ACyS Guidance Material PART 1 Organization
• FedEx
• IAG
• KLM
• Korean Air
• Lufthansa
• Qantas
• Qatar Airways
• United Airlines
[1] ICAO, Aviation Security Global Risk Context Statement, Second Edition, 2019 (Doc 10108).
[2] IATA, Aviation Cyber Security Roundtable, Read Out, 2019.
[3] ICAO, Aviation Cybersecurity Strategy, 2019.
[4] ICAO, Annex 17 – Security, 10th edition, 2017.
[5] IATA, IOSA Standards Manual (ISM) Ed. 14, 2020.
[6] FAA, Order 8900.1 Volume 3, Chapter 61.
[7] NIST, SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, 2011.
[8] ENISA, Cyber Security Culture in organisations, 2018.
[9] IATA, Security Management System (SeMS) Manual, Edition 4, 2020.
[10] NIST, SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, 2011.
[11] NIST, Cybersecurity Framework (CSF).
[12] NIST, SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, 2020.
[13] ISO/IEC, 27000 Family of Standards.
[14] ISO/IEC, 27032:2012, Information technology — Security techniques — Guidelines for cybersecurity, 2012.
[15] UK CAA, CAP1850, Cyber Assessment Framework (CAF) for Aviation, 2020.
The Cyber Security Strategy development process may touch multiple divisions within an organization. Therefore,
the Operator should compose a multi-disciplinary team responsible for the entire process of strategy development
and subsequent implementation. Determining the action plan is key to developing the strategy. This needs to be followed
by setting the timeframe, which can differ for each Operator, as it depends on the size, complexity, vision, and
mission of the organization, among other factors.
As a first step, the Operator should develop the strategic goals and define the scope of the strategy. Next, cyber
security needs should be identified to guide the development of achievable and actionable activities in support of
the goal and scope of one’s Cyber Security Strategy. Further steps to consider while developing the
strategy include defining Cyber Security Programs that will eventually determine performance indicators
for specific objectives and for the overarching goals, determining the resources needed (the amount of time and the size of the
staff needed to address the cyber security efforts), and developing a communication plan within the
organization. The Cyber Security Strategy should be revisited and updated regularly.
[16] NIST, Cybersecurity Framework (CSF).
[17] NIST, SP 800-100, Information Security Handbook: A Guide for Managers, 2007.
NIST defines information security governance as the process of establishing and maintaining a
framework and supporting management structure and processes to assure that information security strategies are
aligned with and support business objectives, are consistent with applicable laws and regulations through adherence
to policies and internal controls, and provide assignment of responsibility, all to manage risk.[18]
In general, referring to the NIST CSF and SP 800-100, cyber security governance has several possible
structures (discussed in the previous section), requirements, challenges, and activities. Moreover,
cyber/information security governance defines the key roles and responsibilities within the organization and
supports the development, oversight, and ongoing monitoring of the policies. Therefore, in order to ensure the
desired level of support for the organization’s mission and the implementation of compliance requirements, it is important
for the Operator to have a well-established governance framework that is applied to all aspects of the Flight
and Technical Operations organizations. As part of the governance, the Operator should identify the applicable
regulatory requirements at the national level (legislation, regulations, directives) as well as internal requirements.
The Operator should consider integrating cyber security governance with the overall organizational
structure and activities in order to ensure that upper management is informed and participates in the process of
overseeing the implementation of security controls within the organization. This process can be facilitated by the
following elements:
• strategic planning;
• organizational structure and development;
• defined and established appropriate roles and responsibilities;
• integration with the overall architecture of the organization;
• documentation like policies and guidance put in place.
The figure below presents the Governance, Risk, and Compliance (GRC) Framework, which aims to help in the process
of managing the organization’s overall governance, risk management, and compliance with regulations and
standards. Governance covers the regulations, standards, policies, processes, and procedures, as well as the
controls to be put in place. Risk involves understanding one’s CSIAD, operations, and processes, as well as
understanding the business’ capability to endure losses. Compliance covers the controls
implemented by the organization to fulfill compliance mandates.
