February 05, 2025

Steven Bentley

Sofema Aviation Services (SAS) considers a practical level of engagement for typical Small to Medium EASA Part 145 Maintenance Organisations.

Introduction

Integrating cybersecurity into the operational framework of an EASA Part 145 approved maintenance organisation, including its Safety Management System (SMS), requires practical, resource-conscious strategies.

Adapting a Risk Management Framework

  • Train employees to recognize phishing attempts and report them to the Safety Manager.
  • Ensure critical data is backed up to an offline location at least weekly.
  • Enforce a policy of not installing unauthorized software on maintenance systems.
  • Limit access to sensitive information like maintenance logs or aircraft records to authorized personnel only.
  • Use strong, regularly updated passwords for all systems.
  • Maintain a basic access log for critical systems to track unauthorized attempts.
  • Conduct pre-employment background checks for staff with access to sensitive systems.


Practical Incident Response and Reporting

  • Use basic monitoring tools (e.g., log analyzers) to identify unusual activity.
  • Encourage employees to report cybersecurity incidents directly to the Safety Manager.
  • Develop a simple incident response plan (e.g., isolate affected systems, notify outsourced IT, inform management).
  • Document all incidents, including potential safety impacts, in the SMS as required by IS.I.OR.220.
  • Notify relevant authorities (e.g., EASA) of significant incidents in compliance with IS.I.OR.230.
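The two bullets above on keeping a basic access log for critical systems and using simple log analysis to spot unusual activity are the kind of control a small organisation can run without a SIEM. The script below is an added example for this post, not code from Sofema Aviation Services, EASA or any maintenance-system vendor. It assumes a constructed, one-record-per-line access log in the form `<ISO timestamp> <LOGIN_OK|LOGIN_FAIL> user=<name> src=<ip>`, and the failure threshold, sliding window and working-hours window are assumptions rather than anything Part-IS prescribes. It raises an alert for a burst of failed logins from one address, for a success from that same address immediately after the burst, and for a successful login outside working hours.

```python
"""Flag suspicious login activity in a basic access log.

Added example for this post; it is not code from Sofema Aviation Services,
EASA, or any maintenance-system vendor. It assumes a constructed, one-line-
per-event access log in the form
    <ISO timestamp> <LOGIN_OK|LOGIN_FAIL> user=<name> src=<ip>
and raises alerts for (a) repeated failures from one source within a short
window, (b) a success from a source that has just produced such a burst, and
(c) successful logins outside assumed working hours. The thresholds, the
working-hours window and the log format are assumptions, not Part-IS rules.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: a routine Monday login, five failures then a success
# for "admin" from one address, a single stray failure, and a Saturday 02:13 login.
SAMPLE_LOG = """\
2025-02-03T08:02:11 LOGIN_OK user=jsmith src=10.20.1.15
2025-02-03T08:05:40 LOGIN_FAIL user=admin src=10.20.1.77
2025-02-03T08:05:52 LOGIN_FAIL user=admin src=10.20.1.77
2025-02-03T08:06:03 LOGIN_FAIL user=admin src=10.20.1.77
2025-02-03T08:06:15 LOGIN_FAIL user=admin src=10.20.1.77
2025-02-03T08:06:30 LOGIN_FAIL user=admin src=10.20.1.77
2025-02-03T08:06:44 LOGIN_OK user=admin src=10.20.1.77
2025-02-03T09:15:00 LOGIN_FAIL user=mbrown src=10.20.1.21
2025-02-08T02:13:09 LOGIN_OK user=rjones src=10.20.1.30
"""

FAIL_THRESHOLD = 5                   # failures from one source ...
FAIL_WINDOW = timedelta(minutes=5)   # ... within this sliding window
WORK_START, WORK_END = 6, 20         # assumed working hours (Mon-Fri)


@dataclass(frozen=True)
class Event:
    when: datetime
    ok: bool
    user: str
    src: str


def parse_line(line: str) -> Event:
    """Parse one log record of the assumed format."""
    ts, result, user_kv, src_kv = line.split()
    return Event(
        when=datetime.fromisoformat(ts),
        ok=(result == "LOGIN_OK"),
        user=user_kv.split("=", 1)[1],
        src=src_kv.split("=", 1)[1],
    )


def out_of_hours(when: datetime) -> bool:
    """True on weekends or outside the assumed working-hours window."""
    return when.weekday() >= 5 or not (WORK_START <= when.hour < WORK_END)


def analyse(log_text: str) -> list:
    """Return (kind, src, user, timestamp) tuples for each alert, in log order."""
    alerts = []
    recent_fail = defaultdict(deque)   # src -> timestamps of failures inside FAIL_WINDOW
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        window = recent_fail[ev.src]
        # Drop failures that have aged out of the sliding window.
        while window and ev.when - window[0] > FAIL_WINDOW:
            window.popleft()
        if not ev.ok:
            window.append(ev.when)
            if len(window) == FAIL_THRESHOLD:          # fire once, when the threshold is crossed
                alerts.append(("REPEATED_FAILURES", ev.src, ev.user, ev.when))
        else:
            if len(window) >= FAIL_THRESHOLD:          # success right after a burst of failures
                alerts.append(("SUCCESS_AFTER_FAILURES", ev.src, ev.user, ev.when))
            if out_of_hours(ev.when):
                alerts.append(("OUT_OF_HOURS_LOGIN", ev.src, ev.user, ev.when))
    return alerts


if __name__ == "__main__":
    for kind, src, user, when in analyse(SAMPLE_LOG):
        print(f"{when.isoformat()}  {kind:<24} user={user} src={src}")
```

Run against the sample it prints three alerts: the failure burst from 10.20.1.77, the success that follows it, and the Saturday 02:13 login. Each alert is something the Safety Manager would record in the SMS and, where it has a safety impact, handle under IS.I.OR.220; the real log format of a given tool (AMOS, OASES, Windows event logs) will differ, so only `parse_line` needs adapting.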

Safety Manager – Responsibilities

  • Act as the central coordinator for integrating cybersecurity into the SMS.
  • Identify and assess cybersecurity risks that could impact safety-critical operations.
  • Develop and oversee procedures to manage and report cybersecurity incidents, focusing on their safety implications.
  • Use existing SMS tools to document and monitor cybersecurity risks alongside operational safety risks.
  • Include cybersecurity in the organization’s regular safety risk assessments (SRAs).
  • Create simplified workflows for incident escalation, including third-party IT providers where necessary.
  • Provide regular updates to senior management on the status of cybersecurity integration.

Maintenance Manager / Technical Director – Responsibilities

  • Ensure cybersecurity measures are implemented in daily operations without disrupting maintenance activities.
  • Educate maintenance staff on recognizing and reporting potential cybersecurity threats (e.g., phishing emails, suspicious USB devices).
  • Establish basic access control protocols for maintenance systems (e.g., unique logins for tools like AMOS or OASES).
  • Implement a checklist for secure use of portable devices used in maintenance activities, ensuring compliance with EASA data protection guidelines.


IT Department or Outsourced IT Support – Responsibilities

  • Provide technical expertise on cybersecurity, including system configuration, updates, and threat monitoring.
  • Respond to incidents requiring IT intervention (e.g., ransomware attacks, data breaches).
  • Set up a service level agreement (SLA) to ensure timely response to incidents.
  • Schedule periodic reviews of systems and networks for vulnerabilities and ensure they are patched regularly.
  • Conduct annual penetration testing and provide a report on the organization’s cybersecurity posture.

Line Maintenance Supervisors & Certifying Staff – Responsibilities

  • Act as the first point of contact for reporting suspicious activities or potential cybersecurity issues.
  • Implement cybersecurity best practices during tool usage and data entry.
  • Train staff to recognize basic cybersecurity threats and escalate them to outsourced IT or the Safety Manager.
  • Include simple cybersecurity guidelines in daily toolbox talks (e.g., “Do not open unknown email attachments”).
  • Maintain awareness of basic cybersecurity practices relevant to their roles.
  • Report any suspicious activity, potential phishing attempts, or unusual system behavior immediately.
  • Take part in periodic cybersecurity awareness sessions, focusing on phishing, secure password management, and safe handling of devices.
  • Use posters or quick-reference cards to remind employees of key cybersecurity practices.

Training and Awareness – For All Staff

  • Conduct quarterly cybersecurity briefings focusing on real-world examples of threats (e.g., a phishing simulation).
  • Include cybersecurity training as part of the onboarding process.
  • Provide the Safety Manager with additional training on the basics of cybersecurity risk management.
  • Offer supervisors access to free or low-cost online courses on identifying and managing cyber risks.


Cost-Effective Technical Controls

  • Password management: Implement password complexity requirements using built-in system controls.
  • Backups: Use external hard drives or cloud services with encryption for critical data.
  • Segment networks where possible to isolate critical systems from less secure areas.
  • Disable USB ports on computers unless explicitly required.
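The backup bullet above, and the earlier requirement that critical data be backed up to an offline location at least weekly, are only useful if someone checks that the backup is both recent and intact. The script below is an added example for this post, not code from Sofema Aviation Services or EASA. It assumes a backup directory into which the critical data has been copied and a `manifest.json` (an assumed file name) written at backup time that records a creation timestamp and a SHA-256 hash per file; the seven-day freshness limit follows the "at least weekly" wording. The `demo()` function builds a constructed backup set, verifies it clean, then simulates a corrupted file, a lost file and a stale set.

```python
"""Check that an offline backup set is both fresh and intact.

Added example for this post; it is not code from Sofema Aviation Services or
EASA. It assumes a backup directory into which critical data has been copied,
and a `manifest.json` written at backup time that records a creation timestamp
and a SHA-256 hash per file. verify_backup() reports files that are missing or
altered and whether the set is older than the assumed weekly interval.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

MANIFEST = "manifest.json"
MAX_AGE = timedelta(days=7)        # "backed up at least weekly"


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large record files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Record the hash of every file under backup_dir (except the manifest itself)."""
    files = {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST
    }
    manifest = {"created": datetime.now(timezone.utc).isoformat(), "files": files}
    out = backup_dir / MANIFEST
    out.write_text(json.dumps(manifest, indent=2))
    return out


def verify_backup(backup_dir: Path, now: datetime = None) -> dict:
    """Compare the directory against its manifest and check the set's age."""
    manifest = json.loads((backup_dir / MANIFEST).read_text())
    now = now or datetime.now(timezone.utc)
    age = now - datetime.fromisoformat(manifest["created"])
    missing, corrupt = [], []
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != expected:
            corrupt.append(rel)
    fresh = age <= MAX_AGE
    return {
        "fresh": fresh,
        "age_days": age.days,
        "missing": missing,
        "corrupt": corrupt,
        "ok": fresh and not missing and not corrupt,
    }


def demo() -> tuple:
    """Build a constructed backup set, then verify it clean, tampered, and stale."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "records").mkdir()
        # Constructed sample content; not real aircraft records.
        (root / "records" / "aircraft_records.csv").write_text("reg,last_check\nXX-AAA,2025-01-20\n")
        (root / "worksheets.db").write_bytes(b"constructed sample database contents")
        write_manifest(root)
        clean = verify_backup(root)
        (root / "worksheets.db").write_bytes(b"altered contents")          # simulate corruption
        tampered = verify_backup(root)
        (root / "records" / "aircraft_records.csv").unlink()              # simulate loss
        stale = verify_backup(root, now=datetime.now(timezone.utc) + timedelta(days=8))
        return clean, tampered, stale


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "stale"), demo()):
        print(f"{label:<9} {result}")
```

In practice `write_manifest` runs on the machine producing the backup and `verify_backup` runs against the offline copy (an external drive or the restored cloud archive) before the weekly check is signed off; the manifest should be kept alongside the backup so that a later verification does not depend on the possibly compromised source system. A failed check is itself a reportable finding for the SMS.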

Audits and Compliance

  • Use a checklist approach to support compliance with Part-IS and EASA cybersecurity requirements.
  • Include third-party IT assessments in annual compliance reviews.
