Getting ready for cybersecurity regulations

Francesca Popescu and Yann Berger from Airbus explored Part-IS, a European Aviation Safety Agency (EASA) initiative that introduces requirements for the management of security risks that could affect information and communication technology systems and data used for civil aviation purposes.


Presenting at the Indra Theatre, Popescu and Berger gave an in-depth analysis of what is technically Regulation (EU) 2023/203, noting that it will align with US Federal Aviation Administration requirements and that it is broader in applicability than many EASA regulations.

They pointed out that Part-IS – which will come into effect from October 2025 – is far more than a requirement for an Information Security Management System (ISMS) and should be studied carefully.

Berger said the goal should be to go beyond compliance. An ISMS is based on the idea of continuous improvement and so there will doubtless be additional requirements in future.

Indeed, he noted the industry must ultimately aim towards integrated risk management where physical safety meets cybersecurity. Organisations affected should perform a gap assessment and then define an implementation strategy to overcome any shortcomings.

In a wide-ranging discussion, the differences between risk management in the air and on the ground were also highlighted, as each is exposed to distinct types of attack and risk.

Aircraft, for example, don’t have cyber specialists on board and their systems cannot be adjusted immediately. The aim therefore is to ensure prevention – attackers must not be able to reach aircraft systems in flight.

On the ground, there are no such clearly defined boundaries, and the attack surface is far larger. Because it is impossible to protect against every potential attack, a combination of prevention, detection and reaction is the most viable way forward. Organisations should also have a good reporting system so that authorities and relevant third parties can anticipate an attack or react as necessary.

Berger concluded that the aim must always be an end-to-end approach that ensures safety and security risks are minimised.