.

Aviation Cyber Security

Guidance Material
Part 1: Organization Culture and Posture
Edition 1 | February 2021
 DISCLAIMER.

The information contained in this guidance

material is subject to constant review in the light of
changing government requirements and
regulations. No subscriber or other reader should
act on the basis of any such information without
referring to applicable laws and regulations and
without taking appropriate professional advice.
Although every effort has been made to ensure
accuracy, the International Air Transport
Association shall not be held responsible for any
loss or damage caused by errors, omissions,
misprints or misinterpretation of the contents
hereof. Furthermore, the International Air
Transport Association expressly disclaims any
and all liability to any person or entity, whether a
reviewer of this guidance document or not, in
respect of anything done or omitted, and the
consequences of anything done or omitted, by
any such person or entity in reliance on the
contents of this guidance material.
For feedback, questions or comments please
contact us at: [email protected].

2 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

Contents
Revision Record ..................................................................................................................................................................................... 4
List of Contributors ............................................................................................................................................................................... 5
Introduction ............................................................................................................................................................................................. 6
Chapter 1. Scope of the Guidance .................................................................................................................................................. 7
1.1. Applicability .......................................................................................................................................................................................... 7
1.2. Defining Aircraft Types .................................................................................................................................................................... 8
1.2.1 E-Connected Aircraft ............................................................................................................................................................... 8
1.2.2 Legacy Aircraft ........................................................................................................................................................................... 8
Chapter 2. Minimal Cyber Security Culture and Posture within the Organization ......................................................... 9
2.1. Defining Minimal Cyber Security Culture and Posture .......................................................................................................... 9
2.1.1 Minimal Cyber Security Culture............................................................................................................................................ 9
2.1.2 Minimal Cyber Security Posture .......................................................................................................................................... 9
2.2. Cyber Security Strategy ................................................................................................................................................................ 11
2.2.1 Organization and Structure ................................................................................................................................................. 13
2.2.2 Governance and Management ........................................................................................................................................... 14
2.2.3 Workforce .................................................................................................................................................................................. 19
Chapter 3. Overview of Aircraft Cyber Security Elements .................................................................................................. 21
3.1. Aviation Ecosystem Elements ..................................................................................................................................................... 21
3.2. Organization and Connecting Elements .................................................................................................................................. 23
3.3. Aircraft and Connecting Elements ............................................................................................................................................. 25
Appendix A: Data Privacy In-Flight ................................................................................................................................................ 28
List of Acronyms .................................................................................................................................................................................. 29
List of References ............................................................................................................................................................................... 31

3 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

Revision Record
Symbol Meaning

□ Insertion

△ Amendment

⨂ Deletion

Revision Table

Revision Date Section(s) Significant Changes

Edition 1 9 February 2021 First release

4 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

List of Contributors
This guidance document is issued with grateful acknowledgment to the organizations listed below (in alphabetic
order) who continuously contribute expert advice and comments on the contents compiled herein.
• Air Canada
• Air France-KLM
• American Airlines
• British Airways
• Copa Air

• FedEx

• IAG

• KLM
• Korean Air

• Lufthansa
• Qantas

• Qatar Airways
• United Airlines

5 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

Introduction
Aviation Cyber Security is a key priority for airlines mainly because of the industry adoption of digitalization is well
underway and, if the approach is not carefully protected at the design to the operational stage, new levels of
connectivity and optimization may result in previously unknown cyber vulnerabilities to materialize. As is currently
experienced, adversaries continue exploiting vulnerabilities in systems for financial, reputational, and disruption-
related gains.
Currently, cyber-linked terrorism against aircraft is assessed as “low” 1, but continuous enhancement of
countermeasures is required. To face the challenges relative to aviation cyber security, the Aircraft Cyber Security
Task Force (ACSTF) was established in March 2018. IATA, through ACSTF and Aviation Cyber Security Roundtable
(ACSR)2, held in Singapore in 2019, as well as regulatory forums, industry workshops, and events, as well as raises
awareness among key stakeholders about the challenges and opportunities related to aviation cyber security.
The November 2019 ACSTF meeting discussed the importance of developing guidance material. This resulting
guidance provides airlines with recommendations on adopting a minimal cyber security posture.
While this document defines a baseline and provides airlines with minimum recommendations and checklists to
adopt a cyber security posture, it is imperative that the final decision to follow recommendations belongs to airlines,
based on their respective internal governance and self-assessment of the inherent risks and mitigations already in
place.
Feedback related to the content of this document should be sent to [email protected].

1
ICAO Aviation Security Global Risk Context Statement, Second Edition, 2019 (Doc 10108).
2
IATA, Aviation Cyber Security Roundtable, Read Out, 2019.

6 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

Chapter 1. Scope of the Guidance
1.1. Applicability
This guidance is applicable to any Operator with the e-connected aircraft. The guidance may also apply to specific
scenarios to Operators with legacy aircraft, such as with aircraft component software data loading and with certain
avionics navigational/communication systems.
It is aligned with the International Civil Aviation Organization (ICAO) Cybersecurity Strategy3 and relevant Standards
and Recommended Practices (SARPs), such as those related to Annex 17 – Security, and measures concerning
cyber threats contained in Standard 4.9.1 under which each Contracting State shall ensure that “operators or entities
as defined in the national civil aviation security programme or other relevant national documentation identify their
critical information and communications technology systems and data used for civil aviation purposes and, in
accordance with a risk assessment, develop and implement, as appropriate, measures to protect them from unlawful
interference.”4
This ICAO Standard is reflected in IATA’s IOSA Standards Manual (ISM) and can be found in the modified Standard
SEC 4.1.1 (Security Section) in the 14th Edition (December 2020) effective from September 2021 and via a
Recommended Practice of the ORG 3.1.6 (Organization and Management System Section). 5
The Aviation Cyber Security Guidance Material Part 1 relates to the cyber security of the organization, and Part 2 to
the aircraft cyber security and risks management. This guidance material includes an overview of responsibilities
incumbent on Operators and provides recommendations regarding:
• Minimal cyber security culture and posture within an organization;
• Overview of aviation ecosystem, organization, and connecting elements;
• Airworthiness cyber posture of the aircraft at the procurement stage and upon delivery;
• Continued airworthiness accountabilities of the Operator;
• Cyber security relative to the prolonged storage/parking of aircraft;
• Devising a risk management program; conducting a periodic risk assessment as well as emergency
management and incident response.

3
ICAO, Aviation Cybersecurity Strategy, 2019.
4
ICAO, Annex 17 – Security, 10th edition, 2017.
5
IATA, IOSA Standards Manual (ISM) Ed. 14, 2020.

7 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

1.2. Defining Aircraft Types
Two aircraft categories are defined for this guidance, namely e-connected aircraft and legacy aircraft. Section 1.2.1
and Section 1.2.2 further explain both aircraft categories.
Please note, that more information on the e-connected aircraft, as well as its connecting elements, will be further
discussed in Part 1-Chapter 3.

1.2.1 E-Connected Aircraft

Although there is no official definition, an e-connected aircraft may be referred to as an aircraft type typically using
integrated software and networked avionics, e.g. the Airplane Information Management System (AIMS) cabinet on a
B777.
The European Organization for Civil Aviation Equipment (EUROCAE) and Radio Technical Commission for
Aeronautics (RTCA) refer to an e-connected aircraft as an aircraft with network connections, i.e., higher-bandwidth
data communications, which need some level of increased network security requirements for the purpose of
protecting the data being sent and received.
An e-connected aircraft (e.g., A350, A380, B777, B787, etc.) has one or more networks on-board and requires a
connection to external networks (airborne and/or ground-based) to assist with its operation.
Moreover, the Federal Aviation Administration (FAA), in its Order 8900.1 Volume 3, Chapter 61, Aircraft Network
Security Program (ANSP) states that e-connected aircraft may have the capability to reprogram flight-critical
avionics components wirelessly and via various data transfer mechanisms. 6
This capability of many e-connected aircraft to be reprogrammed wirelessly or via a wired connection, magnetic
disc, or USB device may result in unintended cyber security vulnerabilities that potentially impact the continuing
airworthiness of the aircraft.

1.2.2 Legacy Aircraft

Legacy aircraft may be defined as aircraft types that have limited networked software within avionic suites and
typically use “stand-alone” communications, navigation, and surveillance line-replaceable units (LRUs). Software
controlled air-ground connectivity is typically limited to an Aircraft Communications Addressing and Reporting
System (ACARS) link. However, it should be noted that the legacy aircraft could be potentially impacted by cyber
threats, especially considering the systems such as:

• Field Loadable Software (Loadable Software Aircraft Parts, Databases);

• ACARS communication (FANS 1/A, CPDLC);
• TCAS and ADC-B;
• GNSS/GPS/GLONASS;
• And other potential systems (e.g. ILS).

6
FAA, Order 8900.1 Volume 3, Chapter 61.

8 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

Chapter 2. Minimal Cyber Security Culture and Posture
within the Organization
2.1. Defining Minimal Cyber Security Culture and Posture
2.1.1 Minimal Cyber Security Culture
The cyber security culture within the organization may be defined as a set of knowledge, norms, values,
assumptions of the staff that directly reflect their behavior in dealing with the information technology and protecting
the Critical Systems, Information, Assets, and Data (CSIAD).7
The Operator needs to have a well-established cyber security culture within the organization that covers all elements
from aircraft procurement and its entire life cycle, operations as well as the supply chain. This should also be relevant
from the most senior levels down to the most junior.
Cyber security culture should be an integral part of one’s organization and staff. Successful cyber security culture
will shape the security thinking of one’s staff and improve resilience against cyber threats and will allow one to
effectively perform strategy goals without imposing burdensome security steps.
Defining a minimal cyber security culture within one’s organization is a process that requires a multithreaded
approach and commitment not only from the senior management but also down to junior levels. A well-established
cyber security culture is not only an awareness of behaviors, norms, and values, but it is also a mutual understanding
between senior management, people responsible for the cyber security implementation, and the entire staff about
their responsibilities and practices to defend CSIAD against the cyber-attacks.8
It needs to be highlighted that the cyber security culture is unique for each Operator and in order to define and
establish a robust and sustainable culture, knowledge and understanding of the organization’s overall culture and
structure, mission and vision, strategic objectives, policies, and processes is required. Therefore, to have
established/to establish minimal cyber security culture, the Operator should ensure that the workforce is
appropriately trained as well as knows and understands the respective role within the organization to make it secure.
For more information on cyber security culture and awareness please also refer to the latest Edition 4 (October 2020)
of the Security Management System (SeMS) Manual.9

2.1.2 Minimal Cyber Security Posture

The cyber security posture, in reference to the National Institute of Standards and Technology (NIST) Special
Publication (SP) 800-12810, may be defined as the security status of the Operator’s networks, information, and
systems based on information security resources (e.g., people, hardware, software, policies) and capabilities in place
to manage the defense of the organization and to react as the situation changes. Simply, it may be referred to as the
maturity and overall security strength of the organization, control and measures to protect the organization from
cyber-attacks, its ability to manage its defense as well as readiness and ability to react and recover in case the cyber-

7
NIST, SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, 2011.
8
ENISA, Cyber Security Culture in organisations, 2018.
9
IATA, Security Management System (SeMS) Manual, Edition 4, 2020.
10
NIST, SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, 2011.

