February 02, 2026

Steven Bentley

Sofema Aviation Services (SAS) considers key aspects of EASA Information Security & Cyber System (Critical System & Critical Patch Considerations)

Based on the need to ensure compliance with EASA Regulations and the Information Security Management Manual (ISMM), the following criteria define Aviation Critical Systems and Aviation Critical Security Patches.

Critical System – Impact on Safety/Airworthiness; RPO ≤ 24 Hours; MRO/ERP Platforms. (ISMM Reference – §1.1.4.1, §1.1.4.2)

Critical Patch – Fixes High/Critical vulnerabilities; applies to Critical Systems; requires deployment within 14 days. (ISMM Reference – §8.3, §1.1.4.4)

Criteria for Defining Aviation Critical Systems

  • Potential impact on flight safety, airworthiness, and business continuity defines aviation critical systems.

NOTE – Systems are also classified as “critical” when a loss of data integrity or availability could cause an unsafe condition or operational failure.

Primary Criteria (Safety & Airworthiness):

  • Safety Impact (High Severity): Any system where a security breach could cause or contribute to an “unsafe condition,” defined as an occurrence resulting in fatal injury, serious injury, or substantial damage/structural failure to an aircraft.
  • Data Integrity: Systems that process or store data essential to the continuing airworthiness of the aircraft. This includes digital maintenance records, technical logs, and engineering data where “accuracy, completeness, and non-repudiation” must be safeguarded to prevent unauthorized modifications.
  • Functional Chain Dependency: Systems located at the beginning of a “functional chain” (e.g., supply chain software) where a defect could propagate downstream and materialize as a safety effect at the aircraft level.

Operational Criteria (Availability & Continuity):

  • Recovery Requirements: Systems that require strict Recovery Point Objectives (RPO). The ISMM defines critical systems as those requiring an RPO ≤ 24 hours (maximum acceptable data loss) to ensure business continuity.
  • Specific Examples: The ISMM explicitly identifies the following as safety-critical systems:
    • Maintenance, Repair, and Overhaul (MRO) platforms.
    • Enterprise Resource Planning (ERP) systems used for engineering and logistics.
    • Aircraft software loading systems and ground automation systems.

Criteria for Defining Aviation Critical Security Patches

  • Critical security patches are defined by the severity of the vulnerability they fix and the criticality of the asset they protect. They require expedited implementation to prevent exploitation.

Definition Criteria:

  • Risk Severity: Patches addressing vulnerabilities classified as “Critical” or “High Risk” by the vendor or through a scoring system (like CVSS). These vulnerabilities typically allow for remote code execution or unauthorized access without user interaction.
  • Asset Association: A patch is deemed “aviation critical” if it applies to one of the Aviation Critical Systems defined above (e.g., a patch for the server hosting the MRO database).
  • Regulatory & Policy Mandates:
    • Timeframe: The ISMM establishes a strict criterion that critical security patches must be deployed within 14 calendar days of release.
    • Performance Target: The organization sets a Key Performance Indicator (KPI) to achieve a ≥ 95% compliance rate for applying these patches within the 14-day window.
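The two sets of criteria above (critical system, then critical patch, deadline and KPI) combine into a simple triage and compliance check. The following is an added example written for this article; it is not Sofema's code and not part of the ISMM template. The class names, field names and the sample systems and patch records are constructed for illustration; the thresholds (RPO ≤ 24 h, High/Critical severity, 14 calendar days, ≥ 95 % KPI) are taken from the criteria above, and the CVSS-to-rating mapping follows the CVSS v3.x qualitative severity scale.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds from the criteria above
CRITICAL_RPO_HOURS = 24          # RPO at or below this marks a critical system
PATCH_DEADLINE_DAYS = 14         # critical patches must be deployed within this window
KPI_TARGET = 0.95                # required on-time rate for critical patches
CRITICAL_SEVERITIES = {"critical", "high"}


def cvss_rating(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


@dataclass(frozen=True)
class System:                    # hypothetical asset record
    name: str
    safety_impact: bool          # breach could cause/contribute to an unsafe condition
    airworthiness_data: bool     # holds data essential to continuing airworthiness
    functional_chain_head: bool  # a defect could propagate downstream to aircraft level
    rpo_hours: int               # maximum acceptable data loss


def is_aviation_critical_system(s: System) -> bool:
    """Primary (safety/airworthiness) or operational (RPO) criteria met."""
    return (s.safety_impact or s.airworthiness_data or s.functional_chain_head
            or s.rpo_hours <= CRITICAL_RPO_HOURS)


@dataclass(frozen=True)
class PatchRecord:               # hypothetical patch-tracking record
    patch_id: str
    system: System
    severity: str                # vendor rating or cvss_rating(score)
    released: date
    deployed: Optional[date]     # None = not yet deployed


def is_aviation_critical_patch(p: PatchRecord) -> bool:
    """High/Critical severity AND applies to an aviation critical system."""
    return (p.severity.lower() in CRITICAL_SEVERITIES
            and is_aviation_critical_system(p.system))


def patch_status(p: PatchRecord, as_of: date) -> str:
    """compliant / late (deployed after deadline) / overdue (not deployed, deadline passed) / open."""
    deadline = p.released + timedelta(days=PATCH_DEADLINE_DAYS)
    if p.deployed is not None:
        return "compliant" if p.deployed <= deadline else "late"
    return "overdue" if as_of > deadline else "open"


def compliance_report(records: List[PatchRecord], as_of: date) -> Dict:
    """KPI over critical patches whose deadline has passed or that are already deployed."""
    statuses = {p.patch_id: patch_status(p, as_of)
                for p in records if is_aviation_critical_patch(p)}
    measured = [s for s in statuses.values() if s != "open"]
    rate = (sum(1 for s in measured if s == "compliant") / len(measured)) if measured else 1.0
    return {"statuses": statuses, "compliance_rate": rate, "kpi_met": rate >= KPI_TARGET}


# Constructed sample inventory (not real assets)
MRO = System("MRO platform", True, True, False, 4)
ERP = System("ERP logistics", False, False, True, 12)
WEB = System("Marketing website", False, False, False, 72)

# Constructed sample patch log (not real patches or vulnerabilities)
SAMPLE_PATCHES = [
    PatchRecord("P-001", MRO, cvss_rating(9.8), date(2026, 1, 5), date(2026, 1, 12)),   # 7 days
    PatchRecord("P-002", ERP, "High", date(2026, 1, 2), date(2026, 1, 20)),             # 18 days
    PatchRecord("P-003", WEB, "Critical", date(2026, 1, 10), None),                     # non-critical system
    PatchRecord("P-004", MRO, cvss_rating(5.3), date(2026, 1, 10), None),               # Medium severity
    PatchRecord("P-005", ERP, "High", date(2026, 1, 25), None),                         # still within window
    PatchRecord("P-006", MRO, "High", date(2026, 1, 10), None),                         # deadline passed
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE_PATCHES, as_of=date(2026, 2, 2))
    for pid, status in sorted(report["statuses"].items()):
        print(f"{pid}: {status}")
    print(f"compliance rate {report['compliance_rate']:.0%}, KPI met: {report['kpi_met']}")
```

Patches for non-critical systems or below High severity never enter the KPI, and a patch that is still inside its 14-day window is reported as "open" rather than counted either way, so the rate only reflects patches whose outcome is decided. With the sample log, one of three decided critical patches is on time, so the KPI is not met.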

Note – The Sofema ISMM Template is available as part of the Information Security Cyber Implementation Project; for details of availability, please email [email protected]

Next Steps

Sofema Aviation Services and Sofema Online provide regulatory compliant and vocational classroom, webinar and online training for EASA, FAA, UAE GCAA, Saudi GACA and OTAR – please see the websites or email [email protected].