[18] NIST, SP 800-100, Information Security Handbook: A Guide for Managers, 2007.
[Figure: Governance, Risk, and Compliance (GRC) Framework. Source: IATA]
ISO/IEC 27001 and other frameworks can support the GRC activities within one’s organization, as they help with the
process of establishing an information/cyber security governance aligned with the organization’s governance,
preserving information/cyber security by applying risk management, and establishing a set of controls
enabling the organization to be compliant with regulations and standards.
For any Operator, the ultimate success of cyber security management and strategy depends on proactive support
from the organization’s senior management. The structured management framework ensures the oversight,
monitoring, and controlling of the right implementation of cyber/information security within the organization.
Therefore, it is important to have established a strong leadership and ownership of the topic with the relevant
elements embedded in respective business units.
The Board of Directors is ultimately responsible for the whole governance of the organization. However, the
executive responsibilities over most governance matters rest with the CEO. The CEO is ultimately accountable for
ensuring all required resources are appointed throughout the organization. Therefore, the CEO appoints the CISO,
who reports directly to the CEO. The CISO is responsible for the cyber security operations and for ensuring the
successful implementation of the cyber security strategy of the organization.[19] This role may be also appointed to
[19] ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements, 2019.
The cyber security program should fulfill the Cyber Security Strategy, and it often refers to industry framework
standards and recommended practices. The cyber security program establishes all the policies and processes
required to protect the confidentiality, integrity, and availability of one’s identified CSIAD. It is important to note that,
based on the strategic objectives and regulatory requirements, the individual elements and sub-elements of the cyber
security program may vary between Operators. However, there are certain elements that an effective
cyber security program should include, i.e. policies, a cyber security framework, and processes, as well as
the means to measure them. Each cyber security program element and the relevant documentation must be
implemented in the specific business units of one’s organization. Therefore, the cyber security program should be
tailored specifically to one’s organization.
One of the key elements for an Operator in support of the management of cyber security within an organization is
the development and establishment of the cyber security program. The cyber security program should align with the
mission and vision of the organization. It should be based on the risk appetite determined by the Board of Directors.
The goal of the program is also to identify different business units and appoint staff in order to support the strategic
objectives of the organization.
The process of devising a cyber security program is very important, and to do so the organization needs to appoint
strong leadership with a strategic resource who will ensure that the program aligns with the vision,
mission, and risk appetite of the Operator.
The very first step for the Operator should be to identify the individuals within the organization to be involved in the
process of devising a cyber security program. Therefore, the Board of Directors or the CEO should appoint the
Senior Officer who will provide the lead and direction of the entire organization. As the cyber security lead for the
organization, and the cyber operational aviation aspects as well, meaning the fleet of aircraft, this Senior Officer
bridges the organization program with cyber security tactical aviation implementation. However, it is also important
that the Senior Officer is in control of the budget, can plan and allocate necessary resources, as well as has the
capacity to execute the devised cyber security program. The Senior Officer will provide direction to the entire
organization and ensure consistency throughout the management.
[20] IATA, Security Management System (SeMS) Manual, Edition 4, 2020.
[21] NIST, Cybersecurity Framework (CSF).
[22] ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements, 2019.
• Identify organization vision and mission objectives along with high-level organizational priorities;
• Make strategic cyber security implementation decisions as well as determine the scope of the systems
and assets;
Step 2: Orient
• Identify related systems and assets, regulatory requirements and the program’s overall risk approach;
• Identify vulnerabilities of, and threats to, these systems and assets;
• Analyze the operational environment of the organization in order to determine the likelihood of cyber
security events and their related impact;
• Create a target profile that focuses on the CSF Categories and Subcategories assessment describing
the desired cyber security outcomes (based on the organizational risks and considering the risk
appetite);
• Determine, analyze and prioritize any gaps that exist, based on the created Target Profile;
• Determine which actions to take and carry out said actions to address the gaps;
• Document the roadmap to achieve the strategic goals;
[23] NIST, Cybersecurity Framework (CSF).
