EASA proposes new rules to protect against cyber attacks

The European Union Aviation Safety Agency (EASA) has published an Opinion on Management of Information Security Risks, aimed at safeguarding the entire civil aviation system against potential safety effects caused by cyberattacks.

As information systems become more and more interconnected and are increasingly the target of malicious acts (whether directly or indirectly), the risks of such attacks, events and incidents in civil aviation are constantly increasing. The proposed new rules will make the aviation system more resilient to these information security events.

“Such attacks typically target the weakest link in the chain,” said EASA Executive Director Patrick Ky. “We need to take a holistic view to guard against situations where one weak link can compromise the entire aviation system. This Opinion is an important milestone in mitigating these emerging and growing risks.”

The Opinion defines ways to identify and manage information security risks which could affect communication technology systems and data used for civil aviation purposes, and so in turn have an impact on aviation safety. In particular, it proposes the introduction of an information security management system (ISMS) for the competent authorities – including EASA – and for organizations in all aviation domains and requires them to report incidents and vulnerabilities related to information security.

This ISMS will complement the existing management systems which these organisations and authorities already have in place.

In an indication of its breadth, the scope of organisations covered by the Opinion is listed out as follows: production and design organisations, air operators, maintenance organisations, continuing airworthiness management organisations (CAMOs), training organisations, aero-medical centres, operators of flight simulation training devices (FSTDs), air traffic management/air navigation services (ATM/ANS) providers, U-space service providers and single common information service providers, aerodrome operators and apron management service providers.

The proposed provisions include high-level, performance-based requirements, and will be supported by acceptable means of compliance, guidance material, and industry standards.

The proposed measures should contribute to the creation of a seamless and consistent regulatory framework where the interfaces between security and safety are appropriately covered, and where special attention is paid to avoiding gaps, loopholes and duplications with other information security and cybersecurity requirements, such as those contained in Commission Implementing Regulation (EU) 2015/1998 and in the national requirements stemming from Directive (EU) 2016/1148 (NIS Directive).

The Opinion was developed in close coordination, consultation and discussion with the European Strategic Coordination Platform (ESCP). It will now enter the adoption process of the European Commission.