January 27, 2025

Steven Bentley

Sofema Aviation Services (SAS) tackles the challenge of addressing cyber security threats within EASA-regulated organizations, focusing on EASA’s STORM (Shared Trans-Organisational Risk Management).

Introduction

EASA’s STORM initiative (Shared Trans-Organisational Risk Management) addresses the interconnected risks within the aviation ecosystem, recognizing that risks cannot be managed in isolation because increasing digitization creates interdependencies across stakeholders.

  • EASA’s STORM approach is a proactive and collaborative response to the interconnected cyber risks in aviation.
  • By managing shared risks through transparency, standardization, and coordinated action, stakeholders can collectively strengthen the cyber resilience of the global aviation system.

Consider the following STORM elements and their application to cyber security:

Overview of EASA’s STORM in Cyber Security

  • Definition: STORM focuses on managing risks that are shared between organizations rather than confined to a single entity. This includes suppliers, airlines, maintenance providers, air navigation service providers (ANSPs), and manufacturers.
  • Relevance: In the aviation industry, digital transformation (e.g., connected aircraft, electronic data transfer, cloud-based systems) creates a growing risk of cyber attacks that affect multiple organizations simultaneously.

Key Challenges in Shared Risk Management

  • Interdependencies: Cyber vulnerabilities in one organization (e.g., a maintenance data provider) can expose other entities in the supply chain.
  • Lack of Visibility: Organizations may not have full visibility into the risks introduced by third-party service providers or subcontractors.
  • Cooperation Barriers: Sharing information about cyber risks can be limited due to competitive concerns, regulatory constraints, or confidentiality.

Core Objectives of EASA’s STORM in Cyber Security

EASA’s STORM approach aims to:

  • Facilitate Collaboration: Develop a cooperative risk management framework for all aviation stakeholders to share risk insights, threat intelligence, and mitigation strategies.
  • Enhance Awareness: Encourage organizations to adopt a “system-wide” perspective when identifying, assessing, and mitigating cyber risks.
  • Promote Resilience: Build shared capabilities to anticipate, detect, and respond to cyber incidents in real time.

Application of EASA’s STORM Principles

  1. Cross-Organizational Risk Assessment
  • Establishing joint processes for identifying shared vulnerabilities (e.g., systems reliant on common software, network infrastructure, or cloud services).
  • Developing shared cyber risk indicators to assess the likelihood and impact of cascading failures.
  2. Information Sharing Mechanisms
  • Promoting secure and trusted platforms for exchanging threat intelligence among stakeholders.
  • Encouraging participation in cyber incident reporting programs such as EASA’s Data4Safety. (See separate information.)
  3. Unified Mitigation Strategies
  • Aligning cyber security controls across organizations to ensure consistent protection levels.
  • Conducting cross-organizational drills and response exercises to improve coordinated incident management.
  4. Regulatory and Standardization Support
  • Ensuring compliance with EASA’s cyber security regulations (e.g., AMC 20-42, EU NIS Directive, and EASA Cybersecurity Strategy).
  • Encouraging alignment with international frameworks (e.g., ICAO Annex 17, NIST, or ISO 27001).

Benefits of EASA’s STORM in Aviation Cyber Security

  • Risk Reduction: Proactive identification of shared risks prevents cyber incidents from spreading across organizations.
  • Resilience Building: The aviation system becomes more robust and capable of responding to cyber threats.
  • Efficiency: Collaborative approaches avoid duplicated efforts and create economies of scale for cyber security investments.
  • Enhanced Trust: Fosters a culture of transparency and trust between stakeholders in the aviation industry.

Implementation Challenges

  • Cultural Shifts: Encouraging a mindset of collaboration rather than competition among organizations.
  • Resource Allocation: Small or medium-sized stakeholders may struggle to keep pace with cyber security investments.
  • Legal and Compliance Barriers: Concerns around liability, accountability, and data privacy laws can slow progress.