NIST, in the Framework for Improving Critical Infrastructure Cybersecurity,[24] outlines that there is no one-size-fits-all
solution. Operators may have identified different CSIAD, which would imply different risks. In general, the
goal of Cyber Security Risk Management is to identify the risks, understand their likelihood as well as their impact on
operations, and implement, measure and update security controls in order to mitigate the risks to an
acceptable level.
Many frameworks are available that can be considered by the Operator in order to develop risk management for the
organization. It can be based on the NIST CSF, ISO/IEC 27001:2013,[25] or ISO 27005:2018.[26] Documentation such as
NIST SP 800-37 Rev. 2[27] (or latest version) and NIST SP 800-82 Rev. 2[28] (or latest version) provides the information
that can be used by the Operator to establish a baseline.
In the process of devising the organization’s Cyber Security Risk Management, the Risk Management Framework
developed by NIST under the Federal Information Security Modernization Act (FISMA)[29] Implementation Project,
which is a key element of FISMA, may be useful. The Risk Management Framework (RMF) provides
information on the processes integrating security and risk management activities. It represents a risk-based
approach and covers the following steps: prepare, categorize, select, implement, assess, authorize and monitor. The
figure below outlines all the steps with the relevant documentation for each step of the RMF.
[24] NIST, Framework for Improving Critical Infrastructure Cybersecurity Version 1.1, 2018.
[25] ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements, 2019.
[26] ISO/IEC 27005:2018, Information technology — Security techniques — Information security risk management, 2018.
[27] NIST, SP 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations—A System Life Cycle Approach for Security and Privacy, 2018.
[28] NIST, SP 800-82 Revision 2, Guide to Industrial Control Systems (ICS) Security, 2015.
[29] NIST, Federal Information Security Modernization Act, 2014.
[Figure: Risk Management Framework (RMF) steps with the relevant documentation for each step. Source: NIST]
The Cyber Security Risk Management of the Operator needs to be revisited annually and improved if any changes to
the strategic objectives were made or any new critical system introduced.
The considerations for the aircraft specific Cyber Security Risk Management is further discussed in
Part 2-Chapter 3 of this guidance material.
2.2.3 Workforce
Planning of the Operator’s workforce is another key element of the Cyber Security Program. As cyber threats against
civil aviation constantly emerge, and the number and sophistication of cyber-attacks are increasing, the need for
cyber security professionals is also growing.
Currently, the aviation industry is lacking the cyber security professionals to meet the regulatory compliance and
changing landscape of aircraft cyber security. In order to fill this current gap between the need and available
workforce, cyber security professionals need to undergo the process of skills development relative to aviation and
aircraft cyber security.
The area of cyber security requires professionals to constantly grow, evolve and maintain highly technical skills.
Therefore, effective workforce planning for the Operator is crucial. This enables the development of processes
that help to identify where gaps are present and give one information on how to shape the workforce
to achieve the vision and mission of the organization. The Operator should determine how to attract, assess, and
develop a specialized workforce.
A companion document to the NIST CSF, the NIST Roadmap for Improving Critical Infrastructure Cybersecurity,[31]
points out the importance of a skilled cyber security workforce to meet the needs of the critical infrastructure. As
[30] NIST, FISMA Implementation Project.
[31] NIST, Roadmap for Improving Critical Infrastructure Cybersecurity Version 1.1, 2019.
Training, raising awareness, and developing cyber security skills, best practices, and processes are critical elements
of the Cyber Security Program and of the culture within the organization. Their importance should not be underestimated; the
Operator should ensure its entire workforce completes cyber security awareness training, including
understanding of cyber security hygiene and behavior best practices, alertness to unexpected system responses,
and procedures to mitigate the consequences of a cyber-attack.
