For many years, aerospace and aviation security has focused primarily on the physical aspects of maintaining safety, from airside safety checks that keep unauthorised personnel out of critical areas to airport safety measures that ensure the safety of passengers and crew on board the plane. However, as passenger convenience and safety have advanced, and as connectivity has increased between airports, aboard planes and with the outside world, the previous security model has become obsolete.
In line with this, we have recently seen the introduction of CAA ASSURE, a new cybersecurity audit model for third parties providing services to the Aerospace industry. Read on to find out what ASSURE entails and what Nettitude can offer in relation to it.
A vision for the future
The ICAO has recognised that globally the aviation sector needs to advance in a collaborative manner. ICAO’s vision for global cybersecurity is that the civil aviation sector is resilient to cyber-attacks and remains safe and trusted globally, whilst continuing to innovate and grow. The tag line for the initiative is ‘No country left behind’ and the Atlantic Council[1] have taken this a step further with ‘No vulnerability left behind’ as an example of how the capability of the industry needs to work together and be aligned in purpose.
As the aviation sector continues its digital transformation and adoption of new services, it faces a range of core issues. Key considerations for the aerospace and aviation industry include:
- Passenger privacy. The capture, exchange and management of passenger information across the industry is constantly being evolved and developed. Ensuring the security and privacy of this data is paramount.
- Information sharing and communications. Sharing threat information across borders, and developing an understanding of the impact that cyber events can have, expressed in business-orientated language.
- Legacy technology and systems. Managing complex OT environments and the impacts a cyber event can have on safety as well as security.
- Adoption of 5G networks and services. 5G will transform the use of remote sensors, communication methods and data management.
- Development of global and national standards and regulator initiatives. Ensuring clarity, consistency and interoperability.
- Increasing transparency and trust. Within operators, supply chains and between customers and the industry itself. This affects system designs, operation, contracts
The UK Aviation Cyber Strategy
The UK’s Aviation Cyber Strategy[2] sets out an approach that will ensure cybersecurity will continue to be collaborative and supportive for the sector. The aim for the vision is that the UK’s transport sector remains safe, secure and resilient in the face of cyber threats, and able to thrive in an increasingly interconnected, digital world.
As part of this strategy, the CAA were tasked by DfT to develop and implement a regulatory framework for cybersecurity, and to facilitate oversight of industry’s activities related to mitigating potential cyber risks to civil aviation in the UK.
The CAA has reformatted the Cyber Assessment Framework (CAF), developed by the NCSC, specifically for aviation. The CAF for Aviation will be used by aviation organisations to self-assess against fourteen principles across four broad objectives. ASSURE Cyber Suppliers and Cyber Professionals will then perform an ASSURE Cyber Audit on an aviation organisation’s CAF for Aviation self-assessment.
Introducing a new cybersecurity audit model to aerospace & aviation
With the introduction of CAA ASSURE, a new cybersecurity audit model for third parties providing services to the Aerospace industry, there is a new set of requirements that ensures cybersecurity providers are subject to a rigorous and continuous accreditation process under the ASSURE Accreditation Scheme. Nettitude are one of the first providers to achieve this accreditation, further qualifying us to work with Aerospace clients.
Peter Drissell, Director of Aviation Security at the UK Civil Aviation Authority (CAA) comments:
“The CAA is committed to broad and collaborative engagement with industry and key stakeholders to continuously improve our cybersecurity oversight model. By working with CREST to develop the ASSURE accreditation scheme, the aviation industry has access to the highest levels of skill, knowledge and competence to face the changing threat landscape and encourage a proactive approach to cybersecurity.”
In order to receive this accreditation, Nettitude were subject to a number of requirements, including registering our professionals to become ASSURE Cyber Professionals against the following ASSURE Specialisms, in order to conduct an ASSURE Cyber Audit:
- Cyber Audit & Risk Management;
- Technical Cyber Security Expert; and/or
- Industrial Control Systems/Operational Technology Expert.
In addition to meeting the above requirements, organisations that wish to be ASSURE accredited must also be a CREST accredited Penetration Testing Partner. As Nettitude were also able to demonstrate this, we have met the total requirements to become a CAA ASSURE Cyber Supplier. Nettitude can be seen on the CREST list of official CAA Cyber Suppliers here.
What can we offer as a CAA ASSURE Cyber Supplier?
Nettitude has extensive experience in conducting cyber assurance work in many sectors that face sophisticated threats, such as financial services, governments and critical national infrastructure. We have also been researching and working in OT, firmware and transportation across marine, rail, nuclear and aviation.
This new scheme from the CAA enables an organisation’s approach to their cyber strategy, particularly focused around their critical OT systems, to be assessed and a roadmap developed.
Nettitude can not only provide an ASSURE Cyber Audit but can also provide additional services to organisations at many levels if required, from tactical guidance and advice on technical aspects of their systems, through research into legacy or niche elements, to maturing and developing capability and organisational cyber strategy.
The ability to be realistic about the risks faced and pragmatic in approaching risk reduction and remediation is key to ensuring that priority is given to the right outcomes.
Nettitude can work with you and the CAA to conduct an ASSURE Cyber Audit and develop appropriate roadmaps and activities to mature and protect your environment from the cyber threats faced, if required.
A note from Nettitude’s Chief Technical Officer – Ben Densham
Our CTO Ben Densham comments on the accreditation and what it means for Nettitude Aerospace clients:
“It’s essential that the ever-changing threats from cyber risks are understood from both a security and safety standpoint. The CAA ASSURE Scheme is a robust and tailored scheme designed to deliver assurance to aviation providers that these risks are being identified, the impacts understood and the appropriate measures being put in place. Ensuring the UK’s aviation sector is best prepared to meet the current and future cyber threats is the objective and Nettitude is pleased to be able to support and champion this.”
Overall, the CAA ASSURE accreditation has been put in place to ensure consistency and continuity in the cybersecurity standards upheld by the Aerospace industry. Its focus revolves around the NIS Directive, safety, security and resilience, and it utilises the Cyber Assessment Framework to provide assurance to the regulator that the Aviation community are acting responsibly and are conforming to globally upheld standards. Nettitude are proud to be able to offer this additional level of service to enable our clients to achieve maximum compliance and security standards.
For more information on CAA ASSURE please don’t hesitate to get in touch with our team! More information can also be found on the CREST CAA ASSURE page.
[1] https://www.atlanticcouncil.org/wp-content/uploads/2019/12/AVIATION-CYBERSECURITY-12-19-.pdf
[2] https://www.gov.uk/government/publications/aviation-cyber-security-strategy