March 05, 2025

Steven Bentley

Sofema Aviation Services (SAS) www.sassofia.com considers the key elements of cybersecurity compliance within an EASA Part 145 Organisation.

Introduction – Cybersecurity in Aviation

Cybersecurity within EASA Part 145 Organisations means protecting the systems, networks, and data that support aircraft maintenance from unauthorised access, attack, or disruption, so that maintenance operations and, ultimately, aviation safety are not compromised.

Compliance with Commission Implementing Regulation (EU) 2023/203 (Part-IS) is the regulatory basis for managing information security risks with a potential impact on aviation safety.

Key focus areas include:

  • Maintenance Systems Security: Safeguarding software used for planning, tracking, and storing maintenance data.
  • Data Protection: Ensuring secure communication and handling of maintenance records across organizations and stakeholders.
  • Incident Management: Establishing processes to detect, report, and address cybersecurity incidents.
  • Employee and Supplier Awareness: Training staff and ensuring third-party compliance to minimize vulnerabilities.

Key Definitions

  • Cybersecurity: Protection of the digital systems, networks, and data used in aircraft maintenance.
  • Information Security: Ensuring the confidentiality, integrity, and availability of maintenance-related information.
  • Cybersecurity Threats: Sources of potential harm, such as external attackers, insiders, or exploitable software vulnerabilities, that could disrupt maintenance or compromise safety.

Scope of Cybersecurity for Part 145 Organizations

  • Management System Implementation – Establish and maintain an information security management system (ISMS) addressing information security risks with a potential impact on aviation safety (Part-IS.I.OR.200).
  • Risk Assessment and Treatment – Identify, analyse, and classify risks, then treat them without introducing new safety concerns (Part-IS.I.OR.205 & Part-IS.I.OR.210).
  • Incident Response and Reporting – Detect, respond to, and recover from information security incidents, and report them internally and externally (Part-IS.I.OR.215, Part-IS.I.OR.220 & Part-IS.I.OR.230).
  • Personnel and Supplier Oversight – Ensure adequate staffing and competence (Part-IS.I.OR.240) and retain responsibility for information security activities contracted to other organisations (Part-IS.I.OR.235).
  • Record-Keeping and Continuous Improvement – Maintain traceable records of activities, risks, and personnel qualifications (Part-IS.I.OR.245), and regularly assess and improve the management system (Part-IS.I.OR.260).
  • Change and Interface Management – Notify the competent authority of changes to the ISMS (Part-IS.I.OR.255) and manage the risks arising at interfaces with other organisations.
  • ISMM Development – Develop and maintain an Information Security Management Manual outlining policies, roles, and processes (Part-IS.I.OR.250).

Key Areas of Focus for Cybersecurity

  • System and Vulnerability Management – Implement security controls to address vulnerabilities in IT and operational technology (e.g., diagnostic tools, maintenance software).
  • Incident Detection and Recovery – Develop capabilities for early detection, containment, and recovery from cybersecurity incidents.
  • Employee and Supply Chain Security – Train personnel on best practices and ensure suppliers meet cybersecurity requirements.
  • Compliance and Physical Asset Protection – Secure digital and physical assets (e.g., maintenance equipment interfaces, databases) against unauthorised access.
  • Regulatory Alignment – Follow Regulation (EU) 2023/203 and the associated AMC/GM.

Primary Organizational Responsibilities

Accountable Manager – Ensure cybersecurity is integrated into the management system and that compliance can be demonstrated to the competent authority.

Compliance Manager – Oversee adherence to cybersecurity regulations and conduct regular audits.

Safety Manager – Align cybersecurity initiatives with the Safety Management System (SMS).

Demonstrating Compliance – To meet cybersecurity requirements, Part 145 organizations should:

  • Develop a Cybersecurity Management System: Align with EASA’s AMC/GM for Part-IS.I.OR; ISO/IEC 27001 can be used as a supporting framework.
  • Conduct Risk Assessments: Regularly identify and address risks in IT and operational technology systems.
  • Implement Technical and Organisational Measures: Use encryption, access controls, and intrusion detection systems proportionate to the assessed risk.
  • Engage in Continuous Monitoring and Improvement: Update security controls to address emerging threats and confirm compliance through regular audits.

Next Steps

Sofema Aviation Services and Sofema Online provide Classroom, Webinar and Online training – please see the websites or email team@sassofia.com for questions & guidance.
