Cyber security ABC – how to get started | Traficom
Transport and Communications Agency

This page contains information on how an aviation organisation can get started with developing its cyber security management and what the key elements of that work are.

Initially, it can be challenging to see what aviation cyber security means from the perspective of your own organisation’s functions. Organisations’ functions and their potential impact on aviation security vary greatly. The essential thing is that each organisation assesses and identifies the significance of aviation cyber security in its operations. The end result of the assessment may vary by organisation. The result can be that cyber security has no impact, or only a minor impact, on the organisation’s systems, functions or risks critical to aviation. Equally, an organisation may discover that cyber security plays a key role in its functions and systems, and identify a need to develop its cyber security management.

Guidance and instructions from well-known and commonly used frameworks

A number of good practices, frameworks and standards apply to cyber security management. These include e.g. the ISO 27000 series, the NIST Cyber Security Framework, the Cybersecurity Capability Maturity Model (C2M2), other industry standards and the Cybermeter published and maintained by the National Cyber Security Centre Finland. Sector-specific aviation standards are developed e.g. by EUROCAE. A framework can help you chart and assess the operations of your own organisation, allowing you to see the big picture.

As the Legislation on aviation cyber security page describes, the regulation on aviation cyber security is currently under extensive development and renewal. The application of the Part-IS regulation will harmonise the requirements, while bringing aviation organisations more widely under the scope of the requirements. The instructions below refer to currently applicable requirements and provide related tips from different frameworks. Traficom does not require you to use any particular framework. However, the instructions describe the key elements whose existence and implementation Traficom oversees as part of the cyber security management of organisations. 

The drop-down menus below provide further information on the areas of cyber security management (identify, protect, detect, respond, recover). Each organisation takes care of its overall information security management based on its own needs and on the legislation applying to the different sectors of society in which it operates. The information security management measures described in the text refer to information security management from the aviation perspective (aviation safety, aviation security and resilience).

Cyber security management in aviation organisations, taken as a whole, means that the organisation is able to deliver its key services and functions safely and securely, in line with its strategy and objectives. The information security risks related to the organisation’s operations that affect aviation safety or aviation security are under control, and the organisation is able to recover safely and in a controlled manner from any information security incidents directed at it.

What is meant by identifying?

The area of identifying covers the following:

  • Asset management: charting and dividing the aviation-related tangible and intangible assets of an organisation from the perspective of aviation cyber security management – the data/information, personnel, competences, equipment and systems the organisation has and needs in order to implement its strategic operations and which it must protect.
  • Business Environment: understanding the organisation’s business environment and the goal of operations. This information is used in the organisation’s cyber security management, e.g. to define necessary roles and make decisions on risk management. 
  • Governance: defining and describing the cyber security policy, procedures, processes and responsibilities.
  • Risk assessment: identifying the vulnerabilities of assets and cyber security threats facing the organisation’s operations by using different sources of information; assessing risks and identifying and prioritising security controls and management measures.
  • Risk management strategy: defining and using risk management processes and an acceptable risk level (risk tolerance / risk appetite / acceptable risk level).
  • Supply chain risk management: the organisation’s processes for identifying, assessing and managing risks in the supply chain and for ensuring that they remain at the acceptable level defined in the risk management strategy.

