European Strategic Coordination Platform (ESCP)

15 February 2022

What is ESCP?

The ESCP is the European Strategic Cooperation Platform. It is an EASA-led initiative, launched during the second EASA High Level Meeting (HLM) on Cybersecurity in Aviation in November 2016. The Declaration from the HLM on Cybersecurity in Bucharest (in short, the “Bucharest Declaration”) initiated the ESCP in response to the growing recognition that cybersecurity incidents are increasing in frequency, magnitude and complexity, and have no borders. Civil aviation is an increasingly attractive target for adversaries. New technologies such as e-enabled aircraft, new generation CNS/ATM systems and drones are changing the risk landscape of the aviation system. At the same time, the rationalisation and concentration of the aviation IT infrastructure and the multiplication of network connections will create new vulnerabilities.

Objectives of the ESCP

The ESCP vision is to make the European Aviation System more resilient and more secure against cyber threats, by adopting a through-life tiered approach to security in design, production, operations and ultimately disposal of products, systems, and services. Its enabling objectives are:

  • Coordination
  • Sharing of Information and Reporting
  • Regulations
  • Risk Assessments
  • Cybersecurity Promotion, Awareness and Preparedness
  • Knowledge and Foresight
  • Commitment and Resources

To drive this vision, the aviation community (both civil and military) joined in this co-operative partnership and accepted the main objective of defining and coordinating the implementation of a European Strategy for Cybersecurity in Aviation. Other work streams are dealing with aspects of the enabling objectives of the Bucharest Declaration.

To achieve adequate consistency and avoid duplication, this strategy considers the global context and includes appropriate international coordination, taking into account, among other aspects, any relevant ICAO standards and initiatives, ECAC and EU initiatives, as well as any applicable EU regulation and industry standards. The success of the ESCP relies on a collaborative effort involving all members of the platform. Members of the platform engage, join, or leave on a voluntary basis.

Who are the ESCP members?

The members of the ESCP are European organisations and authorities. Observers are also admitted from international organisations or authorities. Each member and observer is represented on the Executive Committee by an appointed management representative, while more technical representatives are delegated to the Technical Advisory Committee (TAC) and the work streams. These representatives are cybersecurity professionals who are part of the organisation’s staff and actively participate in the discussions and activities.

Activities and deliverables of the ESCP

The SARS-CoV-2 (coronavirus) pandemic has split the activities of the ESCP into two main phases, before the pandemic and after the pandemic, mainly because it proved difficult to conduct successful meetings during the pandemic. One exception, however, was the continued work on the Regulatory Processes work stream to finalise EASA Opinion 03/2021, “Management of information security risks”, and to complement it with Acceptable Means of Compliance (AMC) and Guidance Material (GM).

Pre-Pandemic

The first meeting of the Executive Committee of the European Strategic Coordination Platform (ESCP) took place on 7 July 2017. The plan looked like this:

[Figure: ESCP 3]

Subsequently, the Technical Advisory Committee (TAC) was established with the creation of two work streams. The first work stream was called “Consistency between Scopes and Subjects of national, regional and international Regulatory Processes for Cyber Security in Aviation” (Regulatory Processes), with its kick-off taking place on 10th October 2017. It aimed to coordinate the discussions and consultation with respect to the imminent regulatory work on Cybersecurity in Aviation. The second work stream was called “Establishment of the Charter of the ESCP” (Charter), with its kick-off taking place on 28th November 2017. This work stream created the initial deliverable of the ESCP, the ESCP Charter Version 2.0. After the publication of the Charter in February 2019, the work stream was tasked with developing one of the key deliverables of the ESCP, the European Strategy for Cybersecurity in Aviation, which was published in its first version in September 2019. Subsequently, the work stream also developed an Action Plan, which the pandemic prevented from being finalised and published.

In parallel, another work stream, called Shared Trans-Organisational Risk Management (STORM), was established in early 2018 and worked until late 2019. Its objective was to address the risks the aviation community is facing from a holistic perspective, in a similar fashion as adversaries operate. It strives to reduce intra-community protections against benign co-operators and resulting operational constraints while strengthening its mutual risks in a concerted fashion. The regulatory work on Part-IS, conducted in the context of the Regulatory Processes work stream, integrated its concepts when its deliverable, EASA Opinion 03/2021, “Management of information security risks”, was published in June 2021.

Post-Pandemic

EASA expects to be able to (re-)establish the post-pandemic ESCP activities, which will consist of a total of 5 work streams, in addition to the ESCP Executive Committee meetings. Also, for the first time, the Technical Advisory Committee, composed of representatives of all work streams, may be beneficial as a tool for coordination between the work streams.
