Nobody needs reminding that the last two years have led to seismic changes within the aviation industry. The daily realities of operation as 2022 gets underway are something that would have been difficult to predict a few years ago.
Aviation has always been a tightly integrated environment with lots of suppliers, service providers and manufacturers working together to provide a safe and efficient service. As traffic levels resume and travel reopens, the reality is that many of the capabilities and knowledge which used to exist “in-house” either need to be rebuilt, or outsourced. Many organisations are finding themselves even more reliant on third parties than they were pre-pandemic – often through organisations known as “Managed Service Providers”.
What’s happening now?
Pre-pandemic, the aviation cybersecurity world was already taking steps towards recognising the significance of supply chains as potential threat vectors for operation. But with aviation now more dependent on supply chains for core operational capability it is vital to bring supply chain security risk management front and centre.
Governments across the world are pushing forward with applying cybersecurity standards to Critical National Infrastructure. The European NIS Directive set the direction of travel and is continuing to gain momentum. However, until now the standards and baselines driven by NIS have only applied to the direct providers of critical services. There’s a growing realisation that these direct providers are just the tip of the iceberg, and that their security is built upon the foundation of the security of their suppliers.
It's no surprise that a second wave of cybersecurity regulation is incoming – for example, an open consultation by the UK Government covers extending the NIS Regulation requirements to Managed Service Providers who support essential services. For UK aviation specifically, the CAP1753 ASSURE process has been successful in raising awareness and providing an industry-wide baseline of knowledge. The first stage has been to measure the current situation; the next stages will be steps to further improve security throughout the supply chain.
Other countries have taken different approaches to the same problem, typically building on ISO 27001 compliance, of which supply chain security is a key element (eg A.15 – Supplier Relationships). The 27001 standard used today dates back to 2013 and there have been huge changes in cybersecurity in the years since. ISO 27001 is planned to be updated again in 2022 - indeed, its partner set of security controls, ISO 27002:2022, has already been released.
The ISO 27000 series updates will reflect the modern realities for Information Security – including alignment along common security risk assessment lines (such as “Confidentiality, Integrity, Availability”, “Identify, Protect, Detect, Respond, Recover”). It will be easier to align with other security frameworks such as NIST SP 800-53 and CSF. Those who currently align with ISO 27001:2013 will over time align with 27001:2022 through continuous improvement of their Information Security Management Systems (ISMS).
So, what does this actually mean for supply chain providers in aviation?
The only way to continue to protect our critical systems is to start to apply cybersecurity standards to all organisations that contribute to essential services. The cybersecurity of the whole supply chain will need to be considered either through the evolution from ISO 27001:2013 to ISO 27001:2022, or through state-level laws and regulations such as the proposed extensions to the UK NIS Regulations.
Supply chains are typically made up of organisations with significantly differing ISMS implementations – conceivably ranging from nothing at all, through to full ISO 27001 certified systems. For effective security across the whole supply chain, each link in the chain will have a contribution, and their Information Management systems will need to support each other and work together.
The interface point between organisations will always have the potential for loss of alignment, and a weakness in protections. The more mature an organisation’s ISMS is, the more tools that organisation will have at their disposal to manage supply chain risk and also contribute to protecting the entire supply chain from cyber threats. Of course, the whole chain is only as strong as its weakest link, so it is more important than ever for organisations to work together to build effective security controls into products and services from the ground up.
Whether you are currently subject to cybersecurity regulation or not, to defer this is only delaying the inevitable – and runs the risk that an incident may occur that impacts the whole supply chain. All organisations will sooner or later need to satisfy either supervisory authorities or shareholders that they have thoroughly considered cyber risk and effectively managed it.
For providers within aviation supply chains, there are some excellent tools to help:
- The EUROCONTROL ATM Cybersecurity Maturity Model is designed to consider cyber risk across supply chains and gives a model for cybersecurity that can be applied at all levels.
- EUROCAE ED-201A provides a framework for Information Security Risk Sharing between organisations.
- CANSO have published their Standard of Excellence in Cybersecurity which covers best practice.
- The NCSC Cyber Assessment Framework version 3 (CAFv3) provides not only criteria for evaluation but also Indicators of Good Practice (IGPs) which can be used to help plan cyber maturity improvements over time.
- ISO 27002 has been updated in 2022 and makes use of Security Attributes which aid with aligning the ISO controls to other frameworks.
Our experience at Egis has shown that these tools can be equally applied to both Operational Technology and Information Technology systems, even where the original intent was for an IT environment (ie the ISO 27000-series and CAFv3). For example, the requirements behind the ICAO Doc 10057 competency approach have a lot in common with the underlying requirements of CAF Objective B.6 (Staff Awareness & Training) – particularly regarding levels of knowledge and understanding of system users who could cause disruption. Also, procedural controls around requiring pre-authorisation of work and risk assessment to release equipment for maintenance have significant alignment with the core security needs reflected in CAF Objective B.2 (Identity & Access Control).
Closing thoughts.
It has been a difficult journey for aviation organisations to map modern cybersecurity concepts onto operational systems that were designed for a pre-cyber, pre-pandemic world – but it has been done!
As the aviation world reawakens after the pandemic, we are more reliant than ever on supply chains, and that reliance will grow further as concepts such as ATM Data Service Providers, SWIM and IRIS come onstream. Aviation organisations are already seeing an increase in supply chain cyber threats (possibly linked to current world events). Now is the time for aviation suppliers to recognise their contribution to the cybersecurity of the aviation system, and work together to harden the complete supply chain.