetting/background check regime


Access control
Breach or attempted breach of perimeter
Unauthorized access to security
restricted area (SRA) or other controlled area (non-staff)

Unauthorized/unescorted access within SRA (staff)

Suspicious behaviour of staff

Deficiency in the access control system

Deficiency in the ID pass issuing system


Deficiency in the vehicle access control system including application of
security controls and/or screening of occupants and vehicles
Hold baggage
Discovery or use of prohibited item/IED

Deficiency in protecting screened hold baggage

Evidence of tampering of screened hold baggage


Deficiency in the hold baggage screening (HBS) system or process
(including passenger baggage reconciliation)

Deficiency in the process of transportation of dispatched weapons


In-flight supplies
Unauthorized access to in-flight supply facility

Deficiency in protecting secure supplies

Evidence of tampering of secured in flight supplies

Deficiency in applying security controls

Discovery or use of prohibited item/IED


Airport supplies
Unauthorized access to facility

Deficiency in protecting secure supplies

Evidence of tampering of secured airport supplies

Deficiency in applying security controls

Discovery or use of prohibited item/IED


Aircraft protection on the ground
Unauthorized passenger on the aircraft

Unauthorized staff on the aircraft

Deficiency in the aircraft security search/check

RESTRICTED
Appendix A. Risk assessment method, process map
and guidance information for Member States A-15

Class* Category**
Deficiency in aircraft protection measures, including where aircraft are
parked overnight

Discovery or use of prohibited item/IED in the aircraft cabin or hold


Aircraft in-flight security measures Unruly passenger (to be considered for level 3 and 4 (see ICAO Aviation
Security Manual) only to be reported)

Deficiency in the cockpit door process/protection

Discovery or use of prohibited item/IED

CBR attack

Hijacking in flight

Bomb threat in flight


Cargo and mail
Unauthorized access to cargo screening facility

Deficiency in the screening process

Discovery or use of prohibited item/IED

Deficiency in protecting secured cargo

Evidence of tampering of secured cargo

Deficiency in the acceptance process

Suspicious activity
Air Traffic Control
Armed attack against air traffic control (ATC) facility

Destruction or damage of air navigation aids

Unauthorized access
Digital information and technologies
Attack against aircraft system(s)

Attack against air traffic management (ATM) system(s)

Attack against airport system(s)

Attack against other critical systems and data


Unmanned aircraft system(s) (UAS) /
Unauthorized incursion into controlled airspace
Unmanned aerial vehicle (UAV) /
Near miss/Encounter with aircraft in flight
Remotely-piloted aircraft system(s)
Strike/Collision with aircraft in flight
(RPAS)
Sighting from aircraft/airport

Unmanned aerial vehicle (UAV) caused threat against aircraft

UAV caused threat against airport infrastructure

UAV caused threat against passengers


Stand-off weapon (MANPADs, etc.)


Attack on aircraft or airport facility

Reported sighting
Lasers 8
Attack on aircraft or airport facility

Reported sighting

Suspicious activity
Aviation security information
Deficiency in protecting sensitive aviation security information

Loss of integrity and availability of information systems


General Aviation/Aeroclubs
Unauthorized access

Discovery of prohibited item/IED

*Class: describes the topic the security incident would refer to, such as ‘access controls’, ‘hold baggage’ or ‘cargo/mail’.
The chosen identifiers are already commonly used in Annex 17 and the Aviation Security Manual, and are expected to be
easy for entities to refer to and relevant for authorities to make assessments.

**Category: indicates a more specific description of the security incident involved. The categories differ per class as the
possible security incidents vary depending on which aviation security process they relate to. For instance, the class ‘aircraft
protection on the ground’ includes the category ‘deficiency in the aircraft security search/check’, whereas the class ‘hold
baggage’ includes the category ‘deficiency in protecting screened hold baggage’. There would also be a category ‘other’
for those incidents that may be too rare to justify a separate category or which may be considered a new threat or
vulnerability. However, this option should only be used when none of the other categories seems suitable.

3.20 States should consider ways in which they can improve their existing systems for sharing information
internally and with industry. For example, some States occasionally issue information bulletins on matters that may be
relevant to the threat and risk to aviation, and circulate them at an unclassified level. Others review classified information
and, if it is deemed useful to the wider aviation security community, rework it at a lower level of classification to enable its
wider dissemination.

3.21 At the same time, care must be taken to avoid or limit the public dissemination of sensitive information,
including its availability on the internet, where this may potentially assist perpetrators in researching, preparing or
conducting attacks against aviation. This includes information about the capabilities or vulnerabilities of security systems.
While security information, if used correctly and carefully, can have a significant and important deterrent effect, attention
must be paid to the risk that some information, for example, about vulnerabilities, may facilitate or even inspire attacks.

______________________

8 Incidents involving the use of lasers may be reported as part of safety reporting programmes and safety management systems. It is
therefore recommended that relevant national authorities provide clear guidance on how best to report such incidents.

APPENDIX B

SUMMARY OF WGTR RISK ASSESSMENTS
FOR ALL THREAT SCENARIOS

The following provides a high-level assessment of the relative risk from each major threat category, as
currently assessed by the WGTR. A single threat category will normally cover many separate scenarios or sub-scenarios,
which have been analysed individually using the methodology outlined elsewhere in this document.

Under each threat category is an explanation of the general scenario, as well as findings with regard to each
threat scenario, specifically the likelihood, consequences, mitigating measures, residual vulnerability, and residual risk.

It is important to keep in mind that these risk results reflect the global picture and not a regional or national
picture.

1. PERSON-BORNE IMPROVISED EXPLOSIVE DEVICES
(ON THE BODY OR IN CABIN BAGGAGE)

1.1 This scenario covers person-borne improvised explosive devices (PBIEDs), whether borne by passengers
or crew. PBIEDs may be concealed and/or detonated while on the body of a person or in the possessions they are carrying,
such as cabin baggage, in a suicide attack. This remains a highly likely and favoured modus operandi among some
terrorist groups, who continue to devote considerable innovative effort to developing novel forms of construction,
concealment, and conveyance of such IEDs. The principal target for this type of attack is assessed to be an aircraft in
flight, but an IED may also be deployed to attack airport targets in landside or, less likely, in controlled airside environments.
Noting the relatively high number of such plots and attacks (e.g. the shoe bomber in 2001, the liquid explosives plot in
2006, the attack on NW253 in 2009, the second underwear bomber plot in 2012, the toothpaste explosives plot in 2014,
the Daallo airlines attack in 2016, and the Sydney, Australia plot in 2017) and current technical detection capabilities,
which continue to improve, the following have been identified as key variables for consideration within this threat category:

a) means of concealment and conveyance — directly as a PBIED either on the body or in cabin baggage,
as for instance in large complex devices, either mechanical, electric or electronic;

b) whether the IED is brought to the airport fully assembled or taken through security controls in component
form, possibly using novel and challenging forms of concealment for later assembly;

c) perpetrator: passenger or member of staff (in which case the latter may also facilitate the former);

d) construction: low- or no-metal content (LNMC) or metallic parts; and

e) the use of liquid or solid explosives.


Likelihood

1.2 The risk assessments in the scenario used for the RCS identify specific scenarios to take these various
factors into account in different combinations. These produced a range of residual risks and the following broad
conclusions:

a) IEDs using liquid explosives are harder to construct than those using solid explosives;

b) metallic components are currently easier to detect than devices with LNMC;

c) the concealment potential of a complex IED in cluttered cabin baggage is considerable; and

d) the use of passengers to deliver such devices appears more likely than the use of insiders.

1.3 Low- or no-metal content PBIEDs containing solid explosives carried by passengers or staff are the most
likely threat scenarios as currently assessed by the WGTR.

1.4 PBIEDs carried by passengers, including those in electronic and electromechanical devices, represent the
greatest concern, with intent and capability present leading to a likelihood assessment of HIGH.

Consequences

1.5 It is highly likely that detonation of an IED on an aircraft in flight would produce catastrophic consequences,
resulting in mass fatalities, loss of the aircraft, and considerable collateral damage on the ground, especially if the location
at the point of detonation is taken into account, as in the attempted attack on flight NW253 in 2009.

1.6 Taking a reasonable worst-case scenario, the consequences of an attack using a PBIED are considered
HIGH.

Mitigating measures

1.7 Key current mitigating measures include control of access to the target, guarding and searching of aircraft,
and screening of passengers and persons other than passengers and their possessions. However, it is recognized that
such devices are unlikely to be detected at a screening point where the focus is on metal detection, especially if the device,
or its component parts, are artfully concealed, thereby posing a challenge for simple screening methods. New screening
technologies provide better explosive detection capability but are not globally implemented.

Residual vulnerability

1.8 In the specific case of IEDs concealed in large electronic devices such as laptops, tablets or larger mobile
phones, or in larger electromechanical items such as household equipment containing electrical motors, which some
terrorist groups are known to have been actively exploring in efforts to defeat some current common security measures,
the overall vulnerability for this specific scenario is assessed as MEDIUM-HIGH.

Residual risk

1.9 The overall residual risk for PBIEDs as a category is therefore assessed as HIGH.


Possible additional measures

1.10 Other possible mitigating measures include:

a) use of appropriate screening methods that are capable of detecting the presence of explosives and
explosive devices carried by passengers on their persons or in cabin baggage, used either continuously
or in an unpredictable manner;

b) upgrades to new EDS that have enhanced capability due to more advanced algorithms with a higher
probability of detection and lower probability of false alarms; and

c) training of ground security officers and flight crew in the detection, reporting, and disruption of post-
security assembly of IEDs. This is one aspect of suspicious activity that behavioural detection
techniques might identify.

2. IMPROVISED EXPLOSIVE DEVICES IN CARGO AND MAIL

2.1 This scenario involves an IED concealed in and taken to its target in an item of cargo. Prior to 2010, there
had been little direct evidence of interest from terrorists in exploiting this route, in spite of much commentary about
perceived vulnerabilities in the cargo system. However, the attempted attacks which both exploited and targeted the
aviation cargo system in October 2010 (printer cartridge bomb plot) and July 2017 provided clear evidence of intent and
capability to carry out attacks of this kind, and there have been further indications of intent in recent years.

2.2 Passenger aircraft, on which the majority of cargo is transported, may be regarded as a more attractive
terrorist target than all-cargo aircraft due to the potential to inflict greater loss of life. However, the 2010 event showed that
the latter may also be a target. Freight may be considered higher risk if it comes from an unknown or private consignor,
containing a mix of items, so as to make detection of an IED more difficult, or originates from a location where terrorists
are known to be active.

Likelihood

2.3 The fact that cargo often travels by indirect routes with multiple sectors, and that the routings and timings
may be difficult to predict, makes it more difficult for terrorists to target a particular flight or type of flight. On the other hand,
terrorist groups have sent “dummy” parcels for the purposes of tracking routes and times (as well as to test screening
procedures). The perpetrators could be private consignees of cargo, or insiders with access that would enable them to
interfere with the cargo post-security screening procedures before it is loaded on to an aircraft. Furthermore, the lower
consequence, compared to mixed passenger and cargo flights due to the significantly lower number of potential victims,
makes all-cargo flights a less attractive target for terrorist groups.

2.4 Given the previous examples and continued interest in this attack path, the overall likelihood is currently
considered MEDIUM-HIGH.

Consequences

2.5 An IED in cargo is capable of having similar consequences to other IEDs in flight if detonated on board a
passenger aircraft. An attack could result in the death of all passengers and crew on an aircraft, destruction of the aircraft,
and damage and possible casualties on the ground. On a cargo-only aircraft, the consequences are likely to include
substantially fewer deaths on board the aircraft, but could still cause collateral damage and possible casualties on the
ground, as well as significant economic damage arising from loss of confidence at the global level in air cargo security.


2.6 Accordingly, the reasonable worst-case consequences for this type of attack are assessed to range from
MEDIUM-HIGH (for all-cargo aircraft) to HIGH (for passenger aircraft), resulting in an overall consequence score of HIGH.

Mitigating measures

2.7 Possible additional mitigating measures include:

a) controlling access to areas where cargo is processed, screened and stored;

b) screening individuals entering such areas for prohibited items that could be inserted in cargo;

c) applying appropriate screening methods to cargo that are capable of detecting plausible IED types
within the type of cargo consignment in question;

d) training screeners to identify IED characteristics and proper reporting procedures;

e) identifying cargo categorized as high-risk and applying more rigorous screening methods to it;

f) implementing effective known consignor and regulated agent regimes;

g) ensuring effective security controls and/or screening procedures are implemented by appropriate
entities throughout the secure supply chain to prevent insertion of an IED in a consignment;

h) ensuring that the security history of an item can be verified by entities for the entirety of the supply chain
once the item has been identified as air freight;

i) cooperating with other agencies such as customs and border control in the sharing of information that
might identify items of concern being consigned for carriage by air or weaknesses in security
arrangements; and

j) checking or analysis of cargo data, such as pre-load data, to identify possible anomalies or other factors
of concern.

Residual vulnerability

2.8 Annex 17 and the associated revisions to the guidance in the Aviation Security Manual (Doc 8973 –
Restricted) have incorporated many of the above mitigations, significantly enhancing previous SARPs that could reduce
vulnerability. However, at this stage, it is not clear if these measures are in general effect at the global level. In addition,
there remain vulnerabilities in the end-to-end cargo process that are not yet addressed by the SARPs contained in
Annex 17.

2.9 Therefore, the current residual vulnerability is considered MEDIUM-HIGH.

Residual risk

2.10 The overall global residual risk of such an attack against an aviation target is considered MEDIUM-HIGH.


3. ATTACKS USING UNMANNED AIRCRAFT SYSTEMS (UAS)
ON AVIATION TARGETS IN AND OUTSIDE OF CONFLICT ZONES

General overview

3.1 The WGTR continues to review the possible risks posed by UAS across a range of potentially plausible
scenarios, within and outside conflict zones, and operated by a range of actors, but focusing particularly on those where
smaller UAS (also known as drones) could be weaponized and used by terrorists to conduct an attack, for example by
attaching a payload to them. Such attacks may be directed at a range of aviation targets.

3.2 Attacks using smaller UAS, which are freely available and now very widely used, are relatively limited in their
destructive power because of the short range and small payload of such devices. While larger, military-grade UAS are
currently much more difficult to acquire, developments in technology mean that there is a growing market for medium-
sized UAS, which could put systems with a range of hundreds of kilometres and capable of transporting payloads of a few
kilograms within reach of terrorist organizations.

3.3 In addition to scenarios involving direct attacks on airports or aircraft, the WGTR has also considered
scenarios involving substance dispersal and scenarios involving disruption to airport operations.

Likelihood

3.4 Smaller UAS are easily obtained and now widely used for both commercial and recreational purposes. They
are a common sight in many parts of the world, where their purchase, construction and use in a number of environments
would not attract suspicion. Owing to the availability on the internet of technological information and materials, the
sophistication of home-made UAS’ range and payload capabilities has risen.

3.5 Use of UAS may also be attractive because it requires little to no infrastructure, can be carried out remotely
and could potentially circumvent security controls on the ground. While direct targeting of an aircraft in flight would be
challenging to carry out successfully, an attack on a taxiing aircraft would be plausible, and attacks on fixed aviation assets
are not only feasible, but have been attempted. There is increasing terrorist interest in using biological and chemical
agents, including interest in disseminating those substances in crowded places, but there is no known intent to use UAS
to deliver such agents against aviation targets.

Conflict zones

3.6 Attacks using UAS against civil aviation assets in conflict zones have steadily increased in recent years.
Terrorists have both the capability and intent to use this technology for nefarious purposes, particularly as lighter,
military-grade explosives are easier to source within conflict zones, as are certain chemical agents.

3.7 The WGTR considers that the trend for use of weaponized UAS is likely to continue, and the likelihood of a
UAS attack against an aviation target in conflict zones is MEDIUM-HIGH.

Outside of conflict zones

3.8 UAS tactics used in conflict zones could be used against commercial airport facilities outside of conflict
zones. There have been examples of weaponized UAS being used against non-aviation targets, and the techniques are
readily transferable to civilian scenarios. Attack planning on civilian targets has been reported in a number of States.
Disruption caused by the reckless or malicious use of small UAS in airspace around airports has also revealed the ease
with which incursions can occur. However, tight controls on military and commercial explosives in non-conflict zones
imply that terrorists would almost certainly need to manufacture their own homemade explosives. Manufacturing
homemade explosives (HME) at a high enough fidelity and a low enough weight to be able to be fitted and carried
successfully remains a barrier to the use of UAS as a delivery mechanism for explosives outside of conflict zones. The
most likely scenario outside of conflict zones is the deliberate disruptive use of either one or more UAS, where previous
incidents have occurred, and where the capability and intent exist.

3.9 The overall WGTR assessment of the likelihood of a UAS attack against an aviation target outside a conflict
zone is MEDIUM-LOW.

Consequences

3.10 In general terms, the larger the UAS, the greater the potential for structural damage caused by explosion,
deaths of people on the ground, loss of aircraft and all on board. Attacks using UAS are likely to have an enormous direct
economic cost, as can deliberate disruptive UAS use.

3.11 The WGTR has classified the reasonable worst-case consequences of a successful attack on an in-flight
aircraft with a UAS carrying an IED payload, both for conflict zone and non-conflict zone situations, as HIGH.

Mitigating measures

3.12 The primary mitigation measures for UAS-themed attacks against aviation are surveillance of areas
surrounding airports that may serve as potential launch sites, and the development of response plans to mitigate risk by
controlled evacuation, combined with resilience plans to enable services to be restored in the event of disruption.

3.13 Other measures include regulatory systems, such as licensing and registration, and technical solutions to
disrupt UAS in flight. UAS designed for specific commercial purposes (e.g. agricultural sprayers) are often subjected to
more stringent safety regulatory requirements. However, some of these built-in safety mechanisms can be disabled and
regulatory regimes can be bypassed. While counter-drone disruption solutions, such as jamming, have matured over the
course of the past few years, each of the solutions has its limitations, including the ability of UAS to avoid disruption and
the potential disruptive side effects of the use of interception and disruption techniques in the civilian airport environment.
Regardless, these solutions are not widely deployed and, in addition, homemade UAS are very complicated to disrupt
using technological solutions.

Residual vulnerability

3.14 The inherent difficulty in preventing the acquisition and malicious use of UAS devices, the increasing range
and payload of UAS, and the limited ability to track and prevent use near airports mean that the WGTR has assessed the
vulnerability to attacks on aviation facilities in conflict zones and outside conflict zones as MEDIUM-HIGH.

Residual risk

3.15 The development of this threat, in particular the increasing use of this methodology in conflict zones,
and the likelihood of this type of attack increasing faster than mitigations can be developed, lead the WGTR to assess
the residual risk of an attack by UAS on aviation targets in conflict zones as MEDIUM-HIGH. The WGTR has assessed
the residual risk of an attack on aviation targets outside conflict zones as MEDIUM.


4. LANDSIDE ATTACKS
(INCLUDING LANDSIDE VEHICLE-BORNE IMPROVISED EXPLOSIVE DEVICES)

4.1 Attacks on the landside area of an airport considered in this category include attacks using a person-borne
IED (PBIED), vehicle-borne IED (VBIED), vehicle ramming, armed assault, and other such attacks (CBR attacks have
been considered separately). An attack launched in the public area of an airport, where entry screening is not generally in
place, is likely to be easier to perpetrate than an attack in the SRA of an airport, which can usually only be accessed by
going through screening.

4.2 Some of the latest examples of landside attacks include: June 2022, an individual who opened fire in the
check-in area of Dallas Love Field Airport in the United States; and January 2017, an individual who opened fire in the
arrivals hall of Fort Lauderdale-Hollywood International Airport in the United States. In June 2016, two assailants armed
with firearms and explosives belts approached the security checkpoint, opened fire, and detonated IEDs on their persons
at Istanbul’s Ataturk Airport in Turkey. A third attacker set off an explosion in a parking lot across the street from the
terminal. In March 2016, terrorist-affiliated attackers detonated two IEDs in the check-in area of Brussels’ Zaventem Airport
in Belgium. All four attacks caused multiple deaths and injuries and, in the case of Brussels, substantial damage to the
airport and disruption to its operations.

Likelihood

4.3 Not only have several landside attacks occurred in the last few years at airports, but there is evidence of
intent among terrorists to conduct further similar attacks in a range of crowded places. These types of attack are relatively
simple to perpetrate, and do not require the level of planning associated with attacks on aircraft, as security measures of
the SRA do not need to be defeated for an attack to be successful. Due to recent military conflicts, arms and ammunition,
as well as explosives, may be more easily accessible to those intending to carry out these types of attacks even in non-
conflict zones. Therefore, the WGTR has taken into account the proliferation of weapons in its analysis.

4.4 The likelihood of a landside attack is assessed as MEDIUM-HIGH.

Consequences

4.5 While the attacks in Moscow (2011), Brussels and Istanbul have shown that the human costs may result in
many deaths, and there is the possibility of significant physical damage to facilities, the reputational and other
consequences of such an attack may not be as high as those associated with, for instance, a successful attack on an
aircraft. This is because a landside attack would be more closely associated in the public mind with other types of attacks
on crowded places, and without the additional fear factor that may be associated with a successful attack on an aircraft in
flight and the defeat of aviation security measures designed to prevent this.

4.6 In the case of an attack by multiple shooters or bombers, as in Brussels, both human and economic
consequences will naturally tend to be more severe, with attack strategies potentially evolving to maximize both.

4.7 While the consequences of such attacks could vary depending on the nature of an attack, the current overall
assessment is considered MEDIUM.

Mitigating measures

4.8 Annex 17 Standards 4.8.2 and 4.8.3 require security measures to be applied in landside areas and to be
coordinated across relevant national and other entities. The primary mitigation measure at most airports is likely to be a
strong law enforcement presence that can both deter and respond rapidly to an attack. Other possible mitigating measures
include:


a) training of staff to spot anomalous behaviours or actions;

b) random and unpredictable screening measures (likely to be effective as deterrents and/or disruptions
rather than for detection);

c) increased law enforcement patrols;

d) other visible deterrents, such as canine teams;

e) public awareness and security culture campaigns;

f) design of airports to disperse crowds and thus reduce the casualties from a blast, such as by dispersing
self check-in points rather than creating centralized check-in queues;

g) screening of all passengers before entry into the terminal (though such screening can be challenging to
deliver effectively and may serve only to displace the threat);

h) development and regular testing of escalation plans in periods of heightened threat, and response and
recovery plans in the event of an incident; and

i) adapting airport infrastructure to protect people, such as substantial stand-off distances for vehicles via
barriers, relocation of car parks from terminal buildings and vehicle management procedures, as
consistent with risk assessment.

Residual vulnerability

4.9 The residual vulnerability to a landside attack is currently assessed as MEDIUM-HIGH due to the open
nature of the landside areas of most airports.

Residual risk

4.10 Attacks at landside areas do not require any aviation-specific targeting expertise and therefore allow
terrorists the option of carrying out attacks using a number of different methodologies. Mitigation measures in publicly
accessible areas have their limitations; therefore, the overall global residual risk of an attack against a landside aviation
target is assessed as MEDIUM-HIGH.

5. AIRCRAFT USED AS A WEAPON

5.1 The use of an aircraft as a weapon involves the commandeering of a small or large, commercial or general
aviation aircraft. This type of threat remains an attractive modus operandi among terrorists, given its spectacular and
devastating use on 11 September 2001, and would clearly achieve terrorists’ aims. Such a scenario may involve the use
of any aircraft capable of having large scale impacts on a ground-based target as a result of the kinetic energy generated
by its size, speed and weight and, possibly, by any additional fuel or explosive, chemical, or other materials on board.
Smaller, slower, and lighter aircraft generate less kinetic energy and are capable of carrying a smaller payload, but the
reputational and other implications may mean that the use of such an aircraft in this way might still be attractive to terrorists.
The perpetrators could feasibly be passengers or stowaways on cargo-only aircraft, who would need to commandeer the
aircraft; those renting or chartering private aircraft; cabin crew, who would have periodic legitimate access to the flight
crew compartment; or flight crew themselves, who are in control of the aircraft and have the necessary skills to attack a
pre-determined target.


5.2 Despite reductions in the number of hijacks compared to previous decades, multiple attempted and
successful hijackings of aircraft continue to be reported each year. In 2016, EGYPTAIR Flight 181 was hijacked by an
individual claiming to be wearing an explosive belt and directed to fly to Larnaca. While hijacks may generally be for
personal motivations or gain rather than a deliberate act of terrorism, this highlights the possibility for passengers with little
to no technical capabilities to exploit gaps in security measures to take control of an aircraft.

Likelihood

5.3 The WGTR considers the most likely scenarios involve seizure of a larger commercial aircraft, and
understands that terrorist groups have shown a renewed interest in attempting this sort of attack in recent years, with
some examples of aspirational or early stage planning. The events of 11 September 2001 remain the only significant
example of terrorists hijacking an aircraft for use as a weapon, although terrorist propaganda has sought to encourage
similar attacks. There is no precedent or known planning related to flight crew, but the WGTR noted known instances of
crew radicalization. Use of aircraft as a weapon requires a significant amount of planning and resources, including
undertaking pilot training, getting weapons on an aircraft, having sufficient manpower to overcome aircraft crew or
passengers to access the flight deck and/or recruiting insiders. It is likely that terrorists’ perception of the evolving security
measures in place at civil aviation airports has in turn influenced terrorist intent.

5.4 Therefore, the WGTR currently assesses the overall likelihood of such an attack as MEDIUM.

Consequences

5.5 Depending on the size of the aircraft, the human consequences may vary, but the reputational consequences
and negative impact on confidence will still be high, especially if the incident is associated with a high-profile target or
event.

5.6 The consequences remain HIGH in human, confidence, reputational and economic terms.

Mitigating measures

5.7 The most significant single mitigating measure is certainly the use of lockable reinforced cockpit doors on
larger passenger aircraft, and seizures of aircraft have declined considerably since these were generally introduced.
However, their effectiveness as a mitigation is heavily dependent on crews observing correct procedures around cockpit
door security during flight. Other measures to mitigate airborne threats may include both security screening of passengers
and of staff to prevent a weapon or IED being taken onto an aircraft in order to commandeer it, and air-defence measures
to respond to a hijacking. On the basis of risk assessment, tolerance and management, consideration should be given to
which aircraft, such as lighter and smaller general aviation aircraft, may be exempt from such measures by Member States.

5.8 Possible additional mitigating measures could include:

a) installation and operation of lockable flight crew compartment doors on any aircraft felt to be a potential
threat, including, but not necessarily limited to, all aircraft over 45.5 tonnes;

b) installation of secondary cockpit doors to make breaches even more difficult;

c) recruitment, training and potential deployment of an in-flight security officer capability, as per Annex 17,
which may have a significant deterrent effect whether such officers are deployed or not and are able to
react to an incident or not;


d) application of current passenger screening and access control, as per Annex 17, to more categories of
general aviation aircraft;

e) employment and background checks, both initial and recurring, for air crew, including procedures for
identifying and reacting to suspicious behaviour;

f) regular training of crew on appropriate response procedures, as per Annex 6, and associated guidance;

g) promotion of passenger awareness in identifying and reporting any suspicious behaviour;

h) consideration of guidance on response planning and preparedness to deal with renegade aircraft, and
behaviour detection as part of staff screening or crew awareness and reporting programmes; and

i) enhanced background checks on students enrolling in flight school training.

Residual vulnerability

5.9 Even assuming effective implementation of current measures, the WGTR identified a number of remaining
vulnerability factors: the opening of the cockpit doors in flight for operational reasons; that multiple attackers will make it
more difficult for crew and other passengers to intervene; and that if the cockpit is breached then it protects the attacker(s)
and hinders attempts to disrupt the attack.

5.10 The vulnerability score has therefore been assessed as MEDIUM.

Residual risk

5.11 The overall assessed risk reflects the fact that protection against such attacks is generally good on large
commercial aircraft and an assumption that the measures in place are generally being properly implemented. It is
recognized though that greater vulnerabilities exist on business jets, etc., while accepting that the consequences of the
use of smaller, lighter and slower aircraft as a weapon are likely to be lower. The residual risk of such an attack
using an aircraft as a weapon is currently assessed as MEDIUM-HIGH.

6. CHEMICAL THREATS

6.1 The use of chemical weapons in past terrorist attacks against non-aviation targets and on the battlefield in
recent conflicts has underlined both the potential consequences of attacks involving the use of chemical agents and the
importance of conducting assessments of the risk of attacks on civil aviation using these agents.

6.2 Because of the extremely wide range of agents that could potentially be used, the WGTR’s risk assessment
is based on a number of “marker” chemical agents which were considered to be representative of a particular group of
agents with broadly similar characteristics and effects, and/or those most likely to be used. In selecting these marker
agents, consideration was given to a wide range of factors including the physical nature of the substance, its toxicity,
persistence and lethality, ease of production or acquisition, and ease of transportation, concealment and dispersal. The
same factors were also taken into account in conducting the risk assessments.

Likelihood

6.3 Chemical agents are by their nature most effective in closed and weather-proofed environments. Therefore,
threat scenarios involving the distribution of chemical agents in the aircraft cabin or in closed and crowded places such as
airport terminals have been identified as plausible scenarios. The use of poison or toxin to contaminate catered items has
also been considered as a possible means of attack.

6.4 The use of common chemical agents in conflicts evolved during the last century, and has further developed
since. Chemical agents have also been used by terrorist groups for attacks on critical infrastructures in the past (e.g. the
1995 attack on the Tokyo underground). The recent use of chemical agents in conflicts has enhanced the possibility for
certain terrorist groups to gain access to chemical agent stocks and/or knowledge on how they may be used.

6.5 Terrorist groups are known to have an interest in developing and using chemical weapons. However, there
is no clear indication that they currently have the expert knowledge, resources or technical means to deliver more complex
chemical plots. There are instructions on the production of chemical devices on the internet which can be accessed by
individuals globally, but this suggests scenarios involving cruder devices and more readily available substances that can
easily be purchased and/or produced.

6.6 Although aviation may be a target for use of chemical agents in a terrorist attack, based on the reasons
above, other confined and/or crowded places may be perceived as easier and therefore more attractive targets. Aircraft
are less likely to be preferred targets for non-suicide attacks.

6.7 Terrorists have shown interest in the past in obtaining and using chemical agents in landside attacks. Most
recently, in July 2017, the Australian authorities disrupted the activities of a terrorist cell which included attempting to
detonate an IED on board an aircraft departing Sydney. The Australian Federal Police also reported the discovery of
attempts by the plotters to construct an “improvised chemical dispersion device” using readily available materials to
produce a compound that could easily be used to release highly toxic gases. No indication was given of the likely target
of such a device, and none is currently available via open source reporting. However, as noted above, while there may be
easier and more readily accessible targets, an attack against aircraft using such materials is an entirely plausible scenario
which cannot be discounted.

6.8 In light of this, the WGTR assessed the overall likelihood of a chemical attack against aviation as MEDIUM.

Consequences

6.9 Consequences vary extensively from one threat scenario and agent used to another, but many scenarios
are assessed potentially to cause loss of life and considerable economic and reputational damage, as well as negative
impact on confidence. Poisoning scenarios are expected to result in fewer consequences, including perhaps dozens of
deaths. The number of human casualties would depend largely on the poison used and the length of time it would take
individuals to exhibit symptoms or have their lives threatened. While some toxins are fast acting, others may lead to early
symptoms that may allow for an aircraft to be diverted in order for medical attention to be sought. Potential victims would
be only those who directly ingest the toxin and, unless all of the pilots were affected, it could reasonably be assumed that
the aircraft would not be destroyed. If this were the case, there might be the opportunity to take emergency measures to
land the aircraft once symptoms became apparent.

6.10 Overall, taking into account the wide range of scenarios, but primarily based on those which are currently
assessed as more likely, the consequences are considered MEDIUM-HIGH.

Mitigating measures

6.11 While most current aviation security measures are not specifically aimed at the detection or prevention of
chemical attacks, they do offer some potential to deter, detect or disrupt such attacks, particularly those against aircraft.
These include, for example, restrictions on the carriage of liquids within the aircraft cabin. Safety-related measures such
as restrictions on the carriage of dangerous goods on aircraft and the provision of separate air supplies in the flight deck
and passenger cabin may also be partial mitigating factors.

6.12 Banning the carriage in the aircraft cabin of certain substances by including them on a prohibited items list
could be considered, but given the wide range of agents that could be used, and the relatively small amounts required in
some cases, detection is likely to be challenging. Detection algorithms for certain substances are now available for use
on some X-ray equipment alongside automatic explosives detection systems. This offers some mitigation and has the
potential in the future to be expanded to include additional substances, as might explosives trace detection equipment
and explosives detection dogs, if suitably adapted.

6.13 Following the Australia plot in 2017, a number of States introduced measures related to the carriage of
powders in the cabin. These ranged from bans on the carriage of powders above a particular volume, to applying greater
scrutiny to powders during the security screening process to deter the carriage of threat items and assist the identification
of anomalous or potentially harmful powders. These measures are likely to have had some mitigating impact, both as a
deterrent and as a means of detecting unusual or suspicious powders.

6.14 In scenarios where, due to the nature of the chemical agent used and the modus operandi chosen,
prevention of attacks with the current baseline security measures may be unlikely, emergency response procedures are
important in limiting the consequences of the attack. In the event of chemical attacks, the correct and quick handling of
the situation through effective response plans can make a significant difference in the number of casualties that will be
incurred. Therefore, while there may in some cases be limited mitigation against the attack occurring, effective measures
can be put in place in order to limit or reduce the consequences. ICAO guidance on response plans exists for chemical
incidents both on board aircraft and in airports.

Residual vulnerability

6.15 Prevention of certain types of chemical attacks is challenging under existing security arrangements. And
while some airports and aircraft operators may have emergency response procedures in place for chemical attacks, more
may need to be done to ensure that they are generally in place and could be implemented effectively. Measures to detect
an insider intending to contaminate catered goods with toxins may be of limited effectiveness and may not be applied at
off-site facilities located outside the SRA, which raises the possibility that contamination may not be detected. However,
pilots have separate food and individual flight crew members often eat at different times, thus reducing the possibility of
targeting an entire crew.

6.16 So while vulnerability to chemical attacks differs significantly depending on the agents and method used,
overall it is currently assessed as MEDIUM-HIGH.

Residual risk

6.17 The general conclusion that is drawn from the risk assessment conducted by the WGTR is that the relative
global risk of an attack on civil aviation using chemical agents is currently MEDIUM-HIGH.

7. MANPADS, MISSILES AND OTHER ATTACKS FROM A DISTANCE (OTHER THAN BY UNMANNED AIRCRAFT SYSTEMS)

7.1 This threat type involves attacks against civil aviation using MANPADS, missiles and other attacks from a
distance, such as long range surface-to-air missiles (SAMs), and other stand-off weapons (e.g. machine guns, anti-aircraft
guns, rockets, grenade launchers and mortars). Although these represent distinct modes of attack, particularly with regard
to mitigations and responses, their locations and targets present sufficient similarities for them to be assessed and
presented together.

7.2 However, clear distinctions in likelihood and residual risk scores can be drawn between conflict zones or
other areas that have experienced a proliferation of missiles and other weapons, and those areas where such weapons
are not readily available. For that reason, the WGTR has not assessed a single global risk score but has considered it
necessary to differentiate based on the target and the location of attack to include airports in conflict/proliferation zones;
aircraft in conflict/proliferation zones; airports outside conflict/proliferation zones; and aircraft outside conflict/proliferation
zones.

Likelihood – in conflict/proliferation zones

7.3 Attacks against civil aviation from a distance continue to take place, targeting airports in conflict zones, such
as those in East Africa, Eastern Europe and the Gulf States. Multiple terrorist groups globally have access to MANPADS
and, although more modern systems are likely to be more difficult to acquire than previous generation systems, the newer
generation MANPADS are easier to use with limited training and more accuracy. Several MANPADS attacks and planned
attacks have occurred in recent years, and the WGTR judges that MANPADS will continue to provide a potential method
of attack for terrorists.

7.4 Attacks using long range SAMs are less likely as, unlike MANPADS, in most cases, SAMs are held by State
forces and not by terrorist groups. However, the unintentional targeting of civil aircraft at cruising altitudes by SAMs may
occur due to misidentification, miscalculation or defective missiles. Although rare, there have been examples of such
occurrences, and the WGTR considers that overflying areas of armed conflict is likely to involve heightened risk,
particularly where certain risk factors are present. These risk factors include the use of aircraft in the conflict (either in a
combat role or for transportation), lack of command and control over the weapons, operation by poorly trained or
inexperienced personnel (e.g. non-State actors), absence of effective ATM or oversight in the area, and routing over
locations or assets of high strategic importance.

7.5 Stand-off weapons other than MANPADS or SAMs, for example machine guns, anti-aircraft guns and
grenade launchers, may not receive the same international notoriety, nor have as great a negative impact. However, such
attacks have the benefit of using weapons that are in greater supply, usually much less expensive to procure and easier
to operate. Trafficking of small arms and light weapons, which includes most types of stand-off weapons, continues
throughout the world. Such weapons have been used against civil aviation with varying success, resulting in fatalities and
damage to airports and aircraft. It should be noted that the target of such attacks is not usually civil aviation, but military
assets co-located at dual-use airports, and the WGTR assesses that this trend will continue.

7.6 As terrorist intent is well known and there is strong evidence of capability, the likelihood of an attack of this
kind in conflict/proliferation zones is considered HIGH for attacks against airports and MEDIUM-HIGH for attacks against
aircraft.

Likelihood – outside of conflict/proliferation zones

7.7 Attacks from a distance have typically occurred within conflict zones. While terrorists certainly maintain the
ambition to launch MANPADS attacks on civil aviation outside conflict/proliferation zones, they have so far been thwarted,
and the wide dispersal of MANPADS that was feared in past years has not materialized. There have been instances where,
outside of conflict zones, stand-off weapons have been used against airport facilities, and terrorist groups retain the
ambition to carry out these types of attacks.

7.8 The WGTR considers the likelihood of an attack from a distance being launched against an airport outside
of conflict zones as MEDIUM-LOW and on aircraft outside of conflict zones as LOW.

Consequences

7.9 While an aircraft might not always be destroyed by an attack from a distance, the consequences in a
reasonable worst-case scenario of an attack would involve the loss of an aircraft and all persons on board. Whether the
aircraft is downed or not, the economic and reputational consequences, as well as negative impact on confidence, would
be high in all scenarios, but especially if the attack were to occur outside a conflict zone.

7.10 For these reasons, the consequences of an attack from a distance against aircraft in both conflict/proliferation
zones and outside conflict/proliferation zones are assessed as HIGH.

7.11 In comparison, the consequences of an attack from a distance on an airport both in conflict/proliferation
zones and outside conflict/proliferation zones would potentially entail a reduced number of deaths within the airport
environment. Disruption of service and potential economic consequences would likely not be widespread and/or sustained.

7.12 The consequences of an attack from a distance on an airport both in conflict/proliferation zones and outside
conflict/proliferation zones are assessed as MEDIUM.

Mitigations

7.13 Stand-off attacks allow terrorists to conduct an attack without having to pass through airport screening or
most airport security controls. The locations to launch attacks using MANPADS and similar stand-off weapons are likely
to be external to the airport environment, i.e. originate from outside the perimeter of the airport, making the introduction of
mitigation measures more challenging.

7.14 Possible mitigating measures are as follows:

a) conduct of airport neighbourhood vulnerability assessments to identify higher-risk launch areas;

b) implementation of patrolling and community awareness;

c) secure storage and transportation of MANPADS;

d) implementation of non-proliferation measures;

e) training of pilots to use in-flight countermeasures (although they are limited, and there may be no
opportunity to use them);

f) implementation of air traffic control measures (e.g. avoiding the overflight of vulnerable locations such
as elevated ground and conflict zones where possible); and

g) design of facilities and certain equipment to make it more difficult to get in the proximity of possible
targets (e.g. car park design, roof top design, and fences located at a distance from possible targets).

Residual vulnerability

7.15 In general, there are few mitigation measures that could significantly reduce the vulnerability to an attack
from a distance on airports due to the open nature of airports and the capability of some stand-off weapons to attack from
uncontrolled/unsecured off-airport locations.

7.16 The vulnerability to an attack from a distance for both airports and aircraft in conflict/proliferation zones and
outside conflict/proliferation zones is assessed as MEDIUM.

Residual risk

7.17 The risk associated with attacks from a distance on airports and aircraft in conflict/proliferation zones is
considered MEDIUM-HIGH, and is assessed as MEDIUM for airports and aircraft outside conflict/proliferation zones.

8. IMPROVISED EXPLOSIVE DEVICES IN HOLD BAGGAGE

8.1 For IEDs in hold baggage, which may be placed by passengers or by persons with access to the baggage,
including insiders, the WGTR has developed different scenarios for commercial (e.g. military) and HMEs. Each scenario
involves an attack using a fully assembled IED detonated in-flight.

Likelihood

8.2 Terrorists have long aspired to perpetrate attacks via the placement of an IED in hold baggage. This method
of attack offers the possibility of being launched from an entry point upstream from the intended target, as was the case
with Pan Am 103 – Lockerbie. An attack involving an IED in hold baggage need not involve suicide methodologies, which
may present some advantages as a means of attack; however, these advantages are likely to be offset by the
disadvantages associated with loss of control over the IED once it has entered the hold baggage system, making a PBIED
a more attractive attack methodology than an IED in hold baggage. Materials for HMEs are not considered difficult to
acquire, and instructions for building them are easily accessible. The WGTR also notes that adversaries have previously
chosen to use commercial explosives based on known tactics, techniques and procedures. Although these explosives are
potentially more powerful than HMEs, they are more difficult to acquire.

8.3 Taking into account the factors above, the overall likelihood of terrorists perpetrating an attack using an
assembled IED in hold baggage is assessed as MEDIUM-LOW.

Consequences

8.4 It is highly likely that detonation of an IED on an aircraft in flight would produce catastrophic consequences in
mass fatalities, loss of the aircraft, considerable collateral damage on the ground, as well as economic damage.

8.5 Taking a reasonable worst-case scenario, the consequences of an attack using an assembled IED in hold
baggage are considered HIGH.

Mitigating measures

8.6 Hold baggage screening, reconciliation of hold bags and post-screening baggage protection are the principal
mitigations against an attack using an IED in hold baggage. Amendment 18 to Annex 17 introduced the requirement for
hold baggage screening methods to be capable of detecting explosives (Standard 4.5.2), but there remains some variance
in the screening standards, techniques and equipment in use.

Residual vulnerability

8.7 Whilst there are multi-layered mitigations in place to mitigate an attack via IED in hold baggage, some
implementation vulnerabilities remain, particularly in relation to screening of transfer hold baggage and the possible use
of IEDs that may be ingeniously concealed.

8.8 The vulnerability to this threat type is therefore assessed as MEDIUM.

Residual risk

8.9 The overall residual risk for IEDs in hold baggage is currently assessed as MEDIUM.

Possible additional measures

8.10 Other possible mitigating measures include:

a) consideration to be given to the employment of enhanced screening methods to detect a wider range
of explosives types and plausible IEDs (both commercial and HMEs), and preserving the integrity of the
baggage along the chain of custody between screening of hold baggage and loading onto the plane. In
particular, closer examination could be given, mainly with everyday items, including through the use of
random and unpredictable screening methods;

b) upgrades to new EDS that have enhanced capability due to more advanced algorithms with a higher
probability of detection and lower probability of false alarms; and

c) training of security officers and flight crew in the detection, reporting and disruption of post-security
assembly of IEDs. This is one aspect of suspicious activity that behavioural detection techniques might
identify.

9. IMPROVISED EXPLOSIVE DEVICES IN SERVICES

9.1 The WGTR assessed a range of scenarios related to the introduction of an IED into catering supplies and
aircraft services, most likely by an insider, to target passengers and/or crew on a commercial aircraft. The assessment
included risks related to catering items such as food and beverages (including liquor) provided by the aircraft operators,
as well as in-flight supplies (e.g. pillows and blankets). The WGTR assessed the risks associated with the introduction of
these threat items via “on-airport” facilities that operate within or have direct access to SRAs and “off-airport” facilities
within the supply chain that are not located on airport premises.

9.2 The WGTR also assessed a range of scenarios related to the introduction or misuse of IEDs in airport
supplies — that is to say, materials introduced to the airport, including SRAs, but not necessarily destined to be taken on
board an aircraft. These scenarios mostly reflected variations of those already considered in the assessment of risks
relating to in-flight supplies, or lower-consequence scenarios involving misuse of knives, tools, etc., introduced legitimately
into the airport. The assessment below therefore concentrates on scenarios involving in-flight supplies whose residual risk
is higher than the airport scenarios also considered.

Likelihood

9.3 There is known capability to construct and detonate IEDs, and it is possible to conceal such prohibited items
and take them on board as part of the servicing of aircraft on the ground, for example inside catering trolleys. However,
catering and other supplies are not known to have been used as a means of concealment to date, and there is no current
indication of intention in this regard, possibly due to the difficulty in targeting a specific flight and a high level of uncertainty
regarding timing and delivery of catering and supplies to an aircraft from off-site locations. The possibility of the coercion
or collusion of individuals to hide a device inside catering or other on-board supplies cannot, however, be discounted.

9.4 The likelihood of an IED attack via catering or other services is currently assessed as MEDIUM-LOW.

Consequences

9.5 The detonation of an IED successfully introduced onto an aircraft in catering and in-flight supplies could be
expected to destroy the aircraft in a reasonable worst-case scenario. This would result in hundreds of lives lost and
far-reaching and sustained economic damage. It is likely that there would also be a loss of public confidence in the security
of air travel.

9.6 Given the attendant loss of life, economic consequences and reputational costs associated with a successful
insider IED attack, the consequences for this type of attack are considered HIGH.

Mitigating measures

9.7 Measures such as staff screening, background checks and the inspection and protection of supplies in transit
and at the airport each provide an opportunity to detect IEDs, although many of these measures may not be in place at
off-site facilities located outside the SRA, where ICAO SARPs may not be applied.

9.8 Additional mitigations to be considered might include:

a) establishment of secure supply chains, and assuring the security of those supply chains by regulation
and other means, as for cargo;

b) location of catering facilities within the SRA;

c) comprehensive intelligence-based background checks, both initial and recurring, on staff with direct
access to catering and flight supplies;

d) physical security and access controls for staff, catering and in-flight supplies;

e) staff screening at supplier premises and for goods in transit, as well as for those staff with direct access
to items destined for the aircraft;

f) employee awareness campaigns;

g) application of appropriate security controls on different types of supplies; and

h) limitation of access to relevant flight information for caterers and other suppliers to make targeting of
specific flights more difficult.

Residual vulnerability

9.9 Significant vulnerabilities may exist from catering and other supplier facilities located outside the SRA, given
that these operate outside ICAO SARPs, especially if supplies are delivered and introduced directly to aircraft with no or
limited further checks, or where those checks may easily be circumvented by a knowledgeable insider. The highest
residual vulnerability was assessed to be the introduction of IEDs into catering supplies by insiders during the
transport/loading of materials brought in from off-site. Even where ICAO SARPs apply, there is limited confidence in the
effective application of mitigating measures at the global level.

9.10 Overall, the residual vulnerability related to an insider introducing an IED into catering and aircraft supplies
is currently assessed as MEDIUM.

Residual risk

9.11 The overall residual risk associated with an attack against aviation using an IED concealed in catering and
aircraft supplies is currently assessed as MEDIUM.

10. AIRPORT SUPPLIES

10.1 The WGTR has assessed a range of scenarios involving the use of IEDs, firearms or other prohibited articles
being introduced to the SRA via airport supplies. The group also considered the possibility of the tampering with
safety-critical supplies and equipment (i.e. fuel, de-icer, etc.) to bring down an aircraft.

Likelihood

10.2 There is known terrorist capacity to construct IEDs, and, in recent years, terrorists have taken greater interest
in the use of insiders following enhancements to passenger screening. While there have been some previous signs of intent
to conduct attacks based on insertion of a threat item by an insider, there is no evidence to date that this would involve
the use of airport supplies, and such an attack would likely require the collusion of at least two individuals and some very
careful planning and coordination.

10.3 The likelihood of an attack via airport supplies is assessed as LOW.

Consequences

10.4 The detonation of an IED successfully introduced onto an aircraft via airport supplies could be expected to
destroy an aircraft in a reasonable worst-case scenario. This would result in hundreds of lives lost and far-reaching and
sustained economic damage. It is likely that there would also be a loss of public confidence in the security of air travel.

10.5 Given the attendant loss of life, economic consequences and reputational costs associated with a successful
insider IED attack, the consequences of an attack via airport supplies are considered HIGH.

Mitigations

10.6 The principal mitigation against an attack via airport supplies is the application of security controls to the
supplies. This may include a supply chain security process or screening. Access control measures, as well as background
checks of staff, also provide some mitigation against this threat scenario. Additional mitigations include background checks
for workers at facilities in the supply chain who handle airport supplies, facility security measures such as closed-circuit
television (CCTV) and employee security awareness campaigns.

Residual vulnerability

10.7 The quality of the controls applied to airport supplies varies significantly and vulnerabilities may exist within
the supply chain process. There is a huge variety of types of supply required by airports at airside, and screening large
volumes and certain types of supply is difficult or inappropriate. However, the layered mitigations in place at most airports
limit the opportunity for this type of attack.

10.8 The WGTR has therefore assessed the residual vulnerability of an attack via airport supplies as
MEDIUM-LOW.

Residual risk

10.9 While there are some vulnerabilities in the airport supplies security regime and an intent to use insiders to
perpetrate attacks, there are no previous signs of intent to conduct an attack via airport services, and significant planning
and collusion would be required.

10.10 The WGTR has therefore assessed the residual risk of an attack via airport supplies as MEDIUM.

11. VEHICLE-BORNE AIRSIDE ATTACKS

11.1 This threat scenario now covers vehicle-borne airside attacks only, as vehicle attacks landside are now
considered in the landside attacks threat category. Vehicle-borne airside attacks could be an IED concealed by an insider
with legitimate airside access and detonated inside a vehicle targeting an airport facility or a parked or moving aircraft; an
attack by the ramming of a vehicle into an airport facility airside where passengers are present; or the use of a fake
emergency or liveried vehicle to pass a vehicle checkpoint with the intent of attacking parked or moving aircraft on the
airside. These attack methods do not need to be a suicide attack.

Likelihood

11.2 Vehicle attacks against landside targets are generally easier to perpetrate than those within the airside,
making this a less attractive option to terrorist groups.

11.3 Across all scenarios, the general likelihood of this type of attack is currently assessed as MEDIUM-LOW.

Consequences

11.4 The consequences of an attack using a VBIED airside may be considerable, resulting in large scale damage
to critical facilities, or the loss of an aircraft with all persons on board.

11.5 The consequences have therefore been assessed as MEDIUM-HIGH.

Mitigating measures

11.6 Possible mitigating measures include:

a) integration of security considerations into the design and construction of airport facilities, or modification
of existing ones. Vulnerability to ram raid type attacks and to VBIEDs in parked vehicles may be
significantly mitigated by the use of designs and materials to mitigate the destructive impact of a bomb
blast, such as strengthened glazing;

b) effective detection and response measures to mitigate the risk of attacks involving vehicles targeting
parked or moving aircraft; and

c) for access control, checkpoint screening of staff and vehicles, airside vehicle management and
background checks can all provide some mitigation against insider vulnerabilities, if implemented
effectively.

Residual vulnerability

11.7 The vulnerability to such an attack is considered MEDIUM.

Residual risk

11.8 The overall risk of such an attack is currently assessed as MEDIUM.

12. CYBER-ATTACKS

General overview

12.1 A cyber-attack refers to an attack on civil aviation critical systems, data or information. This could include
the interdependent network of information technology infrastructures, including the internet, telecommunications networks,
computer systems and embedded processors and controllers. The cyber domain may be seen as a target for attack or as
a vector or facilitator for physical aviation security attacks.

12.2 The WGTR has considered only cyber-attacks that could result in the loss of aircraft in its risk assessments
to date, i.e. intentional acts perpetrated to cause loss of life and/or significant disruption and economic damage to the
aviation sector. The assessments cover direct attacks on ATM systems, aircraft systems and airport systems and their
associated components. They do not address wider cyber-attacks that may impact civil aviation stakeholders’ systems
and that may cause reputational damages, disruptions, espionage, or financial losses (e.g. from ransomware demands),
or activities by State actors, although these types of attacks may point to vulnerabilities and can create possibly unintended
safety or security concerns.

Likelihood

12.3 While there is some evidence of intent by malicious non-state actors and terrorist organizations to use digital
means to commit acts of interference and terrorism that could endanger aircraft or cause loss of life, at present their
capability to do so appears relatively limited. Low-level (i.e. relatively crude) cyber-attacks against aviation entities occur
frequently, as they do in many sectors, and a small number of these have been linked to terrorist groups. False reports
about cyber-attacks as well as claims by hackers and others about specific vulnerabilities and their wider implications
often appear in the media. For example, there have been reports of claims by white-hat cybersecurity researchers to have
“hacked” aircraft systems. However, there is little or no evidence that this can be replicated in the “real world”, outside
of a controlled environment. While the media coverage may bring the issue to the attention of extremists wishing to
compromise aviation security, the WGTR understands it is unlikely that such individuals would possess the level of
technical skill to exploit any vulnerabilities that do exist, without direct, advance knowledge from an insider or State-level
assistance.

12.4 The overall likelihood of a cyber-attack that could result in the loss of an aircraft is currently assessed as
LOW.

Consequences

12.5 The potential consequences of an attack which would result in the loss of an aircraft in the worst-case
scenario are assessed as HIGH.

Residual vulnerability

12.6 While mitigations are in place, such as in Annex 17, Standard 4.9.1, vulnerabilities that remain following
implementation of mitigation measures have been identified in certain scenarios.

12.7 The residual vulnerability is currently assessed as MEDIUM-LOW.

Residual risk

12.8 Based on the above, and in particular on the current threat likelihood, the overall residual risk of a cyber-
attack is currently assessed as MEDIUM.

Future considerations

12.9 As technology progresses and the integration of systems moves forward, the opportunity for exploitation is
continuously evolving, and manufacturers of information and operational technologies (IT/OT), aviation security service
providers and regulators will need to stay ahead of hostile actors. The WGTR assesses that the growing complexity,
connectivity and integration of ATM, aircraft and airport systems means that cybersecurity will continue to be an issue in
the design and operation of civil aircraft. The following general factors, individually or collectively, may increase the
vulnerabilities which may be exploited by an able attacker:

a) increasing reliance on digital technology and information systems for safety-critical functions;

b) increasing connectivity with and dependence on IT/OT, which may have a high safety assurance but an
unknown level of security; and

c) greater inter-connectivity, both within aircraft and with external sources, either via remote data links or
devices brought on board the aircraft. This includes increased internet connectivity and the use of
commercial-off-the-shelf (COTS) equipment and remotely deployed software updates. This may
increase the chance of inadvertent attack on aviation, i.e. an attack on a system and/or non-aviation
target which has unplanned or unintended consequences for civil aviation using the same system.

12.10 This is especially true for “e-enabled” aircraft. However, while older aircraft with legacy systems may appear
to be less vulnerable due to more limited external connectivity and proprietary systems, they are also being retrofitted with
more modern systems or maintained using newer techniques (i.e. wireless data loaders) where the security impact may
be less well understood by manufacturers and regulators.

12.11 Cybersecurity cannot be confined to aircraft alone. ATM security is becoming a more integrated operating
environment where the “connected aircraft” is one element in a complex and interconnected system composed of multiple
airborne and ground-based elements. The increased internet connectivity and bandwidth available in the latest satellite
communications systems potentially allow the traffic to be profiled and manipulated. Aircraft are increasingly dependent
on the security of the connections to and from the ground. Previously these communications were confined to proprietary
or government-regulated infrastructure but are increasingly making use of public networks and local or cellular wireless
connections.

12.12 As laid out in Annex 17, Standard 4.9.1, industry stakeholders such as airport and aircraft operators as well
as service providers should undertake their own detailed risk assessments for their own operations, which will vary
considerably.

13. CONVENTIONAL HIJACK (WITH TERRORIST INTENT)

13.1 This type of threat covers the commandeering of an aircraft to perpetrate a conventional hijack where
hostages are taken and demands made which may be resolved by negotiation or force.

Likelihood

13.2 In terms of the threat of a “traditional” hijack where the aircraft and those on board are used as a bargaining
tool to demand a specific outcome, the WGTR noted that such incidents occur relatively regularly with an average of 2-3
hijacks recorded per year on the Aviation Safety Network database.

13.3 Given that such attacks continue to take place on an annual basis, albeit at relatively low levels compared
to previous eras, and recognizing that the motivation in many cases is primarily for reasons other than those associated
with international terrorism, the likelihood score for such a hijack is assessed as MEDIUM-LOW.

Consequences

13.4 In the event of a successful conventional hijack, while in most of the cases there is limited loss of life or
destruction of the aircraft, there may be considerable disruption in the air and at the reception airport and some loss of
public confidence.

13.5 The consequences of a conventional hijack are assessed as MEDIUM-LOW.

Residual vulnerability

13.6 The WGTR considers that the existent mitigation measures are well deployed and effective, recognizing that
cockpit doors may be opened in flight for operational reasons, that multiple attackers will make it more difficult for crew
and other passengers to intervene, and that if the cockpit is breached, it will then protect the attacker(s) and hinder
attempts to disrupt the attack for a lengthy period of time.

13.7 The WGTR again assesses the vulnerability score as MEDIUM-LOW.

Residual risk

13.8 As a result of the abovementioned factors, in particular the ongoing relatively high likelihood of hijack attacks
taking place, the residual risk of such an attack is considered MEDIUM-LOW.

14. BIOLOGICAL AND RADIOLOGICAL THREATS

14.1 The threat of a biological or radiological attack against aircraft has some similarities with the threat of a
chemical attack, and these threats were for some time considered as one category of threat (CBR). However, due to
differences in likelihood and residual risk scores, the chemical threat scenarios have been covered separately in Section 6.

14.2 The WGTR has, as with chemical threats, conducted a risk assessment based on a number of representative
“marker” agents, giving consideration to factors including physical nature, toxicity, persistence and lethality, ease of
production or acquisition, and ease of transportation, concealment and dispersal.

Likelihood

14.3 There is some evidence of terrorist interest in relation to biological and radiological threats generally, though
there is no evidence of current attack planning against civil aviation. There has been evidence of terrorist interest in the
use of ricin as a weapon, as well as a previous history of attacks using anthrax in non-aviation
environments. This interest could have some crossover to potential attacks in airport facilities or in the confined space of
an aircraft, but in general, the slower acting nature of biological and radiological agents makes them a less attractive
methodology than more immediate dispersal threats, such as the use of chemicals.

14.4 In light of this, the WGTR assesses the overall likelihood of biological or radiological attacks against aviation
as LOW for both methods.

Consequences

14.5 Most biological and radiological attacks have a delayed effect on the victims of the attack. So while the
longer-term consequences for those exposed to such an attack could be very severe, the immediate effects are not deadly
and in normal circumstances such an attack would not threaten the aircraft itself. The highest consequence outcome
(the resultant crashing of an aircraft full of passengers) is unlikely with these types of attacks.

14.6 Economic damage resulting from disruption and loss of public confidence could be very high due to the
difficulties and expense of decontamination after biological and radiological attacks, and a high level of public fear of such
risks.

14.7 While the consequences would vary greatly depending on the type of attack and the substances used, the
WGTR considers the consequences for either a biological attack or radiological attack as MEDIUM.

Mitigating measures

14.8 Screening techniques to detect the substances that might be used in such an attack are not commonly
deployed in airport search combs, though screening for radiological materials has been used for border protection
purposes in some States. Such methods could possibly be adapted to the airport environment, perhaps being used in the
landside area rather than during the security screening process if this is more practical. Screening might also be used to
detect containers and dispersal mechanisms associated with this kind of threat rather than the agent itself. A visible and
efficient screening operation that concerns itself not just with explicitly prohibited items, but also with anomalous items,
particularly powders, and indicators of suspicious behaviour could enhance deterrence of such attacks.

14.9 Other security measures such as searches, patrols, staff vigilance, and CCTV surveillance could also have
a mitigating effect. Fixed radiation detection systems at airports may also be developed, or security staff may be equipped
with portable radiation detection. Additionally, the effects of an attack when launched overtly could be mitigated by planned
evacuation procedures, planned medical care and swift treatment of those affected by the attack.

Residual vulnerability

14.10 Prevention of certain types of biological and radiological attacks is, as with chemical attacks, challenging
under existing security arrangements. Some airports and aircraft operators may have emergency response procedures in
place for these types of attacks, which may also be used to take action during an overt biological or radiological attack to
lessen the consequences, understanding that these threats may be slower to take effect than chemical threats.

14.11 While vulnerability to biological and radiological attacks differs very greatly depending on the agents and
method used, overall the WGTR assesses the residual vulnerability as MEDIUM.

Residual risk

14.12 The general conclusion that is drawn from the risk assessment conducted by the WGTR is that the risk of
an attack on civil aviation using a biological or a radiological agent is currently MEDIUM-LOW for both threats.

15. ATTACKS ON AIR TRAFFIC CONTROL FACILITIES

15.1 The WGTR has assessed a range of scenarios involving the destruction or disabling of ATC facilities. The
scenarios do not include the disabling or disruption of air traffic services due to a cyber-attack, as this threat scenario is
covered under the cyber-attacks section.

Likelihood

15.2 The scenarios considered include the possibility of a firearm or IED attack perpetrated by an insider, as well
as attacks carried out by outside attackers. Whilst terrorists have taken greater interest in the use of insiders following
enhancements to passenger screening in recent years, air traffic facilities are not judged to be a prime target, and there
is no reporting to suggest that this type of attack is of interest to terrorist groups.

15.3 The likelihood of an attack on ATC facilities is therefore considered LOW.

Consequences

15.4 Depending on the nature of the attack (e.g. IED, firearm, stand-off attack), immediate consequences for staff
would likely be tens of deaths in the facility. The scale and duration of impacts on air traffic management in the airport
vicinity will vary based on the airport and the ability of other control systems to take over tower functions. A successful
attack would involve infrastructure and repair costs, as well as the costs arising from associated disruption to services.

15.5 The overall consequences of an attack on ATC facilities are assessed as MEDIUM-LOW.

Mitigations

15.6 The primary mitigations against an attack on an ATC facility include access control to the facility itself and
access controls to the wider airport. Background checks on ATC staff will provide additional mitigation, as will airport
design measures, such as bomb blast mitigation.

Residual vulnerability

15.7 ATC facilities are usually situated outside of an airport’s SRA where security screening will not apply. Access
to ATC facilities is likely to be easier than to other airport facilities; however, wider airport access controls and perimeter
security may deter or delay access to towers. Although ATC staff may be subject to background checks, these checks
may not be as in-depth as for workers in other areas of the airport, and would not prevent an insider attack by an individual
with a clean record.

15.8 The residual vulnerability of an attack on an ATC facility is assessed as MEDIUM.

Residual risk

15.9 Taking into account the relatively low attractiveness of ATC facilities as a target for terrorist groups, as well
as the mitigations that are in place, the likelihood of an attack on an ATC facility is assessed as MEDIUM-LOW.

16. OTHER POTENTIAL THREATS

Sabotage

16.1 Sabotage in this context is taken to mean perpetrating deliberate and hidden damage to aircraft or aviation
facilities with a view to causing an apparent accident when the aircraft or facilities are put into service.

16.2 Physical sabotage is plausible but currently not a likely threat. The possible methods of sabotage are limited
only by the imagination, but the majority would cause only limited harm before they would be identified through existing
safety processes. Those which might cause catastrophic damage would, in general, be difficult to carry out with any
prospect of success, not least because they would be apparent during pre-flight checks and other existing safety and
security measures. Measures such as access control, and screening and vetting of staff may have mitigating effects as,
depending on their role, insiders would likely have greater knowledge and access to perpetrate a more successful attack.
Therefore, it is prudent for States and other actors to consider the extent to which such measures could be adapted to
prevent sabotage of the kind envisaged above.

Hoaxes

16.3 A hoax, involving a written or verbal threat against an aviation target, may be the result of a wide variety of
motivations, not necessarily linked to terrorist groups or inspired by an extremist ideology, and the intent may not be clear.
However, hoaxes may cause concern and disruption until resolved as a false alarm and are therefore a form of unlawful
interference, and in some cases may be considered as an act of terrorism. It is not possible to conduct a generic risk
assessment given the multitude of possible scenarios. However, statistics suggest that such events are common, and
these may continue to occur in the future. Depending on what is being threatened, the level of detail provided on the target,
the method, and the credibility of the threat made, the consequences in terms of concern and disruption caused may be
quite significant.

16.4 States are strongly advised to ensure that they and/or their aircraft and airport operators have trained threat
assessors available at all times of operation in order that the available information can be collated and analysed correctly.
Appendix 38 to the Aviation Security Manual (Doc 8973 — Restricted) contains information on managing response to
security threats.

Airport disruptions caused by unauthorized activism

16.5 Disruptions at airports due to activism have become more prevalent in recent years and are a growing
concern for aviation operators. While this type of activity does not generally pose a direct threat to life, the activities can
disrupt airport operations and have impacts on security measures.

16.6 Rules and regulations regarding the manner in which activism can be performed vary significantly by State,
and it is often difficult for airport stakeholders to prevent these protests and to maintain both safety and security during
these events. As seen in recent years, activism can quickly turn into major disruptions at airports, including damage to
aircraft, blockage of transport into and out of the airport, concerns over landside crowd control and unauthorized access
to the SRA. In addition, groups with nefarious intent could use the cover of activism to conduct terrorist activities against
civil aviation in the future.

______________________

APPENDIX C

INSIDER THREAT

1. INTRODUCTION

1.1 Terrorists consistently look to exploit vulnerabilities in security controls in an attempt to find the path of least
resistance to their targets. This could mean the exploitation of people in the form of employees working in or for the aviation
sector whose role provides them with privileged access to secured locations, secured items or security sensitive
information, thus giving them a potential tactical advantage in perpetrating or facilitating an AUI. This includes flight crew
and all ground-based employees in airports or other facilities related to civil air transport and its supply chains and
encompasses contract, temporary or self-employed personnel as well as full- or part-time staff members.

1.2 The specific vulnerability of aviation to attacks involving the use of insiders in order to by-pass security
controls has long been understood and reflected in risk assessments and mitigation measures. However, recent terrorist
attacks on aviation (including those on Metrojet in 2015 and Daallo Airlines in 2016) have drawn renewed attention to
potential exploitation of those vulnerabilities, and therefore the resultant risks.

1.3 Concern is heightened by well documented indications that terrorist groups are actively looking for insiders
to assist in their attempts to target civil aviation. It is further heightened by the phenomenon of increasingly rapid
radicalization (including self-radicalization over the internet and through social media) of individuals in many parts of the
world, thus reducing the opportunities for their detection by conventional vetting methods, by people close to them, or by
security or law enforcement services.

1.4 It may be assumed that “known” staff represent a lower threat than “unknown” passengers. This is certainly
true in some respects, for example because staff in sensitive positions are usually subject to initial and ongoing
background checks and/or vetting, and because they have established a history of trustworthiness. However, there is
some evidence to suggest that the majority of those who commit illegal acts using insider access or knowledge acquire
the intention to do so only after taking up employment. Initial pre-employment background checks may be ineffective in
such cases. In addition, terrorists may actively seek to place, or more likely recruit, blackmail or coerce individuals in
sensitive roles particularly because they present no history or indications of likely intent.

2. ASSESSING RISKS FROM INSIDER THREATS

2.1 In development of the RCS, the insider threat has not been considered as a separate category. Insiders are
best viewed as one dimension of a particular threat type, and not as a separate threat type in themselves. Instead, threat
types have been considered with an insider element included within each category, where appropriate.

2.2 This approach also makes it easier to identify, and therefore address, through analysis of different attack
scenarios, the tactical advantage and increased vulnerability that an insider represents in the perpetration of that particular
form of attack. For example, in the case of a VBIED, measures may be established to prevent unauthorized persons
driving a vehicle into or close to sensitive areas of the airport. If such measures are in place and effectively implemented,
then the residual risk may reside primarily in scenarios where an authorized person, with relevant access rights, is involved
in driving the vehicle and/or facilitating its access, and additional mitigations may be developed accordingly. Some aspects
of the analysis (e.g. capability, consequences) may be similar even where the type of perpetrator changes, and also
insiders may simply act as facilitators rather than perpetrators in many scenarios.

2.3 It is suggested that, in developing their own security risk assessments, States adopt a similar approach. For
instance, in considering a threat category, such as a PBIED used to attack an aircraft, those conducting an assessment
should consider, separately, both PBIED used to attack an aircraft and PBIED introduced by crew used to attack an aircraft.

2.4 The assessment should take into account how the risk from a particular threat may differ when the threat
comes from a staff member and when it comes from a passenger. For example, the:

a) vulnerability associated with insiders might be greater if they have access to the last layer of security in
a way that a passenger does not;

b) likelihood associated with insiders might be less if they have already been subject to vetting and
selection procedures; and

c) consequences of a threat associated with insiders might be greater if an insider has access deeper
within the system. For instance, an insider could perpetrate a more credible and thus more disruptive
hoax.

2.5 The types of attack potentially involving an insider component are wide-ranging, but are considered in
general more likely to be directed at aircraft rather than airports, since attacks on the latter can be carried out in the public
(landside) areas where insider access or knowledge is unnecessary. Current versions of the risk assessment matrices
which underpin the RCS incorporate possible insider involvement scenarios in most types of attack. But they are
particularly prominent in those involving the use of IEDs against an aircraft in flight, whether through insertion in hold
baggage, cargo, or in-flight supplies, or through direct placement in the aircraft. Insiders are also seen as a potentially
important component in the vulnerability to attacks involving the hijack and use of aircraft as a weapon, and in some types
of potential cyber threat.

2.6 Further guidance on identifying and assessing the security concerns presented by insiders across a range
of defined threats is provided below. This includes a list of threat types in Table C-1 and a further list of security-relevant
job roles in the aviation sector in Table C-2. In developing and assessing insider threat scenarios, each relevant role can
be identified and examined to consider whether they offer a tactical advantage in relation to each threat type. In applying
this methodology, it is possible to consider insider vulnerabilities as part of an integrated risk assessment. Consideration
of the risks associated with individual job roles can also be used as a basis for determining where additional mitigations
should be applied, such as enhanced vetting or increased surveillance and supervision.

Definitions

2.7 The following terms have been defined for ease of reference:

a) insiders refers to all staff, including full-time, part-time, self-employed, agency, and contracted
employees;

b) tactical advantage comprises preferential access to restricted locations and information, situations
where work may be done alone and not subject to quality control, and suspicious behaviour may not be
detected;

c) direct attack is a terrorist attack carried out by an insider; and

d) indirect attack is a terrorist attack carried out by a third party facilitated by an insider either actively,
e.g. through the provision of access or information, or passively, e.g. through neglect of duties.

Principles

2.8 An insider represents a vulnerability and NOT a separate threat. Insiders are potentially one dimension of a
threat scenario; for example, in the case of an IED placed on board an aircraft by a member of staff rather than a passenger:

a) vulnerability should be measured by role and NOT by the individual, against the baseline of what a
passenger may be able to do (i.e. does a staff member’s tactical advantage give that staff member a
better chance of success over and above a passenger); and

b) the risk assessment process should capture which staff members could:

1) carry out what sort of direct attack, the effectiveness of current security measures to prevent this,
and the resultant residual risk; and

2) facilitate an attack by others, the effectiveness of current security measures to prevent this, and the
resultant residual risk.

Process

2.9 The risk assessment process should involve:

a) devising and agreeing on a list of credible threat scenarios against specific targets, specifically aircraft
and airport infrastructure. A suggested list is provided in Table C-1;

b) devising and agreeing on a list of security-relevant roles in the aviation sector. A suggested generic list
is provided in Table C-2;

c) identifying and scoring the additional tactical advantage of each role against each threat. A possible
scoring system for each role is as follows, depending on whether the role gives:

1) no tactical advantage over being a passenger or member of the public: Score = 1;

2) a tactical advantage and suspicious behaviour that IS likely to be noticed: Score = 2;

3) a tactical advantage and suspicious behaviour that IS NOT likely to be noticed: Score = 3;

4) a major tactical advantage and suspicious behaviour that IS likely to be noticed: Score = 4; and

5) a major tactical advantage and suspicious behaviour that IS NOT likely to be noticed: Score = 5;

d) if a tactical advantage is identified, considering the national and local context such as the economic and
political situation, terrorist activity, serious and organized crime and corruption, etc., to gauge the
likelihood, and current mitigating security measures in order to assess the residual risk; and

e) assessing the vulnerability of existing personnel, and physical, procedural, and information security
measures to being compromised by an insider, in order to identify any increased residual risk arising
from indirect insider facilitation of an attack.

Security measures

2.10 These comprise both personnel and physical security measures. Personnel security requirements include
background checks and references prior to employment, identification card issuance, specific and general security
awareness training, and aftercare once employed. Physical security measures include access control, and screening and
searching of staff. If the residual risk is deemed to be unacceptable, additional and/or differing measures should be
considered for the job role in question. Both the analysis of risks and any subsequent action should be considered
alongside other security risk assessment work. The aim should be to create a multi-layered security regime, avoiding
single points of failure.

Employee involvement

2.11 Employees are a valuable source of information on vulnerabilities and how to address them, and their
opinions should be taken into account whenever possible. They should be motivated and informed through regular
briefings on security issues, and have a clear process for reporting any concerns.

Table C-1. Types of threat scenarios

| Threat to airport | Threat to aircraft |
|---|---|
| VBIED parked near terminal | PBIED |
| VBIED parked near ATC tower | PBIED — liquid |
| VBIED parked near other facilities, e.g. fuel farm | PBIED — solid |
| VBIED parked near cargo sheds | VBIED |
| VBIED driven into terminal | IED in in-flight supplies |
| VBIED driven into air traffic control tower | IED in cargo |
| VBIED driven into other facilities (e.g. fuel farm) | IED in cleaning supplies |
| VBIED driven into cargo sheds | IED in hold baggage |
| IED placed landside | IED in aircraft operator mail |
| IED (solid/liquid) placed airside (carried on foot) | IED left on board aircraft |
| IED (solid/liquid) placed airside (carried in vehicle) | Improvised incendiary device |
| PBIED — landside | IED thrown over perimeter fence |
| PBIED (liquid) — airside | VBIED detonated near aircraft |
| PBIED (solid) — airside | VBIED detonated near aircraft from outside airport |
| IED thrown over perimeter fence | Ramming of aircraft from inside SRA |
| Improvised incendiary device | Ramming of aircraft from outside airport |
| Armed attack (guns) — landside | Armed attack — guns/knives |
| Armed attack — mortars | Armed attack — small knives/no weapons |
| Chemical — covert/overt; persistent/non-persistent; remote location/crowded place | Armed attack — non-metallic weapons |
| Biological — deposited/sprayed | Armed attack — MANPADS |
| Radiological exposure device/radiological dispersal device (RED/RDD), remote location/crowded place | Armed attack — rocket-propelled grenades/mortars |
| Sabotage — power | Hijack — conventional |
| Sabotage — water | Aircraft as weapon by flight deck crew |
| Sabotage — telecommunications | Aircraft as weapon commandeered with weapon/IED |
| Sabotage — electronic (denial of service/importation of false data) | Aircraft as weapon — theft |
| Hoax | Aircraft as weapon — stowaway in cargo-only aircraft |

Table C-2. Examples of security-relevant job roles in the aviation sector
(depending on the airport, many of these roles may be located in the SRA)

Job role
Screening persons and cabin baggage | In-flight supply company staff (i.e. administration)
Screening hold baggage | Airport supply company staff
Screening and security controls for in-flight supplies | Cargo company staff
Screening and security controls for airport supplies | Haulier drivers with access to known cargo (access secured by third party)
Searching vehicles | Account consignors with access to known cargo
Searching/Checking aircraft | Check-in staff
Aircraft protection | Police/Control authority
Access control (including surveillance and patrols) | Emergency services (fire, ambulance)
Security supervisors | Air traffic controllers
Security managers | Compliance authority personnel
Retail staff | Aviation security trainers
Baggage handlers | Validators of known cargo consignors
Baggage reconciliation | Issuers of airport identification cards or vehicle passes
Cleaners (terminal) | Diplomats
Cleaners (aircraft) | Background check counter signatories
Aircraft service providers | Public bus drivers
Cargo loader (onto aircraft) | Utilities
In-flight supplies loader | Airport authority senior management
Dispatcher | Drivers of authorized vehicles
Aircrew — passenger aircraft | Fuel tanker drivers (to fuel farms)
Aircrew — cargo-only aircraft | Airport maintenance (including contractors)

3. INSIDER THREAT MITIGATION MEASURES — ADDITIONAL CONSIDERATIONS

Physical screening

3.1 An increasing emphasis is being placed on the importance of unpredictability of staff screening measures.
For example, staff may be subject to a range of different physical screening methods (including methods designed to
detect explosives, such as the use of explosives trace detection equipment), which may be applied on a random and/or
unpredictable basis. Use of methods that fully match passenger screening, including screening of all staff upon entry into
the SRAs, can help provide a high level of assurance if done effectively. Screening of staff at other times and locations
(including on a random and/or unpredictable basis), can offer further mitigation by both increasing the likelihood of
detection and potentially having a significant deterrent effect.

3.2 The same applies to the search of vehicles entering SRAs, which present risks that are particularly difficult
to mitigate effectively. A wide range of vehicles have authorized and legitimate entry to SRAs, and these can provide
multiple complex concealment options. Again, varying the search methods in unpredictable ways can improve both
detection and deterrence.

3.3 Beyond the SRAs of airports, physical screening for personnel with access to cargo or in-flight supplies
within secure supply chains or cargo sheds, as well as other security-sensitive facilities such as engineering bases, can
provide additional mitigation where this does not currently occur.

3.4 Understanding and eliminating routes by which insiders engaged in non-terrorist criminal activities — such
as smuggling of drugs, arms or people — seek to by-pass physical security measures at airports can also help to identify
and reduce vulnerabilities.


Personnel security measures

3.5 Many States are reviewing their existing procedures for conducting background checks and security vetting
of personnel. This appears to be driven by the perceived need to improve the probability of timely detection of indicators
of possible intent. Potential measures in this area include the creation of national databases of airside passes and other
airport identification documents, the use of enhanced intelligence-based background checks, the introduction of
continuous or perpetual vetting (which may involve the regular interrogation of airport pass databases), behavioural
detection techniques and reporting mechanisms whereby concerns can be reported. Analysis of social media and the use
of data analytics (to examine, for example, airport pass applications, employee records and pass usage) offer additional
ways to help identify anomalies and issues of potential concern.

3.6 Ensuring effective linkages within States between intelligence sources and aviation industry employers has
been identified as an important factor. Concerns have been identified in many States around the need to establish a sound
legal basis for the use of intelligence information to facilitate effective action against an employee who is suspected of
insider activities, particularly where that person may not yet have committed criminal acts.

3.7 Establishing an effective security culture throughout the aviation sector, and especially among those
engaged in security-sensitive functions, is a crucial element in mitigating insider threats. Personnel can be motivated and
informed about the risks through regular briefings on threats and wider security issues, can be trained to identify
anomalous or suspicious behaviours, and should have access to a clear process for reporting any concerns. At the same
time employees can be a valuable source of information on vulnerabilities and how to address them, and their input should
be sought and used whenever possible in the assessment and management of insider risks.

3.8 Other potential additional measures identified by the WGTR that could be considered, where not already in
use, include:

a) limiting access rights to particular areas for airside pass-holders;

b) adequate protection of perimeter and access control points to ensure that staff security screening cannot
be by-passed;

c) supervision protocols and wider use of CCTV for people working alone in sensitive areas;

d) enhanced oversight of, and awareness training for, staff involved in issuing passes or conducting
background checks;

e) oversight of third parties with airside access; and

f) use of anti-tamper technologies.

______________________

APPENDIX D

ADDITIONAL DETAIL ON RISK ASSESSMENTS FOR CYBER THREATS⁹

1. AIR TRAFFIC MANAGEMENT (ATM) SYSTEMS

Likelihood

1.1 Relatively few attacks to date have targeted civil aviation directly but, in recent years, terrorists have
displayed heightened interest in cyber-attacks and general intent to carry them out. However, current extremist hacking
activity is characterized by relatively basic “denial of service” attacks. No examples have been found of successful or
attempted cyber-attacks or credible threat of cyber-attacks from malicious actors or terrorists against aircraft or airports,
nor have indications been found that such groups have acquired or are developing advanced skills, or that they currently
envisage this as an effective way to perpetrate a mass effect attack, particularly when compared to more obvious and
proven attack methodologies. However, these possibilities cannot be excluded.

1.2 Overall, the current threat likelihood is therefore assessed as LOW.

Consequences

1.3 The potential consequences are of concern in view of the sector’s high and growing reliance on electronic
systems for safety-critical functions, both on board aircraft and on the ground, and the potential consequences of such an
attack on aircraft in flight.

1.4 The majority of attacks to date have caused a temporary and very overt denial of service. A likely outcome
in the event of a successful attack on ATM systems would be a deterioration in the safety environment for aircraft in the
affected airspace, with attendant disruption and reduced capacity in the ATM system for a period of time. It is also
acknowledged that any consequences are very dependent on the volume of air traffic in the airspace concerned. It is,
however, assumed that any terrorist attack would aim to destroy one or more aircraft, with attendant loss of life and
consequent economic damage to, and loss of confidence in, the aviation sector.

1.5 Taking a reasonable worst-case approach, under most scenarios the consequences of a successful terrorist
cyber-attack on aircraft in flight through ATM systems are assessed as HIGH.

Mitigating measures

1.6 There is currently a range of different ATM technologies or methods in use which is in itself a mitigation.
However, there appears to be a general trend towards the removal of redundant or back-up systems in favour of new,
cheaper, automated, single-technology solutions, which could potentially increase the overall vulnerability to a successful
attack.

9. This Appendix reflects the initial risk assessments completed by the WGTR covering a wide range of cyber-attacks. However, going
forward, the WGTR has determined that scenarios that could not result in the potential loss of aircraft should be considered by the newly
constituted ICAO Cybersecurity Panel Working Group on Cyber Threat and Risk (WGCTR). This analysis may therefore change.


1.7 Broadly speaking, covert attacks involving the importation of false but credible data into a system that
continues to function are of greater concern than more overt denial of service attacks. This is because it may be more
problematic to monitor, recognize and deal with such issues, especially in busy airspace.

1.8 The only completely failsafe barrier is the physical separation of ATM-relevant systems from other, more
business-oriented systems, and especially from those exposed to any public networks. All firewalls, virus scanners and other
logical separations may be considered to be penetrable given sufficient expertise and time. Systems which share any
device, including mobile devices, cannot be considered to be physically separate.

1.9 However, the level of risk of collision is likely to remain very low. Because the systems used in ATM are
safety critical, a variety of mitigations are already in place in many environments in case of loss or disruption of signals.
These mitigating measures include cross-checks, backup systems, built-in redundancy and duplication, IT security
measures, physical security measures, and well-established incident response procedures and contingency plans. Many
rely on the training and skills of pilots and air traffic controllers to monitor situations and react to issues using other, often
non-automated, techniques and procedures.

1.10 Air traffic control systems typically have in place numerous cross-checks and tests, for example correlations
across different surveillance systems and checks against the filed flight plan, that are designed to detect false or
incongruous data received, which can occur for a variety of reasons, including equipment failure. These arrangements are
designed to reduce the impact of such false data to a nuisance rather than a danger.
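
The cross-checks described in 1.10, sketched as an added example (not part of the ICAO document or of any ATM product): two independent surveillance feeds are correlated with each other and with the filed flight plan, and any track that fails a check is flagged. Callsigns, coordinates, function names and tolerances are constructed assumptions.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles


@dataclass(frozen=True)
class Report:
    callsign: str
    lat: float
    lon: float


def to_xy(lat, lon, ref_lat):
    """Equirectangular projection to nautical miles; adequate within one sector."""
    x = math.radians(lon) * math.cos(math.radians(ref_lat)) * EARTH_RADIUS_NM
    return x, math.radians(lat) * EARTH_RADIUS_NM


def separation_nm(a, b):
    """Distance between two position reports for the same track."""
    ax, ay = to_xy(a.lat, a.lon, a.lat)
    bx, by = to_xy(b.lat, b.lon, a.lat)
    return math.hypot(bx - ax, by - ay)


def off_route_nm(report, route):
    """Shortest distance from a report to any leg of the filed route."""
    px, py = to_xy(report.lat, report.lon, report.lat)
    best = math.inf  # a route with fewer than two waypoints counts as off route
    for (lat1, lon1), (lat2, lon2) in zip(route, route[1:]):
        ax, ay = to_xy(lat1, lon1, report.lat)
        bx, by = to_xy(lat2, lon2, report.lat)
        dx, dy = bx - ax, by - ay
        seg = dx * dx + dy * dy
        t = 0.0 if seg == 0 else max(0.0, min(1.0, ((px - ax) * dx + (py - ay) * dy) / seg))
        best = min(best, math.hypot(px - (ax + t * dx), py - (ay + t * dy)))
    return best


def cross_check(source_a, source_b, flight_plans, sensor_tol_nm=2.0, route_tol_nm=10.0):
    """Return {callsign: [findings]} for every track that fails a cross-check."""
    a = {r.callsign: r for r in source_a}
    b = {r.callsign: r for r in source_b}
    findings = {}
    for cs in sorted(a.keys() | b.keys()):
        issues = []
        ra, rb = a.get(cs), b.get(cs)
        if ra is None or rb is None:
            issues.append("seen by only one surveillance source")
        elif separation_nm(ra, rb) > sensor_tol_nm:
            issues.append("sources disagree on position")
        route = flight_plans.get(cs)
        if route is None:
            issues.append("no filed flight plan")
        elif max(off_route_nm(r, route) for r in (ra, rb) if r) > route_tol_nm:
            issues.append("off filed route")
        if issues:
            findings[cs] = issues
    return findings


# Constructed sample data: routes are lists of (lat, lon) waypoints.
FLIGHT_PLANS = {
    "TST101": [(50.0, 0.0), (50.0, 2.0)],
    "TST202": [(51.0, 0.0), (51.0, 2.0)],
    "TST404": [(52.0, 0.0), (52.0, 2.0)],
}
SOURCE_A = [Report("TST101", 50.0, 1.0), Report("TST202", 51.0, 1.0),
            Report("TST404", 52.5, 1.0)]
SOURCE_B = [Report("TST101", 50.01, 1.0), Report("TST202", 51.1, 1.0),
            Report("TST303", 53.0, 1.0), Report("TST404", 52.5, 1.0)]

if __name__ == "__main__":
    for callsign, issues in cross_check(SOURCE_A, SOURCE_B, FLIGHT_PLANS).items():
        print(callsign, "->", "; ".join(issues))
```

A finding does not by itself indicate an attack: as 1.10 notes, incongruous data also arises from equipment failure, so the output is a prompt for verification by other means.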

1.11 In addition, aircraft collision avoidance systems provide an important mitigation against catastrophic
consequences arising from interference with ATM data. It is important to protect these systems from disruption.

1.12 False data will often be evident to, and questioned by, the flight crew. Direct voice communication between
the ground controller and the pilot provides an effective backup in any situation where data flow is interrupted or interfered
with. It is important to protect this form of direct communication and mitigate against spoofing.

Residual vulnerability

1.13 For the majority of the scenarios examined, the vulnerability after mitigation was found to be LOW. However,
this was not so for all scenarios, and further work could usefully be focused on those scenarios where a higher residual
vulnerability was identified.

Residual risk

1.14 The general conclusion from the initial risk assessment conducted by the WGTR is that the residual risk of
a cyber-attack on civil aviation through the ATM system is currently LOW. However, this is a rapidly evolving area. ATM
security is becoming a more integrated operating environment where the “connected aircraft” is one element in a complex
and interconnected system composed of multiple airborne and ground-based elements. For example, the increased
internet connectivity and bandwidth available in the latest satellite communication systems potentially allow the traffic to
be profiled and manipulated. Aircraft are increasingly dependent on the security of the connections to and from the ground.
Previously, these communications were confined to proprietary or government regulated infrastructure but are increasingly
making use of public networks and local or cellular wireless connections. These findings will be kept under close review.


2. AIRCRAFT SYSTEMS

2.1 The growing complexity, connectivity and integration of such systems mean that cybersecurity is increasingly
becoming an issue in the design and operation of civil aircraft.

2.2 An aircraft’s operation can be divided into the three distinct domains below, which separate the safety critical
functions from other less critical information systems:

a) aircraft control systems, i.e. the closed network of safety critical systems required to fly the aircraft and
supporting systems found in the cockpit environment where data corruption or denial of service could
directly impact safety;

b) cabin operational systems, i.e. the private network of systems used to operate the aircraft where data
corruption or denial of service could impact business critical operations and possibly maintenance; and

c) cabin passenger systems, which are publicly accessible (such as in-flight entertainment), where data
corruption or denial of service has minimal impact on safety.

2.3 This is based on existing industry standards but such segregation may not exist in all aircraft. Also, the
segregation between domains could be compromised via attacks on internal systems/interfaces or where external
connectivity (via communication links or maintenance and supply chains) presents a potential attack vector. The approach
assumes a high level of integration commensurate with recent “e-enabled” aircraft now entering service. Consequently,
not all the scenarios considered will be relevant to older aircraft models — unless they have been retrofitted or where
certain devices are used.

Likelihood

2.4 As with ATM systems, despite broad encouragement for individuals to undertake “electronic warfare”, no
successful or attempted cyber-attacks, or credible threat of cyber-attacks, from malicious actors or terrorists against
aircraft or airports have been identified, nor is there any evidence of meaningful advances in terrorist capability in this area,
as perpetrators continue to concentrate on more conventional and proven attack methodologies. Individuals have made
claims about the vulnerabilities of aircraft information systems, but the WGTR has seen no evidence that this has
influenced terrorist intentions. However, this could encourage terrorists to try to develop this capability in the future.

2.5 Most of the scenarios were considered to have a low likelihood due to the absence of the levels of skill,
knowledge, access and preparation required to conduct them. Simply connecting or interacting with systems is not the
same as manipulating the function of a safety-critical system to endanger the aircraft. In some scenarios, the uncertainty
around the likely impact of successfully exploiting a particular vulnerability may mean that they have limited appeal to a
terrorist. As ever, the possibilities offered by a skilled insider need to be considered.

2.6 However, overall, the current threat likelihood is assessed as LOW.

Consequences

2.7 Overall, the reasonable worst-case consequences of a successful terrorist cyber-attack which endangers an
aircraft, with the associated human, economic and reputational consequences for the aviation sector, are assessed as HIGH.


Mitigating measures

2.8 The temporary or sustained loss of a system in a denial of service attack is immediately apparent. It would
only present a safety issue if it were a key avionics system (such as the flight management system) and even then reverting
to manual control should effectively neutralize the incident. Pilot awareness and training and their ability to recognize
problems and to intervene where systems fail or are unavailable is therefore vital. This also depends on how busy the
airspace is and the availability of means to cross-check information (such as through ATM communication, visual aids and
other instruments).

2.9 Covert attacks involving credible corruption of data are of much greater concern as they may affect a safety-critical
system or cause a pilot to act in error and endanger the aircraft. In some cases (such as some electronic flight bags), a
device that is also used outside the aircraft could be a means of accessing other systems as well as jeopardizing the
safety-related functions it performs. However, an advanced level of capability and considerable knowledge of the target
aircraft would be needed to conduct a successful attack.

2.10 Maintaining logical or physical segregation between systems using air gaps, firewalls, data diodes and
network extension devices still remains important. Connectivity with enterprise networks operated by a range of companies
is potentially an issue as well as the availability of certain information (i.e. software) on the internet.

2.11 Attacks via passenger or cabin crew facing systems (such as in-flight entertainment and passenger or crew
devices) were not considered to be credible but the WGTR will seek further clarity on the segregation and effectiveness
of the measures in place.

2.12 Today’s aircraft navigation by aircrew relies mostly on global navigation satellite systems (GNSS) (e.g. global
positioning systems (GPS), Galileo, GLONASS, BeiDou), which are subject to jamming and spoofing attacks. It is
important that traditional VHF ground-based navigation aids and inertial navigation systems (INS) remain available as
backup navigation systems.

Residual vulnerability

2.13 The WGTR notes that there have been reports of claims by cybersecurity researchers to have hacked aircraft
systems. However, such hacks are usually performed under laboratory conditions, with little or no evidence that they can be
carried out in the real world. Aviation authorities and aircraft manufacturers have said it is not possible to take full control of an aircraft
using cyber techniques.

2.14 For most scenarios, the vulnerability after mitigation was LOW to MEDIUM-LOW. However, the following
factors, individually or collectively, may in the future increase the vulnerabilities which may be exploited by an able attacker:

a) increasing reliance on and criticality of some information systems;

b) increasing connectivity with, and dependence on, IT/OT, which may have an unknown level of
security; and

c) greater inter-connectivity both within aircraft and with external sources either via remote data links or
devices brought on board the aircraft. This includes increased internet connectivity and the use of COTS
equipment and remotely-deployed software updates. This may increase the chance of an inadvertent
attack, i.e. an attack on a system and/or non-aviation target which has unplanned or unintended
consequences for civil aviation using the same system.


2.15 This is especially true for “e-enabled” aircraft. Legacy aircraft may be less vulnerable due to more limited
external connectivity and proprietary systems, but they are also being retrofitted with more modern systems or maintained
using newer techniques (such as wireless data loaders) where the security impact may be poorly understood. Additional
work will be undertaken to reach a firmer conclusion on the effectiveness of existing mitigations.

Residual risk

2.16 Overall, the current likelihood of a terrorist cyber-attack on civil aviation is still assessed as LOW but the
potential worst-case consequences are assessed as HIGH. Some mitigations are in place so the overall residual risk is
assessed as LOW at present.

3. AIRPORT SYSTEMS

3.1 The scenarios identified fell into two broad categories:

a) attacks that could facilitate a conventional attack by degrading aviation security measures (screening,
access control, etc.). Despite the claims of various commentators at conferences, etc., it was judged to
be very difficult for an attacker to manipulate the screening technology, usually operated by teams of
security staff at airports, in order to get a prohibited article into a SRA. However, vulnerabilities do exist,
e.g. disabling access control that may then assist an attacker to perpetrate another form of attack that
the WGTR has analysed elsewhere; and

b) attacks intended to disrupt airport or airline operations, principally around passenger facilitation (such
as departure control, baggage handling, etc.). These are mostly overt denial of service attacks or caused
by ransomware, where the worst-case outcome would be disruption to an airport or potentially a number
of airports if wider, possibly international, feeds of data were disrupted. These are matters of operational
resilience rather than conventional aviation security and so should be considered as part of business
continuity. Again, given the range of differently sized operations and the variety of systems and
interconnectivity, it is impossible to produce a single accurate risk scenario.

3.2 Appropriate authorities and industry should consider how security measures they rely on may be disabled
or circumvented in their own risk analyses. Developments in screening technology, the increasing amount of equipment
in use, its interconnectivity and the possibilities offered by remote screening may present future issues, so the WGTR will
keep this threat area under review.

— END —
