Who we are and why we exist.

Egis is a leading global architecture, consulting, construction engineering and operating firm. We work side by side with clients to build a more balanced, sustainable and resilient world.

About egis

Our purpose, our values

Our leadership team

Our awards

Vision

Our strategic vision

Our brands and acquisitions

Innovation

Digital transformation

About our CSR

Corporate Social Responsibility

Ethics and Compliance

Diversity and gender equality

Policies and charters

Egis Foundation

Our activities

We work alongside our clients on every step of their journey. Across every aspect of transport, infrastructure and the built environment. All around the globe.

Transport

Maritime and waterway

Major structures

Geotechnical engineering

City

Buildings

Cities

Industrial & Process Engineering

Sports & Events

Sustainable resources

From idea to operation.

Combining deep technical expertise with close collaboration, we help design and operate smart, sustainable transport, cities and utilities — unlocking success for our clients.

Advisory & Delivery

Architecture

Consultancy and advisory

Design and engineering

Programme and project management

Training and certification

Managing & operating

Infrastructure management

Mobility and urban services

Road users services

On street parking management

Transformation

Global footprint. Local perspective.

With a network that spans over 100 countries in Europe, the Middle East, India, Latin America, Africa and Asia-Pacific, we can resource projects in every region.

Europe & Central Asia

Middle East

Africa

Asia

Australia & New Zealand

Latin America

North America

Discover what’s next.

Explore emerging trends and discover in-depth reports on issues affecting the built environment, future transport and sustainable infrastructure, along with breaking company news.

News

All news

Press & media

Events

Insights & White papers

Publications

Projects •Built-In, Not Bolted-On: Security by Design in Avi...

Built-In, Not Bolted-On: Security by Design in Aviation.

Multiple countries

Building resilient aviation systems from the ground up — aligning security, operations, and compliance from day one

Share this project •

Clients

Air Navigation Service Providers and Airports

Timeline

2022 - ongoing

Benefits

Aviation systems with secure and resilient designs can reduce system downtime by 50% compared to legacy systems that lack integrated security measures and recovery plans.

Surge in Aviation cyber attacks.

$4.88 millionaverage cost of a data breach in 2024

The global average cost of a data breach reached $4.88 million in 2024, marking a 10% increase from the previous year.

61%of aviation sector hit by cyber attacks

In 2024, 61% of aviation organisations experienced a ransomware attack, with an average of 21 phishing incidents and six nation-state incidents per respondent.

70%prioritising cyber security

Cybersecurity emerges as a top priority, with almost 70% of all aviation entities identifying it as their primary concern.

The challenge.

Achieving ‘Secure by Design’

Cybersecurity in aviation is becoming increasingly critical as digital systems take on a more central role in Air Traffic Management (ATM), airport operations, and service provision. Air Navigation Service Providers (ANSPs) operate critical ATM systems that are essential to global aviation safety. As cyber threats grow, ANSPs must adopt a "Secure by Design" philosophy, embedding cybersecurity into system lifecycles. However, this must be carefully balanced with operational safety, as overly rigid security measures could introduce risks to safety-critical systems. Integrating Secure by Design into the systems engineering V-Model (i.e. Verification and Validation model) enables ANSPs to manage this balance while collaborating closely with Original Equipment Manufacturers (OEMs) and aligning with local regulations.

The V-Model is a long-established system engineering methodology, widely used within all sectors, including aviation. It provides a systematic framework for system development, transitioning from requirements analysis to system validation and operation. For ANSPs, embedding security into this framework requires careful consideration of operational realities such as legacy systems and technologies, which may not support modern security standards and could pose significant integration difficulties.

