22 February 2021
This position paper highlights ASD’s concern that the local implementation of Information Security Management Systems (ISMS) in Approved Organisations, as required by the new Part-IS regulation prepared by EASA (RMT.0720) and based on the current EUROCAE ED-201A draft (v0.7), could lead to a non-optimal solution that does not guarantee exhaustive implementation of the elements necessary for holistic, end-to-end protection of civil aviation safety. This Position Paper is based on the draft Part-IS regulation as shared within the European Strategic Coordination Platform (ESCP) on 27 January 2021.
2. Problem Statement
As mentioned in the ESCP Strategy for Cybersecurity in Aviation (v1.0), “[…] there is a concern that many stakeholders of the aviation system are currently dealing with cybersecurity issues as if they were deterministic problems which can be solved at source […] but this risk mitigation approach focussing on perimeter protection at all costs is not sustainable. Moreover, due to the increasing number of interconnections between multiple systems across a number of different stakeholders, it is extremely improbable that an organisation has full oversight, and a vulnerability emerging in one system which does not pose a risk for the system itself may pose one to someone else’s system with negative consequences […].”
For that reason, EASA came up with a Rule Making Task (RMT.0720) to manage Information Security Risks horizontally, with the same rule applying to all civil aviation stakeholders.
A careful analysis of the requirements imposed on Authorities and Operators shows that the rule enforces the implementation of a local ISMS in each Organisation and, similarly, in each Authority (either a National Competent Authority or the Agency). Noticeably, there are no provisions in the current rule draft to set objectives at the highest possible level: to analyse end-to-end threat scenarios (considering civil aviation as a system-of-systems), assess top-level risks, and assign security objectives to the different elements of the functional chain in a balanced manner.
As no authority oversees all of aviation centrally, the latest ED-201A discussions concluded that horizontal threats will mostly be managed through external agreements (peer-to-peer or multi-level) at functional chain interfaces.
This is of course the most pragmatic and, in the short term, most efficient option to improve security overall in our system-of-systems, but it may miss both security effectiveness (the sum of the implemented controls might not fully answer the security threats) and economic efficiency (the set of security controls implemented to answer the threats might be overdesigned). As in all areas of aviation relating to safety, resilience to individual errors needs to be built in through cross-checking of results.
Within the STORM group of the ESCP, discussions addressed a flow-down of security requirements over all functional chains. However, several problems were recognised. Primarily, no entity currently has oversight of the entire aviation sector within one organisation, and interactions between organisations are fairly fluid and constantly evolving. Thus, an approach similar to the Aeronautical Data Chains, creating a “self-evolving system” in which each individual organisation is overseen for its adherence to its own portion of aviation, was deemed to offer the greatest chance of securing the entire aviation sector sustainably for the future. This pragmatic approach has its virtues, but also its limitations, which we believe need to be addressed. How can we be sure that the players in air transport will understand what their contribution should be? How can we be sure that investments will be made wisely and that we will not find ourselves in situations where measures are lacking or duplicated due to a lack of global vision?
ASD believes that ED-201A and draft Part-IS should not be limited to the reporting from individual organisations as currently established, but that resilience should be built in at the authority level to cross-check organisational risk outputs. The competent authorities should be required to create a map of all organisational interfaces, the security levels applied to them and the resulting functional chains within their jurisdiction. The competent authorities should then provide these maps to the Agency to create a European-level map of all functional chains. Through the use of these maps, mismatches of security levels, missing interfaces and other errors in the organisational risk activities can be identified and raised as findings on the responsible organisations. The aviation ecosystem becomes more resilient, as this allows checking that no interface has been left unprotected and that security has been comprehensively applied, and it creates a level playing field by ensuring that security levels are applied appropriately and equally by all. By giving the Agency a European-wide picture, it provides the Agency with strategic-level insight into where future rules may be needed to secure the evolving ecosystem and also provides data for handling significant incidents in aviation.
The process cycle shown in Figure 1 provides the means to introduce the expected resilience into aviation by cross-checking each organisation’s internal activities against those of its partners via competent authority oversight. This mechanism preserves the self-evolving nature required for a sustainable aviation ecosystem and avoids the need to establish an authority with oversight of all of aviation, yet ensures that all actors in the system perform their roles equally and robustly. The following sections provide recommendations on the measures needed to ensure that this oversight cycle can be implemented in practice.
3. Safety SMS Interface Management
In the forthcoming Safety SMS rules, for which the Opinion was published at the end of December (Opinion 04/2020), interfaces are addressed in the SMS industry standard SM-001, Chapter 7 “Interfaces Between Organizations”. There are as yet no provisions in the SMS rules or standards comparable to what is proposed in this paper for managing risks shared between organisations. Nevertheless, a new EASA RMT (RMT.0706) has been initiated. When it comes to information security and the nature of threats that propagate across organisations, a more comprehensive scheme than SMS is needed (i.e. one not limited to the potential consequences of the risks or the management of their mitigation).
4. Way forward
Finalising the To-Be analysis and the gap analysis will require more time and broader involvement of the ESCP community, but short-term actions can be taken in the following fields:
Objectives for global effectiveness could be improved in the Implementing Rules pertaining to Authorities (both the Competent Authorities and the Agency). The following proposals for regulatory material (rules, acceptable means of compliance and guidance material) should be considered for adoption in the Opinion related to Part-IS. IS.AR.40X:
The competent authority shall provide effective oversight of the information security management systems within the scope of IS.AR.400. [Note: probably not needed, as Part-IS is added to Section B and equivalents, so IS.AR.400 already covers this. The following AMC/GM would provide guidance on how this oversight is to be achieved, with or without a new rule.]
(a) For each organisation, the competent authority should list all interfaces and the associated security level requirements and enter them in a database
(b) The competent authority should use the database to identify all singular entries, where only one organisation in an interface pair has reported the interface
(c) The competent authority should take action on gaps according to IS.AR.900 AMC/GM
The competent authority of the Member State shall ensure effective coordination with the competent authorities of other Member States and the Agency on the security risks associated with organisations operating across the Member State borders.
(a) The competent authority should list all organisations that have interfaces with organisations outside the jurisdiction of the competent authority
(b) The competent authority should list all interface pairs of these organisations that leave the jurisdiction of the competent authority
(c) The competent authority should identify all interface pairs and chains for which high security levels have been identified by the organisations
(d) The competent authority should provide the Agency with all cross-border interface pairs
(e) The competent authority should provide the Agency with all critical functional chains
(f) The Agency should enter all cross-border interfaces into a database
(g) The Agency should use the database to identify all singular entries, where only one organisation in an interface pair has reported the interface
(h) The Agency should coordinate with the competent authorities to take action on gaps according to IS.AR.900 AMC/GM
The competent authority shall notify the organisations referred to in IS.AR.900 of any errors identified in their information security risk assessments, audit the affected areas and ensure remediation. [Note: may be covered by the existing Findings and Corrective Actions text from Section B and equivalents. The following AMC/GM would provide guidance on how this oversight is to be achieved, with or without a new rule.]
(a) The competent authority should identify the root cause of the gap:
a. Erroneous listing of an external interface, e.g. a prior business relationship that has now been terminated
b. Error in the interface list of one organisation, e.g. the risk assessment was not performed correctly and failed to identify all external interfaces
c. Security level requirements and achievements are not aligned, e.g. the customer has not communicated its minimum security requirements correctly, or the supplier has falsely declared a higher security level
(b) The competent authority should address the gap according to its root cause:
a. Erroneous listing: update the risk assessment and interface list to remove the superfluous interface
b. Missing interface: update the risk assessment to include the interface; audit the risk assessment process and all activities concerned with the missing organisation
c. Security level mismatch: audit the external agreement process
(c) Where the affected organisations are in different Member States, EASA should coordinate the necessary information exchange so that the competent authorities can perform the root cause analysis and raise the appropriate findings
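The three proposals above describe one reconciliation cycle: pool each organisation’s declared external interfaces, flag pairs that only one side reported, flag pairs whose required and achieved security levels disagree, escalate cross-border pairs and high-security chains to the Agency, and attach a remediation to each root cause. The following Python is an added illustration of that cycle and is not part of the position paper, Part-IS or ED-201A. Everything in it is an assumption for the sake of the example: the declaration record (reporter, counterpart, customer/supplier role, level), the three-step level scale, the organisation and authority names, and the sample declarations, which are constructed.

```python
"""Reconcile organisations' external interface declarations the way a
competent authority (or the Agency, on a pooled view) might. Added example;
the data model and level scale are assumptions, not regulatory text."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed ordinal scale for the security level an interface carries.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Declaration:
    """One external interface as reported by one organisation."""
    reporter: str      # organisation submitting the declaration
    counterpart: str   # organisation at the other end of the interface
    role: str          # "customer": level it requires; "supplier": level it achieves
    level: str         # key of LEVELS


def pair_key(a, b):
    """Interfaces are undirected: both sides map to the same database key."""
    return tuple(sorted((a, b)))


def build_database(declarations):
    """Step (a): enter every declared interface into a database keyed by pair."""
    db = defaultdict(list)
    for d in declarations:
        db[pair_key(d.reporter, d.counterpart)].append(d)
    return dict(db)


def find_gaps(db):
    """Steps (b)/(c): singular entries, role conflicts and level mismatches,
    each tagged with the remediation the paper assigns to that root cause."""
    gaps = []
    for pair, decls in sorted(db.items()):
        reporters = {d.reporter for d in decls}
        if len(reporters) < 2:
            # Only one side reported: stale relationship, or the counterpart's
            # risk assessment missed the interface. The audit decides which.
            gaps.append({"pair": pair, "kind": "singular",
                         "reported_by": next(iter(reporters)),
                         "action": "query counterpart; audit its risk assessment"})
            continue
        required = [LEVELS[d.level] for d in decls if d.role == "customer"]
        achieved = [LEVELS[d.level] for d in decls if d.role == "supplier"]
        if not (required and achieved):
            # Both sides claim the same role: no requirement or no achievement stated.
            gaps.append({"pair": pair, "kind": "role_conflict",
                         "action": "audit external agreement process"})
        elif min(achieved) < max(required):
            gaps.append({"pair": pair, "kind": "level_mismatch",
                         "required": max(required), "achieved": min(achieved),
                         "action": "audit external agreement process"})
    return gaps


def cross_border_pairs(db, registry):
    """Pairs whose organisations answer to different competent authorities;
    `registry` maps organisation -> authority (unknown counts as outside)."""
    return sorted(pair for pair in db
                  if registry.get(pair[0]) != registry.get(pair[1]))


def critical_chains(db, threshold="high"):
    """Connected chains of interfaces on which any side declared a level at or
    above `threshold`: the functional chains to hand to the Agency."""
    adj = defaultdict(set)
    for (a, b), decls in db.items():
        if max(LEVELS[d.level] for d in decls) >= LEVELS[threshold]:
            adj[a].add(b)
            adj[b].add(a)
    seen, chains = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        stack, chain = [start], set()
        while stack:            # depth-first walk of one connected component
            node = stack.pop()
            if node in chain:
                continue
            chain.add(node)
            stack.extend(adj[node] - chain)
        seen |= chain
        chains.append(tuple(sorted(chain)))
    return chains


# Constructed sample: organisation and authority names are invented.
SAMPLE_REGISTRY = {"AIR1": "NAA-A", "MRO1": "NAA-A", "PARTS1": "NAA-A",
                   "ANSP1": "NAA-B", "DATA1": "NAA-B"}
SAMPLE_DECLARATIONS = [
    Declaration("AIR1", "MRO1", "customer", "high"),
    Declaration("MRO1", "AIR1", "supplier", "medium"),    # supplier below requirement
    Declaration("AIR1", "ANSP1", "customer", "high"),
    Declaration("ANSP1", "AIR1", "supplier", "high"),     # cross-border, consistent
    Declaration("ANSP1", "DATA1", "customer", "high"),
    Declaration("DATA1", "ANSP1", "supplier", "high"),
    Declaration("MRO1", "PARTS1", "customer", "medium"),  # PARTS1 never reported it
]


def reconcile(declarations=SAMPLE_DECLARATIONS, registry=SAMPLE_REGISTRY):
    db = build_database(declarations)
    return {"gaps": find_gaps(db),
            "cross_border": cross_border_pairs(db, registry),
            "critical_chains": critical_chains(db)}


if __name__ == "__main__":
    for section, rows in reconcile().items():
        print(section)
        for row in rows:
            print("  ", row)
```

On the constructed sample the cycle raises a level mismatch on AIR1/MRO1 (high required, medium achieved), a singular entry on MRO1/PARTS1, escalates AIR1/ANSP1 as the one cross-border pair, and reports a single high-security chain linking AIR1, MRO1, ANSP1 and DATA1. The level comparison uses the strictest requirement against the weakest achievement on a pair, so a supplier that overstates its level is caught only if the customer has actually recorded its requirement, which is exactly the gap item (c) in the root-cause list is meant to surface.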
The ED-201A standard in preparation by EUROCAE and RTCA will provide further guidance on the definition of an Aviation Framework in line with Part-IS objectives. The topics raised in this paper can be integrated into that standard.
The effort required for competent authorities to map the functional chains from data captured by organisations is considerable and can only be achieved if appropriate methods and tooling are available. Leveraging EASA research initiative SEC-09 in the EASA Agency Research Agenda 2020-2022, which aims to develop methods and tools to assess organisational structures for the security risk management of critical transport infrastructures with a focus on inter-organisation processes, will help. The research initiative can investigate the most efficient methods and tools for generating external interface pair lists, the databases to contain these lists, how to identify mismatches between the reports of paired organisations, and how to communicate these efficiently to the authorities. Furthermore, the research can investigate how to ensure an appropriate level of sharing of interface information while maintaining the confidentiality of these functional chains, given the commercial interests of the organisations. Finally, we need to develop at Agency level the overarching capacity to have visibility of European functional chains in order to prevent and remediate large-scale cyber-incidents.