Matt Shreeve shares some perspectives from delivering a new training course on aviation cybersecurity, developed by Helios exclusively for EUROCAE.
Concerns about aviation cybersecurity continues to mount rapidly. Trends towards greater connectivity, reliance on technology, common infrastructure, etc, coupled with the fact that attacks only get better, demand a comprehensive and coherent response across the industry. But in this relatively new and rapidly developing space, it can be potentially confusing for aviation stakeholders to know what standards and guidance are available and appropriate for what purpose. Recognising this, EUROCAE has launched a training course to help guide people through this maze.
Our first training course took place at EUROCAE headquarters in Paris and attracted participants from all walks of aviation life, with aircraft manufacturers, equipment suppliers, regulators and ATM represented in the room, from across three continents. We started by recapping some of the key concepts and challenges, for instance the similarities and differences between safety and security. Standards will play a big part in linking rules to practice, so hearing the latest regulatory developments was crucial to many, as well as providing a hot discussion topic.
We then moved on to looking at the standards landscape, exploring which groups have produced what standards and guidance. We covered both aviation-specific standards (eg from EUROCAE and CEN) and non-aviation-specific cyber standards (eg from ISO and NIST), covering airworthiness, ATM/CNS, airports and more general standards. The sheer amount of current activity was surprising to some, but all were creative in an exercise to think of metaphors to summarise it: from wild jungle to a seemingly bottomless ocean to the intricate interactions of the solar system!
A key learning point was to understand the essential elements of a standards-led approach. ECAC has produced some good advice in this regard that we were able to share with participants, using these elements to then identify applicable standards. We covered different aviation domains, noting the similarities and differences between them. One of the big intended benefits of the course comes from understanding the broader context and dependencies between them. Of course, a lot of excellent work has been ongoing for some time by various working groups, so the course also gives an opportunity to highlight those standards that are not well known but offer great promise for the industry.
It was an intensive two days with a lot to pack in, made more challenging by the potentially 'dry' subject matter of standards documents. However, helped by a great set of participants, we managed to keep the course interactive, with plenty of exercises for them to get involved in to help embed the learning and keep everyone alert. I was surprised and delighted when someone even concluded it had been fun (!)
Having now piloted the course, further dates are available later in the year. Check the EUROCAE website for details.
ATM Cybersecurity – what is ‘good enough’?
Revised EASA Basic Regulation – key takeaways for the ATM community
Lower Airspace: a boundary to aviation growth?
Integrated safety risk; time for an oil change!
Performance Management – time for a rethink?
Business continuity in an international ATM environment