Dec. 21, 2022

Cyber incidents involving flight planning and communications software, airline reservations systems and more are on the rise in the U.S. and around the world.

The International Civil Aviation Organization recently published an Aviation Cybersecurity Strategy, calling on member states to ensure proper legislation and regulations are in place to combat cybercrime and to include cybersecurity in their aviation security and oversight systems.

The Transportation Security Administration (TSA), along with the Cybersecurity and Infrastructure Security Agency (CISA), are working to mitigate the risks of these types of attacks. The TSA recently updated aviation security programs for airports and commercial operators to require the airport or operator to designate a cybersecurity coordinator and report any cybersecurity incidents to CISA within 24 hours of the occurrence.

To date, these new requirements apply to commercial operators and certain airports, but Doug Carr, NBAA senior vice president, safety, security, sustainability and international operations, said all aircraft operators should understand the risks of cybersecurity attacks to their own operations and develop best practices to mitigate those risks.

Further, NBAA Security Council Chair Eric Moilanen, founder of Premier Corporate Security, Inc., said TSA has indicated cybersecurity requirements will be coming for Twelve-Five Standard Security Program and Private Charter Standard Security Program holders, although the timeline is unknown at this point.

“These new requirements essentially apply to commercial operators and airports that service commercial operators for now, and are not applicable to non-commercial aircraft operations,” added Carr. “However, all stakeholders should be aware of the risks of cybersecurity attacks, implement practices to mitigate those risks and be on watch for changing federal requirements.”