9 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

attack occurs.
Since the cyber threats and malicious actors continue to grow, in civil aviation, not only in number but also in
sophistication, the Operator needs to have a clear vision of their cyber security posture. In addition to the coming
regulations and strict compliance standards imposing requirements on the Operator, the pressure from the
governments and public sector to protect the CSIAD is growing as well.
Due to the increasing number and type of sophisticated cyber-attacks, motivated by financial gains and lack of
criminal interdiction and jurisdiction relative to the likelihood of behavior, the Operator must establish a cyber
security posture.
In order to understand its cyber security posture, the Operator should conduct a risk assessment to identify the
vulnerabilities and overall risk situation of the CSIAD within the organization (more information on the risk
assessment can be found further in this document). This step will help identify the weaker parts of the organization
and determine the next steps to increase the cyber security posture within one’s organization.
However, it is important for the Operator to regularly monitor and assess the security measures covering the CSIAD,
in order to maintain a good cyber security posture. Adopting a more holistic approach considers the organization’s
policies, risk-analysis programs/frameworks, cyber security culture as well as awareness and education of one’s
workforce.
The process of defining cyber security posture takes under account or determines the cyber security maturity of
one’s organization, the security gaps to be fixed, and the efforts that should be prioritized. One can see that there
are several steps to be undertaken. To facilitate this process, many cyber security frameworks were developed. An
example of those frameworks, which may be used by the Operators, is the NIST’s Cyber Security Framework (CSF)11,
which further refers to the NIST Special Publication 800–53 Revision 5.12 Another document that will help one’s
organization to improve the cyber security posture is the standards documentation of the International Organization
for Standardization (ISO). The starting point for the Operator should begin with the standards in the ISO/IEC 27000
family13. One of the examples is the ISO/IEC 27032:2012 Information technology — Security techniques —
Guidelines for cybersecurity.14
The NIST CSF was developed to provide a performance-based and cost-effective approach to help organizations
identify, assess, and manage cyber security risk.
By using those frameworks, and following the regulatory requirements and industry standards, the Operator should
establish the cyber security posture one seeks to achieve. Different security measures and controls ensure that all
aspects are covered, and no gaps are left in one’s cyber security posture. In order to define a minimal cyber security
posture, it is recommended to consider the following steps:
• Identify Critical Systems, Information, Assets, and Data (CSIAD). Each organization is different
therefore, it is important to identify first, what systems, information, assets, and data are critical for one’s
organization and need to be protected. This will also help prioritize a list of actions for continuity of
operations.
• Determine the risk appetite of one’s organization. Operators, depending on the strategic objectives
of the organization and its CSIAD may accept a different level of risk. It is important to determine the
level of risk one is willing to accept to meet the strategic objectives. This should be continuously

11
NIST, Cybersecurity Framework (CSF).
12
NIST, SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, 2020.
13
ISO/IEC, 27000 Family of Standards.
14
ISO/IEC, 27032:2012, Information technology — Security techniques — Guidelines for cybersecurity, 2012.

10 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

 assessed and adjusted if the objectives change.
• Develop and implement a cyber security program. The cyber security program should consist of one’s
respective organization policies, processes, standards, and guidelines. This will help align all cyber
security aspects within the organization, improve general security and resilience of critical
infrastructure, as well as ensure that cyber security risk management of the organization fulfills the
desired objectives.
• Assess maturity and effectiveness of one’s controls. This process is essential to determine whether
or not, the implemented controls are sufficient to protect one’s CSIAD against identified threats and
vulnerabilities.
• Monitor, evaluate, and revise. It is important for the Operator to constantly monitor, evaluate and revise
any changes to the strategic objectives of the organization.
The Operator may consider using a tool, such as the Cyber Assessment Framework (CAF) for Aviation, developed
by the UK CAA, aiming to help with the process of cyber security assessment of the organization.15
Adopting the right level approach to protect CSIAD will enable a resilient cyber security posture. However, it is crucial
for the organization to constantly monitor, maintain and adapt the cyber security posture as the business/operation
environment may change in response to strategic objectives, new technologies, structures, and processes as well
as emerging cyber threats.

2.2. Cyber Security Strategy

The Cyber Security Strategy of the organization may be defined as a plan of actions, developed and implemented to
ensure the protection of confidentiality, integrity, and availability (CIA) of data and the identified CSIAD. This is a key
to enhance one’s security, resilience, and trust in terms of cyber security within the organization. A well-established
strategy will ensure that the minimal cyber security culture and posture of one’s organization is maintained, the
workforce properly trained and informed about their roles and responsibilities. It aims to ensure the organization is
prepared in case a cyber-attack occurs.
The strategy of the organization is a high-level top-down approach document that will establish one’s objectives and
priorities within a defined, specific timeframe (ex. 3 to 5 years, depends on the organization) and it usually starts with
the understanding of the organization’s current risk posture and the associated risk appetite. However, it is important
to align the Cyber Security Strategy with overall organization/business strategy and should cover inter alia a clearly
defined mission and vision of the organization, business goals, and continuity, policies. In terms of the tactical plans,
it is recommended that one has established with a timeframe of 1 to 2 years, and shorter for operational plans or
projects/programs, which will depend on the organization.
Different frameworks can be followed by one’s organization in order to develop and implement the Cyber Security
Strategy. One of the frameworks that were already mentioned is the NIST CSF. It consists of five concurrent and
continuous recommended functions, that the organization should address while developing a Cyber Security
Strategy document are presented in the figure below.

15
UK CAA, CAP1850, Cyber Assessment Framework (CAF) for Aviation, 2020.

11 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

Figure 2.2. NIST Cyber Security Framework (CSF)16

IDENTIFY cyber security risk to systems, assets,

data, and capabilities.

PROTECT the organization from identified risks

RECOVER IDENTIFY through controls to limit or contain the impact of a
potential cyber security event

DETECT potential cyber security events in a timely

manner.

RESPOND PROTECT RESPOND to cyber security events, including

having a response plan and performing activities to
eradicate the incident and incorporate lessons
learned into new strategies.

RECOVER from cyber security events through

DETECT actions to restore impaired capabilities or services.

Source: IATA (based on NIST CSF)

The Cyber Security Strategy development process may touch multiple divisions within an organization. Therefore,
the Operator should compose a multi-disciplinary team responsible for the entire process of strategy development
and then implementation. Determining the action plan is key for developing the strategy. This needs to be followed
by setting the timeframe which can be different for each Operator, as it depends on the size, complexity, vision, and
mission of the organization, etc.
As a first step, the Operator should develop the strategic goals and define the scope of the strategy. Further, cyber
security needs should be identified to guide the development of achievable and actionable activities in support of
the goal and scope of one’s Cyber Security Strategy. Another step that should be considered while developing the
strategy should include defining Cyber Security Programs that would eventually determine performance indicators
over specific objectives and overarching the goals, determine the resources needed (amount of time and size of the
staff needed to address the cyber security efforts), as well as developing a communication plan within the
organization. The Cyber Security Strategy should be revisited and updated regularly.

16
NIST, Cybersecurity Framework (CSF).

12 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

2.2.1 Organization and Structure
In general, as per the NIST SP 800-10017, there are two main models of the cyber security governance structure,
namely centralized and decentralized. While the Chief Executive Officer (CEO) in general is responsible for managing
and governing the organization, the responsibility for cyber/information security presents differently in those two
models.
• For a centralized model, the Chief Information Security Officer (CISO) or Chief Information Officer (CIO)
is in control of the line budget (budget and expenses of the department/cost center) over the information
security activities within the department and therefore is responsible for ensuring implementation and
monitoring of information security controls. The CISO or CIO is supported by other staff members
directly reporting to CISO or CIO. This model allows establishing more specialization due to the usually
higher number of staff, allowing to focus on a specific area. However, this model requires more time to
be allocated for the staff management as for the larger size of the team.
• For a decentralized model, the CISO or CIO, in general, is responsible for policy development and
oversight. In terms of the budget, the CISO or CIO controls the budget for departmental information
security but has no control over information security programs of operating units. This model allows to
save time on managing the staff, however, since the staff that CISO or CIO relays on do not directly report
to CISO or CIO, more time is required to obtain resources from other functions within the organization.
Usually, the organization decides to adopt a hybrid model, adopting some elements of centralized and decentralized
models to better address the mission, size, strategic objectives, and governance structure. To determine the
centralized or decentralized model, NIST recommends in its SP 800-100 that during the process of establishing the
structure the following factors should be considered, but not limited to the:
• size of the organization and number of physical locations;
• mission and strategic objectives;
• existing IT infrastructure;
• national regulatory requirements;
• organization’s governance requirements;
• the budget of the organization; and
• capabilities in terms of information security within the organization.
Due to the transversal nature of cyber security, it will cross all departments of the organization. The Operator can,
therefore, consider the hybrid model and establishment of operational cooperation and coordination structure to
include all aspects.
Note that, in case CISO is within the CIO department, there might be a conflict of interests in terms of IT operational
needs vs security needs.

17
NIST, SP 800-100, Information Security Handbook: A Guide for Managers, 2007.

13 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

2.2.2 Governance and Management
2.2.2.1 Cyber Security Governance Framework

The information security governance is defined by the NIST as the process of establishing and maintaining a
framework and supporting management structure and processes to assure that information security strategies are
aligned with and support business objectives, are consistent with applicable laws and regulations through adherence
to policies and internal controls, and provide assignment of responsibility, all to manage risk. 18
In general, referring to the NIST CSF and SP 800-100 the cyber security governance has different types of possible
structures, discussed in the previous section, requirements, challenges, and various activities. Moreover, the
cyber/information security governance will define the key roles and responsibilities within the organization and
support the development, oversight, and ongoing monitoring of the policies. Therefore, in order to ensure the
desired level of the organization’s mission support and implementation of compliance requirements, it is important
for the Operator to have a well-established governance framework and that it is applied to all aspects of the Flight
and Technical Operations organizations. As part of the governance, the Operator should identify the applicable
regulatory requirements at the national level (legislation, regulations, directives) as well as internal requirements.
The Operator should consider the integration of the cyber security governance with the overall organizational
structure and activities in order to ensure that the upper management is informed and participate in the process of
overseeing the implementation of security controls within the organization. his process can be facilitated by the
following elements:
• strategic planning;
• organizational structure and development;
• defined and established appropriate roles and responsibilities;
• integration with the overall architecture of the organization;
• documentation like policies and guidance put in place.
The figure below presents the Governance, Risk, and Compliance (GRC) Framework which aims to help in the process
of managing the organization’s overall governance, risk management, and compliance with the regulations and
standards. The governance is all about the regulations, standards, policies, processes, and procedures, as well as
controls to be put in place. Risk involves understanding one’s CSIAD, operations, and processes, as well as an
understanding of the business’ capability to endure losses. Moreover, the compliance part indicates the controls
implemented by the organization to fulfill compliance mandates.

18
NIST, SP 800-100, Information Security Handbook: A Guide for Managers, 2007.

14 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

Figure 2.2.2.1. Governance, Risk & Compliance (GRC) Framework

GOVERNANCE RISK COMPLIANCE

Statutory/Regulatory Categorization Monitor

Standards Select Controls & Measures Internal Assessment

Policies Implement & Assess External Audit

Process & Procedures Authorize & Monitor Report & Adjust

Risk Assessment &

Controls
Adjustments

Source: IATA

ISO/IEC 27001 and other frameworks can support the GRC activities within one’s organization as it helps with the
process of establishing an information/cyber security governance to be aligned with the organization governance,
preserving the information/cyber security by applying risk management, as well as establishing a set of controls
enabling the organization to be compliant with the regulations and standards.

2.2.2.2 Cyber Security Management

For any Operator, the ultimate success of cyber security management and strategy depends on proactive support
from the organization’s senior management. The structured management framework ensures the oversight,
monitoring, and controlling of the right implementation of cyber/information security within the organization.
Therefore, it is important to have established a strong leadership and ownership of the topic with the relevant
elements embedded in respective business units.
The Board of Directors is ultimately responsible for the whole governance of the organization. However, the
executive responsibilities over most governance matters rest with the CEO. The CEO is ultimately accountable for
ensuring all required resources are appointed throughout the organization. Therefore, the CEO appoints the CISO,
who reports directly to the CEO. The CISO is responsible for the cyber security operations and ensuring the
successful implementation of the cyber security strategy of the organization.19 This role may be also appointed to

19
ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements, 2019.

