EASA Issues Opinion re: Management of Information Security Risks

WillowRun 6-3
12th Jun 2021, 12:04
EASA has issued its next sequential formal document in an ongoing initiative (or set of initiatives) with regard to information security in aviation and its subsectors.
Note: posted here with the premise that cybersecurity is highly newsworthy, as is essentially any significant formal document issued by EASA.
Link to EASA announcement which includes internal link to the actual Opinion:
Opinion 03/2021 | EASA (europa.eu) (https://www.easa.europa.eu/document-library/opinions/opinion-032021)

Executive Summary quoted verbatim follows:

"The objective of this Opinion is to efficiently contribute to the protection of the aviation system from information security risks, and to make it more resilient to information security events and incidents. To achieve this objective, this Opinion proposes the introduction of provisions for the identification and management of information security risks which could affect information and communication technology systems and data used for civil aviation purposes, detecting information security events, identifying those which are considered information security incidents, and responding to, and recovering from, those information security incidents to a level commensurate with their impact on aviation safety.

These provisions shall apply to competent authorities and organisations in all aviation domains (i.e. production and design organisations, air operators, maintenance organisations, continuing airworthiness management organisations (CAMOs), training organisations, aero-medical centres, operators of flight simulation training devices (FSTDs), air traffic management/air navigation services (ATM/ANS) providers, U-space service providers and single common information service providers, aerodrome operators and apron management service providers), shall include high-level, performance-based requirements, and shall be supported by acceptable means of compliance (AMC), guidance material (GM), and industry standards.

This Opinion proposes a new Implementing Regulation and a new Delegated Regulation (depending on the specific aviation domains covered) regarding information security management systems for organisations and competent authorities.

In addition, this Opinion proposes amendments to Commission Regulations (EU) No 748/2012, No 1321/2014, 2017/373, 2015/340, No 139/2014, No 1178/2011, No 965/2012 and 2021/664, in order to introduce requirements to comply with the proposed new Implementing and Delegated Regulations described above, and to add the elements necessary for the competent authorities to perform their certification and oversight activities.

NOTE: For the purpose of this Opinion, ‘information security risk’ means the risk to organisational civil aviation operations, assets, individuals, and other organisations due to the potential of an information security event. Information security risks are associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets."

Opinion No 03/2021 is sequential to the NPA (Notice of Proposed Amendment) issued on May 27, 2019. Reference is also made to the ESCP (European Strategic Coordination Platform for Cybersecurity in Aviation) and the EPAS (European Plan for Aviation Safety 2021-2025), among several other key official and/or formal EASA documents. Links to everything are spread throughout the EASA webpages of relevance.

[ Fun fact: for an ultimate in "eye-chart" displays, see Appendix I to NPA 2019-07, "Draft example of a maturity matrix for the ATM-ANS domain". ]