Cybersecurity in the Aviation Sector – A Comprehensive Approach to Protection

In an era of rapid advancement in information and communication technologies, and the growing importance of data in operational processes, cybersecurity has become one of the key components of civil aviation security. The National Civil Aviation Security Programme (NCASP) imposes obligations on entities in the aviation sector, including airport operators, air carriers, regulated agents, regulated suppliers of in-flight supplies, known consignors, and air navigation service providers that are not designated as operators of essential services. These obligations relate to the protection of Critical Aviation Information and Communication Technology Systems (Polish: krytyczne lotnicze systemy technologii informacyjno-komunikacyjnej i danych, KLST).

Scope of Cybersecurity Responsibilities for Aviation Entities

  1. Identification of KLST
    Each entity is required to accurately identify its critical aviation information and communication systems that process data essential for safety, security, and the continuity of aviation operations. This identification serves as the foundation for all further cybersecurity measures.
  2. Risk Assessment and Implementation of Protection Measures
    Based on systematic risk assessments, entities must implement appropriate safeguards to minimize the risk of unauthorized access, interference, or damage to their KLST. These measures are aimed at protecting the integrity, confidentiality, and availability of critical assets.
  3. Development and Implementation of Cyberattack Prevention Measures
    Entities must define in detail, within their security programmes, the procedures for preventing cyberattacks, mechanisms for detecting them, and effective methods of responding to incidents. This ensures civil aviation is safeguarded against threats stemming from cybercrime.
  4. Personnel Qualifications and Awareness
    Entities must ensure that individuals responsible for implementing and maintaining cybersecurity measures possess the necessary qualifications and skills. These individuals should also be regularly informed about current threats and potential incidents, in line with the principle of limited access to sensitive information.

Operators of Essential Services and Cybersecurity

For entities designated as operators of essential services, NCASP cybersecurity requirements are replaced by provisions outlined in the Act of 5 July 2018 on the National Cybersecurity System. This means such entities are subject to more advanced and stringent cybersecurity standards in accordance with this legislation.

Obligations Under EU Regulations

Aviation entities, including operators of essential services, are also obliged to:

  • conduct training in accordance with point 11.2.8 of the Annex to Commission Implementing Regulation (EU) 2015/1998 of 5 November 2015 laying down detailed measures for the implementation of the common basic standards on aviation security.
  • conduct background checks on individuals with administrator rights or unrestricted, unsupervised access to KLST, in accordance with point 11.1.2(c) of the same regulation.

Trust the Experts – Comprehensive Cybersecurity Support from Avsec.pl

By complying with these obligations and continuously improving their internal security procedures, aviation entities ensure a high level of cybersecurity. This is essential for the effective operation of the entire aviation sector and the protection of critical infrastructure and resources.

In this context, Avsec.pl offers training for persons with roles and responsibilities related to cyber threats, approved by the President of the Civil Aviation Authority, in accordance with the requirements set out in point 11.2.8 of the Annex to Commission Implementing Regulation (EU) 2015/1998 of 5 November 2015 laying down detailed measures for the implementation of the common basic standards on aviation security.
Moreover, leveraging its many years of experience in civil aviation security, Avsec.pl provides specialized consultancy to its aviation partners, supporting the identification of critical aviation ICT systems (KLST) and the implementation of appropriate protection measures to defend against cyber threats effectively.