15 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

the CIO, or the Chief Security Officer (CSO). It is also possible that the role is appointed to another Senior Officer,
which depends on the size and structure of the organization. However, one should note that there might be a conflict
of interest in this setup, especially for larger organizations, for which it is recommended to separate information
security and IT operation, which is already a best practice or required by regulators in other industries.
The Senior Officer should act as the primary liaison with the respective regulators and other governmental
organizations on the topic of cyber security. The Senior Officer should have the support of the CEO for the oversight
and coordination of regulatory activities within the organization and act as the primary point of contact. Moreover,
the Senior Officer should have a lead role in developing cyber security policies, processes, controls, and metrics
aligned with the mission, vision, compliance requirements, and risk appetite.
More information relative the cyber security management, including CISO, CIO, CSO role, within the organization can
be found in the latest Edition 4 of the SeMS Manual.20 Moreover, more detailed information can be also found in the
NIST CSF21 and ISO/IEC 27001:2013.22

2.2.2.3 Devising the Cyber Security Program

The cyber security program should fulfill the Cyber Security Strategy and it often refers to the industry framework
standards and recommended practices. The cyber security program will establish all the policies and processes
required to protect the confidentiality, integrity, and availability of one’s identified CSIAD. It is important to note, that
based on the strategic objectives and regulatory requirements, the individual element and sub-elements of the cyber
security program may vary between different Operators. However, there are certain elements that the effective
cyber security program components should include, i.e. policies, cyber security framework, and process as well as
the way to measure them. Each cyber security program element and the relevant documentation must be
implemented to specific business units of one’s organization. Therefore, the cyber security program should be
tailored specifically to one’s organization.
One of the key elements for an Operator in support of the management of cyber security within an organization is
the development and establishment of the cyber security program. The cyber security program should align with the
mission and vision of the organization. It should be based on the risk appetite determined by the Board of Directors.
The goal of the program is also to identify different business units and appoint staff in order to support the strategic
objectives of the organization.
The process of devising a cyber security program is very important and to do so, the organization needs to appoint
a strong leadership with a strategic resource who will ensure that the program aligns with the mission and vision,
mission, and risk appetite of the Operator.
The very first step for the Operator should be to identify the individuals within the organization to be involved in the
process of devising a cyber security program. Therefore, the Board of Directors or the CEO should appoint the
Senior Officer who will provide the lead and direction of the entire organization. As the cyber security lead for the
organization, and the cyber operational aviation aspects as well, meaning the fleet of aircraft, this Senior Officer
bridges the organization program with cyber security tactical aviation implementation. However, it is also important
that the Senior Officer is in control of the budget, can plan and allocate necessary resources, as well as has the
capacity to execute the devised cyber security program. The Senior Officer will provide direction to the entire
organization and ensure consistency throughout the management.

20
IATA, Security Management System (SeMS) Manual, Edition 4, 2020.
21
NIST, Cybersecurity Framework (CSF).
22
ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements, 2019.

16 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

Many guidance on the devising process of cyber security programs are available and may be used by the Operators.
One of them is already mentioned before the NIST CSF.23 This framework provides a process on how to establish
and manage the process of devising a cyber security program. Another framework that can be used here is for
example the ISO/IEC 27000 family, as well as the Control Objectives for Information and Related Technology (COBIT)
and/or Payment Card Industry Data Security Standard (PCI DSS), depending on the standards and policies a program
needs to cover. The figure below is based on the NIST recommendations and outlines the seven-step process while
devising a cyber security program.

Figure 2.2.3. Process for devising a Cyber Security Program

Step 1: Prioritize and Scope

• Identify organization vision and mission objectives along with high-level organizational priorities;
• Make strategic cyber security implementation decisions as well as determine the scope of the systems
and assets;

Step 2: Orient

• Identify related systems and assets, regulatory requirements and the program’s overall risk approach;
• Identify vulnerabilities of, and threats to, these systems and assets;

Step 3: Create a Current Profile

• Define the state of the organization's cyber security program;

Step 4: Conduct a Risk Assessment

• Analyze the operational environment of the organization in order to determine the likelihood of cyber
security events and their related impact;

Step 5: Create a Target Profile

• Create a target profile that focuses on the CSF Categories and Subcategories assessment describing
the desired cyber security outcomes (based on the organizational risks and considering the risk
appetite);

Step 6: Determine, Analyze and Prioritize Gaps

• Determine, analyze and prioritize any gaps that exist, based on the created Target Profile;

Step 7: Implement Action Plan

• Determine which actions to take and carry out said actions to address the gaps;
• Document the roadmap to achive the strategic goals;

Source: IATA (based on NIST CSF)

23
NIST, Cybersecurity Framework (CSF).

17 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

2.2.2.4 Devising the Organization Cyber Security Risk Management

The NIST in the Framework for Improving Critical Infrastructure Cybersecurity 24 outlines that there is no one-size-
fits solution for all. Operators may have identified different CSIAD which would infer different risks. In general, the
goal of Cyber Security Risk Management is to identify the risks, understand the likelihood as well as their impact on
the operations. as well as to implement, measure and update security controls in order to mitigate the risks to an
acceptable level.
Many frameworks are available that can be considered by the Operator in order to develop risk management for the
organization. It can be based on the NIST CSF, ISO/IEC 27001:201325, or ISO 27005:201826. The documentation like
NIST SP 800-37 Rev. 227 (or latest version), and NIST SP 800-82 Rev. 228 (or latest version) provides the information
that can be used by the Operator to establish a baseline.
In the process of devising the organization’s Cyber Security Risk Management, the Federal Information Security
Modernization Act (FISMA)29 Implementation Project of the NIST CSF and developed by NIST the Risk Management,
which is a key element of the FISMA, may be useful. The Risk Management Framework (RMF) will provide one with
information on the processes integrating security and risk management activities. It represents a risk-based
approach and covers the following steps: prepare, categorize, select, implement, assess, authorize and monitor. The
figure below outlines all the steps with the relevant documentation for each step of the RMF.

Figure 2.2.4(1). Risk Management Framework

1 2

4 3

Source: IATA (based on ISO/IEC 27005)

24
NIST, Framework for Improving Critical Infrastructure Cybersecurity Version 1.1, 2018.
25
ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements, 2019.
26
ISO/IEC 27005: 2018, Information technology — Security techniques — Information security risk management, 2018.
27
NIST, SP 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations—A System Life Cycle Approach for Security and Privacy,
2018.
28
NIST, SP 800-82 Revision 2, NIST SP 800-82 Rev. 2 Guide to Industrial Control Systems (ICS) Security, 2015.
29
NIST, Federal Information Security Modernization Act, 2014

18 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

Figure 2.2.4(2). Risk FISMA Implementation Project30

Source: NIST

The Cyber Security Risk Management of the Operator needs to be revisited annually and improved if any changes to
the strategic objectives were made or any new critical system introduced.
The considerations for the aircraft specific Cyber Security Risk Management is further discussed in
Part 2-Chapter 3 of this guidance material.

2.2.3 Workforce
Planning of the Operator’s workforce is another key element of the Cyber Security Program. As cyber threats against
civil aviation constantly emerge, and the number and sophistication of cyber-attacks are increasing, the need for
cyber security professionals is also growing.
Currently, the aviation industry is lacking the cyber security professionals to meet the regulatory compliance and
changing landscape of aircraft cyber security. In order to fill this current gap between the need and available
workforce, cyber security professionals need to undergo the process of skills development relative to aviation and
aircraft cyber security.
The area of cyber security requires professionals to constantly grow, evolve and maintain highly technical skills.
Therefore, effective workforce planning for the Operator is crucial. This will enable the development of processes
that will help to identify where the gaps are present as well as give one information on how to shape the workforce
to achieve the vision and mission of the organization. The Operator should ensure how to attract, assess, and
develop a specialized workforce.
A companion document to the NIST CSF, the NIST Roadmap for Improving Critical Infrastructure Cybersecurity31
points out the importance of a skilled cyber security workforce to meet the needs of the critical infrastructure. As

30
NIST, FISMA Implementation Project.
31
NIST, Roadmap for Improving Critical Infrastructure Cybersecurity Version 1.1, 2019.

19 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

per this document, due to the evolving cyber security threats and technology environment, the workforce is required
to continually design, implement, maintain and improve the necessary cyber security practices. In parallel to the NIST
CSF, the Operator can use the NIST SP 800-181 Revision 1 – National Initiative for Cybersecurity Education (NICE)
Cybersecurity Workforce Framework (NICE Framework)32, which serves as the fundamental resource to support the
organizations to meet the cyber security needs.
Another useful source that can be considered by the Operator for the process of workforce planning is A Roadmap
for Successful Regional Alliances and Multistakeholder Partnerships to Build the Cybersecurity Workforce 33
published by NIST. Worth considering guidance on workforce management is also the Cybersecurity Capability
Maturity Model (C2M2) developed by the Department of Energy. At European Union (EU) level, the documents that
will help one’s organization to address the workforce planning, as well as cyber security skills development, is the
Cybersecurity Skills Development in the EU 34, in which the European Union Agency for Cybersecurity (ENISA)
provided some recommendations.

2.2.3.1 Awareness and Training

Training, raising awareness, and developing cyber security skills, best practices, and processes, are critical elements
of the Cyber Security Program and culture within the organization. Its importance should not be underestimated; the
Operator should ensure its entire workforce complete cyber security awareness training, including the
understanding of cyber security hygiene and behavior best practices, alertness to unexpected system responses
and procedures to mitigate the consequences of the cyber-attack.
The purpose of the awareness training is to provide the relevant workforce with sufficient knowledge to understand
the cyber threats landscape, typical levels of vulnerability across the organization, one’s responsibilities, and how
one should react when a cyber-attack occurs or may have occurred.
The organization should provide other cyber-related training depending on specific roles or relevant groups of staff
and identify corresponding risks (e.g. cockpit and cabin crew, developers, privilege access users, personnel with
access to the most sensitive information in an organization, maintenance technicians, etc.). For example, the
Operator should ensure that the individuals responsible for the CSIAD complete suitable and sufficient cyber
security training and skills development before being appointed to the role and its responsibilities. To measure the
evolution of the cyber security culture of the workforce, the organization should have in place some testing tools
such as white phishing exercises, etc. The organization should have a process in place to review and update its
training courses to ensure one remains up to date. Such updates should consider business and regulatory changes
(i.e., acquisition of new software, discontinuation of software, new services or business lines, new regulations,
standards, and best practices).
More details on the awareness and training can be found in the latest Edition 4 of the SeMS Manual. 35 Moreover, the
Operators may consider the NIST guidelines for building and maintaining a comprehensive awareness and training
program for their workforce that is included in the NIST SP 800-50.36

32
NIST, SP 800-181 Revision 1, Workforce Framework for Cybersecurity (NICE Framework), 2020.
33
NIST, NISTIR 8287, A Roadmap for Successful Regional Alliances and Multistakeholder Partnerships to Build the Cybersecurity Workforce, 2020.
34
ENISA, Cybersecurity Skills Development in the EU, 2020.
35
IATA, Security Management System (SeMS) Manual, Edition 4, 2020.
36
NIST, SP 800-50, Building an Information Technology Security Awareness and Training Program, 2003.

20 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

Chapter 3. Overview of Aircraft Cyber Security Elements
3.1. Aviation Ecosystem Elements
The civil aviation ecosystem requires the collaboration of multiple stakeholders whose systems are highly
interconnected and need to be secured and protected at the proper level. Many elements play a key role in delivering
a safe operation of the aircraft as well as a more personalized experience of the air transport, while at the same time
enabling operational efficiency and revenue generation for the industry.

Figure 3.1(1). Civil Aviation Ecosystem

Civil Aviation Ecosystem

Airline Connected
Elements

Aircraft

Source: IATA

As presented in the figure above, to understand the complexity of the entire aviation ecosystem and its
interconnected elements we will have a look now at the different stakeholders or entities of this sector. Then, we will
focus on the airline organization and connecting element and finally the critical part which is the aircraft itself and its
connecting elements.
For this document, referring to the EUROCAE ED-201: Aeronautical Information System Security Framework
Guidance, aviation stakeholder framework, we can distinguish the following, but not limited to, list of stakeholders37:
• Manufacturers like Original Equipment Manufacturers (OEMs), System Suppliers, Design Approval
Holders (DAHs) of aircraft, systems, and devices integrated into the aircraft;
• Operators: i.e., airlines, airports, Air Navigation Service Providers (ANSPs);
• Maintenance and repair providers of aircraft, systems, networks, etc.;
• Regulatory and governance entities: legislators, regulators, auditors, etc.;

37
EUROCAE, ED-201: Aeronautical Information System Security (AISS) Framework Guidance, 2015.

21 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

 • Standardization entities: originations responsible for standards development;
• Passengers.
However, different stakeholders are present in the aviation ecosystem and each represents different roles,
objectives, motivation, strength, or abilities, all play a crucial role in terms of aviation cyber security, especially that
the flow of data between different stakeholders is increasing.
The complexity of the aviation ecosystem, interconnected systems, and the flow of data is presented on the below
map.

Figure 3.1(2). Aviation Ecosystem

Source: IATA (based on AIAA)38

It needs to be underlined that the complexity of multiple stakeholders, especially product suppliers and service
providers, relationships on both the aircraft and the industry, in general, create a challenge for the industry in terms
of the responsibilities, who holds the responsibility, and which area. This is very important to have a clear picture and
understanding of where one’s responsibility sits and to what extent to ensure clear accountability for safety and

38
AIAA, The Connectivity Challenge: Protecting Critical Assets in a Networked World, A Framework for Aviation Cybersecurity, August 2013, Figure 1 at p. 8.