The purpose of the awareness training is to provide the relevant workforce with sufficient knowledge to understand
the cyber threats landscape, typical levels of vulnerability across the organization, one’s responsibilities, and how
one should react when a cyber-attack occurs or may have occurred.
The organization should provide other cyber-related training depending on specific roles or relevant groups of staff
and identify the corresponding risks (e.g. cockpit and cabin crew, developers, privileged access users, personnel with
access to the most sensitive information in the organization, maintenance technicians, etc.). For example, the
Operator should ensure that the individuals responsible for the CSIAD complete suitable and sufficient cyber
security training and skills development before being appointed to the role and its responsibilities. To measure the
evolution of the cyber security culture of the workforce, the organization should have in place testing tools
such as white phishing exercises. The organization should have a process in place to review and update its
training courses to ensure they remain up to date. Such updates should consider business and regulatory changes
(e.g., acquisition of new software, discontinuation of software, new services or business lines, new regulations,
standards, and best practices).
More details on awareness and training can be found in the latest Edition 4 of the SeMS Manual.[35] Moreover,
Operators may consider the NIST guidelines for building and maintaining a comprehensive awareness and training
program for their workforce, which are included in NIST SP 800-50.[36]
[32] NIST, SP 800-181 Revision 1, Workforce Framework for Cybersecurity (NICE Framework), 2020.
[33] NIST, NISTIR 8287, A Roadmap for Successful Regional Alliances and Multistakeholder Partnerships to Build the Cybersecurity Workforce, 2020.
[34] ENISA, Cybersecurity Skills Development in the EU, 2020.
[35] IATA, Security Management System (SeMS) Manual, Edition 4, 2020.
[36] NIST, SP 800-50, Building an Information Technology Security Awareness and Training Program, 2003.
[Figure: Airline, connected elements, and aircraft. Source: IATA]
As presented in the figure above, to understand the complexity of the entire aviation ecosystem and its
interconnected elements, we first look at the different stakeholders or entities of this sector. Then we
focus on the airline organization and its connecting elements, and finally on the critical part, which is the aircraft itself and its
connecting elements.
For this document, referring to the aviation stakeholder framework of EUROCAE ED-201: Aeronautical Information System Security Framework
Guidance, we can distinguish the following, non-exhaustive, list of stakeholders:[37]
• Manufacturers like Original Equipment Manufacturers (OEMs), System Suppliers, Design Approval
Holders (DAHs) of aircraft, systems, and devices integrated into the aircraft;
• Operators: i.e., airlines, airports, Air Navigation Service Providers (ANSPs);
• Maintenance and repair providers of aircraft, systems, networks, etc.;
• Regulatory and governance entities: legislators, regulators, auditors, etc.;
[37] EUROCAE, ED-201: Aeronautical Information System Security (AISS) Framework Guidance, 2015.
It needs to be underlined that the complexity of the relationships among multiple stakeholders, especially product suppliers and service
providers, both on the aircraft and in the industry in general, creates a challenge for the industry in terms
of responsibilities: who holds the responsibility, and for which area. It is very important to have a clear picture and
understanding of where one’s responsibility sits, and to what extent, to ensure clear accountability for safety and
[38] AIAA, The Connectivity Challenge: Protecting Critical Assets in a Networked World, A Framework for Aviation Cybersecurity, August 2013, Figure 1 at p. 8.
[Figure: The airline organization and its surrounding stakeholders: manufacturers, system suppliers and service providers; airports; governments; passengers. Source: IATA]
The two tables below present a non-exhaustive list of the airline business and aircraft operations systems for which
the Operator is responsible. However, it needs to be underlined that for each system different players/individuals
have a responsibility, both internal to the organization and external where systems are supplied by different
stakeholders, which is covered by the Service Level Agreements (SLAs). More information and recommendations on
Figure 3.2(2). Airline Business Systems
Corporate Applications
• E-mail
• Network (VPN)
• Accounting
• Revenue Management
Cargo Applications
• Cargo Booking System
Source: IATA
Figure 3.2(3). Aircraft Operations Systems
Source: IATA
[39] EUROCAE, ED-201: Aeronautical Information System Security (AISS) Framework Guidance, 2015.
