Concerning European Aviation Information Security (Cybersecurity)


Sofema Online (SOL) www.sofemaonline.com looks at the role of EASA Commission Delegated Regulation (EU) 2022/1645, the issues with managing cybersecurity in aviation, and best practices for cybersecurity management.

Introduction

The Commission Delegated Regulation (EU) 2022/1645, adopted on July 14, 2022, provides specific rules for managing information security risks in the aviation sector. This regulation is a supplement to the broader Regulation (EU) 2018/1139, which sets out common rules in civil aviation and establishes the European Union Aviation Safety Agency.

This regulation represents a significant step in strengthening the management of information security risks in the aviation sector, ensuring a higher level of safety in civil aviation.

Key points of the 2022/1645 regulation include:

>> Objective: The regulation aims to identify and manage information security risks that could impact aviation safety, focusing on information and communication technology systems and data used in civil aviation.

>> Scope: It applies to specific organizations, including production and design organizations under Regulation (EU) No 748/2012, as well as aerodrome operators and apron management service providers under Regulation (EU) No 139/2014.

>> Information Security Requirements: Organizations are required to implement an information security management system (ISMS), addressing confidentiality, integrity, authenticity, and availability of network and information systems. They must also handle information security incidents and vulnerabilities, including detection, response, and recovery processes.

>> Risk Management: The regulation mandates organizations to conduct risk assessments, identifying potential information security risks and implementing appropriate measures to manage them.

>> Reporting Obligations: Organizations must establish internal and external reporting schemes for information security events and incidents, ensuring timely communication with competent authorities and other relevant entities.

>> Personnel and Record-Keeping: Organizations need to appoint responsible persons for information security compliance, ensure staff competence, and maintain records of information security management activities.

>> Amendments to Existing Regulations: The regulation amends Commission Regulations (EU) No 748/2012 and (EU) No 139/2014 to integrate information security management requirements.

>> Implementation Timeline: It becomes applicable three years after its entry into force (July 14, 2025), giving organizations time to comply with the new rules and procedures.

>> Guidelines and Continuous Improvement: The Commission may issue guidelines for assessing equivalence of requirements, and organizations are expected to continuously assess and improve their ISMS.

Challenges in Managing Cybersecurity in Aviation

Managing cybersecurity in the aviation workplace, in light of Commission Delegated Regulation (EU) 2022/1645, involves a number of challenges and corresponding best practices. The following guide covers both:

>> Complexity of Aviation Systems: Aviation systems are intricate, with interconnected networks and dependencies on various information technologies. Ensuring comprehensive cybersecurity amidst this complexity is challenging.

>> Rapid Technological Advances: The fast pace of technological evolution in aviation means that cybersecurity measures must continually adapt to new threats and technologies.

>> Insider Threats: Employees or insiders with access to sensitive systems can pose significant risks if their actions are malicious or negligent.

>> Compliance with Regulations: Keeping up with regulatory requirements, such as those set out in EU 2022/1645, and ensuring continuous compliance is a significant challenge.

>> Supply Chain Vulnerabilities: Aviation operations depend on a wide range of external suppliers and partners, making the entire network susceptible to vulnerabilities in the supply chain.

>> Awareness and Training: Maintaining a high level of cybersecurity awareness and training among all employees is challenging but crucial.

>> Data Privacy and Protection: Safeguarding the privacy and protection of sensitive data, including passenger information, is a constant concern.

Best Practices for Cybersecurity Management

>> Risk Assessment and Management: Regularly conduct comprehensive risk assessments to identify vulnerabilities and implement appropriate risk management strategies as mandated in the regulation.

>> Implement Robust ISMS: Establish a robust Information Security Management System (ISMS) that aligns with international standards (e.g., ISO 27001) and integrates with existing safety management systems.

>> Continuous Monitoring and Incident Response: Develop capabilities for continuous monitoring of systems and swift response to cybersecurity incidents.

>> Staff Training and Awareness Programs: Regularly conduct training and awareness programs for all staff members to recognize and respond to cybersecurity threats.

>> Access Control and Insider Threat Management: Implement strict access control measures and monitor for insider threats. Ensure that employees' access to systems is commensurate with their role and responsibilities.

>> Compliance with Regulations: Regularly review and update practices to ensure compliance with evolving regulations like EU 2022/1645.

>> Supply Chain Security: Work closely with suppliers and partners to ensure they meet your cybersecurity standards.

>> Data Protection Measures: Implement strong encryption and other data protection measures to safeguard sensitive information.

>> Incident Reporting and External Communication: Establish clear protocols for incident reporting and communication with external authorities as required by regulation.

>> Invest in Cybersecurity Technologies: Continually invest in and update cybersecurity technologies to counter emerging threats.

>> Regular Audits and Reviews: Conduct regular audits and reviews of cybersecurity practices to identify areas for improvement.

Next Steps

Please see the following course available online: EASA Compliant Organization Cyber Security Responsibilities

For questions or group enrolments please email team@sassofia.com