22 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

security.
The accountabilities at different stages of the aircraft lifecycle will be further addressed in Part 2-Chapter 2 of this
guidance material.

3.2. Organization and Connecting Elements

The Operator to perform its operations interacts with many different stakeholders and parties within the entire
aviation ecosystem. Hence, the airlines increasingly take advantage of the increased reliability, accuracy, and
efficiency that can be delivered by automation as well as interactions with third parties/supply chain,
communications, and networking within the daily operations. This refers not only to the flight operations but also to
other several business units responsible for maintenance, ground operations, airport operations as well as cargo.
Also, many civil aviation stakeholders/supply chain, manufacturers, and system suppliers, support/provide services
to the airlines concerning cyber security. The figure below represents the Airline Organization and the groups of
stakeholders that usually the Operators, in general, interacts with.

Figure 3.2(1). Airline Organization and Interacting Stakeholders

Manufacturers,
System
Suppliers,
Service
Providers

Airports Governments

Airline
Organization

Financial Other Bussines

Institutions Units

Passengers

Source: IATA

The two tables below present a non-exhaustive list of the airline business and aircraft operations systems for which
the Operator is responsible. However, it needs to be underlined that for each system different players/individuals
have a responsibility, both internal to the organization and external where systems are supplied by different
stakeholders what is covered by the Service Level Agreements (SLAs). More information and recommendations on

23 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

the SLAs may be found in the ED-201: Aeronautical Information System Security (AISS) Framework Guidance 39.
Therefore, due to the complexity, solid procedures, communication, and clearly defined responsibilities need to be
defined/put in place.

Figure 3.2(2). Airline Business Systems Figure 3.2(3). Aircraft Operations Systems

Customer Support Applications Aircraft Operations Applications

• Customer Relationship Management • Flight Release Software
• Social media • Weather Application
• Flight Management System
Airline Operations Applications
• CMU (Central Management Unit)
• Reservation System • Cabin Management Systems
• Departure Control System • ACARS
• Passenger Data Transfer
• CPDLC (Controller Pilot Data Link Communications)
• Reservation System • Navigation Systems (GNSS, TCAS/ATC, ILS, etc.)
• Flight Planning
• Airport Kiosks Aircraft Maintenance Applications
• Airport CUTE System • E-Logbook
• Airport CUSS System • Central Management Operating Software
Passenger Service Applications
• Websites
• Mobile Applications
• Frequent Flyer
• In-Flight Entertainment
Crew Operations Applications
• Take-off and landing (TOLA) performance software
• Crew Scheduling
• Crew Mobile Phones
• Cabin Crew Tablets
• ePIL (Passenger Information List)
• Electronic Crew Reporting

Corporate Applications
• E-mail
• Network (VPN)
• Accounting
• Revenue Management
Cargo Applications
• Cargo Booking System

Source: IATA

39
EUROCAE, ED-201: Aeronautical Information System Security (AISS) Framework Guidance, 2015.

24 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

3.3. Aircraft and Connecting Elements
The aircraft is now very digitalized and contains a large number of systems, therefore the process of securing them
requires the involvement of many different stakeholders. In recent years, the electronic content (systems and
networks) has evolved rapidly, where the map of interconnections is very complex now. The aircraft connectivity
brings a lot of value in term of its maintenance, health monitoring, more efficient costs of operations as well as better
passenger experience. This entire process of digitalization, however, may bring also some risks associated with the
exposure of the on-board systems.
The OEMs/Systems Suppliers/DAHs deliver new solutions for the Operators to meet different expectations from the
industry in terms of aircraft design, more efficient engines, passenger experience, and computing capacity.
Therefore, the aircraft is designed and built now with the integrated software and networked avionics, which are
placed in the different aircraft domains, differing with the level of trust.
ICAO, together with the other industry stakeholders defined three main aircraft domains, which are the following:
• Aircraft Control Domain (ACD);
• Aircraft/Airline Information Services Domain (AISD); and
• Passenger Information and Entertainment Systems Domain (PIESD).

Figure 3.3(1). Aircraft Domains

Airline
Passenger Information Aircraft
Information
and Entertainment Control
Service
System Domain Domain
Domain

PIESD AISD ACD

Source: IATA

The principal function of the Aircraft Control Domain (ACD) is to ensure safe aircraft operation. The secure
exchange of the ACD helps also to track and manage the aircraft in a more accurate way. It requires adherence to
the highest standards of international aviation safety. Because of the critical nature of this domain, the exchange of
data always needs to be guaranteed. It should be noted that the ACS is comprised of different systems including
control from the cockpit, environmental systems, and other things like smoke detectors, doors, and the evacuation
slides.
The Aircraft/Airline Information Services Domain (AISD) contains systems providing services that are not critical,
with the principal function to ensure the connectivity between other domains. The systems in the AISD play a key
role in the aircraft operation, however, do not bear on the control of the aircraft. This domain is used by the airlines
to support the applications and content either for cabin or flight crew. The systems are not defined as mission-critical

25 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

but may be important from the commercial and operational point of view. The AISD provides airlines operational and
administrative data to the cockpit, aircraft cabin, connects with the maintenance services, as well as supports the
PIESD domain.
The Passenger Information and Entertainment System Domain (PIESD) plays a role in providing and supporting
passengers with services such as on-board entertainment, Internet connectivity, etc. This highly depends on the
airlines on what services/level of entertainment is provided to the passenger experience (ie., in-flight entertainment,
passenger flight information, as well as access to the Intranet).
Moreover, the formalized definition of aircraft systems and airborne networks is organized into aircraft domains
provided by ARINC-664 standards, which are served by the airborne networks and systems with the same
requirements for performance, safety, and security. As per the following documents, ARINC664P1-240 and
ARINC664P541, four different domains are distinguished. The first three are the same as already mentioned above.
The other, however, the fourth domain is called the Passenger Owned Devices Domain (PODD), which includes any
device that passengers may connect on-board with the in-flight entertainment service.
To ensure the appropriate level of safety and security, the aircraft domains are physically separated or otherwise
logically segregated. Therefore, the aircraft control systems, built in the ACD, are separated from other domains.
The figure below presents the domains with the characteristics of closed, trusted, and untrusted as well as presents
the systems and connecting elements to each of the three domains.

Figure 3.3(2). Aircraft Domains and System Examples

PIESD AISD ACD

Untrusted Trusted Closed

Public Systems Airlines Operation Aircraft Control

• In-Flight Entertainment (IFE) • Flight Support Systems (EFB, NavDB, ACARS) • Flight Control Systems (FMS)
• Pub Device Connection & Web • Aircraft Data Network • Cabin Core Systems
Access • Aircraft Health Monitoring (AHM)
• Admin/Cabin Support (Crew Devices, PAX, POS)
• Maintenance Support (Softw Updates, Sensor Data,
Pred Maint.)

• Air-Ground Network Telecom • Air-Ground Network Telecom (Wi-Fi, LAN, Cellular, • Air-Ground Network Telecom
(Wi-Fi, LAN, Cellular, SAT) SAT) (VHF, HF, SATCOM, GPS/GNSS)

Source: IATA

40
ARINC, 664P1-2 Aircraft Data Network, Part 1, Systems Concepts and Overview, 2019.
41
ARINC, 664P5 Aircraft Data Network, Part 5, Network Domain Characteristics and Interconnection, 2005.

26 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

From the functional architecture standpoint, the PIESD is UNTRUSTED, and, is assumed to be compromised,
therefore it bears the lowest integrity level. No information is shared from that domain to the higher trusted domains,
as only expected data or information is considered within the trusted domains. Both AISD and ACD qualify as
TRUSTED domains, ACD being the highest integrity systems of the aircraft. Those domains do not trust the lower
integrity domain, for this is the security basis of the aircraft architecture. The separation between the domains
translates into some specific limitations for the usage of communication systems, for example:
• Equipment for radio communication attached to the ACD domain is restricted to the systems in the ACD
(e.g., Air Traffic Control, Airlines Operational Communications);
• Equipment for radio communication attached to other domains is restricted to the systems in these
domains (e.g., Airlines Operational Commun, Airlines Administrative Communications, Aeronautical
Passenger Communications).
The general growth in aircraft digitalization introduced a number of systems, networks, and equipment listed below
that are important for aircraft operations. However, they are beneficial, some potential matters need to be
considered when referring to the security of the aircraft and its interconnected ecosystem.

• Aircraft Communications Systems: digital air-to-ground communication systems using links like Very
High Frequency (VHF) or SATCOM.
• Aircraft-Ground Links: emerging satellite air-ground communication systems, etc.
• Aircraft Maintenance: maintenance of the aircraft is now more based on the technology, enabling data
transmission directly to the maintenance teams. This process is crucial in terms of the continuing
airworthiness of the aircraft and aircraft parts. Therefore, it is important to secure the systems and
devices responsible for this process, as this contributes to flight safety.
• Aircraft Health Monitoring (AHM): OEMs/Systems Suppliers provide a connected technology to
support the Operators in terms of the AHM to enable addressing any issues and more accurate
maintenance as early as possible.
• Electronic Flight Bag (EFB): portable devices used for storage and display of many different aviation
data, considered as computing platforms to reduce/replace any paper-based information and
documentation ( flight charts, maps, engineering information) used by the crew during the flight.
• Non-trusted Services/Networks: aircraft systems connecting to non-trusted services and networks,
including airport gate link networks (e.g. GateLink), cellular networks, and portable electronic devices.
• In-Flight Entertainment (IFE): cabin communications and connectivity, also with wireless distribution,
providing on-board entertainment and better passengers experience.
For a better understanding of where each component is placed in terms of aircraft domains, please refer to Figure
3.3(2) above.

27 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

Appendix A: Data Privacy In-Flight
The EU General Data Protection Regulation (GDPR) 42 and other equivalences across the globe were pushed forward
in support of the privacy and security of the personal information and data that is created, transited, and/or at rest,
whether from an application, system, infrastructure or network. Therefore, the data which flows between the
different aviation stakeholders, and connecting to the aircraft, also fall under these regulations. One of the domains
of the aircraft which is essential to the value proposition of an Operator is the PIESD. Even though this domain does
not control the aircraft, it is as important as the other domains, since it is the backbone network for the passengers,
who need to be comforted that they are connecting to a secure environment, and their Personal Identifiable
Information (PII) and data will remain private as well as protected. Whether on-ground or in-flight, the requirements
over privacy and security are the same and subject to fines if a data breach occurs.
At the organization level, airlines are entrusted with different personal information which may be subjected to
different fines when a data breach occurs which may include data loss, damage, or theft. Already, some airlines have
been fined over data breaches reaching hundreds of millions of dollars or euros. But some systems on-board the
aircraft holds and transmits personal information, often via the Flight Crew systems, such as credit card payments,
which are covered by PCI DSS, wireless internet connection systems offered to passengers may also hold, transit,
or have access to personal information or identifiable information which needs to be protected. That information,
systems, and data need to be identified, classified, or categorized and protected accordingly. Passenger to
passenger cyber-attacks should be considered as very impactful to the business’ trust and reputation. Use case
scenarios should be developed relative to possible exploitation of the network allowing those types of attack or
capabilities, and security measures and mitigations should be put in place and assessed periodically to maintain a
good cyber security posture.

