January 27, 2025

Steven Bentley

Sofema Aviation Services (SAS) www.sassofia.com considers fundamental issues related to the challenge of addressing cyber security threats within an EASA-regulated organisation.

Introduction

EASA’s STORM initiative (Shared Trans-Organisational Risk Management) addresses the interconnected risks within the aviation ecosystem, recognizing that risks cannot be managed in isolation because increasing digitization has created interdependencies across stakeholders.

EASA Guidelines and Regulatory Frameworks Supporting STORM

EASA provides a structured approach to cyber security risk management through regulations, Acceptable Means of Compliance (AMC), and guidance materials. These frameworks serve as foundational tools for the industry to implement Shared Trans-Organizational Risk Management effectively.

Key EASA Guidelines:

AMC 20-42: Airworthiness and Cyber Security

  • Focuses on ensuring cyber resilience in aircraft systems, considering shared risks within the supply chain and operational environments.
  • Encourages joint risk assessments among manufacturers, operators, and maintenance organizations.

EU NIS Directive (Network and Information Security Directive)

  • Applies to essential services such as Air Navigation Service Providers (ANSPs) and airports.
  • Promotes mandatory incident reporting and risk management practices to minimize systemic cyber risks.

EASA Cyber Security Strategy

  • Outlines an ecosystem approach to aviation cyber security, advocating for:
    • Cross-industry collaboration.
    • Shared situational awareness and incident response.
    • Standardized approaches for risk identification and mitigation.

Data4Safety Program

  • EASA’s data-sharing initiative collects and analyzes safety and security data, providing insights into emerging cyber risks.
  • Facilitates predictive risk analysis to identify vulnerabilities before incidents occur.

Tools and Mechanisms for EASA STORM Implementation

To operationalize the STORM approach, EASA promotes tools that enable collaboration, information sharing, and collective response:

  1. Threat Intelligence Sharing Platforms
    • Aviation-ISAC (Information Sharing and Analysis Center): a global platform for sharing cyber threat intelligence among aviation stakeholders (airlines, OEMs, ANSPs, and airports).
      • Encourages collaboration in identifying common vulnerabilities and threats.
    • EASA’s Coordinated Vulnerability Disclosure (CVD): provides a structured approach for organizations to report cyber vulnerabilities safely, enabling timely mitigations across the sector.
  2. Cyber Risk Assessment Tools
    • EASA encourages the adoption of tools that assess cross-organizational dependencies:
      • Supply Chain Cyber Risk Analysis: evaluates risks introduced by third-party vendors, including software providers or MROs.
      • Attack Surface Mapping: identifies shared vulnerabilities across integrated systems.
  3. Joint Response Mechanisms
    • Simulated Cyber Security Exercises:
      • EASA advocates for cross-organizational tabletop exercises (TTXs) to test joint response capabilities.
      • Examples: exercises simulating ransomware attacks on interconnected systems (e.g., airline operations systems, ATC networks).
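As an added illustration (not code from the SAS article, from EASA, or from any of the tools named above), the cross-organizational dependency analysis described under "Cyber Risk Assessment Tools" can be modelled as a dependency graph: given which organizations rely on which providers, compute the set of organizations transitively exposed when a single provider is compromised, and rank providers by that exposure. All organization, vendor and ANSP names below are constructed.

```python
# Added example: shared-dependency exposure model for cross-organisational
# cyber risk. Names are constructed; nothing here is real aviation data.
from collections import deque

# Constructed dependency map: consumer -> the providers it relies on.
DEPENDENCIES = {
    "AirlineA": ["FlightPlanVendor", "CrewSchedVendor", "ANSP-Region1"],
    "AirlineB": ["FlightPlanVendor", "ANSP-Region1"],
    "AirlineC": ["OtherPlanVendor", "ANSP-Region2"],
    "MRO-1": ["MaintSoftwareVendor"],
    "AirlineA-MX": ["MRO-1"],          # maintenance unit depending on an MRO
    "ANSP-Region1": ["SurveillanceVendor"],
    "ANSP-Region2": ["SurveillanceVendor"],
}


def reverse_graph(deps):
    """Invert consumer->provider edges into provider->consumers."""
    rev = {}
    for consumer, providers in deps.items():
        for provider in providers:
            rev.setdefault(provider, []).append(consumer)
    return rev


def blast_radius(deps, compromised):
    """Every organisation that transitively depends on `compromised`."""
    rev = reverse_graph(deps)
    exposed, queue = set(), deque([compromised])
    while queue:                       # breadth-first walk downstream
        node = queue.popleft()
        for downstream in rev.get(node, []):
            if downstream not in exposed:
                exposed.add(downstream)
                queue.append(downstream)
    return exposed


def rank_shared_risks(deps):
    """Providers ordered by how many organisations a compromise would reach."""
    providers = {p for provs in deps.values() for p in provs}
    ranked = [(p, len(blast_radius(deps, p))) for p in providers]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    # A single shared vendor reaching several airlines is the case-study pattern.
    print(sorted(blast_radius(DEPENDENCIES, "FlightPlanVendor")))
    for provider, count in rank_shared_risks(DEPENDENCIES):
        print(f"{provider}: {count} organisation(s) exposed")
```

A provider that appears near the top of the ranking, but whose contract carries no cyber accountability clauses, is exactly the kind of shared risk STORM asks stakeholders to manage jointly.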

Case Study: Shared Risk Management in Aviation Cyber Security

Context: Ransomware Attack on Operational Systems

A real-world incident in recent years highlights the significance of shared cyber risks:

  • An airline’s ground operations system was compromised through a third-party software vendor.
  • The ransomware attack disrupted flight planning and operational data flow, impacting multiple airlines relying on the same vendor.

Application of EASA STORM Principles:

Cross-Stakeholder Coordination:

  • Affected airlines, software vendors, and regulators collaborated to identify root causes and mitigate vulnerabilities.
  • Jointly developed enhanced cyber controls to prevent similar incidents.

Information Sharing:

  • Threat intelligence (IoCs – Indicators of Compromise) was shared via Aviation-ISAC and reported to EASA.
  • This enabled non-affected organizations to proactively secure their systems.

Unified Mitigation Framework:

  • EASA issued guidelines on securing third-party software integrations and ensuring cyber risk accountability in contracts.

Role of Key Aviation Stakeholders

Manufacturers (OEMs):

  • Secure aircraft design by applying cyber security during system development.
  • Collaborate with operators and MROs to manage shared vulnerabilities (e.g., avionics updates).

Operators and MROs:

  • Conduct joint risk assessments to ensure data integrity in maintenance and operational processes.
  • Implement security patches and updates in a timely, coordinated manner across fleets.

Airports and ANSPs:

  • Secure critical infrastructure (e.g., ATC networks) and collaborate with airlines on shared contingency plans.
  • Share threat intelligence to prevent disruptions across regional or global operations.

Benefits of EASA STORM in Cyber Security

By implementing the STORM approach, the aviation industry can achieve the following outcomes:

  • Early Threat Detection:
    Collaborative tools and shared intelligence improve threat visibility across organizations.
  • Resilience against Cascading Failures:
    Identifying and addressing cross-organizational vulnerabilities minimizes the ripple effect of cyber attacks.
  • Standardized Security Posture:
    Harmonized controls ensure a baseline level of protection across interconnected systems.
  • Reduced Incident Response Times:
    Joint preparedness enables faster recovery from cyber incidents.

Future Considerations

To further strengthen STORM’s effectiveness in cyber security, the following steps are recommended:

  • Mandatory Reporting Mechanisms: Require all stakeholders to report incidents and vulnerabilities to a central body like EASA.
  • Enhanced Cyber Training: Build a cyber-aware culture across aviation organizations through tailored training programs.
  • Integration of AI and Automation: Use AI tools for real-time threat detection, risk assessment, and incident response automation.
