The UK’s Civil Aviation Authority (CAA) has launched a scheme, developed in partnership with security certification body Crest, that it hopes will play a key role in its strategy to enable the aviation industry to manage its security risks without compromising aviation safety.
Under the Assure framework, accredited cyber security professionals will have to demonstrate “extensive” knowledge in one of three key specialisms: cyber audit and risk management; technical cyber security expert; and ICS/OT [industrial control systems/operational technology] expert. The professionals’ organisations will also have to hold Crest membership in one of its core disciplines and to have been reviewed by both Crest and the CAA.
“The CAA is committed to broad and collaborative engagement with industry and key stakeholders to continuously improve our cyber security oversight model,” said Peter Drissell, director of aviation security at the CAA.
“By working with Crest to develop the Assure accreditation scheme, the aviation industry has access to the highest levels of skill, knowledge and competence to face the changing threat landscape and encourage a proactive approach to cyber security.”
The Assure framework was developed alongside the Department for Transport and the National Cyber Security Centre. Its stated overall vision is: “To have a proportionate and effective approach to cyber security oversight that enables aviation to manage cyber security risks without compromising aviation safety, security or resilience.”
Aviation organisations, which would include airlines, airport operating firms and air navigation service providers, among others, will have to complete a cyber security self-assessment using the CAA’s existing Cyber Assessment Framework for Aviation. They may also be asked to contract with an Assure-accredited supplier through a new online buyer’s platform to audit their assessments.
Ian Glover, president of Crest, said: “Assure is the latest scheme to strengthen the UK’s critical national infrastructure against growing cyber threats and supports the CAA’s Cyber Security Oversight strategy.
“Crest has also been working with the UK banking, telecommunications, nuclear and utilities sectors to develop effective accreditation schemes and intelligence-led cyber security testing and is also helping governments and regulators in other countries to adopt the same approach.”
The first suppliers to be accredited under Assure at launch are Bridewell Consulting LLP, Context Information Security, NCC Group, Nettitude, Pen Test Partners, Protiviti UK and SureCloud.
Context, which was supported by consulting partner Frazer-Nash, is well positioned at “the vanguard of supporting assurance and oversight activities for security in the aviation sector”, said CEO Mark Raeburn.
Greg Pope, who led the partnership between Context and Frazer-Nash, added: “Attackers are always looking to exploit vulnerabilities and develop new ways of breaching cyber security defences. Our combined expertise in cyber security, and broad knowledge of the aviation sector, together with our deep understanding of IT and OT, puts us in a strong position to support the UK’s efforts to provide world-leading protection against cyber attack.”