42
EU GDPR, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

28 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

List of Acronyms
Acronym Term

ACARS Aircraft Communications Addressing and Reporting System

ACD Aircraft Control Domain
ACSR Aviation Cyber Security Roundtable
ACSTF Aircraft Cyber Security Task Force
AHM Aircraft Health Monitoring

AIMS Airplane Information Management System

AISD Aircraft/Airline Information Services Domain
AISS Aeronautical Information System Security
ANSP Aircraft Network Security Program
ARINC Aeronautical Radio, Incorporated
C2M2 Cybersecurity Capability Maturity Model
CEO Chief Executive Officer
CIA Confidentiality, Integrity, and Availability
CIO Chief Information Officer

CISO Chief Information Security Officer

COBIT Control Objectives for Information and Related Technology
CPDLC Controller–Pilot Data Link Communications
CSF Cyber Security Framework
CSIAD Critical Systems, Information, Assets, and Data
CSO Chief Security Officer
DAH Design Approval Holder
EFB Electronic Flight Bag
ENISA European Union Agency for Cybersecurity

EU European Union
EUROCAE European Organization for Civil Aviation Equipment
FAA Federal Aviation Administration
FANS Future Air Navigation System
FISMA Federal Information Security Modernization Act
GDPR General Data Protection Regulation

29 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

 GLONASS Global Navigation Satellite System
GNSS Global Navigation Satellite System
GPS Global Positioning System
GRC Governance, Risk, and Compliance
ICAO International Civil Aviation Organization
ILS Instrument landing system
IP Internet Protocol
ISM IOSA Standards Manual
ISO International Organization for Standardization
LRU Line-Replaceable Units
NICE National Initiative for Cybersecurity Education
NIST National Institute of Standards and Technology
NOTAMs Notices to Airman
OEM Original Equipment Manufacturer
PCI DSS Payment Card Industry Data Security Standard
PIESD Passenger Information and Entertainment Systems Domain
PODD Passenger Owned Devices Domain
RMF Risk Management Framework
RTCA Radio Technical Commission for Aeronautics
SARPs Standards and Recommended Practices
SATCOM Satellite Communications
SLA Service Level Agreement
SMS Short Message Service

SeMS Security Management System

TCAS Traffic Collision Avoidance System
TCP Transmission Control Protocol
VHF Very High Frequency

30 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

List of References
1. AIAA, The Connectivity Challenge: Protecting Critical Assets in a Networked World, A Framework for Aviation
Cybersecurity, August 2013.
2. ARINC, 664P1-2 Aircraft Data Network, Part 1, Systems Concepts and Overview, 2019.
3. ARINC, 664P5 Aircraft Data Network, Part 5, Network Domain Characteristics and Interconnection, 2005.
4. ENISA, Cyber Security Culture in organisations, 2018.
5. ENISA, Cybersecurity Skills Development in the EU, 2020.
6. EU GDPR, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free movement of
such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
7. EUROCAE, ED-201: Aeronautical Information System Security (AISS) Framework Guidance, 2015.
8. EUROCAE, ED-201: Aeronautical Information System Security (AISS) Framework Guidance, 2015.
9. FAA, Order 8900.1 Volume 3, Chapter 61.
10. IATA, Aviation Cyber Security Roundtable, Read Out, 2019.
11. IATA, IOSA Standards Manual (ISM) Ed. 14, 2020.
12. IATA, Security Management System (SeMS) Manual, Edition 4, 2020.
13. ICAO, Annex 17 – Security, 10th edition, 2017.
14. ICAO, Aviation Cybersecurity Strategy, 2019.
15. ICAO Aviation Security Global Risk Context Statement, Second Edition, 2019 (Doc 10108).
16. ISO/IEC, 27000 Family of Standards.
17. ISO/IEC 27001:2013, Information technology — Security techniques — Information security management
systems — Requirements, 2019.
18. ISO/IEC 27005: 2018, Information technology — Security techniques — Information security risk
management, 2018.
19. ISO/IEC, 27032:2012, Information technology — Security techniques — Guidelines for cybersecurity, 2012.
20. NIST, NISTIR 8287, A Roadmap for Successful Regional Alliances and Multistakeholder Partnerships to Build
the Cybersecurity Workforce, 2020.
21. NIST, SP 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations—A
System Life Cycle Approach for Security and Privacy, 2018.
22. NIST, SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View,
2011.
23. NIST, SP 800-50, Building an Information Technology Security Awareness and Training Program, 2003.
24. NIST, SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, 2020.
25. NIST, SP 800-82 Revision 2, NIST SP 800-82 Rev. 2 Guide to Industrial Control Systems (ICS) Security, 2015.
26. NIST, SP 800-100, Information Security Handbook: A Guide for Managers, 2007.

31 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

27. NIST, SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, 2011.
28. NIST, SP 800-181 Revision 1, Workforce Framework for Cybersecurity (NICE Framework), 2020.
29. NIST, Cybersecurity Framework (CSF).
30. NIST, Federal Information Security Modernization Act, 2014
31. NIST, FISMA Implementation Project.
32. NIST, Framework for Improving Critical Infrastructure Cybersecurity Version 1.1, 2018.
33. NIST, Roadmap for Improving Critical Infrastructure Cybersecurity Version 1.1, 2019.
34. UK CAA, CAP1850, Cyber Assessment Framework (CAF) for Aviation, 2020.

(END)

32 Aviation Cyber Security Guidance Material | PART 1 Edition 1 | February 2021

 .

Aviation Cyber Security

Guidance Material
Part 2: Aircraft
Edition 1 | February 2021
 DISCLAIMER.

The information contained in this guidance

material is subject to constant review in the light of
changing government requirements and
regulations. No subscriber or other reader should
act on the basis of any such information without
referring to applicable laws and regulations and
without taking appropriate professional advice.
Although every effort has been made to ensure
accuracy, the International Air Transport
Association shall not be held responsible for any
loss or damage caused by errors, omissions,
misprints or misinterpretation of the contents
hereof. Furthermore, the International Air
Transport Association expressly disclaims any
and all liability to any person or entity, whether a
reviewer of this guidance document or not, in
respect of anything done or omitted, and the
consequences of anything done or omitted, by
any such person or entity in reliance on the
contents of this guidance material.
For feedback, questions or comments please
contact us at: [email protected].

2 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021

Contents
Revision Record ..................................................................................................................................................................................... 4
List of Contributors ............................................................................................................................................................................... 5
Introduction ............................................................................................................................................................................................. 6
Chapter 1. Scope of the Guidance .................................................................................................................................................. 7
1.1. Applicability .......................................................................................................................................................................................... 7
Chapter 2. Aircraft Airworthiness Cyber Posture ..................................................................................................................... 8
2.1. Cyber Security Considerations at Aircraft Procurement Stage ........................................................................................ 8
2.2. Cyber Security Posture Upon Delivery ....................................................................................................................................... 8
2.3. Continuing Airworthiness and Accountabilities for the Operator ..................................................................................... 9
2.3.1 National Requirements and Recommendations............................................................................................................. 9
2.3.2 Devising a Compliance Program ....................................................................................................................................... 10
2.4. Cyber Security Considerations Relative the Parked Aircraft............................................................................................ 11
2.5. Reporting of Non-Compliant Issues .......................................................................................................................................... 12
Chapter 3. Aircraft Cyber Risk Management ............................................................................................................................ 13
3.1. Threat Landscape ............................................................................................................................................................................ 13
3.1.1 Defense Measures .................................................................................................................................................................. 14
3.2. Devising Aircraft Risk Management Program ........................................................................................................................ 15
3.3. Cyber Risk Assessment ................................................................................................................................................................. 16
3.3.1 Devising a Vulnerability Assessment ............................................................................................................................... 17
3.4. Regular/Periodic Risk Assessment ............................................................................................................................................ 18
3.5. Emergency Management and Incident Response ............................................................................................................... 18
List of Acronyms .................................................................................................................................................................................. 21
List of References ............................................................................................................................................................................... 23

3 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021

Revision Record

Symbol Meaning

□ Insertion

△ Amendment

⨂ Deletion

Revision Table

Revision Date Section(s) Significant Changes

Edition 1 9 February 2021 First release

4 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021

List of Contributors
This guidance document is issued with grateful acknowledgment to the organizations listed below (in alphabetic
order) who continuously contribute expert advice and comments on the contents compiled herein.
• Air Canada
• Air France-KLM
• American Airlines
• British Airways
• Copa Air

• FedEx

• IAG

• KLM
• Korean Air

• Lufthansa
• Qantas

• Qatar Airways
• United Airlines

5 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021

Introduction
Aviation Cyber Security is a key priority for airlines mainly because of the industry adoption of digitalization is well
underway and, if the approach is not carefully protected at the design to the operational stage, new levels of
connectivity and optimization may result in previously unknown cyber vulnerabilities to materialize. As is currently
experienced, adversaries continue exploiting vulnerabilities in systems for financial, reputational, and disruption-
related gains.
Currently, cyber-linked terrorism against aircraft is assessed as “low”1, but continuous enhancement of
countermeasures is required. To face the challenges relative to aviation cyber security, the Aircraft Cyber Security
Task Force (ACSTF) was established in March 2018. IATA, through ACSTF and Aviation Cyber Security Roundtable
(ACSR)2, held in Singapore in 2019, as well as regulatory forums, industry workshops, and events, as well as raises
awareness among key stakeholders about the challenges and opportunities related to aviation cyber security.
The November 2019 ACSTF meeting discussed the importance of developing guidance material. This resulting
guidance provides airlines with recommendations on adopting a minimal cyber security posture.
While this document defines a baseline and provides airlines with minimum recommendations and checklists to
adopt a cyber security posture, it is imperative that the final decision to follow recommendations belongs to airlines,
based on their respective internal governance and self-assessment of the inherent risks and mitigations already in
place.
Feedback related to the content of this document should be sent to [email protected].

1
ICAO, Aviation Security Global Risk Context Statement, Second Edition, 2019 (Doc 10108).
2
IATA, Aviation Cyber Security Roundtable, Read Out, 2019.

6 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021

Chapter 1. Scope of the Guidance
1.1. Applicability
This guidance is applicable to any Operator with the e-connected aircraft. The guidance may also apply to specific
scenarios to Operators with legacy aircraft, such as with aircraft component software data loading and with certain
avionics navigational/communication systems.
It is aligned with the International Civil Aviation Organization (ICAO) Cybersecurity Strategy3 and relevant Standards
and Recommended Practices (SARPs), such as those related to Annex 17 – Security, and measures concerning
cyber threats contained in Standard 4.9.1 under which each Contracting State shall ensure that “operators or entities
as defined in the national civil aviation security programme or other relevant national documentation identify their
critical information and communications technology systems and data used for civil aviation purposes and, in
accordance with a risk assessment, develop and implement, as appropriate, measures to protect them from unlawful
interference.”4
This ICAO Standard is reflected in IATA’s IOSA Standards Manual (ISM) and can be found in the modified Standard
SEC 4.1.1 (Security Section) in the 14th Edition (December 2020) effective from September 2021 and via a
Recommended Practice of the ORG 3.1.6 (Organization and Management System Section). 5
The Aviation Cyber Security Guidance Material Part 1 relates to the cyber security of the organization, and Part 2 to
the aircraft cyber security and risks management. This guidance material includes an overview of responsibilities
incumbent on Operators and provides recommendations regarding:
• Minimal cyber security culture and posture within an organization;
• Overview of aviation ecosystem, organization, and connecting elements;
• Airworthiness cyber posture of the aircraft at the procurement stage and upon delivery;
• Continued airworthiness accountabilities of the Operator;
• Cyber security relative to the prolonged storage/parking of aircraft;
• Devising a risk management program; conducting a periodic risk assessment as well as emergency
management and incident response.
For the definitions of the e-connected and legacy aircraft types please refer to Part 1: Organization Culture and
Posture (Section 1.2.1 and Section 1.2.2) of this guidance material.

3
ICAO, Aviation Cybersecurity Strategy, 2019.
4
ICAO, Annex 17 – Security, 10th edition, 2017.
5
IATA, IOSA Standards Manual (ISM) Ed. 14, 2020.

7 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021

Chapter 2. Aircraft Airworthiness Cyber Posture
2.1. Cyber Security Considerations at Aircraft Procurement Stage
Each region and country have their laws over the Transfer of Title/Transfer of Ownership of an aircraft, whether this
aircraft is registered locally or not, whether it requires proof of ownership, a bill of sales or similar agreements. Thus,
respective processes need to be followed, in order to ensure their validity. Inspections should include cyber security
elements; the registration of the aircraft is then transferred to the new owner.
As Operator is responsible and accountable for the aircraft’s compliance after the Transfer of Title, it is important to
include in the Request for Proposal (RFP) or Tender, cyber and information security requirements that the Original
Equipment Manufacturers(OEMs)/System Suppliers and the Design Approval Holders (DAHs), as well as its tiers,
should be covering and/or be responsible for.
Risks inheritance/acceptance and transference disclosure and mitigation procedures should be part of RFP and
Service Level Agreements (SLAs). RFPs and SLAs should indicate who is responsible for what, and the means to
comply and provide proof of compliance. OEMs/System Suppliers and the DAHs should also provide different
logging capacity and reporting mechanisms for the Operator for security integration with the Risk Management
Framework (RMF). The Operator may refer to the standards included in the ITIL (Information Technology
Infrastructure Library) 4 and Service Agreements Management – APO09 (COBIT2019) in support of the SLAs
processes.
SLAs should include vulnerability disclosure at the time of discovery, update and/or patching roadmap, and
exceptions over security aspects, procedures, and associated risks aspects.

