Sofema Aviation Services (SAS) Takes a deep dive into the Role of the Part IS Auditor Introduction The typical skillset required for a Part-IS Auditor or Safety System Risk Assessor primarily centers on aviation safety regulatory expertise and risk management, supplemented by information security knowledge. The premise that the existing broad skillset (Safety/Compliance) can typically address 90% of the task is generally supported by the…

Specific Exposures and Threat Scenarios Malware/Ransomware Initial Access (Exploitation via device) General Ransomware Campaigns: Ransomware actors often gain initial access through phishing campaigns targeting aviation employees or by exploiting exposed VPN/RDP servers. Mobile devices are the primary target for phishing/social engineering attempts. Ransomware group LockBit demanded $200 million from Boeing in 2023. Attacks on airport…

Sofema Aviation Services (SAS) considers the challenges related to phishing, ransomware, data breaches, and insider threat exposures (both intentional and accidental) within the context of EASA Part 145 organizations, together with a high-level mitigation review. Introduction The European Union Aviation Safety Agency (EASA) mandates comprehensive management of information security risks in aviation to safeguard operations,…