Reframing Aviation Safety in the Digital Age
Aviation today is no longer defined only by aircraft, runways, and air navigation facilities. It is an interconnected digital ecosystem where every component—from flight planning systems and radar networks to airport operational databases and passenger processing platforms—relies on layers of software, data exchange, and automated decision-support tools. As Indonesia expands its air traffic capacity, enhances airport infrastructure, and accelerates digitalization across Angkasa Pura Indonesia, AirNav Indonesia, airlines, and the Directorate General of Civil Aviation (DGCA), the nation’s aviation system is increasingly exposed to cyber-induced safety risks.
In many jurisdictions, cyber threats are traditionally framed as cybersecurity issues. However, for aviation, the challenge is more complex: cyber failures can quickly evolve into hazards that affect operational safety. For Indonesia, this means that cyber safety—not just cybersecurity—must be embedded within the Safety Management System (SMS), not treated as a standalone IT function. The growing dependence on digital systems makes cyber safety an inseparable part of Indonesia’s overall safety assurance landscape.
Why Cyber Safety Must Stand on Equal Footing with Cybersecurity
Cybersecurity focuses on protecting digital assets, systems, and networks from unauthorized access, manipulation, or disruption. Cyber safety, in contrast, concerns the cascading operational consequences resulting from cyber-induced failures that jeopardize the core aviation safety objectives. A cyber breach in an airline’s reservation system may be a cybersecurity incident, but a cyber compromise in an air traffic communication network that causes loss of separation between aircraft clearly becomes a cyber safety threat.
Several international regulators now explicitly separate both domains. ICAO Annex 19 and ICAO Doc 10147 emphasize that cybersecurity alone does not capture the safety impact of digital vulnerabilities. EASA’s “Cybersecurity in Aviation” and FAA’s Aviation Cyber Initiative similarly outline the dual responsibility for safeguarding both digital integrity and operational safety. ICAO’s 2024 State Cybersecurity Action Plan baseline further strengthens this alignment by requiring states to integrate cyber risks into their safety governance ecosystem.
Indonesia cannot depend solely on conventional cybersecurity measures, because the aviation system increasingly relies on integrated digital platforms. The rise of remote towers, digital NOTAMs, satellite-based CNS/ATM systems, biometric passenger processing, and AI-supported maintenance analytics means that any cyber disruption can escalate into operational failures.
The challenge for Indonesia is clear:
How do we embed cyber safety into the existing ICAO Safety Management System (SMS) framework, ensuring that digital reliability becomes an inherent component of safety governance?
To answer this, we must treat aviation as a System of Systems (SoS)—a tightly coupled ecosystem where aircraft avionics, ATS systems, airport digital platforms, telecom infrastructure, regulatory frameworks, and human operators interact dynamically. Cyber safety cannot be addressed in isolation. It must be woven into the fabric of Indonesia’s SMS.
The System-of-Systems Logic for Indonesia
Indonesia’s aviation ecosystem is best understood as a system-of-systems, where airlines, airports, air navigation, regulators, ground handlers, fuel providers, and oversight bodies are interconnected. Each component operates independently yet relies on the proper functioning of the others to maintain safety.
In this system-of-systems environment, cyber weaknesses in one organization can easily propagate to others. A malware intrusion in an airport’s network may disrupt A-CDM processes, triggering misalignment in slot allocation, departure sequencing, and ATC coordination. A failure in AirNav’s surveillance data processing could affect airline situational awareness and scheduling reliability. A compromised maintenance data system could generate erroneous predictions that affect aircraft airworthiness decisions.
Recognizing this interconnectedness is essential to embedding cyber safety within Indonesia’s SMS, because cyber hazards must be assessed not only at the individual organizational level but also across the entire aviation ecosystem.
Cyber Safety within the First Pillar: Safety Policy and Objectives
Integrating cyber safety begins with an explicit policy recognition that cyber-induced hazards are part of the safety domain. This requires DGCA to articulate cyber safety principles within national SMS regulations and governance frameworks, making cyber issues reportable, measurable, and auditable as safety concerns. For operators and service providers—particularly Angkasa Pura Indonesia, AirNav Indonesia, and airlines—this means restructuring their internal policy documents to reflect cyber safety commitments within their safety objectives, rather than isolating them within IT or security departments.
People, processes, and premises play a key role. Leadership must ensure that cyber safety responsibilities are defined for all operational personnel, not confined to cybersecurity teams. Processes must embed cyber safety assessments into decision-making on system upgrades, digital procurement, and operational changes. Premises—both physical and digital—must be governed by consistent standards that treat digital infrastructure as part of the operational environment. Recognizing digital assets as safety-critical infrastructure allows Indonesia to align policy with actual operational dependencies.
Cyber Safety within the Second Pillar: Safety Risk Management
Safety risk management must evolve to reflect cyber hazards as integral components of operational risk. Identifying cyber-related safety hazards requires collaboration between IT experts and operational safety personnel. Instead of relying solely on penetration testing or vulnerability assessments, Indonesia must adopt predictive approaches that map how digital failures propagate through flight operations, air navigation, or airport management processes.
Risk analysis must consider scenarios such as corrupted surveillance data affecting ATC decision-making, unauthorized access to airport operational databases altering stand allocation or passenger processing sequences, manipulation of airline maintenance records leading to incorrect airworthiness decisions, or ransomware disrupting A-CDM flows and triggering departure delays that compromise airspace capacity. These scenarios illustrate how cyber failures can evolve into traditional safety hazards.