2.2. Cyber Security Posture Upon Delivery

Upon entry into service of a new e-connected aircraft, the airworthiness certificate should cover the cyber security
elements which may impact safety. The latest version of the ED-202A6/DO-326A7 (Airworthiness Security Process
Specification) and ED-203A8/DO-356A9 (Airworthiness Security Methods and Considerations) cover these
requirements for the OEMs/Suppliers and the DAHs. ARINC 811(Commercial Aircraft Information Security Concepts
of Operation and Process Framework)10 offers definitions and recommendations on airborne networks and
associated information security concepts of operation and process. Those references help support the Operator
understanding the risk landscape they are inheriting or accepting, as well as put together or adjust the requirements
for risk assessment activities.
Even though an aircraft has a valid Certificate of Airworthiness (CoA), the requirements of cyber security cover much
more, and the residual risks should be transparently disclosed, so that the Operators may decide to accept or
transfer those risks. OEMs and system suppliers should provide a list of cyber risks/vulnerabilities and mitigation or
proactive measures, as well as how the risks and security were evaluated and tested. The new owner should have a
good understanding of the inherited risks and therefore, accepting upon the aircraft delivery.

6
EUROCAE, ED-202A - Airworthiness Security Process Specification, 2014.
7
RTCA, DO-326A - Airworthiness Security Process Specification, 2014.
8
EUROCAE, ED-203A - Airworthiness Security Methods and Considerations, 2018.
9
RTCA, DO-356A - Airworthiness Security Methods and Considerations, 2018.
10
ARINC, 811 Commercial Aircraft Information Security Concepts of Operation and Process Framework, 2005.

8 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021

Security Handbooks from the OEMs/System Suppliers and the DAHs confers the process and procedures required
and expected from the Operators, to help maintain the security posture and hop hold the validity of its CoA. Based
on the requirements of the OEMs/System Suppliers and the DAHs, the Operator will need to develop an Aircraft
Information Security Program (AISP)/Aircraft Network Security Program (ANSP) 11 which integrates the requirements
and obligations of the Operator over cyber security.
One has to keep in mind that the provided security material may not be specific enough for one to understand how
to validate/test and confirm if over time, and after numerous modifications and updates, specific vulnerabilities are
exposed or could change the criticality or severity of possible impacts. Clear exchange of information and
collaboration is required, to keep all passengers and stakeholders, safe.

2.3. Continuing Airworthiness and Accountabilities for the Operator

Even if the Operator can delegate responsibilities via legal contracts and SLAs, in the end, the entity accountable to
demonstrate compliance over the cyber security elements relative to safety, remains the Operator. In order to
provide proof and assurance, Operators, OEMs/System Suppliers, and DAHs need to work together to ensure the
cyber security posture of aircraft over critical information systems, the underlying data networks, and
interconnected systems, including Ground Support Equipment (GSE), Ground Support Information Systems (GSIS),
maintenance equipment as well as airborne software connecting to the aircraft which may have an impact on safety.
Regarding continued airworthiness aspects, the Operator should consult the latest version of the ED-204A/DO-
355A (Information Security Guidance for Continuing Airworthiness), which helps distinguish responsibilities between
the DAH and the Operator. ED-202A/DO-326A and ED-203A/DO-356A are used to understand the specific
requirements and related processes over the security evaluation of the equipment, relative to airworthiness.
The amendment of the Commission Regulation (EU) 748/201212 introduced provisions where Operators will need to
comply at the organization level, over aviation information security which could have an impact on safety. Other
coming EUROCAE EDs/RTCA DOs are currently under development to help support other cyber security aspects.
Although the EDs and DOs are not the only Means of Compliance (MoC) recognized by the authorities, those
documents should be considered while establishing the required processes in order to comply with the regulations.
Those can also be used as a comparative argument, gap analysis, and support request for budgets necessary to
achieve a comparable level of compliance.

2.3.1 National Requirements and Recommendations

For the ICAO Member States, part of the Chicago Convention, ICAO Annex 17 – Security13, the Standard 4.9.1, and
Recommended Practice 4.9.2 (or equivalent, for the Annex 17, is under revision), are the only Standards and
Recommended Practices (SARPs) that covers cyber security. Different documents are used as guidance material to
assure the protection of the critical information and communication technology systems against intentional
interference. The ICAO Aviation Security Manual - Document 897314, Chapter 18th, (restricted Access), is such a
document.

11
Note that the Aircraft Information Security Program (AISP) is EUROCAE term used in the ED-204A (Information Security Guidance for Continuing Airworthiness),
while Federal Aviation Administration (FAA) equivalence for this term is Aircraft Network Security Program (ANSP).
12
Commission Regulation (EU) No 748/2012 of 3 August 2012 laying down implementing rules for the airworthiness and environmental certification of aircraft and
related products, parts and appliances, as well as for the certification of design and production organisations.
13
ICAO, Annex 17 – Security, 10th edition, 2017.
14
ICAO, Aviation Security Manual (Doc 8973 – Restricted).

9 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021

For compliance with the ICAO Standard, different Member States have proposed different regulations. In June 2020,
the European Aviation Safety Agency (EASA), rendered its decision over the latest modifications of their regulations
over Aircraft Cyber Security. This ED Decision 2020/006/R (Aircraft Cyber Security) and related Notice of Proposed
Amendment (NPA) 2019-0115 covers equipment, systems, and network information protection and Information
system security Instructions for Continued Airworthiness (ICA). Acceptable Means of Compliance (AMC) have been
expressed as, but not exclusive to, the ED-202A/DO-326A, ED-203A/DO-356A, and the ED-204A16/DO-355A17.
These measures are expected to be enforced over the year 2021 and further.
Other MoC also refers to the ISO/IEC 2700118 suite and the NIST Cybersecurity Framework (CSF) 19 and the other
NIST Special Publication reference materials, which may be adapted to comply. The existing framework, within an
organization, may also be assessed and deemed sufficient for compliance, according to the national regulations and
requirements.
Meanwhile, IATA also introduced the first set of measures over Aircraft Cyber Security, for its IATA Operational
Safety Audit IOSA Program, namely Edition 14th of the ISM20. A first Recommended Practice is adopted for the ORG
(Organization) Section, while a second, modified an existing standard in the SEC (Security) Section over the Security
Threat Management, to include cyber security threats to aircraft.
A full description of existing material, in support of legal instruments, regulations and compliance can be found in the
IATA reference document entitled “Compilation of Cyber Security Regulations, Standards, Guidance for Civil
Aviation”.21

2.3.2 Devising a Compliance Program

Establishing a Compliance Program over the Aircraft Cyber Security aspects, within the Operator’s organization,
should be evaluated. The goal of a Compliance Program is to establish processes and procedures to demonstrate
compliance over the regulations and SARPs and includes the oversight of audits. It then reports to the higher
management, after analysis, a compliance portrait and a gap analysis to determine deviations over items of non-
conformity and proposes a roadmap for a compliance action plan to bridge the gap and reduce non-compliance
issues. This program is normally established by a single point of contact, usually a Senior Officer, and provides the
necessary means for the accountable manager to obtain the necessary resources, tools, and budget to support the
business.
Under this program, the Operator will need to demonstrate that one maintains the expected level of security for
software distribution and security and integrity of the network onboard the aircraft. In order to establish a compliance
portrait and determining the gaps or deviations, the Compliance Program will use the internal, developed by the
Operator, AISP/ANSP, which will be based on different security handbook requirements 22, and other security
materials provided by the OEMs/System Suppliers and DAHs. One will need to pay special attention to specific parts
over implementation objectives for which guidance material is proposed.
The Operator will then cross-reference the Compliance Program with the current standards and requirements, so
that nothing is overlooked and that its compliance portrait is complete. Audits are regularly executed to ensure the

15
EASA, ED Decision 2020/006/R: Aircraft Cyber Security and related Notice of Proposed Amendment: NPA 2019-01.
16
EUROCAE, ED-204A - Information Security Guidance for Continuing Airworthiness, 2020.
17
RTCA, DO-355A-Information Security Guidance for Continuing Airworthiness, 2020.
18
ISO/IEC 27001, Information Security Management.
19
NIST, Cybersecurity Framework (CSF).
20
IATA, IOSA Standards Manual (ISM) Ed. 14, 2020.
21
IATA, Compilation of Cyber Security Regulations, Standards, and Guidance Applicable to Civil Aviation, 2021.
22
Set of requirements included in the security handbooks provided by the OEMs, System Suppliers, DAHs.

10 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021

required level of compliance, and non-conformity issues are attended to.

2.4. Cyber Security Considerations Relative the Parked Aircraft

As this is the first health crisis this industry suffers, the security handbooks from different OEMs/System Suppliers
and DAHs do not cover the particulars of aircraft being parked for months, sometimes, in an unusual setting.
The following represents the latest cyber security recommendations for prolonged parked aircraft over the restart:
• Perform a Risk Assessment of critical information/data and communications technology systems
related to aircraft operations and connectivity based on the new cyber security posture (as emerging
from the pandemic context), including cyber security for continued airworthiness;
• Validate with the OEM the list of critical systems, and ensure logs are integrated and new baselining
ready for anomaly detection, and updates are validated with integrity checks;
• Involve the relevant overseeing airworthiness Authority to validate and distribute possible missing
information, guidance, or disclosure on software patch and updates or other mitigations and/or
countermeasures;
• Communicate with entities/subcontractors engaged in the Supply Chain for modifications and
adjustments to systems and processes, and to ensure logs are integrated and new baselining ready for
anomaly detection, and updates are validated with integrity checks;
• Log review, validation, and archiving of all software relative to critical systems, to ensure that no illicit
software was installed or connected to the aircraft, illicit aircraft system access, or modification during
parking & storage. Should an illicit action be suspected, maintenance actions should be performed to
check the integrity of the connected systems and, whenever necessary, restore them according to the
relevant entity’s instructions;
• Implement an approach identical to the one mentioned immediately above with respect to all
maintenance devices, systems like Data loaders, media, all software and credential systems;
• Review the OMP against the latest Risk Assessment, as new teams performing maintenance or remote
operations may have changed the landscape of the surface attack of some equipment, special attention
should be taken if such remote access could affect continued airworthiness aspects;
• Validate expiry dates of Certificates used to satisfy the identity assurance via the identity management
solution employed, as well as the Public Key Infrastructure (PKI) or cryptographic system for data
integrity assurance and requirement;
• Mobile Devices like Electronic Flight Bag (EFB) and Portable Multi-Purpose Access Terminal (PMAT) to
be updated and re-assessed under the new cyber security posture;
• Ensure that basic training in cyber security, checklists, and best practices are imparted to all teams
performing or supporting aircraft maintenance actions.
However, please note that the last three recommendations from the list above should be already practiced on a
regular basis by the Operator.

11 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021

2.5. Reporting of Non-Compliant Issues
The reporting of non-compliant issues will depend on each Operator depending on the location; however, it is
important to note that the Operator should report any non-compliant matters relative to the information security
occurrences to the appropriate entity, which should always be validated according to the national and/or regional
regulatory framework and requirements.
For example, the recently adopted ED Decision 2020/006/R (more specifically the AMC 20-42: Airworthiness
Information Security Risk Assessment)23, included provisions on the reporting in case of the information security
occurrences. It states that the Operator should report any information security occurrence to the OEM/System
Supplier/DAH for further impact analysis and undertake any necessary steps to fix the issue. In case the outcome of
the impact analysis will show an unsafe condition, then the OEM/System Supplier/DAH should report any issue to
the appropriate authority in a timely manner.

