July 9, 2019

The European Union Aviation Safety Agency (EASA) recently published a Notice of Proposed Amendment (NPA) introducing provisions for the management of information security risks related to aeronautical information systems used in civil aviation.

The NPA, 2019-07 Management of Information Security Risks, is broadly scoped with its provisions applicable to design, production, continuing airworthiness, maintenance, air operations, aircrew, air traffic management/air navigation services and aerodromes. The NPA includes high-level, performance-based requirements.

NPA 2019-07 follows NPA 2019-01, Aircraft Cybersecurity, published in February 2019, which applies largely to airworthiness and design standards.

According to EASA, both NPAs are intended to mitigate potential effects of cybersecurity threats on aviation safety.

“There are persons or entities that are intentionally looking for weaknesses in the system that can be exploited with the aim of creating harm. These potential weaknesses are not always known to the operators,” the agency said in NPA background material.

“The concern, however, is that not enough focus may have been put in properly addressing the situation where existing flaws in different areas are aligned on purpose and exploited by individuals with a malicious intent, no longer being a random event,” added EASA, in justifying the urgency of the rulemaking tasks related to cybersecurity.

The agency believes information security management systems (ISMS), introduced in NPA 2019-07, can integrate with traditional SMS principles to identify and mitigate cybersecurity risks.

The NPA requests that stakeholders submit a reasonable timeline for implementation and provides an example of a four-phase approach with full implementation 24 months from publication of the final regulation:

  • Phase 1: Gap Analysis (12 months)
  • Phase 2: Definition, Planning and Preparation (18 months)
  • Phase 3: Development and Deployment (24 months)
  • Phase 4: Continuous Improvement

“NBAA and other organizations are working with EASA to appropriately mitigate security risks without creating new, cumbersome mandates,” said Doug Carr, NBAA’s vice president of regulatory and international affairs. “NBAA will submit comments on behalf of its membership, but strongly encourages member companies potentially affected by the NPA to submit comments with specific impacts to their own operations.”

EASA is accepting comments on NPA 2019-07 through Sept. 27.

Read NPA 2019-07: Management of Information Security Risks.