Hello and a happy new year to everyone!

I've got a question about how to deal with a new kind of ICA, affecting every airline operating e-enabled aircraft.

OEMs are providing Aircraft Security Operator Guidance (ASOG) (e.g., Security Handbook or (U)ANSOG) to operators to ensure the safe operation of the aircraft. These documents - or, to be more precise, the instructions they contain - are categorized as ICAs (Instructions for Continued Airworthiness). Usually, it is the responsibility of the CAMO to ensure all ICAs are taken care of.
The topics addressed in, and tasks required by, the ASOGs exceed the common CAMO scope, reaching into areas of others' responsibility (e.g., Flight Ops for crew processes and procedures, IT for digital certificate management). The instructions are written in the form "The operator shall..." or "xyz shall be ensured...".
EUROCAE ED-204A recommends that operators have an "Aircraft Information Security Center" (AISC) with trained specialists, "acting as the operator's point of contact for aircraft information security events".

Does anyone have any experience or is willing to share his/her thoughts about how this could be implemented? Thinking of actions falling into the area and responsibility of others: Does each such task need to be interpreted as a "subcontracted continuing airworthiness management task" (SCAMT)? Is there any more efficient, but regulatory-wise acceptable, way to manage this new type of ICA?

Thank you very much in advance and with kind regards.

MARWAN ALTAIMEH

Hello Marc-Christian,

Thank you for initiating this discussion – it's always been and continues to be a challenging area.

Currently, it appears that the specialists are still spread across various departments, working in a somewhat dynamic team structure to ensure compliance. While this approach is functional, I believe it may not be the most efficient or optimal.

In my view, the ideal scenario would involve the creation of an AISC team under CAMO (Continuing Airworthiness Management Organization), as CAMO is ultimately responsible for the airworthiness of the fleet. Additionally, it would be crucial to have GRC (Governance, Risk, and Compliance) and Security as primary stakeholders in ensuring cybersecurity approval.

I believe this would streamline the process and improve efficiency, aligning all necessary parties under a clear and focused structure.

Marc-Ch. Reichle

Hello Marwan,
Thank you for your thoughts. I fully agree that the specialists are usually spread across multiple departments. I can see pros and cons for having them in one place. While having them all together would make communication within the Aircraft Information Security Specialists (AISS) easier and more efficient, leaving them in their own environment provides the benefit of them being involved in the daily operation and up to date about what is currently going on in their area.

But coming back to the original question: How can CAMO take advantage of a specialist belonging to a different department or BU (e.g., IT taking care of PKI)?
Would it be acceptable to interpret the responsibility of the CAMO to ensure all the ICAs provided through the ASOG documents are implemented properly by the relevant departments or BU - even if there is no SCAMT contract with every single one?

John Straiton

Hi Marc-Christian,
The EU 2023/203 regulation, more commonly referred to as EASA Part-IS, requires all EASA Approved Organisations to introduce an Information Security Management System that will cover the needs of the ICA you are highlighting. Please see the Cybersecurity Community Network for more details.
