
Aviation Cyber Security


Guidance Material
Part 1: Organization Culture and Posture
Edition 1 | February 2021
DISCLAIMER.

The information contained in this guidance material is subject to constant review in the light of
changing government requirements and
regulations. No subscriber or other reader should
act on the basis of any such information without
referring to applicable laws and regulations and
without taking appropriate professional advice.
Although every effort has been made to ensure
accuracy, the International Air Transport
Association shall not be held responsible for any
loss or damage caused by errors, omissions,
misprints or misinterpretation of the contents
hereof. Furthermore, the International Air
Transport Association expressly disclaims any
and all liability to any person or entity, whether a
reviewer of this guidance document or not, in
respect of anything done or omitted, and the
consequences of anything done or omitted, by
any such person or entity in reliance on the
contents of this guidance material.
For feedback, questions or comments please
contact us at: aviationsecurity@iata.org.

2 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021


Contents
Revision Record ..... 4
List of Contributors ..... 5
Introduction ..... 6
Chapter 1. Scope of the Guidance ..... 7
  1.1. Applicability ..... 7
  1.2. Defining Aircraft Types ..... 8
    1.2.1 E-Connected Aircraft ..... 8
    1.2.2 Legacy Aircraft ..... 8
Chapter 2. Minimal Cyber Security Culture and Posture within the Organization ..... 9
  2.1. Defining Minimal Cyber Security Culture and Posture ..... 9
    2.1.1 Minimal Cyber Security Culture ..... 9
    2.1.2 Minimal Cyber Security Posture ..... 9
  2.2. Cyber Security Strategy ..... 11
    2.2.1 Organization and Structure ..... 13
    2.2.2 Governance and Management ..... 14
    2.2.3 Workforce ..... 19
Chapter 3. Overview of Aircraft Cyber Security Elements ..... 21
  3.1. Aviation Ecosystem Elements ..... 21
  3.2. Organization and Connecting Elements ..... 23
  3.3. Aircraft and Connecting Elements ..... 25
Appendix A: Data Privacy In-Flight ..... 28
List of Acronyms ..... 29
List of References ..... 31



Revision Record

Symbol | Meaning
□ | Insertion
△ | Amendment
⨂ | Deletion

Revision Table

Revision | Date | Section(s) | Significant Changes
Edition 1 | 9 February 2021 | | First release



List of Contributors
This guidance document is issued with grateful acknowledgment to the organizations listed below (in alphabetic
order) who continuously contribute expert advice and comments on the contents compiled herein.
• Air Canada
• Air France-KLM
• American Airlines
• British Airways
• Copa Air
• FedEx
• IAG
• KLM
• Korean Air
• Lufthansa
• Qantas
• Qatar Airways
• United Airlines



Introduction
Aviation Cyber Security is a key priority for airlines, mainly because the industry's adoption of digitalization is well
underway and, if the approach is not carefully protected from the design stage through to the operational stage, new
levels of connectivity and optimization may cause previously unknown cyber vulnerabilities to materialize. As is
currently experienced, adversaries continue exploiting vulnerabilities in systems for financial, reputational, and
disruption-related gains.
Currently, cyber-linked terrorism against aircraft is assessed as “low”,[1] but continuous enhancement of
countermeasures is required. To face the challenges relative to aviation cyber security, the Aircraft Cyber Security
Task Force (ACSTF) was established in March 2018. IATA, through the ACSTF and the Aviation Cyber Security
Roundtable (ACSR)[2] held in Singapore in 2019, as well as through regulatory forums, industry workshops, and
events, raises awareness among key stakeholders about the challenges and opportunities related to aviation cyber
security.
The November 2019 ACSTF meeting discussed the importance of developing guidance material. The resulting
guidance provides airlines with recommendations on adopting a minimal cyber security posture.
While this document defines a baseline and provides airlines with minimum recommendations and checklists to
adopt a cyber security posture, the final decision to follow the recommendations belongs to the airlines, based on
their respective internal governance and self-assessment of the inherent risks and mitigations already in place.
Feedback related to the content of this document should be sent to aviationsecurity@iata.org.

[1] ICAO, Aviation Security Global Risk Context Statement, Second Edition, 2019 (Doc 10108).
[2] IATA, Aviation Cyber Security Roundtable, Read Out, 2019.



Chapter 1. Scope of the Guidance
1.1. Applicability
This guidance is applicable to any Operator with e-connected aircraft. The guidance may also apply, in specific
scenarios, to Operators with legacy aircraft, such as aircraft component software data loading and certain
avionics navigational/communication systems.
It is aligned with the International Civil Aviation Organization (ICAO) Cybersecurity Strategy[3] and relevant Standards
and Recommended Practices (SARPs), such as those related to Annex 17 – Security, and the measures concerning
cyber threats contained in Standard 4.9.1, under which each Contracting State shall ensure that “operators or entities
as defined in the national civil aviation security programme or other relevant national documentation identify their
critical information and communications technology systems and data used for civil aviation purposes and, in
accordance with a risk assessment, develop and implement, as appropriate, measures to protect them from unlawful
interference.”[4]
This ICAO Standard is reflected in IATA’s IOSA Standards Manual (ISM) and can be found in the modified Standard
SEC 4.1.1 (Security Section) in the 14th Edition (December 2020), effective from September 2021, and via a
Recommended Practice of ORG 3.1.6 (Organization and Management System Section).[5]
The Aviation Cyber Security Guidance Material Part 1 relates to the cyber security of the organization, and Part 2 to
the aircraft cyber security and risks management. This guidance material includes an overview of responsibilities
incumbent on Operators and provides recommendations regarding:
• Minimal cyber security culture and posture within an organization;
• Overview of aviation ecosystem, organization, and connecting elements;
• Airworthiness cyber posture of the aircraft at the procurement stage and upon delivery;
• Continued airworthiness accountabilities of the Operator;
• Cyber security relative to the prolonged storage/parking of aircraft;
• Devising a risk management program; conducting a periodic risk assessment as well as emergency
management and incident response.

[3] ICAO, Aviation Cybersecurity Strategy, 2019.
[4] ICAO, Annex 17 – Security, 10th edition, 2017.
[5] IATA, IOSA Standards Manual (ISM) Ed. 14, 2020.



1.2. Defining Aircraft Types
Two aircraft categories are defined for this guidance, namely e-connected aircraft and legacy aircraft. Section 1.2.1
and Section 1.2.2 explain both aircraft categories further.
Please note that more information on the e-connected aircraft, as well as its connecting elements, is given in
Part 1, Chapter 3.

1.2.1 E-Connected Aircraft


Although there is no official definition, an e-connected aircraft may be referred to as an aircraft type typically using
integrated software and networked avionics, e.g. the Airplane Information Management System (AIMS) cabinet on a
B777.
The European Organization for Civil Aviation Equipment (EUROCAE) and Radio Technical Commission for
Aeronautics (RTCA) refer to an e-connected aircraft as an aircraft with network connections, i.e., higher-bandwidth
data communications, which need some level of increased network security requirements for the purpose of
protecting the data being sent and received.
An e-connected aircraft (e.g., A350, A380, B777, B787, etc.) has one or more networks on-board and requires a
connection to external networks (airborne and/or ground-based) to assist with its operation.
Moreover, the Federal Aviation Administration (FAA), in its Order 8900.1 Volume 3, Chapter 61, Aircraft Network
Security Program (ANSP), states that e-connected aircraft may have the capability to reprogram flight-critical
avionics components wirelessly and via various data transfer mechanisms.[6]
This capability of many e-connected aircraft to be reprogrammed wirelessly or via a wired connection, magnetic
disc, or USB device may result in unintended cyber security vulnerabilities that potentially impact the continuing
airworthiness of the aircraft.

1.2.2 Legacy Aircraft


Legacy aircraft may be defined as aircraft types that have limited networked software within avionic suites and
typically use “stand-alone” communications, navigation, and surveillance line-replaceable units (LRUs). Software-
controlled air-ground connectivity is typically limited to an Aircraft Communications Addressing and Reporting
System (ACARS) link. However, it should be noted that legacy aircraft could potentially be impacted by cyber
threats, especially considering systems such as:
• Field Loadable Software (Loadable Software Aircraft Parts, Databases);
• ACARS communication (FANS 1/A, CPDLC);
• TCAS and ADS-B;
• GNSS/GPS/GLONASS;
• and other potential systems (e.g. ILS).

[6] FAA, Order 8900.1 Volume 3, Chapter 61.



Chapter 2. Minimal Cyber Security Culture and Posture
within the Organization
2.1. Defining Minimal Cyber Security Culture and Posture
2.1.1 Minimal Cyber Security Culture
The cyber security culture within the organization may be defined as the set of knowledge, norms, values, and
assumptions of the staff that directly shape their behavior in dealing with information technology and in protecting
the Critical Systems, Information, Assets, and Data (CSIAD).[7]
The Operator needs to have a well-established cyber security culture within the organization that covers all elements
from aircraft procurement and the entire aircraft life cycle, through operations, to the supply chain. This culture
should apply from the most senior levels down to the most junior.
Cyber security culture should be an integral part of one’s organization and staff. A successful cyber security culture
will shape the security thinking of one’s staff, improve resilience against cyber threats, and allow one to
effectively pursue strategy goals without imposing burdensome security steps.
Defining a minimal cyber security culture within one’s organization is a process that requires a multithreaded
approach and commitment not only from senior management but also down to junior levels. A well-established
cyber security culture is not only an awareness of behaviors, norms, and values; it is also a mutual understanding
between senior management, the people responsible for the cyber security implementation, and the entire staff about
their responsibilities and practices to defend CSIAD against cyber-attacks.[8]
It needs to be highlighted that the cyber security culture is unique to each Operator. In order to define and
establish a robust and sustainable culture, knowledge and understanding of the organization’s overall culture and
structure, mission and vision, strategic objectives, policies, and processes is required. Therefore, to establish and
maintain a minimal cyber security culture, the Operator should ensure that the workforce is appropriately trained
and knows and understands its respective role in keeping the organization secure.
For more information on cyber security culture and awareness, please also refer to the latest Edition 4 (October 2020)
of the Security Management System (SeMS) Manual.[9]

2.1.2 Minimal Cyber Security Posture


The cyber security posture, in reference to the National Institute of Standards and Technology (NIST) Special
Publication (SP) 800-128,[10] may be defined as the security status of the Operator’s networks, information, and
systems, based on the information security resources (e.g., people, hardware, software, policies) and capabilities in
place to manage the defense of the organization and to react as the situation changes. Simply put, it may be referred
to as the maturity and overall security strength of the organization: the controls and measures that protect the
organization from cyber-attacks, its ability to manage its defense, and its readiness and ability to react and recover
if a cyber-attack occurs.

[7] NIST, SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, 2011.
[8] ENISA, Cyber Security Culture in organisations, 2018.
[9] IATA, Security Management System (SeMS) Manual, Edition 4, 2020.
[10] NIST, SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, 2011.
Since cyber threats and malicious actors in civil aviation continue to grow, not only in number but also in
sophistication, the Operator needs to have a clear vision of its cyber security posture. In addition to the forthcoming
regulations and strict compliance standards imposing requirements on the Operator, the pressure from
governments and the public sector to protect the CSIAD is growing as well.
Due to the increasing number and variety of sophisticated cyber-attacks, motivated by financial gain and by the
limited criminal interdiction and jurisdiction relative to the likelihood of such behavior, the Operator must establish
a cyber security posture.
In order to understand its cyber security posture, the Operator should conduct a risk assessment to identify the
vulnerabilities and overall risk situation of the CSIAD within the organization (more information on the risk
assessment can be found further in this document). This step will help identify the weaker parts of the organization
and determine the next steps to improve the cyber security posture within one’s organization.
It is also important for the Operator to regularly monitor and assess the security measures covering the CSIAD,
in order to maintain a good cyber security posture. A more holistic approach also considers the organization’s
policies, risk-analysis programs/frameworks, cyber security culture, and the awareness and education of one’s
workforce.
The process of defining a cyber security posture takes into account, or determines, the cyber security maturity of
one’s organization, the security gaps to be fixed, and the efforts that should be prioritized. There are several steps
to be undertaken, and many cyber security frameworks were developed to facilitate this process. One example of
such a framework, which may be used by Operators, is NIST’s Cyber Security Framework (CSF),[11] which further
refers to NIST Special Publication 800-53 Revision 5.[12] Another set of documents that will help one’s organization
improve its cyber security posture is the standards documentation of the International Organization for
Standardization (ISO). The starting point for the Operator should be the standards in the ISO/IEC 27000
family.[13] One example is ISO/IEC 27032:2012, Information technology — Security techniques — Guidelines for
cybersecurity.[14]
The NIST CSF was developed to provide a performance-based and cost-effective approach to help organizations
identify, assess, and manage cyber security risk.
By using those frameworks, and following the regulatory requirements and industry standards, the Operator should
establish the cyber security posture it seeks to achieve. Different security measures and controls ensure that all
aspects are covered and no gaps are left in one’s cyber security posture. In order to define a minimal cyber security
posture, it is recommended to consider the following steps:
• Identify Critical Systems, Information, Assets, and Data (CSIAD). Each organization is different;
therefore, it is important to first identify what systems, information, assets, and data are critical for one’s
organization and need to be protected. This will also help prioritize a list of actions for continuity of
operations.
• Determine the risk appetite of one’s organization. Operators, depending on the strategic objectives
of the organization and its CSIAD, may accept different levels of risk. It is important to determine the
level of risk one is willing to accept to meet the strategic objectives. This should be continuously
assessed and adjusted if the objectives change.
• Develop and implement a cyber security program. The cyber security program should consist of one’s
respective organization policies, processes, standards, and guidelines. This will help align all cyber
security aspects within the organization, improve the general security and resilience of critical
infrastructure, and ensure that the cyber security risk management of the organization fulfills the
desired objectives.
• Assess the maturity and effectiveness of one’s controls. This process is essential to determine whether
or not the implemented controls are sufficient to protect one’s CSIAD against identified threats and
vulnerabilities.
• Monitor, evaluate, and revise. It is important for the Operator to constantly monitor, evaluate, and revise
the posture in light of any changes to the strategic objectives of the organization.

[11] NIST, Cybersecurity Framework (CSF).
[12] NIST, SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, 2020.
[13] ISO/IEC, 27000 Family of Standards.
[14] ISO/IEC, 27032:2012, Information technology — Security techniques — Guidelines for cybersecurity, 2012.
The Operator may consider using a tool such as the Cyber Assessment Framework (CAF) for Aviation, developed
by the UK CAA, which aims to help with the process of cyber security assessment of the organization.[15]
Adopting an approach at the right level to protect CSIAD will enable a resilient cyber security posture. However, it is
crucial for the organization to constantly monitor, maintain, and adapt the cyber security posture, as the
business/operation environment may change in response to strategic objectives, new technologies, structures, and
processes, as well as emerging cyber threats.

2.2. Cyber Security Strategy


The Cyber Security Strategy of the organization may be defined as a plan of actions, developed and implemented to
ensure the protection of the confidentiality, integrity, and availability (CIA) of data and of the identified CSIAD. This is
key to enhancing one’s security, resilience, and trust in terms of cyber security within the organization. A well-
established strategy will ensure that the minimal cyber security culture and posture of one’s organization are
maintained and that the workforce is properly trained and informed about their roles and responsibilities. It aims to
ensure the organization is prepared in case a cyber-attack occurs.
The strategy of the organization is a high-level, top-down document that establishes one’s objectives and
priorities within a defined, specific timeframe (e.g., 3 to 5 years, depending on the organization), and it usually starts
with an understanding of the organization’s current risk posture and the associated risk appetite. It is important
to align the Cyber Security Strategy with the overall organization/business strategy; it should cover, inter alia, a
clearly defined mission and vision of the organization, business goals and continuity, and policies. In terms of
tactical plans, it is recommended to establish them with a timeframe of 1 to 2 years, and shorter for operational
plans or projects/programs, depending on the organization.
Different frameworks can be followed by one’s organization in order to develop and implement the Cyber Security
Strategy. One of the frameworks already mentioned is the NIST CSF. It consists of five concurrent and
continuous recommended functions that the organization should address while developing a Cyber Security
Strategy document; they are presented in the figure below.

[15] UK CAA, CAP1850, Cyber Assessment Framework (CAF) for Aviation, 2020.



Figure 2.2. NIST Cyber Security Framework (CSF)[16]

[Figure: the five NIST CSF functions (Identify, Protect, Detect, Respond, Recover), with the descriptions listed below.]

• IDENTIFY cyber security risk to systems, assets, data, and capabilities.
• PROTECT the organization from identified risks through controls to limit or contain the impact of a
potential cyber security event.
• DETECT potential cyber security events in a timely manner.
• RESPOND to cyber security events, including having a response plan and performing activities to
eradicate the incident and incorporate lessons learned into new strategies.
• RECOVER from cyber security events through actions to restore impaired capabilities or services.

Source: IATA (based on NIST CSF)

The Cyber Security Strategy development process may touch multiple divisions within an organization. Therefore,
the Operator should compose a multi-disciplinary team responsible for the entire process of strategy development
and then implementation. Determining the action plan is key for developing the strategy. This needs to be followed
by setting the timeframe, which can differ for each Operator, as it depends on the size, complexity, vision, and
mission of the organization, etc.
As a first step, the Operator should develop the strategic goals and define the scope of the strategy. Further, cyber
security needs should be identified to guide the development of achievable and actionable activities in support of
the goal and scope of one’s Cyber Security Strategy. Other steps that should be considered while developing the
strategy include defining Cyber Security Programs that would eventually set performance indicators for the
specific objectives and the overarching goals, determining the resources needed (amount of time and size of the
staff needed to address the cyber security efforts), and developing a communication plan within the
organization. The Cyber Security Strategy should be revisited and updated regularly.

[16] NIST, Cybersecurity Framework (CSF).



2.2.1 Organization and Structure
In general, as per NIST SP 800-100,[17] there are two main models of cyber security governance structure,
namely centralized and decentralized. While the Chief Executive Officer (CEO) is in general responsible for managing
and governing the organization, the responsibility for cyber/information security is placed differently in those two
models.
• In a centralized model, the Chief Information Security Officer (CISO) or Chief Information Officer (CIO)
is in control of the line budget (budget and expenses of the department/cost center) for the information
security activities within the department and is therefore responsible for ensuring the implementation and
monitoring of information security controls. The CISO or CIO is supported by other staff members
reporting directly to the CISO or CIO. This model allows more specialization, since the usually larger
staff can focus on specific areas. However, it requires more time to be allocated to staff management
because of the larger size of the team.
• In a decentralized model, the CISO or CIO is in general responsible for policy development and
oversight. In terms of budget, the CISO or CIO controls the budget for departmental information
security but has no control over the information security programs of operating units. This model saves
time on managing staff; however, since the staff the CISO or CIO relies on do not report directly
to the CISO or CIO, more time is required to obtain resources from other functions within the organization.
Usually, the organization decides to adopt a hybrid model, taking some elements of the centralized and decentralized
models to better address its mission, size, strategic objectives, and governance structure. To choose between the
centralized and decentralized models, NIST recommends in SP 800-100 that the following factors, among others,
be considered during the process of establishing the structure:
• size of the organization and number of physical locations;
• mission and strategic objectives;
• existing IT infrastructure;
• national regulatory requirements;
• organization’s governance requirements;
• the budget of the organization; and
• capabilities in terms of information security within the organization.
Due to the transversal nature of cyber security, it will cross all departments of the organization. The Operator can,
therefore, consider the hybrid model and the establishment of an operational cooperation and coordination structure
to include all aspects.
Note that, if the CISO sits within the CIO’s department, there might be a conflict of interest between IT operational
needs and security needs.

[17] NIST, SP 800-100, Information Security Handbook: A Guide for Managers, 2007.



2.2.2 Governance and Management
2.2.2.1 Cyber Security Governance Framework

Information security governance is defined by NIST as the process of establishing and maintaining a
framework and supporting management structure and processes to assure that information security strategies are
aligned with and support business objectives, are consistent with applicable laws and regulations through adherence
to policies and internal controls, and provide assignment of responsibility, all to manage risk.[18]
In general, referring to the NIST CSF and SP 800-100, cyber security governance has different types of possible
structures (discussed in the previous section), requirements, challenges, and activities. Moreover,
cyber/information security governance will define the key roles and responsibilities within the organization and
support the development, oversight, and ongoing monitoring of the policies. Therefore, in order to ensure the
desired level of support for the organization’s mission and the implementation of compliance requirements, it is
important for the Operator to have a well-established governance framework that is applied to all aspects of the
Flight and Technical Operations organizations. As part of the governance, the Operator should identify the applicable
regulatory requirements at the national level (legislation, regulations, directives) as well as internal requirements.
The Operator should consider the integration of cyber security governance with the overall organizational
structure and activities in order to ensure that upper management is informed and participates in the process of
overseeing the implementation of security controls within the organization. This process can be facilitated by the
following elements:
• strategic planning;
• organizational structure and development;
• defined and established appropriate roles and responsibilities;
• integration with the overall architecture of the organization;
• documentation such as policies and guidance put in place.
The figure below presents the Governance, Risk, and Compliance (GRC) Framework, which aims to help in the process
of managing the organization’s overall governance, risk management, and compliance with regulations and
standards. Governance covers the regulations, standards, policies, processes, and procedures, as well as the
controls to be put in place. Risk involves understanding one’s CSIAD, operations, and processes, as well as an
understanding of the business’ capability to endure losses. Compliance covers the controls implemented by the
organization to fulfill compliance mandates.

[18] NIST, SP 800-100, Information Security Handbook: A Guide for Managers, 2007.



Figure 2.2.2.1. Governance, Risk & Compliance (GRC) Framework

GOVERNANCE           | RISK                       | COMPLIANCE
Statutory/Regulatory | Categorization             | Monitor
Standards            | Select Controls & Measures | Internal Assessment
Policies             | Implement & Assess         | External Audit
Process & Procedures | Authorize & Monitor        | Report & Adjust

Risk Assessment & Controls Adjustments

Source: IATA

ISO/IEC 27001 and other frameworks can support the GRC activities within one’s organization, as they help with the
process of establishing an information/cyber security governance aligned with the organization's governance,
preserving information/cyber security by applying risk management, as well as establishing a set of controls
enabling the organization to be compliant with the regulations and standards.

2.2.2.2 Cyber Security Management

For any Operator, the ultimate success of cyber security management and strategy depends on proactive support
from the organization’s senior management. The structured management framework ensures the oversight,
monitoring, and controlling of the right implementation of cyber/information security within the organization.
Therefore, it is important to have established a strong leadership and ownership of the topic with the relevant
elements embedded in respective business units.
The Board of Directors is ultimately responsible for the whole governance of the organization. However, the
executive responsibilities over most governance matters rest with the CEO. The CEO is ultimately accountable for
ensuring all required resources are appointed throughout the organization. Therefore, the CEO appoints the CISO,
who reports directly to the CEO. The CISO is responsible for the cyber security operations and ensuring the
successful implementation of the cyber security strategy of the organization 19. This role may also be appointed to
the CIO or the Chief Security Officer (CSO). It is also possible that the role is appointed to another Senior Officer,
depending on the size and structure of the organization. However, one should note that there might be a conflict
of interest in this setup, especially for larger organizations, for which it is recommended to separate information
security from IT operations; this is already a best practice, or required by regulators, in other industries.

19 ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements, 2019.
The Senior Officer should act as the primary liaison with the respective regulators and other governmental
organizations on the topic of cyber security. The Senior Officer should have the support of the CEO for the oversight
and coordination of regulatory activities within the organization and act as the primary point of contact. Moreover,
the Senior Officer should have a lead role in developing cyber security policies, processes, controls, and metrics
aligned with the mission, vision, compliance requirements, and risk appetite.
More information relative to cyber security management within the organization, including the CISO, CIO and CSO roles, can
be found in the latest Edition 4 of the SeMS Manual 20. Moreover, more detailed information can also be found in the
NIST CSF 21 and ISO/IEC 27001:2013 22.

2.2.2.3 Devising the Cyber Security Program

The cyber security program should fulfill the Cyber Security Strategy, and it often refers to industry framework
standards and recommended practices. The cyber security program will establish all the policies and processes
required to protect the confidentiality, integrity, and availability of one’s identified CSIAD. It is important to note that,
based on the strategic objectives and regulatory requirements, the individual elements and sub-elements of the cyber
security program may vary between different Operators. However, there are certain elements that an effective
cyber security program should include, i.e., policies, a cyber security framework, and processes, as well as
the means to measure them. Each cyber security program element and the relevant documentation must be
implemented in the specific business units of one’s organization. Therefore, the cyber security program should be
tailored specifically to one’s organization.
One of the key elements for an Operator in support of the management of cyber security within an organization is
the development and establishment of the cyber security program. The cyber security program should align with the
mission and vision of the organization. It should be based on the risk appetite determined by the Board of Directors.
The goal of the program is also to identify different business units and appoint staff in order to support the strategic
objectives of the organization.
The process of devising a cyber security program is very important and, to do so, the organization needs to appoint
a strong leadership with a strategic resource who will ensure that the program aligns with the mission, vision,
and risk appetite of the Operator.
The very first step for the Operator should be to identify the individuals within the organization to be involved in the
process of devising a cyber security program. Therefore, the Board of Directors or the CEO should appoint the
Senior Officer who will provide the lead and direction for the entire organization. As the cyber security lead for the
organization, including its operational aviation aspects, meaning the fleet of aircraft, this Senior Officer
bridges the organization's program with the tactical aviation cyber security implementation. It is also important
that the Senior Officer is in control of the budget, can plan and allocate the necessary resources, and has the
capacity to execute the devised cyber security program. The Senior Officer will provide direction to the entire
organization and ensure consistency throughout the management.

20 IATA, Security Management System (SeMS) Manual, Edition 4, 2020.
21 NIST, Cybersecurity Framework (CSF).
22 ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements, 2019.


Much guidance on the process of devising cyber security programs is available and may be used by Operators.
One of them, already mentioned above, is the NIST CSF 23. This framework provides a process on how to establish
and manage the devising of a cyber security program. Other frameworks that can be used here are, for
example, the ISO/IEC 27000 family, as well as the Control Objectives for Information and Related Technology (COBIT)
and/or the Payment Card Industry Data Security Standard (PCI DSS), depending on the standards and policies a program
needs to cover. The figure below is based on the NIST recommendations and outlines the seven-step process for
devising a cyber security program.

Figure 2.2.3. Process for devising a Cyber Security Program

Step 1: Prioritize and Scope

• Identify organization vision and mission objectives along with high-level organizational priorities;
• Make strategic cyber security implementation decisions as well as determine the scope of the systems
and assets;

Step 2: Orient

• Identify related systems and assets, regulatory requirements and the program’s overall risk approach;
• Identify vulnerabilities of, and threats to, these systems and assets;

Step 3: Create a Current Profile

• Define the state of the organization's cyber security program;

Step 4: Conduct a Risk Assessment

• Analyze the operational environment of the organization in order to determine the likelihood of cyber
security events and their related impact;

Step 5: Create a Target Profile

• Create a target profile that focuses on the CSF Categories and Subcategories assessment describing
the desired cyber security outcomes (based on the organizational risks and considering the risk
appetite);

Step 6: Determine, Analyze and Prioritize Gaps

• Determine, analyze and prioritize any gaps that exist, based on the created Target Profile;

Step 7: Implement Action Plan

• Determine which actions to take and carry out said actions to address the gaps;
• Document the roadmap to achieve the strategic goals;

Source: IATA (based on NIST CSF)

23 NIST, Cybersecurity Framework (CSF).


2.2.2.4 Devising the Organization Cyber Security Risk Management

The NIST, in the Framework for Improving Critical Infrastructure Cybersecurity 24, outlines that there is no one-size-
fits-all solution. Operators may have identified different CSIAD, which would infer different risks. In general, the
goal of Cyber Security Risk Management is to identify the risks, understand their likelihood as well as their impact on
the operations, and implement, measure and update security controls in order to mitigate the risks to an
acceptable level.
Many frameworks are available that can be considered by the Operator in order to develop risk management for the
organization. It can be based on the NIST CSF, ISO/IEC 27001:2013 25, or ISO 27005:2018 26. Documentation like
NIST SP 800-37 Rev. 2 27 (or latest version) and NIST SP 800-82 Rev. 2 28 (or latest version) provides information
that can be used by the Operator to establish a baseline.
In the process of devising the organization’s Cyber Security Risk Management, the Federal Information Security
Modernization Act (FISMA) 29 Implementation Project and the Risk Management Framework developed by NIST,
which is a key element of FISMA, may be useful. The Risk Management Framework (RMF) provides one with
information on the processes integrating security and risk management activities. It represents a risk-based
approach and covers the following steps: prepare, categorize, select, implement, assess, authorize and monitor. The
figure below outlines all the steps with the relevant documentation for each step of the RMF.

Figure 2.2.4(1). Risk Management Framework

Source: IATA (based on ISO/IEC 27005)

24 NIST, Framework for Improving Critical Infrastructure Cybersecurity Version 1.1, 2018.
25 ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements, 2019.
26 ISO/IEC 27005:2018, Information technology — Security techniques — Information security risk management, 2018.
27 NIST, SP 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations—A System Life Cycle Approach for Security and Privacy, 2018.
28 NIST, SP 800-82 Revision 2, Guide to Industrial Control Systems (ICS) Security, 2015.
29 NIST, Federal Information Security Modernization Act, 2014.


Figure 2.2.4(2). Risk FISMA Implementation Project 30

Source: NIST

The Cyber Security Risk Management of the Operator needs to be revisited annually and improved if any changes to
the strategic objectives were made or any new critical system was introduced.
The considerations for aircraft-specific Cyber Security Risk Management are further discussed in
Part 2-Chapter 3 of this guidance material.

2.2.3 Workforce
Planning of the Operator’s workforce is another key element of the Cyber Security Program. As cyber threats against
civil aviation constantly emerge, and the number and sophistication of cyber-attacks are increasing, the need for
cyber security professionals is also growing.
Currently, the aviation industry lacks the cyber security professionals needed to meet regulatory compliance and the
changing landscape of aircraft cyber security. In order to fill this current gap between the need and the available
workforce, cyber security professionals need to undergo a process of skills development relative to aviation and
aircraft cyber security.
The area of cyber security requires professionals to constantly grow, evolve and maintain highly technical skills.
Therefore, effective workforce planning for the Operator is crucial. This will enable the development of processes
that will help to identify where gaps are present as well as give one information on how to shape the workforce
to achieve the vision and mission of the organization. The Operator should determine how to attract, assess, and
develop a specialized workforce.
A companion document to the NIST CSF, the NIST Roadmap for Improving Critical Infrastructure Cybersecurity 31,
points out the importance of a skilled cyber security workforce to meet the needs of the critical infrastructure. As
per this document, due to the evolving cyber security threats and technology environment, the workforce is required
to continually design, implement, maintain and improve the necessary cyber security practices. In parallel to the NIST
CSF, the Operator can use the NIST SP 800-181 Revision 1 – National Initiative for Cybersecurity Education (NICE)
Cybersecurity Workforce Framework (NICE Framework) 32, which serves as the fundamental resource to support
organizations in meeting their cyber security needs.

30 NIST, FISMA Implementation Project.
31 NIST, Roadmap for Improving Critical Infrastructure Cybersecurity Version 1.1, 2019.
Another useful source that can be considered by the Operator for the process of workforce planning is A Roadmap
for Successful Regional Alliances and Multistakeholder Partnerships to Build the Cybersecurity Workforce 33,
published by NIST. Guidance worth considering on workforce management is also the Cybersecurity Capability
Maturity Model (C2M2) developed by the Department of Energy. At European Union (EU) level, the document that
will help one’s organization to address workforce planning, as well as cyber security skills development, is
Cybersecurity Skills Development in the EU 34, in which the European Union Agency for Cybersecurity (ENISA)
provided some recommendations.

2.2.3.1 Awareness and Training

Training, raising awareness, and developing cyber security skills, best practices, and processes are critical elements
of the Cyber Security Program and of the culture within the organization. Their importance should not be underestimated; the
Operator should ensure its entire workforce completes cyber security awareness training, including an
understanding of cyber security hygiene and behavior best practices, alertness to unexpected system responses
and procedures to mitigate the consequences of a cyber-attack.
The purpose of the awareness training is to provide the relevant workforce with sufficient knowledge to understand
the cyber threat landscape, typical levels of vulnerability across the organization, one’s responsibilities, and how
one should react when a cyber-attack occurs or may have occurred.
The organization should provide other cyber-related training depending on specific roles or relevant groups of staff
and identify the corresponding risks (e.g. cockpit and cabin crew, developers, privileged access users, personnel with
access to the most sensitive information in an organization, maintenance technicians, etc.). For example, the
Operator should ensure that the individuals responsible for the CSIAD complete suitable and sufficient cyber
security training and skills development before being appointed to the role and its responsibilities. To measure the
evolution of the cyber security culture of the workforce, the organization should have in place some testing tools,
such as white phishing exercises. The organization should have a process in place to review and update its
training courses to ensure they remain up to date. Such updates should consider business and regulatory changes
(i.e., acquisition of new software, discontinuation of software, new services or business lines, new regulations,
standards, and best practices).
More details on awareness and training can be found in the latest Edition 4 of the SeMS Manual 35. Moreover,
Operators may consider the NIST guidelines for building and maintaining a comprehensive awareness and training
program for their workforce that are included in NIST SP 800-50 36.

32 NIST, SP 800-181 Revision 1, Workforce Framework for Cybersecurity (NICE Framework), 2020.
33 NIST, NISTIR 8287, A Roadmap for Successful Regional Alliances and Multistakeholder Partnerships to Build the Cybersecurity Workforce, 2020.
34 ENISA, Cybersecurity Skills Development in the EU, 2020.
35 IATA, Security Management System (SeMS) Manual, Edition 4, 2020.
36 NIST, SP 800-50, Building an Information Technology Security Awareness and Training Program, 2003.


Chapter 3. Overview of Aircraft Cyber Security Elements
3.1. Aviation Ecosystem Elements
The civil aviation ecosystem requires the collaboration of multiple stakeholders whose systems are highly
interconnected and need to be secured and protected at the proper level. Many elements play a key role in delivering
a safe operation of the aircraft as well as a more personalized experience of the air transport, while at the same time
enabling operational efficiency and revenue generation for the industry.

Figure 3.1(1). Civil Aviation Ecosystem

Civil Aviation Ecosystem; Airline; Connected Elements; Aircraft

Source: IATA

To understand the complexity of the entire aviation ecosystem and its interconnected elements, as presented in the
figure above, we will first look at the different stakeholders or entities of this sector. Then, we will
focus on the airline organization and its connecting elements, and finally on the critical part, which is the aircraft itself
and its connecting elements.
For this document, referring to the EUROCAE ED-201: Aeronautical Information System Security Framework
Guidance aviation stakeholder framework, we can distinguish the following non-exhaustive list of stakeholders 37:
• Manufacturers like Original Equipment Manufacturers (OEMs), System Suppliers, Design Approval
Holders (DAHs) of aircraft, systems, and devices integrated into the aircraft;
• Operators: i.e., airlines, airports, Air Navigation Service Providers (ANSPs);
• Maintenance and repair providers of aircraft, systems, networks, etc.;
• Regulatory and governance entities: legislators, regulators, auditors, etc.;

• Standardization entities: organizations responsible for standards development;
• Passengers.

37 EUROCAE, ED-201: Aeronautical Information System Security (AISS) Framework Guidance, 2015.

Although the stakeholders present in the aviation ecosystem represent different roles, objectives, motivations,
strengths and abilities, all play a crucial role in terms of aviation cyber security, especially as the flow of data
between the different stakeholders is increasing.
The complexity of the aviation ecosystem, its interconnected systems, and the flow of data is presented in the map
below.

Figure 3.1(2). Aviation Ecosystem

Source: IATA (based on AIAA) 38

It needs to be underlined that the complexity of the relationships between multiple stakeholders, especially product
suppliers and service providers, both for the aircraft and for the industry in general, creates a challenge in terms
of responsibilities: who holds which responsibility, and for which area. It is very important to have a clear picture and
understanding of where one’s responsibility sits, and to what extent, to ensure clear accountability for safety and
security.
The accountabilities at different stages of the aircraft lifecycle will be further addressed in Part 2-Chapter 2 of this
guidance material.

38 AIAA, The Connectivity Challenge: Protecting Critical Assets in a Networked World, A Framework for Aviation Cybersecurity, August 2013, Figure 1 at p. 8.

3.2. Organization and Connecting Elements


To perform its operations, the Operator interacts with many different stakeholders and parties within the entire
aviation ecosystem. Hence, airlines increasingly take advantage of the increased reliability, accuracy, and
efficiency that can be delivered by automation, as well as by interactions with third parties/the supply chain,
communications, and networking within daily operations. This refers not only to flight operations but also to
several other business units responsible for maintenance, ground operations, airport operations as well as cargo.
Also, many civil aviation stakeholders/supply chain members, manufacturers, and system suppliers support or provide
services to the airlines concerning cyber security. The figure below represents the Airline Organization and the groups of
stakeholders that Operators generally interact with.

Figure 3.2(1). Airline Organization and Interacting Stakeholders

Airline Organization, interacting with: Manufacturers, System Suppliers, Service Providers; Airports; Governments;
Financial Institutions; Other Business Units; Passengers

Source: IATA

The two tables below present a non-exhaustive list of the airline business and aircraft operations systems for which
the Operator is responsible. However, it needs to be underlined that for each system different players/individuals
have a responsibility, both internal to the organization and external where systems are supplied by different
stakeholders, which is covered by Service Level Agreements (SLAs). More information and recommendations on
the SLAs may be found in the ED-201: Aeronautical Information System Security (AISS) Framework Guidance 39.
Therefore, due to this complexity, solid procedures, communication, and clearly defined responsibilities need to be
put in place.

Figure 3.2(2). Airline Business Systems

Customer Support Applications
• Customer Relationship Management
• Social media
Airline Operations Applications
• Reservation System
• Departure Control System
• Passenger Data Transfer
• Flight Planning
• Airport Kiosks
• Airport CUTE System
• Airport CUSS System
Passenger Service Applications
• Websites
• Mobile Applications
• Frequent Flyer
• In-Flight Entertainment
Crew Operations Applications
• Take-off and landing (TOLA) performance software
• Crew Scheduling
• Crew Mobile Phones
• Cabin Crew Tablets
• ePIL (Passenger Information List)
• Electronic Crew Reporting
Corporate Applications
• E-mail
• Network (VPN)
• Accounting
• Revenue Management
Cargo Applications
• Cargo Booking System

Figure 3.2(3). Aircraft Operations Systems

Aircraft Operations Applications
• Flight Release Software
• Weather Application
• Flight Management System
• CMU (Central Management Unit)
• Cabin Management Systems
• ACARS
• CPDLC (Controller Pilot Data Link Communications)
• Navigation Systems (GNSS, TCAS/ATC, ILS, etc.)
Aircraft Maintenance Applications
• E-Logbook
• Central Management Operating Software

Source: IATA

39 EUROCAE, ED-201: Aeronautical Information System Security (AISS) Framework Guidance, 2015.


3.3. Aircraft and Connecting Elements
The aircraft is now highly digitalized and contains a large number of systems; therefore the process of securing them
requires the involvement of many different stakeholders. In recent years, the electronic content (systems and
networks) has evolved rapidly, and the map of interconnections is now very complex. Aircraft connectivity
brings a lot of value in terms of maintenance, health monitoring, more efficient costs of operations as well as a better
passenger experience. This entire process of digitalization, however, may also bring some risks associated with the
exposure of the on-board systems.
The OEMs/System Suppliers/DAHs deliver new solutions for the Operators to meet different expectations from the
industry in terms of aircraft design, more efficient engines, passenger experience, and computing capacity.
Therefore, the aircraft is now designed and built with integrated software and networked avionics, which are
placed in different aircraft domains, differing in their level of trust.
ICAO, together with the other industry stakeholders defined three main aircraft domains, which are the following:
• Aircraft Control Domain (ACD);
• Aircraft/Airline Information Services Domain (AISD); and
• Passenger Information and Entertainment Systems Domain (PIESD).

Figure 3.3(1). Aircraft Domains

Passenger Information and Entertainment System Domain (PIESD); Airline Information Service Domain (AISD);
Aircraft Control Domain (ACD)

Source: IATA

The principal function of the Aircraft Control Domain (ACD) is to ensure safe aircraft operation. Secure data
exchange within the ACD also helps to track and manage the aircraft in a more accurate way. It requires adherence to
the highest standards of international aviation safety. Because of the critical nature of this domain, the exchange of
data always needs to be guaranteed. It should be noted that the ACD comprises different systems, including
control from the cockpit, environmental systems, and other things like smoke detectors, doors, and the evacuation
slides.
The Aircraft/Airline Information Services Domain (AISD) contains systems providing services that are not critical,
with the principal function of ensuring connectivity between the other domains. The systems in the AISD play a key
role in the aircraft operation but do not bear on the control of the aircraft. This domain is used by the airlines
to support applications and content for either the cabin or the flight crew. The systems are not defined as mission-critical
but may be important from the commercial and operational point of view. The AISD provides airline operational and
administrative data to the cockpit and aircraft cabin, connects with the maintenance services, and supports the
PIESD.
The Passenger Information and Entertainment System Domain (PIESD) plays a role in providing and supporting
passengers with services such as on-board entertainment, Internet connectivity, etc. What services and level of
entertainment are provided for the passenger experience (i.e., in-flight entertainment, passenger flight information,
as well as access to the Intranet) depends highly on the airline.
Moreover, the formalized definition of aircraft systems and airborne networks organized into aircraft domains is
provided by the ARINC 664 standards, each domain being served by airborne networks and systems with the same
requirements for performance, safety, and security. As per the documents ARINC 664P1-2 40 and
ARINC 664P5 41, four different domains are distinguished. The first three are the same as already mentioned above.
The fourth domain is called the Passenger Owned Devices Domain (PODD), which includes any
device that passengers may connect on board to the in-flight entertainment service.
To ensure the appropriate level of safety and security, the aircraft domains are physically separated or otherwise
logically segregated. Therefore, the aircraft control systems, built in the ACD, are separated from the other domains.
The figure below presents the domains with the characteristics of closed, trusted, and untrusted, as well as
the systems and connecting elements of each of the three domains.

Figure 3.3(2). Aircraft Domains and System Examples

PIESD (Untrusted), Public Systems:
• In-Flight Entertainment (IFE)
• Pub Device Connection & Web Access
• Air-Ground Network Telecom (Wi-Fi, LAN, Cellular, SAT)

AISD (Trusted), Airlines Operation:
• Flight Support Systems (EFB, NavDB, ACARS)
• Aircraft Data Network
• Aircraft Health Monitoring (AHM)
• Admin/Cabin Support (Crew Devices, PAX, POS)
• Maintenance Support (Softw Updates, Sensor Data, Pred Maint.)
• Air-Ground Network Telecom (Wi-Fi, LAN, Cellular, SAT)

ACD (Closed), Aircraft Control:
• Flight Control Systems (FMS)
• Cabin Core Systems
• Air-Ground Network Telecom (VHF, HF, SATCOM, GPS/GNSS)

Source: IATA

40 ARINC, 664P1-2 Aircraft Data Network, Part 1, Systems Concepts and Overview, 2019.
41 ARINC, 664P5 Aircraft Data Network, Part 5, Network Domain Characteristics and Interconnection, 2005.


From the functional architecture standpoint, the PIESD is UNTRUSTED and is assumed to be compromised;
therefore it bears the lowest integrity level. No information is shared from that domain to the higher trusted domains,
as only expected data or information is considered within the trusted domains. Both the AISD and the ACD qualify as
TRUSTED domains, the ACD holding the highest-integrity systems of the aircraft. Those domains do not trust the lower
integrity domain, as this is the security basis of the aircraft architecture. The separation between the domains
translates into some specific limitations on the usage of communication systems, for example:
• Equipment for radio communication attached to the ACD is restricted to the systems in the ACD
(e.g., Air Traffic Control, Airlines Operational Communications);
• Equipment for radio communication attached to other domains is restricted to the systems in these
domains (e.g., Airlines Operational Communications, Airlines Administrative Communications, Aeronautical
Passenger Communications).
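The segregation rule described above (a trusted domain accepts only expected data from a lower-integrity domain, and nothing at all from the untrusted PIESD) can be expressed as a small flow-policy check. The following is an added example written for this page; it is not code from this guidance material, from ARINC 664, or from any aircraft system. Only the three domain names come from the text; the integrity ranking, the message kinds, the allow-list of "expected" data and the sample traffic are constructed for illustration.

```python
"""Aircraft domain flow-policy check (added illustration, not IATA or ARINC code).

Models the three domains named in Section 3.3 and the rule that a
higher-integrity domain accepts only explicitly expected data from a
lower-integrity one. Integrity ranks, message kinds and the allow-list are
constructed for this example; real interconnection rules come from the
aircraft's certified design and ARINC 664P5, not from this script.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed integrity ranking: higher value = more trusted domain.
# PIESD is untrusted and assumed compromised, AISD is trusted, ACD is closed.
INTEGRITY = {"PIESD": 0, "AISD": 1, "ACD": 2}

# Constructed allow-list of "expected data" per (lower, higher) domain pair.
# Anything not listed is rejected at the boundary. PIESD has no entry at all,
# so nothing originating from passenger systems is accepted upward.
EXPECTED_UPWARD: dict[tuple[str, str], frozenset[str]] = {
    ("AISD", "ACD"): frozenset({"flight_plan_update"}),
}


@dataclass(frozen=True)
class Message:
    src: str   # originating domain
    dst: str   # receiving domain
    kind: str  # application-level message type (constructed labels)


def check_flow(msg: Message) -> tuple[bool, str]:
    """Decide whether a message may cross a domain boundary.

    Returns (allowed, reason). Downward flows (trusted -> less trusted) are
    permitted because they cannot lower the receiver's integrity; upward flows
    are permitted only for message kinds the receiver explicitly expects.
    """
    if msg.src not in INTEGRITY or msg.dst not in INTEGRITY:
        return False, "unknown domain"
    if msg.src == msg.dst:
        return True, "intra-domain"
    if INTEGRITY[msg.src] > INTEGRITY[msg.dst]:
        return True, "downward flow"
    expected = EXPECTED_UPWARD.get((msg.src, msg.dst), frozenset())
    if msg.kind in expected:
        return True, "expected upward data"
    return False, "unexpected upward data"


def audit(messages: list[Message]) -> list[str]:
    """Return one log line per rejected message, as a boundary device would record."""
    lines = []
    for m in messages:
        allowed, reason = check_flow(m)
        if not allowed:
            lines.append(f"REJECT {m.src}->{m.dst} kind={m.kind} reason={reason}")
    return lines


# Constructed sample traffic; not captured from any aircraft.
SAMPLE_TRAFFIC = [
    Message("AISD", "PIESD", "flight_info"),        # airline content pushed to the cabin
    Message("PIESD", "AISD", "pax_request"),        # passenger system pushing upward
    Message("PIESD", "ACD", "flight_plan_update"),  # expected kind, but untrusted origin
    Message("AISD", "ACD", "flight_plan_update"),   # expected data from a trusted domain
    Message("AISD", "ACD", "software_blob"),        # not on the allow-list
    Message("ACD", "AISD", "sensor_data"),          # downward, feeds maintenance support
]

if __name__ == "__main__":
    for line in audit(SAMPLE_TRAFFIC):
        print(line)
```

The point of the check is the asymmetry: the decision depends first on the direction of the flow relative to the integrity ranking, and only then on the content type, so a message of an otherwise acceptable kind is still refused when it originates in the untrusted domain.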
The general growth in aircraft digitalization has introduced a number of systems, networks, and equipment, listed below,
that are important for aircraft operations. While they are beneficial, some potential matters need to be
considered when referring to the security of the aircraft and its interconnected ecosystem.

• Aircraft Communications Systems: digital air-to-ground communication systems using links like Very
High Frequency (VHF) or SATCOM.
• Aircraft-Ground Links: emerging satellite air-ground communication systems, etc.
• Aircraft Maintenance: maintenance of the aircraft is now increasingly technology-based, enabling data
transmission directly to the maintenance teams. This process is crucial in terms of the continuing
airworthiness of the aircraft and aircraft parts. Therefore, it is important to secure the systems and
devices responsible for this process, as this contributes to flight safety.
• Aircraft Health Monitoring (AHM): OEMs/System Suppliers provide connected technology to
support the Operators in terms of AHM, enabling any issues to be addressed, and maintenance to be
performed more accurately, as early as possible.
• Electronic Flight Bag (EFB): portable devices used for the storage and display of many different kinds of aviation
data, considered as computing platforms to reduce/replace paper-based information and
documentation (flight charts, maps, engineering information) used by the crew during the flight.
• Non-trusted Services/Networks: aircraft systems connecting to non-trusted services and networks,
including airport gate link networks (e.g. GateLink), cellular networks, and portable electronic devices.
• In-Flight Entertainment (IFE): cabin communications and connectivity, also with wireless distribution,
providing on-board entertainment and a better passenger experience.
For a better understanding of where each component is placed in terms of aircraft domains, please refer to Figure
3.3(2) above.



Appendix A: Data Privacy In-Flight
The EU General Data Protection Regulation (GDPR) 42 and its equivalents across the globe were pushed forward
in support of the privacy and security of personal information and data that is created, in transit, and/or at rest,
whether in an application, system, infrastructure or network. Therefore, the data which flows between the
different aviation stakeholders, and to the aircraft, also falls under these regulations. One of the domains
of the aircraft which is essential to the value proposition of an Operator is the PIESD. Even though this domain does
not control the aircraft, it is as important as the other domains, since it is the backbone network for the passengers,
who need to be assured that they are connecting to a secure environment and that their Personally Identifiable
Information (PII) and data will remain private and protected. Whether on the ground or in flight, the requirements
for privacy and security are the same and are subject to fines if a data breach occurs.
At the organization level, airlines are entrusted with different personal information and may be subject to
different fines when a data breach occurs, which may include data loss, damage, or theft. Already, some airlines have
been fined over data breaches reaching hundreds of millions of dollars or euros. Some systems on board the
aircraft also hold and transmit personal information, often via the flight crew systems, such as credit card payments,
which are covered by PCI DSS; wireless internet connection systems offered to passengers may also hold, transit,
or have access to personal or identifiable information which needs to be protected. That information, those
systems, and that data need to be identified, classified or categorized, and protected accordingly. Passenger-to-
passenger cyber-attacks should be considered as very impactful to the business’ trust and reputation. Use case
scenarios should be developed relative to possible exploitation of the network allowing those types of attack or
capabilities, and security measures and mitigations should be put in place and assessed periodically to maintain a
good cyber security posture.

42 EU GDPR, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

List of Acronyms
Acronym    Term
ACARS      Aircraft Communications Addressing and Reporting System
ACD        Aircraft Control Domain
ACSR       Aviation Cyber Security Roundtable
ACSTF      Aircraft Cyber Security Task Force
AHM        Aircraft Health Monitoring
AIMS       Airplane Information Management System
AISD       Aircraft/Airline Information Services Domain
AISS       Aeronautical Information System Security
ANSP       Aircraft Network Security Program
ARINC      Aeronautical Radio, Incorporated
C2M2       Cybersecurity Capability Maturity Model
CEO        Chief Executive Officer
CIA        Confidentiality, Integrity, and Availability
CIO        Chief Information Officer
CISO       Chief Information Security Officer
COBIT      Control Objectives for Information and Related Technology
CPDLC      Controller–Pilot Data Link Communications
CSF        Cyber Security Framework
CSIAD      Critical Systems, Information, Assets, and Data
CSO        Chief Security Officer
DAH        Design Approval Holder
EFB        Electronic Flight Bag
ENISA      European Union Agency for Cybersecurity
EU         European Union
EUROCAE    European Organization for Civil Aviation Equipment
FAA        Federal Aviation Administration
FANS       Future Air Navigation System
FISMA      Federal Information Security Modernization Act
GDPR       General Data Protection Regulation
GLONASS    Global Navigation Satellite System
GNSS       Global Navigation Satellite System
GPS        Global Positioning System
GRC        Governance, Risk, and Compliance
ICAO       International Civil Aviation Organization
ILS        Instrument Landing System
IP         Internet Protocol
ISM        IOSA Standards Manual
ISO        International Organization for Standardization
LRU        Line-Replaceable Units
NICE       National Initiative for Cybersecurity Education
NIST       National Institute of Standards and Technology
NOTAMs     Notices to Airmen
OEM        Original Equipment Manufacturer
PCI DSS    Payment Card Industry Data Security Standard
PIESD      Passenger Information and Entertainment Systems Domain
PODD       Passenger Owned Devices Domain
RMF        Risk Management Framework
RTCA       Radio Technical Commission for Aeronautics
SARPs      Standards and Recommended Practices
SATCOM     Satellite Communications
SLA        Service Level Agreement
SMS        Short Message Service
SeMS       Security Management System
TCAS       Traffic Collision Avoidance System
TCP        Transmission Control Protocol
VHF        Very High Frequency

List of References
1. AIAA, The Connectivity Challenge: Protecting Critical Assets in a Networked World, A Framework for Aviation Cybersecurity, August 2013.
2. ARINC, 664P1-2 Aircraft Data Network, Part 1, Systems Concepts and Overview, 2019.
3. ARINC, 664P5 Aircraft Data Network, Part 5, Network Domain Characteristics and Interconnection, 2005.
4. ENISA, Cyber Security Culture in organisations, 2018.
5. ENISA, Cybersecurity Skills Development in the EU, 2020.
6. EU GDPR, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
7. EUROCAE, ED-201: Aeronautical Information System Security (AISS) Framework Guidance, 2015.
8. EUROCAE, ED-201: Aeronautical Information System Security (AISS) Framework Guidance, 2015.
9. FAA, Order 8900.1 Volume 3, Chapter 61.
10. IATA, Aviation Cyber Security Roundtable, Read Out, 2019.
11. IATA, IOSA Standards Manual (ISM) Ed. 14, 2020.
12. IATA, Security Management System (SeMS) Manual, Edition 4, 2020.
13. ICAO, Annex 17 – Security, 10th edition, 2017.
14. ICAO, Aviation Cybersecurity Strategy, 2019.
15. ICAO, Aviation Security Global Risk Context Statement, Second Edition, 2019 (Doc 10108).
16. ISO/IEC, 27000 Family of Standards.
17. ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements, 2019.
18. ISO/IEC 27005:2018, Information technology — Security techniques — Information security risk management, 2018.
19. ISO/IEC 27032:2012, Information technology — Security techniques — Guidelines for cybersecurity, 2012.
20. NIST, NISTIR 8287, A Roadmap for Successful Regional Alliances and Multistakeholder Partnerships to Build the Cybersecurity Workforce, 2020.
21. NIST, SP 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, 2018.
22. NIST, SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, 2011.
23. NIST, SP 800-50, Building an Information Technology Security Awareness and Training Program, 2003.
24. NIST, SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, 2020.
25. NIST, SP 800-82 Revision 2, Guide to Industrial Control Systems (ICS) Security, 2015.
26. NIST, SP 800-100, Information Security Handbook: A Guide for Managers, 2007.
27. NIST, SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, 2011.
28. NIST, SP 800-181 Revision 1, Workforce Framework for Cybersecurity (NICE Framework), 2020.
29. NIST, Cybersecurity Framework (CSF).
30. NIST, Federal Information Security Modernization Act, 2014.
31. NIST, FISMA Implementation Project.
32. NIST, Framework for Improving Critical Infrastructure Cybersecurity Version 1.1, 2018.
33. NIST, Roadmap for Improving Critical Infrastructure Cybersecurity Version 1.1, 2019.
34. UK CAA, CAP1850, Cyber Assessment Framework (CAF) for Aviation, 2020.

(END)
