Front Page: Traficom
Front Page: Traficom
Menu

Oversight is one of the means of managing aviation cyber security.

Objectives of oversight

Oversight is one of the means of implementing the Finnish aviation safety policy and ensuring that the residents’ trust in the air transport system and its comprehensive safety remains at a good level. 

In terms of aviation cyber security, oversight ensures that Finnish aviation operators and service providers meet the requirements set for cyber security management and that the related performance of operators and service providers is at an acceptable level. 

Regulative framework for aviation cyber security: NIS+AVSEC+Part-IS

Ensuring compliance

Oversight is always based on ensuring compliance. Oversight ensures that operators and service providers meet the obligations set in EU regulations and national statutes (see the page Legislation on aviation cyber security (External link) ). Partly identical obligations can be found in several pieces of legislation, especially after Part-IS, NIS and AVSEC-IR regulation become are all applicable. Traficom takes this into account in planning and implementing oversight. Overlapping oversight measures are to be avoided. In auditing, for example, the compliance with obligations concerning the same set of issues is audited only once. This saves the resources of both aviation operators and the authorities.

Risk- and performance-based approach

Aviation oversight carried out by the authorities has a performance- and risk-based approach (see FASP chapters 2.6 and 3) that also applies to cyber security. The performance- and risk-based approach means that Traficom is obliged to monitor the aviation risk level – also for cyber security – and to monitor and assess the performance of operators and service providers. As aviation safety in general, cyber security is also about balancing values: safety and security, economy and the continuity of operations. The necessary level of cyber security management is defined in relation to cyber security risks, and measures to control those risks are ensured. 

Authority actions are implemented with a performance- and risk-based approach within both oversight and safety promotion. The frequency, targeting, focus and content of oversight are impacted by the risks facing the operations in question and their assessed risk level, in addition to the performance of the organisation in question. Audits are an important oversight measure to assess the current performance of an organisation. In addition, Traficom continuously monitors the performance of organisations through other regulatory work. For example, information continuously produced by the operators’ safety and information security management systems (e.g. information about security incidents and responses) is an important indication that the management systems work appropriately. Oversight ensures that the cyber risk management performance of aviation organisations is at an acceptable level.

Continuous improvement

The performance- and risk-based approach helps authorities target measures effectively at the right time and with the correct scope and focus. In Finland’s aviation system, the competent cyber risk management of the authorities and organisations ensures aviation safety, aviation security and system resilience against changes and sudden events in the operating environment. Here, resilience refers to the aviation system’s capacity to deal with disturbances. The aim is to continuously improve the performance of the authorities and organisations. In modern regulatory work, in addition to the so-called traditional oversight measures, active information exchange and cooperation with operators is important in order to reach the shared safety and performance objectives.

Compliance and performance assessment

In its work, the aviation authority uses the Cybermeter (External link) service developed and maintained by the National Cyber Security Centre Finland in order to assess the performance of cyber security management in organisations. The service is designed for organisations of all types and sizes, and it enables a uniform approach to cyber security in addition to the continuous improvement of performance. In the aviation sector, the use of Cybermeter ensures a uniform approach to different sectors parts of aviation: aviation safety, aviation security and aviation resilience. The use of the Cybermeter service is optional for organisations, but recommended.
Key oversight measures in aviation cyber security include audits (compliance and performance assessment), self-evaluation and safety discussions.

Updated