V-Model system engineering

Key challenges include:

Stakeholder complexity – Coordinating cybersecurity responsibilities across airports, ANSPs, OEMs, and service providers with differing risk appetites and capabilities.
Legacy systems – Difficulty and risk involved in retrofitting cybersecurity to ageing infrastructure.
Alignment between safety and security – Ensuring that security measures do not compromise the safety or availability of critical ATM and airport systems.
Regulatory uncertainty – Interpreting and applying emerging cybersecurity regulations across international and national frameworks.
Evolving threat landscape – Designing systems today that remain resilient against tomorrow’s unknown threats.
Supply chain risk – Managing third-party vendors and ensuring secure practices are applied throughout the lifecycle.
Cross-domain collaboration – Encouraging cooperation between traditionally separate areas such as IT, engineering, safety, cybersecurity, legal, compliance, and operations.

Imagine.

Customised support and guidance to help aviation industry entities make informed decisions

On the back of decades-long consulting and engineering support to aviation, Egis today offers a specialist team to help ANSPs, airports and OEMs throughout the system development lifecycle, ensuring cybersecurity and safety are seamlessly integrated. Working with your teams, we can design and implement Secure by Design strategies tailored to local regulatory and operational needs. Our role can range from conducting Security Risk Assessments and facilitating collaborative risk evaluations to implementing advanced security frameworks, ensuring systems are resilient and aligned with global best practices. We also provide ongoing support in validating system performance, optimising solutions during integration, maintaining compliance during operations, and training staff on system security best practices. By bridging the gap between ANSPs, airports and OEMs, Egis fosters collaboration, helping both parties navigate the complexities of cybersecurity while preserving safety and operational excellence.

Laying the groundwork for Security by Design

The Secure by Design approach, integrated with the V-Model, enables ANSPs to strike a balance between safety and security. Conducting an Information Security Assessment as part of the design process ensures vulnerabilities are addressed early, while collaboration with OEMs ensures alignment with operational needs and regulatory requirements. By embedding security into the development lifecycle and leveraging the expertise of partners like Egis, ANSPs can safeguard operations and passengers in an increasingly complex and interconnected threat landscape.

Laying the groundwork for Security by Design involves a comprehensive approach to embedding security into the core of system development. This process begins with understanding the operational requirements from which the local technical concepts are derived, which provides a foundational understanding of the system's technical framework. A thorough system review and validation ensure that potential vulnerabilities are identified and addressed early on. This is followed by developing detailed system requirements that prioritise security as a fundamental component. Finally, the development of cybersecurity specifications delivers specific protocols and standards to safeguard the system against threats, ensuring a robust and resilient design from the beginning.

Security Risk Assessment

Conducting a Security Risk Assessment is a critical process for safeguarding key information assets and ensuring system security. It starts with identifying the key information assets to be protected through scoping and establishing the architectural basis for a comprehensive security review. Risk analysis follows, determining the likelihood and impact of potential threats to assess their severity. This is complemented by an evaluation of the high-level design architecture to pinpoint vulnerabilities within the system's structure. An initial risk register is then developed, capturing the uncontrolled security risk exposure before mitigation efforts. Finally, applicable security controls are identified to address the assessed risks, laying the foundation for targeted protective measures to enhance overall security resilience.

Development of cybersecurity requirements

The development of cybersecurity requirements involves a comprehensive approach that begins with understanding the current environment and identifying critical aspects that support the system’s performance, availability, and reliability. To ensure long-term effectiveness, these requirements must be developed with an appreciation of the Air Traffic Control (ATC) operational environment and context and be adaptable to future evolving security and functional needs. Justification for the requirements is achieved by mapping them to both aviation-specific security standards and relevant non-aviation standards, ensuring a robust and well-rounded framework that addresses the unique challenges of the domain while leveraging broader industry best practices.

Review of the regulatory landscape

The review of the security regulatory landscape involves a systematic assessment of existing regulations, directives, and standards that govern cybersecurity within the aviation sector. This process starts with identifying applicable international, regional, and national regulations and standards from bodies such as the International Civil Aviation Organisation (ICAO), European Union Aviation Safety Agency (EASA), European Organisation for Civil Aviation Equipment (EUROCAE), and others. Special attention is given to areas of overlap, gaps, and emerging regulatory trends that may impact the compliance of system design. The objective is to ensure alignment with current obligations while anticipating future requirements, thereby supporting proactive security governance and informed decision-making across all levels of the organisation.