Current requirements in the area of identifying in aviation legislation

  • Excerpts from the Commission Implementing Regulation (EU) 2019/1583, paragraph 1.7:
    "1.7 Identification and protection of civil aviation critical information and communication technology systems and data from cyber threats
    1.7.1 The appropriate authority shall ensure that airport operators, air carriers and entities as defined in the national civil aviation security programme identify and protect their critical information and communications technology systems and data from cyber-attacks which could affect the security of civil aviation.
    1.7.2 Airport operators, air carriers and entities shall identify in their security programme, or any relevant document cross-referenced in the security programme, the critical information and communications technology systems and data described in 1.7.1. The security programme, or any relevant document cross-referenced in the security programme, shall detail the measures to ensure the protection from, detection of, response to and recovery from cyber-attacks, as described in 1.7.1.
    1.7.3 The detailed measures to protect such systems and data from unlawful interference shall be identified, developed and implemented in accordance with a risk assessment carried out by the airport operator, air carrier or entity as appropriate."
  • Excerpts from the Directive (EU) 2016/1148 of the European Parliament and of the Council (the NIS Directive) and its national implementation, the Aviation Act:
    • The NIS Directive: Article 16
      Security requirements and incident notification
      1. Member States shall ensure that digital service providers identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in the context of offering services referred to in Annex III within the Union. Having regard to the state of the art, those measures shall ensure a level of security of network and information systems appropriate to the risk posed, and shall take into account the following elements:
      a) the security of systems and facilities;
      b) incident handling;
      c) business continuity management;
      d) monitoring, auditing and testing;
      e) compliance with international standards.
    • Section 128 a of the Aviation Act (23.11.2018/965):
      "Duty to ensure the management of risks posed to communication networks and information systems
      Providers of air navigation services and operators of such airports that are significant for the functioning of the society shall, without delay, notify the Finnish Transport Safety Agency of any significant information security incident related to communication networks and information systems."

What is meant by protecting?

The area of protecting covers the following:

  • Identity Management, Authentication and Access Control: access to the organisation’s devices or facilities (physical infrastructure) and to devices, software or data in its protected assets is restricted to authorised users, functions and devices. Access control is continuous and based on a risk assessment and the objectives of the organisation. The organisation assesses the risks of unauthorised access to physical infrastructure, functions or systems, and implements and strengthens protective controls and measures accordingly.
  • Information security awareness and training: the organisation provides training, instruction and communications to its personnel, and as required, to the organisation’s interest groups, subcontractors and partners, on the aviation information security management and its importance. The training and instruction correspond to the employee’s work tasks and responsibilities and cover policies and practices, operating methods and rules.
  • Data Security: data and information resources controlled and used by the organisation are protected according to the organisation’s risk strategy, and the confidentiality, integrity and availability of data and information resources is ensured.
  • Information Protection Processes and Procedures: an information security policy, processes and procedures are defined and adopted in order to protect assets. The organisation’s information security policy defines objectives, frameworks, roles, responsibilities, management commitment and the organisation of activities.

What is meant by detecting?

The area of detecting covers the following:

  • Anomalies and Events: cyber anomalies and events are detected and their possible effects on aviation understood.
  • Security Continuous Monitoring: aviation-critical information systems and assets are monitored in order to detect cyber events and to ensure the effectiveness of controls and protective measures.
  • Detection Processes: detection processes and methods are maintained and tested in order to ensure awareness of abnormal activities.

What is meant by responding?

The area of responding covers the following:

  • Response Planning: the organisation has defined and adopted incident management processes and methods for the management of information security events and anomalies. The organisation also uses the necessary continuity plans for critical operations.
  • Communications: response measures are coordinated with the necessary internal and external interest groups, and this is taken into account in the planning and rehearsing of functions.
  • Analysis: events and anomalies are analysed to ensure an effective and impactful response. 
  • Mitigation: response measures are planned and implemented in a way that stops and limits the impacts of events and anomalies, ensures that their potential risks to aviation safety or security are managed, and solves the situation.
  • Improvements: lessons learned about good practices and improvement targets are utilised in operational development, including in strategies, processes and methods.

What is meant by recovering?

The area of recovering covers the following:

  • Recovery Planning: recovery processes and measures are planned, implemented and maintained in order to ensure the recovery of systems and assets from information security incidents.
  • Improvements: recovery plans and processes are improved by including lessons learned.
  • Communications: recovery functions are coordinated with internal and external partners.

Further guidance is available on Traficom’s aviation cyber security Instructions page and in the Q&A section.