April 04, 2025

Steven Bentley

Sofema Aviation Services (SAS) considers key elements related to Cyber Security Compliance within an EASA Part 145 Organisation

The introduction of Regulation (EU) 2023/203 mandates the integration of information security requirements into aviation safety management. For EASA Part 145 organizations, adopting robust information security practices demands a shift in how these organizations approach their operational, technical, and compliance frameworks.

Why Information Security Matters for Part 145 Organizations

EASA Part 145 organizations are responsible for maintaining aircraft to ensure continued airworthiness. Their operations depend on the integrity, availability, and security of critical systems and data, including:

  • Maintenance management systems.
  • Digital maintenance records and operational data.
  • Communication systems used for real-time collaboration.

Failures in information security can compromise safety and operational efficiency. For example:

  • Data breaches can lead to unauthorized access to maintenance records, allowing tampering or theft of sensitive information.
  • Cyberattacks on software used for maintenance planning or diagnostic tools can disrupt operations or lead to incorrect maintenance decisions.
  • Insider threats (intentional or accidental) can result in data exposure or operational vulnerabilities.

Information Security (IS) Defined

Information Security refers to the protection of information systems, data, and processes against unauthorized access, alteration, and disruption that could impact aviation safety. Its primary goals are:

  • Confidentiality: Ensuring that sensitive information is accessible only to authorized personnel.
  • Integrity: Maintaining the accuracy and reliability of data and systems.
  • Availability: Ensuring that systems and data are accessible when needed.

EASA Requirements for Information Security

Regulation (EU) 2023/203 introduces mandatory information security requirements for organizations under EASA oversight, including Part 145. These requirements are designed to:

  • Integrate Information Security Management Systems (ISMS) into the overall management system.
  • Identify, assess, and mitigate risks arising from information security threats.
  • Align with international standards like ISO 27001 while addressing aviation-specific needs.
  • Establish reporting mechanisms for cybersecurity incidents to relevant competent authorities.

Key regulatory components include:

  • Part-IS.I.OR (Organization Requirements): These outline the obligations for integrating information security into the organization’s processes.
  • Risk Management: Organizations must perform systematic risk assessments to identify vulnerabilities and implement measures to mitigate them.
  • Incident Detection and Reporting: A process must be in place to detect, manage, and report security incidents.

Challenges for EASA Part 145 Organizations

  • System Complexity: Maintenance operations involve multiple systems, including diagnostic tools, maintenance management software, and data communication platforms. Ensuring security across these interconnected systems is challenging.
  • Data Sensitivity: Maintenance data often contains detailed technical and operational information that could be exploited if accessed by malicious actors.
  • Human Factors: Insider threats—whether due to negligence or malicious intent—pose a significant risk to information security.
  • Compliance and Resource Allocation: Meeting new regulatory requirements may require additional investments in technology, training, and personnel.

Best Practices for Information Security in Part 145 Organizations

  • Develop and Implement an ISMS:
    • Align with the regulatory requirements under Part-IS.I.OR.
    • Define policies and processes for managing information security risks.
    • Regularly update the ISMS to address evolving threats.
  • Conduct Comprehensive Risk Assessments:
    • Identify vulnerabilities in IT systems, networks, and operational processes.
    • Analyze the potential impact of cybersecurity incidents on safety and operations.
    • Prioritize risks and allocate resources to address critical vulnerabilities.
  • Strengthen Incident Management Capabilities:
    • Establish processes to detect and respond to cybersecurity incidents.
    • Train personnel on incident reporting and escalation protocols.
    • Collaborate with competent authorities for timely reporting and resolution.
  • Secure Maintenance Systems and Data:
    • Implement access controls to restrict system access to authorized personnel.
    • Use encryption to protect sensitive data during storage and transmission.
    • Regularly update and patch software to address known vulnerabilities.
  • Invest in Training and Awareness:
    • Conduct cybersecurity awareness programs for all personnel.
    • Provide specialized training for IT staff, maintenance personnel, and management on their specific roles in maintaining information security.
  • Engage with Supply Chain Partners:
    • Ensure that third-party vendors and contractors comply with the organization’s information security requirements.
    • Include cybersecurity clauses in contracts to mitigate supply chain risks.

Role of Key Stakeholders

  • Accountable Manager:
    • Oversees the integration of information security into the management system.
    • Ensures resource allocation for IS compliance.
  • Compliance Manager:
    • Monitors adherence to information security regulations and internal policies.
    • Coordinates audits and ensures regulatory reporting requirements are met.
  • Safety Manager:
    • Aligns cybersecurity risk management with the Safety Management System (SMS).
    • Ensures that information security is treated as a critical component of aviation safety.
  • Maintenance Personnel:
    • Adhere to security policies and practices in daily operations.
    • Report potential vulnerabilities or incidents promptly.

Next Steps


Sofema Aviation Services and Sofema Online provide Classroom, Webinar and Online training – please see the websites or email team@sassofia.com for questions & guidance.