23
EASA, AMC 20-42: Airworthiness Information Security Risk Assessment.

12 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021

Chapter 3. Aircraft Cyber Risk Management
3.1. Threat Landscape
In order to understand the threat landscape of the aircraft and its interconnected systems, it is important to identify
the most important assets and respective attack surfaces in the context of functions, interfaces and data flow at
different stages of operations and including maintenance, configuration as well as at rest. Assets can be of physical
or virtual nature, such as hardware, software, telecommunication, information or data, systems and devices over
space, air (over-the-air OTA) as well as ground and the interconnected and communication assets.
Threats can be defined as a potentially harmful action or event, exploiting a vulnerability, exposure, or compromise,
which can have different levels of severity impacts over the loss of confidentiality, integrity, and availability, referred
as CIA, where:
• Confidentiality ensures that information is accessed and disclosed only to those authorized;
• Integrity ensures the accuracy, completeness, non-repudiation, and authenticity of information, assets,
and processing methods;
• Availability ensures that authorized users have timely and reliable access to information associated
assets when required;
Those threats or loss of asset security can have direct or indirect impacts on safety. ED-203A/DO-326A defines
assets security and threat conditions over the loss of either confidentiality, integrity, or availability in support to
threat scenarios identification.
Using ED-204A/DO-355A to map Continued Airworthiness requirements against the CIA and mitigation strategy can
help achieve a better understanding of the gaps and the implementation of security controls and other measures to
achieve resilience.
The main systems, but not limited to, which would require specific attention are described under three main domains
of the aircraft (already discussed in Part 1-Chapter 3 of the guidance):
• Aircraft Control Domain (ACD): Aircraft Communications Addressing and Reporting System (ACARS), Flight
Management Systems (FMS) and navigation systems (inertial, satellite, aids and TAWS), cryptosystem,
Instrument Landing Systems (ILS), Traffic Collision Avoidance System (TCAS), Controller–Pilot Data Link
Communications (CPDLC), and other sensors telemetry related, etc.
• Aircraft/Airline Information Services Domain (AISD): flight management device (EFBs/Mobile device),
airport ground-based communications, GateLink networks and maintenance systems, wireless airplane
sensors and sensor networks (fault monitoring systems),
• Passenger Information and Entertainment System Domain (PIESD): public networks, cellular networks, In-
Flight Entertainment (IFE), etc.
Attacks can be successful against vulnerable assets, misconfigurations, unsecured communications, undesired
and/or unknown functionalities leading to zero days attack, connections or interactions, and so forth. Attacks can
take different shapes and forms. It can be single-stage or multi-stage; it can have persistency or can be executed as
a blitz attack. The following represents a non-exhaustive list of threats and attacks against the aircraft and its
interconnected systems and information assets:
• Violation of security partitioning, like crossing over the aircraft’s domains and into the aircraft control domain
ACD or connecting uncertified or unauthorized devices to the ACD or AISD domains;

13 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021

 • Spoofing of authentication mechanisms leading to malicious or unsafe Over-the-Air update, or causing
misinformation over a flight data or navigation systems leading to unsafe flight conditions or spoofing of
telemetry or recordings/records;
• The side-channel attack, buffer overflow exploitation, enabling reverse engineering of the asset, leading to
zero-day vulnerability exploitation;
• Denial of Service attack, which may lead to temporary or complete unavailability of essential information,
data, function, or service;
• Compromised maintenance or other equipment whilst connecting to the aircraft leads to unauthorized
disclosure, malware injection, denial of service attack transfer, or injection/enabling of malicious backdoor.
Other adversarial tactics can be studied or evaluated using MITRE ATT&CK (Adversarial Tactics, Techniques, and
Common Knowledge) framework, and other Industrial Control Systems and Internet of Things/Operational Things
types of threats and attacks framework. Open Web Application Security Project (OWASP) and its associated
frameworks can be used to transfer scenarios to the e-connected aircraft from ground systems or others.
As new technologies are integrated within the different aircraft domains, those may bring new attack surface, which
was not intended, or even sometimes, not well understood. The advent of artificial intelligence and machine learning
models, often used as predictive maintenance capabilities, as well as automation or automated systems, should
require special care and monitoring. Human validation should be required for decision-making when the action may
have an impact on safety.

3.1.1 Defense Measures

Intrusion Detection Systems are now available on new aircraft, as well as Endpoint threat Detection and Response
or EDR, in support of the defense processes. The hardening of the different hardware, software, and network
configuration and systems is also the first step to lower the attack surface by reducing its attack vectors. Security
Hardening consists of securing a system by disabling/turning off and/or removing any unnecessary connections,
applications, limit configuration, and use role-based access to data, etc. All defense mechanisms need to be
revalidated at every major or critical update, for any update could modify the state or efficiency of the security
measures.
Cyber Threat Hunting is the science that monitors and tries to detect possible attacks, amongst the massive threat
intelligence sources, as covered in the threat section. Different technics are used, and the most efficient are Machine
Learning (ML) based, for they have the ability to scale, according to the number of sources ingested, and can
automate the detection of well-known recognized patterns of attacks. Those most efficient can also rapidly eliminate
or react accordingly. A well-known example of ML algorithms is using behavior analytics, baselining systems, and
anomaly detection modeling.
Cyber Threat Intelligence, a sub-discipline of threat hunting, is the science that aggregates different sources and
data points for correlation and analysis. They include logging events, Indicators of Compromise, which are compiled
by other organizations, as well as those from respective authorities and other private organizations like the Aviation
Information Sharing and Analysis Center (A-ISAC) and other security vendors and can infer a certain cost. Cyber
Threat Intelligence also often includes open source and social media intelligence. Each source should be evaluated,
and different trust levels attributed, according to the quality, veracity, and value of the information or data.

14 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021

3.2. Devising Aircraft Risk Management Program
Risk Management Program covers different categories of risks, such as safety and security, financial and economic,
and for some time now, cyber security is part of the discussions at the highest management level. The goal is to
make sure the organization define their risk appetite and make decisions to either accept or transfer the risks.
Many Operators already have Risk Management Program or Framework, often based on the ISO/IEC 27005:201824,
ARINC 81125, and other standards, for it is part of the regulatory safety and security aviation environment. As many
IP-enabled technologies are now part of the e-connected aircraft and their interrelated systems, the possible cyber
threats and risks must be considered and well understood within the Risk Management Program, ergo, the need for
an Aircraft Risk Management Program or Framework. It is important, therefore, as a first step, to determine the scope
of the program which should prioritize cyber security functions that may have a safety impact on the aircraft systems
and its interconnected systems, including ground.
The following represent the well-known steps of an IT Risk Management Framework (RMF) that would be used to
support this framework.

Figure 3.2. Risk Management Framework

RISK MANAGEMENT FRAMEWORK

1 2

4 3

Source: IATA (based on ISO/IEC 27005)

24
ISO/IEC 27005:2018, Information technology — Security techniques — Information security risk management, 2018.
25
ARINC, 811 Commercial Aircraft Information Security Concepts of Operation and Process Framework, 2005.

15 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021

NIST CSF is a well-known example of such a framework. One of the most interesting implementations of the NIST
CSF comes from the Federal Information Security Modernization Act (FISMA), already mentioned in Part1-Chapter 2
of this guidance. This implementation proposes the different steps, starting by the “Prepare”, followed by
“Categorize”, etc., and the associated National Institute of Standards and Technology (NIST) Special Publications,
Federal Information Processing Standards (FIPS), and other guidance to support its implementation. Those steps
are generally part of the Risk Management Framework, which aligns with the ICAO Standard 4.9.1 (Annex 17), and the
associated standard (SEC 4.1.1) and Recommended Practice (ORG 3.1.6) from the IATA ISM Ed. 1426.
An Aircraft Risk Management Framework should introduce and include the more Operational Technology (OT) side
that is related to the aircraft and its interconnected systems. This implies that the operational side of the organization
is to take part in the Risk Management creation, implementation or integration, evaluation and assessment and
support the mitigation elements of the Framework. Also, because an aircraft incident could translate into the
potential loss of life, ergo the highly regulated and safety requirements in this industry, and only a risk-based
approach may not be enough. Considerations to impacts to safety need to be part of the equation, weighted and
supported via the risk-based framework. This impact-based element is often referred to as cyber safety.
The aircraft is composed of three different domains, where particularity one is critical to the control of the aircraft.
Any connection, communication, to and from this domain, should be strictly assessed and validated. This may
include ground systems, maintenance, and integration of any new technologies where underlying functionalities
could require or request to cross boundaries. The Framework should consider all operations within the lifecycle of
the aircraft as part of the Risk Management process. The same analysis and validation need to be done for each
zone.
After analyzing the aircraft systems over its life-cycle operations and associated elements, the regulations and
compliance requirements and associated AMC should clarify the policies, controls, and other protection measures
for the OT side of the equation. Those measures should then be monitored and assessed, so that residual risks may
be identified and mitigated over a recurrent Aircraft Risk Assessment activity.

3.3. Cyber Risk Assessment

The Operator security threat review process should typically include an Aircraft Cyber Risk Assessment Framework
(ACRAF) which may be implemented and integrated with the corporate side of the RMF. The following should be
taken into consideration when establishing this sub-process, part of the Risk Management.
In order to clarify the scope of the Risk Assessment, it is important to refer to ICAO’s first standard on cyber security
which is to “ensure that operators or entities as defined in the national civil aviation security programme or other
relevant national documentation identify their critical information and communications technology systems and data
used for civil aviation purposes and, in accordance with a risk assessment, develop and implement, as appropriate,
measures to protect them from unlawful interference.” 27
The following can complete the understanding of the ICAO Standard 4.9.1 (Annex 17) where the Critical Systems,
Information, Assets, and Data (CSIAD) relative to the aircraft are identified, the cyber threats relative to those assets
are analyzed and residual risks are mitigated, accepted of transferred. Sharing of newly found unmitigated risks
coming from the OEMs/Suppliers and/or the Design Approval Holder DAH is essential and required.
The identification of information for continued airworthiness is supported by the ED-204A/DO-355A guidance and

26
IATA, IOSA Standards Manual (ISM) Ed. 14, 2020.
27
ICAO, Annex 17 – Security, 10th edition, 2017, Standard 4.9.1.

16 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021

AMCs. This document presents aircraft components, network access points, GSE and GSIS, digital certificates, and
details the responsibilities of DAH and Operators.
The identified CSIAD will determine the scope of the Aircraft Cyber Risk Assessment (ACRA) which should cover the
aircraft life-cycle operations and maintenance. Categorization of the aircraft CSIAD should be based on the latest
versions of FIPS 19928 and NIST Special Publications (SP) 800-3029, SP 800-5930, and SP 800-6031.
As previously mentioned, for each identified CSIAD, security control measures are selected according to the
protection level required based on the risks and impacts, consequences and assessed according to the required
effectiveness. NIST SP-800-17132, SP-800-5333, NIST SP-800-7034 latest versions would support this step.
ED-203A/DO-356A is the guidance document and AMC reference for the Risk Assessment process. The latest
version of the following references can also be used to support the ACRA, such as NIST SP 800-3735, ISO/IEC
27001:201336 based on (Information Technology Infrastructure Library) ITIL, or ISO/IEC 31000 37.
The industry standards ED-203A, ED-204A, and the associated DO-356A and DO-355A are essential reference
documents to understand the information security threats which can affect safety over the different lifecycle of the
aircraft, including operations and maintenance activities.
As discussed before, it is important to note that the Aircraft Cyber Risk Assessment should also consider the cyber
security requirements provided by the OEMs/System Suppliers and/or the DAH, which should be carefully be
integrated within this process. The internal AISP/ANSP also contains key components to support you in this process.
One could also wish to validate its Risk Assessment with the OEMs/System Suppliers and/or DAH, to make sure there
is no breach of contract or breach of the Aircraft Domains when executing testing for the Risk Assessment. Some
activities may render the Certificate of Airworthiness invalid since some tests could be too invasive and may leave
the aircraft in an unknown state. Also, some OEMs/System Suppliers and/or DAH may offer a cyber range or cyber
twining systems to render easier the testing of their products which may be helpful to understand the perimeter, the
data flow, and other characteristics before proceeding with further testing.

3.3.1 Devising a Vulnerability Assessment

The Vulnerability Assessment is a sub-step of the Risk Assessment. Its goal is to plan, conduct technical security
testing, and gather existing vulnerabilities that may impact the CSIAD, analyze, classify and prioritize the findings and
finally, develop remediation strategies and implement mitigation measures. ED-203A/DO-356A presents such a
process.
The process may or not include penetration/intrusion and validation testing activities, according to the requirement
or sensibilities of the systems to be evaluated. Again, here, the Operator may want to consult the OEMs/System
Suppliers and DAH security handbooks, and discuss directly with them, prior to the assessment activity, for some
activities may render the Certificate of Airworthiness invalid since some test could be invasive and may leave the
aircraft in an unknown state.

