Sofema Aviation Services (SAS) addresses EASA Cyber Security threats and fosters trans-organizational resilience.
Introduction
EASA Cyber Security addresses organizational resilience targets and service levels related to cyber security as part of its overall commitment to improving aviation system resilience in response to emerging risks, particularly cyber threats.
These initiatives reflect EASA’s focus on fostering a cross-organizational (trans-organizational) approach to ensure system-wide resilience. Here’s an overview of how this concept is addressed:
Cyber Resilience as a Key Component of Aviation Safety
EASA promotes cyber security as integral to ensuring the resilience and continuity of aviation operations and services.
Resilience targets focus on the ability of organizations to:
- Anticipate cyber threats.
- Withstand cyber incidents.
- Rapidly recover to ensure continued operations.
EASA has emphasized that cyber resilience requires collaboration between different actors in the aviation system, including airlines, airports, air navigation service providers (ANSPs), manufacturers, and other stakeholders.
Key Regulatory Drivers
The EASA Cyber Security Roadmap is focused on targets and service levels to enhance the resilience of critical aviation infrastructure. This roadmap promotes:
- Development of baseline standards for cyber resilience.
- A harmonized approach to risk management.
- Implementation of service level agreements (SLAs) to clarify the expectations around cyber resilience across organizations.
Key components include:
- EASA AMC/GM related to Cybersecurity in Airworthiness.
- Guidance for operators and providers on improving incident response times and recovery.
Trans-Organizational Resilience
EASA encourages a trans-organizational approach to resilience targets. This involves:
- Cross-sector collaboration: Sharing information about cyber threats and responses between manufacturers, operators, and service providers.
- Shared service levels: Defining common service levels and resilience targets to ensure operational continuity, even during cyber incidents.
- Implementing joint exercises and drills: Organizations must coordinate to assess their collective ability to manage cyber incidents.
EASA promotes the establishment of cyber resilience metrics, including:
- Incident detection times.
- Recovery times aligned with Service Level Objectives (SLOs).
- Targets for data integrity and availability.
Service Levels and Performance Metrics
Service levels related to cyber security include measurable outcomes, such as:
- System uptime and availability targets under cyber threats.
- Ensuring critical systems (e.g., flight operations, ground systems) remain functional with minimum disruption.
- Setting data recovery timeframes after cyber incidents.
For example:
- Recovery Time Objective (RTO): Time required to restore normal operations.
- Recovery Point Objective (RPO): Acceptable data loss in case of a cyber incident.
These metrics are incorporated into Service Level Agreements (SLAs) between service providers and aviation organizations.
Tools for Achieving Cyber Resilience Targets
EASA promotes tools and frameworks such as:
- Cybersecurity Information Sharing: Establishing platforms for sharing real-time threat intelligence (e.g., through CERT-EU or EASA Cybersecurity Competence Center).
- Risk Assessment and Management Frameworks: Organizations must implement systematic cyber risk assessments to identify and mitigate vulnerabilities.
- Incident Reporting: EASA regulations emphasize mandatory reporting of significant cyber events to improve overall system resilience.
Standards and Alignment with Other Regulations
EASA aligns its cyber security initiatives with global frameworks, including:
- ICAO Annex 17 and 19: Guidance on security and safety management systems.
- NIS2 Directive: EU-wide directive on improving the resilience of critical infrastructure. (See Separate Guidance)
- ISO/IEC 27001: Standards for cyber security management systems. (See Separate Guidance)
Organizations are required to align their cyber resilience service levels with these frameworks to meet compliance targets.
Next Steps
- Follow this link to our Library to find and download related documents for free.
- See the following two-day course: Implementing an Information Cyber Security Program in an EASA Part 145 Organization (2 Days).
For comments or questions, please email team@sassofia.com.