Indonesia has experienced incidents that illustrate the real-world nature of cyber safety threats. Cyber disruptions at several major airports caused check-in delays when airline systems were compromised, creating operational pressures that increased the risk of human error at check-in counters and boarding gates. AirNav Indonesia has previously reported temporary disruptions in information systems that, although contained, demonstrated how digital disturbances could escalate into operational risk if not properly managed. These examples reinforce the need for cyber risk modelling that integrates technical vulnerabilities with operational consequences.
People, processes, and premises again form the backbone of implementation. Personnel at the front line—from controllers to technicians and airport duty managers—must understand how cyber anomalies may manifest in operational environments. Processes for risk identification, analysis, and mitigation must incorporate cyber scenarios in the same manner as traditional hazards. Operational premises, including digital data centres and network infrastructures, must be assessed as part of the safety environment, not solely as IT assets.
Cyber Safety within the Third Pillar: Safety Assurance
Safety assurance requires continuous monitoring, performance evaluation, and compliance verification for cyber safety risks. In Indonesia, this means embedding cyber monitoring indicators into existing safety dashboards, ensuring that deviations in digital system performance are treated as potential early warnings of operational hazards. AirNav Indonesia, for example, has begun strengthening redundancies and failover capacities in key systems after past disturbances highlighted systemic vulnerabilities. Angkasa Pura Indonesia increasingly integrates digital monitoring within its airport operations control centres, ensuring information system anomalies are escalated as potential safety events.
Safety assurance also depends on reviewing cyber event reports to detect latent conditions that could trigger operational failures. A minor intrusion in a non-critical system may reveal a broader systemic weakness that, if left unaddressed, could affect critical systems. Assurance audits must therefore include digital infrastructures, system interfaces, and data governance practices.
People, processes, and premises again shape implementation. Safety teams must be trained to interpret digital anomalies and understand their operational implications. Processes must ensure that digital performance data is integrated into safety performance indicators. Premises, including server rooms, network hardware, and cloud-based infrastructures, must be incorporated into safety assurance inspections.
Cyber Safety within the Fourth Pillar: Safety Promotion
For cyber safety to be mainstreamed, Indonesia must develop a safety culture that recognizes digital hazards as part of daily operational reality. Awareness programs, case studies, scenario-based learning, and cross-disciplinary safety dialogues are essential to building literacy among aviation personnel. Safety promotion should highlight real incidents from global aviation, such as ATC system disruptions in the Philippines, ransomware attacks targeting airlines, or GPS spoofing events near operational flight corridors. These examples can be contextualized for the Indonesian environment, demonstrating how cyber disruptions translate into operational safety challenges.
Promotion also requires breaking silos. Safety teams, IT professionals, cybersecurity experts, and operational managers must engage in regular safety exchanges to build shared understanding. Cyber safety is not an abstract concept; it is a lived operational risk that requires cross-functional collaboration.
People, processes, and premises continue to anchor promotion efforts. Personnel must be equipped with the knowledge to recognize and respond to cyber anomalies. Training and communication processes must emphasize the operational impact of cyber threats. Digital and physical premises must support collaborative safety education, from briefing rooms to digital training platforms.
Bringing Cyber Safety and Cybersecurity onto Equal Footing
One of the most significant challenges in Indonesia is ensuring that cyber safety receives the same strategic attention as cybersecurity. While Indonesia has made substantial regulatory progress through the National Cyber and Crypto Agency (BSSN), DGCA’s aviation-specific frameworks need further alignment with ICAO’s cyber safety principles. The country has already shown strong steps in this direction. The development of Indonesia’s National Cybersecurity Strategy, the ongoing digital modernization of AirNav Indonesia, and Angkasa Pura Indonesia’s initiatives to implement integrated airport command centers demonstrate a national commitment to strengthening cyber resilience across the aviation ecosystem.
However, cybersecurity measures alone do not fully address the operational consequences of digital disruptions. A system might be secure against unauthorized access yet still experience failures that cause operational safety hazards. Elevating cyber safety to parity with cybersecurity ensures that Indonesia’s aviation digital transformation is both secure and safe.
A System-of-Systems Path Forward for Indonesia
Indonesia’s aviation sector is entering a new era defined by rapid digital integration. Remote towers, digital CNS/ATM systems, biometric passenger processes, predictive maintenance, integrated operations centres, and AI-supported decision-making will reshape the air transport landscape. These innovations introduce new efficiencies but also expand the nation’s exposure to cyber-induced hazards that must be managed holistically.
Integrating cyber safety into SMS through a system-of-systems lens ensures that cyber risk is governed not within organizational silos but across the interconnected aviation ecosystem. It establishes a unified safety governance paradigm where cyber threats are recognized as operational hazards, where digital anomalies are treated as safety indicators, and where the responsibility for cyber resilience is shared across airports, airlines, AirNav, and regulators.
Indonesia’s path forward demands leadership commitment, regulatory evolution, collaborative risk management, and a culture that embraces cyber safety as an integral part of aviation safety. By adopting the system-of-systems integration approach, Indonesia positions itself not only to meet international expectations but to lead within the region as a champion of digital-era aviation safety.
REFERENCES
ICAO. (2020). Aviation Cybersecurity Strategy.
ICAO. (2018). Annex 17: Security – Safeguarding International Civil Aviation Against Acts of Unlawful Interference.
ICAO. (2022). Safety Management Manual (Doc 9859).
EASA. (2024). European Aviation Digital Resilience Study.
