Developing Cybersecurity Regulations in Aviation & Part-IS

Vasileios PAPAGEORGIOU • 1 September 2023
in community Cybersecurity

The aviation sector worldwide is targeted by cyberattacks on a daily basis. Airports and airlines are increasingly becoming the target of DDoS, ransomware or other types of attacks, not only putting pressure on those organisations but in certain cases running the risk of also having a potential impact on aviation safety. [1]

As the European regulator for aviation safety, EASA has developed regulations that aim not only to safeguard the safety of aeronautical products but also to address security threats and vulnerabilities that aviation organisations face and that might have an impact on safety. [2]



To what extent, however, does the dynamic threat landscape of aviation cybersecurity make the development of such regulations feasible, and how can the rules continue to be meaningful in a constantly changing environment driven by the malicious intent of perpetrators?

According to Bill Bryant, a technical fellow (MTSI) specialising in aviation cybersecurity solutions:

“I think there's a lot of great work going on (when it comes to developing standards and regulations) [..] but we can't expect too much of it. Because, whatever approach we took, attackers will come around [..]. It doesn't mean stop [developing standards and regulations]. It just means you're never done. Because when a solution closes one hole, attackers are going to try to create another one.” [3]



Given that this complex and dynamic environment creates challenges in the development of standards and regulations in the aviation domain, it is important to create rules that allow the development of frameworks that can be flexibly adjusted not only to the needs of different kinds of organisations in aviation but also to new types of threats that have not yet been identified.

Furthermore, rules or standards alone are not intended to stop malicious activity. However, they should aim at defining the minimum level of protection and resilience of the sector, not by prescribing rigid solutions but by setting security targets.

Part-IS - A proactive and flexible approach

With the implementation of the regulatory package of Part-IS, aviation organisations in Europe will have to identify and manage their information security risks which could affect information and communication technology systems and data used for civil aviation purposes, to detect information security events, identifying those which are considered information security incidents, and to respond to, and recover from, the information security incidents to a level commensurate with their impact on aviation safety.

Some of the key provisions of Part-IS that provide the necessary flexibility to this Information Security Management System (ISMS) include, among others:

  • Continuous improvement, aiming to continuously improve the effectiveness, suitability and adequacy of the ISMS with a proactive and systematic assessment of the ISMS and all its elements — including its maturity.
  • Updates on the risk assessment and treatment process at regular intervals
  • Risk information sharing between interfacing organisations

The regulatory package of Part-IS and its accompanying AMC/GM aim to provide a flexible tool in the form of an ISMS that is tailored to the needs of the aviation domain and will help both organisations and authorities to follow a systematic approach towards identifying and addressing the information security risks that aviation faces and will continue to face.



What are your thoughts on the challenges of developing regulations and standards that are able to remain up to date and meaningful in the dynamic environment of cybersecurity in aviation, and how do you assess Part-IS in this regard?

Comments (2)

Cyrille ROSAY

I would say that reaching consensus among all participants in an industry standard development group can be qualified as challenging as it takes years and yes, the environment is evolving quickly...
