EASA issued a notice of proposed amendment (NPA) that introduces provisions for the management of information security risks related to aeronautical information systems used in civil aviation. These cybersecurity provisions would apply to authorities and organizations in all aviation domains: design, production, management of continuing airworthiness, maintenance, training and training devices, air operations, aeromedical, aircrew, air traffic control, air navigation services, and airports.
This NPA and others like it respond to EASA’s concern that cyberattacks are no longer just random events. “Therefore, not enough focus may have been put in properly addressing cybersecurity because existing flaws can be exploited by individuals with a malicious intent,” EASA said. “Such a risk is constantly increasing in the civil aviation environment as the current aeronautical information systems are becoming more and more interconnected.”
These information security risks have the potential to generate events that can have direct consequences on the safety of flight. “Therefore, the interactions between information security and safety management systems (SMS) may be relevant for addressing information security risks,” EASA added. Comments on the NPA are due September 27.
This NPA is the second in a series to help protect the industry from cybersecurity attacks. The first NPA, published earlier this year, dealt exclusively with mitigating cyberattacks on aircraft and their systems through proposed changes to airframe, engine, and accessory certification rules. It also proposed replacing the special conditions used to meet these threats with dedicated requirements.