28
NIST, FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, 2004.
29
NIST, SP 800-30 Revision 1, Guide for Conducting Risk Assessments, 2012.
30
NIST, SP 800-59, Guideline for Identifying an Information System as a National Security System, 2003.
31
NIST, SP 800-60 Vol. 1 Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, 2008.
32
NIST, SP 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, 2020.
33
NIST, SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, 2020.
34
NIST, SP 800-70 Revision 4, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers, 2018.
35
NIST, SP 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations—A System Life Cycle Approach for Security and Privacy,
2018.
36
ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements, 2019.
37
ISO/IEC 31000, Risk Management.

17 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021

The following references can support this step namely the NIST SP 800-11538, SP 800-4039, the Open Web
Application Security Project (OWASP), the Open Source Security Testing Methodology Manual (OSSTMM), the
Penetration Testing Execution Standard (PTES), and the Information Systems Security Assessment Framework
(ISSAF).

3.4. Regular/Periodic Risk Assessment

As previously mentioned, at entry in service of an e-connected aircraft, the airworthiness certificate should cover
the cyber security elements which may impact safety. Some aircraft OEM has issued a notice of future instructions
for continued airworthiness (ICA) for securing legacy aircraft system components from cyber threats.
The latest version of the ED-202A/DO-326A and ED-203A/DO-356A cover these requirements for the
OEMs/Suppliers and the DAH. The Operator is particularly impacted by the continuing airworthiness aspects found
in the latest version of the ED-204A/DO-355A. Other coming EDs/DOs are currently under development.
As new technologies are introduced in the aviation sector and eventually into the e-connected aircraft, fixes,
modifications, and new configurations are required along the operation life cycle of the aircraft. Modifications of all
aircraft fleet types, legacy or e-connected must be monitored for and reviewed. Hence, the Risk Assessment
process must be periodically executed, according to a new integration of technologies, modifications or
configuration changes, or following an incident, in order to supply an up-to-date risk portrait to the decision-makers.
This risk portrait or report should support, on an ongoing basis, the implementation of the right mitigation measures
as well as serve to adjust the cyber security policies and strategy.
One particular example relates to newer EFBs or Mobile Devices introduction into the cockpit. More and more EFBs
application runs on iPads, for these devices are more powerful and often offer more in terms of capacity as well as
user experience. As these new technologies offer more to the pilot, it may translate into a larger attack surface and
introduce new vulnerabilities and/or exposure. Thus, they may even circumvent the airworthiness obligations or
normal DAH responsibilities. It is worth mentioning that the responsibilities of this new supply chain, including
maintenance, of those Off-The-Shelf technologies in the cockpit, may be very difficult to establish, and requirements
over the compliance aspects, very difficult to establish.

3.5. Emergency Management and Incident Response

The Emergency Management and Incident Response process is one of the most important of the Risk Management
Program for it needs to detect and react to the failings of the policies, controls, measures, and mitigations that were
put in place to protect the aircraft. ED-204A/DO-355A presents the aircraft information security incident
management guidance and AMC, while other ED-ISEM/DO-ISEM (Guidance on Information Security Event
Management) is currently being developed as this document is being redacted.
The latest version of the NIST SP 800-61 Rev. 240, providing guidance on incident handling, and SP 800-16141,
providing guidance on Supply Chain Risk Management, can support the Operator.
The following represents the general process of Information Security Incident Management and Response, which
can be used as the basis of this process.

38
NIST, SP 800-115, Technical Guide to Information Security Testing and Assessment, 2008.
39
NIST, SP 800-40 Revision 3, Guide to Enterprise Patch Management Technologies, 2013.
40
NIST, SP 800-61 Revision 2, Computer Security Incident Handling Guide, 2008.
41
NIST, SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, 2015.

18 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021

Figure 3.5. Information Security Incident Management and Response

REPORT,
PREPARE
Present

RECOVER, DETECT &

INVESTIGATE Analyse

RESPOND
(CONTAIN,
ERADICATE)

Source: IATA (based on NIST42)

The correlation and monitoring of different logs such as system logs and security logs are one of the major activities
to support this process. Both types of logs are required, and mechanisms to access and safeguards those, should
be provided by the respective OEMs/System Suppliers and/or DAH of equipment and services. Those logs need to
be correlated with Operator’s critical systems’ logs, to provide insights or leads into possible attacks. Those logs
need to be secured and preserved for evidence during a time, as prescribed by regional authorities. ED-203A/DO-
355A discusses the recommendations over the logs and respective responsibilities of the DAHs and the Operators,
within the Continued Airworthiness concepts.
Logs relative to any of the identified CSIAD should be considered as essential and required for collection and
correlation. Critical logs should include recording devices/record systems, avionics systems, authentication
services, the communication system as well as Global Navigation Satellite System (GNSS), maintenance, and
operations. Logs of firewalls and servers, Intrusion Detection Systems (IDS) as well as Endpoint Detection and
Response (EDR) automated systems, would also need to be correlated and analyzed. It is also important to mention
that time synchronization is required to establish the right timeframe of the events. Alignment between aircraft logs
and ground systems should be required. Other logs may come from the following systems: IFE, PAX, Ground

42
NIST, SP 800-61 Revision 2, Computer Security Incident Handling Guide, 2008.

19 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021

Systems, the EFBs/mobile devices, and other IT systems.
Note: Modification of systems, configuration, or the introduction of new technology or connecting elements should
trigger an automatic risk analysis and new logs integration.
Elements of the incident response, information sharing, and reporting can be found in the coming Eds/DOs from
EUROCAE and RTCA, especially the ED-ISEM/DO-ISEM (Guidance on Information Security Event Management)
which is currently being developed.

Response Containing and eradicating incidents requires a strong preparation for different types of
attacks. Developing a list of threats/risks scenarios that could affect safety and critical
systems over a cyber-attack, should be the first step in devising a Response plan. Different
types of attacks demand different types of response, and it is important to consider the
context and motivation that drives those attacks, in order to recover promptly. Also, it is
important to remind oneself that well-prepared attackers are well known to hide their ultimate
attack, behind a flashier or resource-intensive attack, in order to distract its victim from the
real target.

Investigation Different measures are required when investigating an incident. The first one noting every
action the investigator takes to support its investigation and start a chain of custody process.
Second, capture the state of a device or system before doing anything, this may include taking
pictures, etc. Then, depending on the incident and type of attack, one may want to cover or
contain the device or asset, with an aluminum-based or Faraday enclosure), unplug the asset
from its energy support, or capture the Random Access Memory, and copy byte by byte the
firmware, memory, etc. The bulk of the investigation needs to be done over a copy of the
device, as the state and memory of the original device or asset, needs to be preserved as
evidence and included in the chain of custody. The investigation may have to be conducted
by official authorities, according to local regulations or laws.

Reporting The process of reporting should also be prepared in advance. The type of communication will
vary according to the type of attack and its impact.

20 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021

List of Acronyms
Acronym Term

ACARS Aircraft Communications Addressing and Reporting System

ACD Aircraft Control Domain
ACRAF Aircraft Cyber Risk Assessment Framework
ACSR Aviation Cyber Security Roundtable
ACSTF Aircraft Cyber Security Task Force

A-ISAC Aviation Information Sharing and Analysis Center

AISD Aircraft/Airline Information Services Domain
AISS Aeronautical Information System Security
AMC Acceptable Means of Compliance
ANSP Aircraft Network Security Program
ARINC Aeronautical Radio, Incorporated
CIA Confidentiality, Integrity, and Availability
COBIT Control Objectives for Information and Related Technology
CoA Certificate of Airworthiness

CPDLC Controller–Pilot Data Link Communications

CSF Cyber Security Framework
CSIAD Critical Systems, Information, Assets, and Data
DAH Design Approval Holder
EDR Endpoint Detection and Response
EFB Electronic Flight Bag
EU European Union
EUROCAE European Organization for Civil Aviation Equipment
FAA Federal Aviation Administration

FIPS Federal Information Processing Standards

FISMA Federal Information Security Modernization Act
FMS Flight Management Systems
GNSS Global Navigation Satellite System
GSE Ground Support Equipment
GSIS Ground Support Information Systems

21 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021

 ICA Instructions for Continued Airworthiness
ICAO International Civil Aviation Organization
IDS Intrusion Detection Systems
IFE In-Flight Entertainment
ILS Instrument landing system
ISEM Information Security Event Management
ISM IOSA Standards Manual
ISO International Organization for Standardization
ISSAF Information Systems Security Assessment Framework
ITIL Information Technology Infrastructure Library
ML Machine Learning
MoC Means of Compliance
NIST National Institute of Standards and Technology
NPA Notice of Proposed Amendment
OEM Original Equipment Manufacturer
OWASP Open Web Application Security Project
OSSTMM Open Source Security Testing Methodology Manual
OT Operational Technology
OWASP Open Web Application Security Project
PIESD Passenger Information and Entertainment Systems Domain
PKI Public Key Infrastructure
PMAT Portable Multi-Purpose Access Terminal
PTES Penetration Testing Execution Standard

RFP Request for Proposal

RMF Risk Management Framework
RTCA Radio Technical Commission for Aeronautics
SARPs Standards and Recommended Practices
SLA Service Level Agreement
TCAS Traffic Collision Avoidance System

22 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021

List of References
1. ARINC, 811 Commercial Aircraft Information Security Concepts of Operation and Process Framework, 2005.
2. Commission Regulation (EU) No 748/2012 of 3 August 2012 laying down implementing rules for the
airworthiness and environmental certification of aircraft and related products, parts and appliances, as well as
for the certification of design and production organisations.
3. EASA, AMC 20-42: Airworthiness Information Security Risk Assessment.
4. EASA, ED Decision 2020/006/R: Aircraft Cyber Security and related Notice of Proposed Amendment: NPA
2019-01.
5. EUROCAE, ED-202A - Airworthiness Security Process Specification, 2014.
6. EUROCAE, ED-203A - Airworthiness Security Methods and Considerations, 2018.
7. EUROCAE, ED-204A - Information Security Guidance for Continuing Airworthiness, 2020.
8. IATA, Aviation Cyber Security Roundtable, Read Out, 2019.
9. IATA, Compilation of Cyber Security Regulations, Standards, and Guidance Applicable to Civil Aviation, 2021.
10. IATA, IOSA Standards Manual (ISM) Ed. 14, 2020.
11. ICAO, Aviation Security Global Risk Context Statement, Second Edition, 2019 (Doc 10108).
12. ICAO, Aviation Cybersecurity Strategy, 2019.
13. ICAO, Aviation Security Manual (Doc 8973 – Restricted). ICAO, Annex 17 – Security, 10th edition, 2017.
14. ISO/IEC 27001, Information Security Management.
15. ISO/IEC 27001:2013, Information technology — Security techniques — Information security management
systems — Requirements, 2019.
16. ISO/IEC 27005:2018, Information technology — Security techniques — Information security risk management,
2018.
17. ISO/IEC 31000, Risk Management.
18. NIST, Cybersecurity Framework (CSF).
19. NIST, SP 800-30 Revision 1, Guide for Conducting Risk Assessments, 2012.
20. NIST, SP 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations—A
System Life Cycle Approach for Security and Privacy, 2018.
21. NIST, SP 800-40 Revision 3, Guide to Enterprise Patch Management Technologies, 2013.
22. NIST, SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, 2020.
23. NIST, SP 800-59, Guideline for Identifying an Information System as a National Security System, 2003.
24. NIST, SP 800-60 Vol. 1 Revision 1, Guide for Mapping Types of Information and Information Systems to
Security Categories, 2008.
25. NIST, SP 800-61 Revision 2, Computer Security Incident Handling Guide, 2008.
26. NIST, SP 800-70 Revision 4, National Checklist Program for IT Products: Guidelines for Checklist Users and
Developers, 2018.

23 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021

27. NIST, SP 800-115, Technical Guide to Information Security Testing and Assessment, 2008.
28. NIST, SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and
Organizations, 2015.
29. NIST, SP 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and
Organizations, 2020.
30. NIST, FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, 2004.
31. RTCA, DO-326A - Airworthiness Security Process Specification, 2014.
32. RTCA, DO-355A-Information Security Guidance for Continuing Airworthiness, 2020.
33. RTCA, DO-356A - Airworthiness Security Methods and Considerations, 2018.

(END)

24 Aviation Cyber Security Guidance Material | PART 2 Edition 1 | February 2021