Cyber security as part of the Finnish aviation safety management | Traficom
Transport and Communications Agency


Cyber security is a part of aviation safety.


The national aviation safety management responds to the challenges of a complex aviation system. It also helps strengthen the resilience of Finland’s aviation system in relation to threats as well as changes in the system and the operating environment. Well-functioning safety management structures maintain the high level of safety we have reached and ensure the safety of operations even in acute situations, such as during the COVID-19 pandemic. The safety management of Finland’s aviation is described in more detail on the Finnish aviation safety programme, plan and performance targets and indicators page.

This page focuses on describing the national-level safety management elements for cyber security and the mechanisms and cooperation used in their implementation. The foundation of safety consists of a good safety and security culture, effective communications between operators and authorities, and information-based measures undertaken to manage identified safety risks. Our common goal is to ensure safe air travel and uphold passenger confidence in the air transport system. The foundation of cyber security in the Finnish aviation system consists of both the aviation authority and operators taking care of cyber security within their operations and responsibilities, and carrying out active and confidential cooperation to ensure continuous improvement of the operations. 

Furthermore, cyber security work is carried out on the level of the entire transport system and more widely on the level of Finnish society as a whole. National cyber security programmes and strategies are compiled in the Instructions and the Q&A section page.

In aviation, the development of cyber security is guided by the Cyber Strategy and Action Plan of the International Civil Aviation Organization (ICAO) and, on the EU level, by the EU Cybersecurity Strategy, Plan and other theme-related concept papers and roadmaps. These are compiled in the Instructions and the Q&A section page.

Below is the Finnish Aviation Safety Policy published in chapter 1.1 of the Finnish Aviation Safety Programme (FASP). The safety policy describes the national-level commitment to aviation safety and safeguarding. The safety policy covers the entire national aviation system. In terms of safety, it describes the comprehensive safety of aviation, cyber security being one part of it.

"In international civil aviation, safety and safeguarding aviation have been set as the highest goal of joint agreements and regulations. Finland’s civil aviation authority Traficom is committed to maintaining and developing the national aviation safety programme. Traficom considers it particularly important that flight safety remains good and citizens retain a high level of confidence in the air transport system. In the aviation system, confidence is based on the pillars of safety, security, cybersecurity, health security and environmental friendliness. The parties involved in the system must also ensure the economy, reliability and precision of operations to enable smooth travel chains supporting the accessibility of Finland. They also have to make sure that new technologies and operating models are safely integrated into the aviation system taking into account the strengths and limitations of human factors and technology. The parties must also guarantee that operations remain safe even in the event of major changes in the operating environment and ensure efficient change and risk management.   

Aviation in Finland complies with ICAO and EU requirements. Traficom specifies strategic safety objectives and an acceptable level of safety for Finnish aviation, taking into account the safety objectives set at EU level, local conditions and the safety themes that have emerged in the context of risk management in Finnish aviation. Traficom and aviation organisations must aim to achieve the objectives and the required level of safety in their practical operations.

The continuous development of safety management and a good safety culture, a performance- and risk-based approach and the organisations’ responsibility for the safety of their own activities are the cornerstones of Finnish aviation safety. Traficom oversees and promotes their realisation.

Traficom ensures and promotes the realisation of 'just culture'. In the Finnish aviation system, just culture involves defining and communicating acceptable and unacceptable operating methods and practices, promoting a climate of confidence and fairness and complying with the principles of just culture in practice. It also includes addressing unacceptable practices in cases referred to in Article 16(10) of the Occurrence Regulation. Traficom promotes good reporting culture and safeguards the confidentiality and appropriate use of information on occurrences and the protection of information sources in accordance with Articles 15 and 16 of the Occurrence Regulation. 

Traficom maintains the expertise required by the duties of aviation authorities. This is supported by continuous training and international cooperation."

Strategic safety objectives of Finnish aviation

The strategic safety objectives of Finnish aviation are described in FASP version 8.0 chapter 1.2 and annex 2 of FASP. Cyber security is included as an integral part of many of the strategic safety objectives. In addition, cyber security is mentioned separately in the objectives listed below:

  • Key threats of Finnish aviation (safety, security, cybersecurity, health security) have been identified and they are addressed in the organisations’ safety management. The special conditions in Finland, such as winter conditions, are taken into account in the work.
  • Risk management (safety, security, cybersecurity, health security) in Finnish aviation is systematic, effective and in constant development.
  • The aviation risk management by Traficom and aviation organisations also includes the management of cybersecurity risks.

Finnish aviation safety performance indicators and targets

The achievement of strategic safety objectives is monitored with the help of predetermined and published performance indicators and performance targets set for them (FASP annex 2). The national targets and indicators are updated regularly, also in terms of cyber security, as a part of performance- and risk-based safety management. The valid cyber security performance targets are:

  • SSP-SPI-4: Organisations have defined an emergency response plan (ERP) for cyber threat management.
  • SSP-SPI-5: In Finland, risk management related to cyber threats has been incorporated as part of aviation safety risk management at Traficom and among the organisations.

The above-mentioned performance targets are updated in cooperation with strategic aviation operators. The updated version will be published together with the update of the whole FASP Annex 2 during autumn 2023.

Traficom is committed to extensive and cooperation-based operations with the aviation industry and operators to ensure aviation cyber security in a continuously changing operating environment. The national safety management in aviation cyber security is carried out in cooperation with strategic aviation operators and it consists of the following sections:

  • Aviation cyber security risk workshops
  • Work on the situational picture of aviation cyber security
  • Work on updating the strategic safety objectives and performance indicators, and reaching the objectives.

The aviation cyber security risk workshops create and maintain the national aviation cyber security risk picture as part of the national aviation risk management process (see FASP chapter 2.6). Through oversight, communications and advice, the results benefit all aviation operators. 

In its work, the aviation authority uses the Cybermeter developed and maintained by the National Cyber Security Centre Finland in order to assess the performance of cyber security management in organisations. The Cybermeter is designed for organisations of all types and sizes, and it enables a uniform approach to cyber security. In the aviation sector, the use of Cybermeter ensures a uniform approach to different parts of aviation: aviation safety, aviation security and aviation resilience. The use of the Cybermeter service is optional for organisations, but recommended.