[Figure: Aircraft network domains: Passenger Information and Entertainment Service System Domain, Airline Information Service Domain, and Aircraft Control Domain. Source: IATA]
The principal function of the Aircraft Control Domain (ACD) is to ensure safe aircraft operation. Secure data
exchange by the ACD also helps to track and manage the aircraft more accurately. It requires adherence to
the highest standards of international aviation safety. Because of the critical nature of this domain, the exchange of
data always needs to be guaranteed. It should be noted that the ACD comprises different systems, including
control from the cockpit, environmental systems, and other items such as smoke detectors, doors, and the evacuation
slides.
The Aircraft/Airline Information Services Domain (AISD) contains systems providing services that are not critical,
with the principal function to ensure the connectivity between other domains. The systems in the AISD play a key
role in the aircraft operation, however, do not bear on the control of the aircraft. This domain is used by the airlines
to support the applications and content either for cabin or flight crew. The systems are not defined as mission-critical
Passenger Information and Entertainment Service System Domain
• In-Flight Entertainment (IFE)
• Pub Device Connection & Web Access
• Air-Ground Network Telecom (Wi-Fi, LAN, Cellular, SAT)
Airline Information Service Domain
• Flight Support Systems (EFB, NavDB, ACARS)
• Aircraft Data Network
• Aircraft Health Monitoring (AHM)
• Admin/Cabin Support (Crew Devices, PAX, POS)
• Maintenance Support (Softw Updates, Sensor Data, Pred Maint.)
• Air-Ground Network Telecom (Wi-Fi, LAN, Cellular, SAT)
Aircraft Control Domain
• Flight Control Systems (FMS)
• Cabin Core Systems
• Air-Ground Network Telecom (VHF, HF, SATCOM, GPS/GNSS)
Source: IATA
[40] ARINC, 664P1-2 Aircraft Data Network, Part 1, Systems Concepts and Overview, 2019.
[41] ARINC, 664P5 Aircraft Data Network, Part 5, Network Domain Characteristics and Interconnection, 2005.
• Aircraft Communications Systems: digital air-to-ground communication systems using links like Very
High Frequency (VHF) or SATCOM.
• Aircraft-Ground Links: emerging satellite air-ground communication systems, etc.
• Aircraft Maintenance: maintenance of the aircraft is now more based on the technology, enabling data
transmission directly to the maintenance teams. This process is crucial in terms of the continuing
airworthiness of the aircraft and aircraft parts. Therefore, it is important to secure the systems and
devices responsible for this process, as this contributes to flight safety.
• Aircraft Health Monitoring (AHM): OEMs/Systems Suppliers provide a connected technology to
support the Operators in terms of the AHM to enable addressing any issues and more accurate
maintenance as early as possible.
• Electronic Flight Bag (EFB): portable devices used for the storage and display of many different kinds of aviation
data, considered computing platforms that reduce/replace paper-based information and
documentation (flight charts, maps, engineering information) used by the crew during the flight.
• Non-trusted Services/Networks: aircraft systems connecting to non-trusted services and networks,
including airport gate link networks (e.g. GateLink), cellular networks, and portable electronic devices.
• In-Flight Entertainment (IFE): cabin communications and connectivity, including wireless distribution,
providing on-board entertainment and a better passenger experience.
For a better understanding of where each component is placed in terms of aircraft domains, please refer to Figure
3.3(2) above.
[42] EU GDPR, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
EU European Union
EUROCAE European Organization for Civil Aviation Equipment
FAA Federal Aviation Administration
FANS Future Air Navigation System
FISMA Federal Information Security Modernization Act
GDPR General Data Protection Regulation