Educate staff on security best practices in the aviation industry

Educating staff on security best practices in the aviation industry requires a comprehensive training approach that begins by aligning staff education with the latest security best practice guidance coming from both international security frameworks and the aviation sector. The training also integrates wider security areas such as risk management, security controls, risk assessments, and ATM-specific system security. This continuous education fosters a security-conscious culture, enabling employees to make informed decisions that contribute to operational resilience and regulatory adherence.

Create.

Security by design through real-world implementation

In one recent and ongoing project, our team collaborated with a major Asia Pacific civil aviation authority during its new ATM system procurement and supported its secure-by-design lifecycle.

This involved preparing cybersecurity plans, defining cybersecurity specifications and requirements, and conducting system security reviews. We also undertook a Security Risk Assessment in line with both aviation specific (Civil Air Navigation Services Organisation (CANSO)) and international (National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and International Organisation for Standardisation (ISO) 2700X) guidelines and supported the specific regional regulatory risk assessment needs from the National Security Agency. This required the concurrent use of top-down and bottom-up approaches to risk assessment and taking the superset of the outputs of both.

By applying both top-down and bottom-up approaches, Egis provided expert guidance to ensure that the procurement specifications addressed operational needs, managed identified risks, and required suppliers to demonstrate that security risks were effectively mitigated.

Achieve.

Cybersecurity, system design, safety and resilience

Project name	Country	Description
skeyes - Digital Tower Programme and ISO 27001 Certification Support	Belgium	Egis supported skeyes during its Digital Tower procurement and implementation by developing strategy, selection criteria, and tender requirements through cross-departmental workshops, and assessing feasibility, contingency scenarios, cyber resilience, ATCO performance, and commercial models to ensure safe, future-ready, and interoperable remote air traffic service. Egis also helped skeyes define and coordinate all tasks related to achieving ISO 27001 certification.
ROMATSA - Cybersecurity and SWIM Capability Enhancement	Romania	Egis supported ROMATSA in enhancing aviation cybersecurity through SOC development and in advancing SWIM implementation by assessing existing systems, defining future capabilities, and providing technical, organisational, and cost-effective strategies aligned with EU regulations to improve threat response and information exchange in air traffic management.
ESSP - IRIS Communication Service Provider Security Certification	France	Egis supported the cyber and information security aspects of certification for the IRIS service. Egis also supported the ESSP security team with the implementation of the IRIS Information Security Management System (ISMS) as part of its certification as a Communication Service Provider.
Austro Control - Cyber Resilience Assessment	Austria	Egis conducted an independent Cyber Security Resilience Review for Austro Control, assessing operational cyber risks, maturity, and ongoing improvements. The holistic review informed a management report and board presentation with key findings and strategic recommendations to enhance cyber resilience.
ANSL - Cyber Maturity Assessment for Edinburgh and Gatwick Airports	United Kingdom	Egis helped the client in identifying critical assets and performing maturity assessments against the Cyber Assessment Framework for Aviation (CAP 1850) for Edinburgh and Gatwick Airports. Egis also helped develop critical systems scoping diagrams and collate evidence packs in support of the CAP 1753 ASSURE audit.
ADAC - Approach Radar System Security Requirements Development	United Arab Emirates	Development of security requirements for an approach radar system to replace an end-of-life system, including interfacing with existing systems and providing future-proofed connectivity for next generation systems.
EUROCAE – Supporting WG-72 with Aeronautical Systems Security	France	Development and regular delivery of cybersecurity training packages to guide aviation professionals and regulatory audiences through proliferating standards and guidance in cybersecurity. Supporting development of an e-learning variant.
Southend Airport - CAP 1753 ASSURE Audit Preparation	United Kingdom	Egis supported Southend Airport in the preparation of an audit pack for the CAP 1753 ASSURE audit. This involved interviewing staff, collecting evidence, completing the Cyber Assessment Framework for aviation and producing critical systems scoping diagrams.

Related projects.

Cybersecurity Network Rail © Belish Adobestock

Cybersecurity support to Network Rail

United Kingdom