New information security threats, also referred to as cybersecurity risk, arise as air operations evolve in design, interconnections, and capabilities.
A rulemaking task, RMT.0720, was published by EASA on Jan 16, 2019, to address high-level, performance-based requirements on the management of cybersecurity risks for organizations in all aviation domains.
The new rulemaking task, RMT.0720, is currently being discussed by many different stakeholders in both Europe and the United States. Based on the latest discussions, the new regulation will most likely be named Part-IS for Information Systems and could require all air operators to write a manual to prove compliance under Part-IS.
What Is Information Security Risk?
According to RMT.0720, information security risk arises when “existing flaws in different areas are aligned on purpose and exploited by individuals with a malicious intent”, meaning incidents that are not the result of a random event.
With increasingly interconnected aviation technologies, the risk of these systems being exploited is greater than ever before. Consider the extensive interactions between OEMs’ supply chains, maintenance and ground service providers, operators and crew, ATM, AIS and many other service providers (third-party or not) in today’s civil aviation. All of these domains have access to unprotected data transmission, which carries a risk of exploitation in one way or another.
The new rulemaking task, RMT.0720, raises the concern that not enough focus is being put on the risk of malicious intent in current regulations.
Alignment With Global Aviation Cybersecurity Strategy
RMT.0720 aligns with the Global Aviation Cybersecurity Strategy, published by ICAO, ESCP and other major stakeholders in aviation.
The Aviation Cybersecurity Strategy is built on the following seven pillars:
- International cooperation
- Effective legislation and regulations
- Cybersecurity policy
- Information sharing
- Incident management and emergency planning
- Capacity building, training and cybersecurity culture
Overall, the strategy shifted the global focus from product specifications to the management of cybersecurity risks for preventing cyberattacks.
From RMT.0648 to RMT.0720
Correspondingly, the first rulemaking task on cybersecurity, RMT.0648, published by EASA in 2016, included provisions on product specifications.
Now, RMT.0720, published by EASA in 2019, aligns with ICAO’s global vision and sets out new initiatives focused more on provisions for the management of cybersecurity risks.
Applicability of RMT.0720
The rulemaking of RMT.0720 and Part-IS is expected to have the most implications for the following stakeholders:
- Maintenance organisations
- Training organisations
- ATM/ANS providers
- Member States
It will also have a major impact on all competent aviation authorities in charge of these domains.
Expected Time Frame
When RMT.0720 was first published, the following milestones were set:
- Start: Terms of Reference – 2019/Q1
- Consultation: Notice of Proposed Amendment – 2019/Q2
- Proposal to Commission: Opinion – 2020/Q2
- Adoption by Commission: Implementing Rules – 2021/Q4
- Decision: Certification Specifications, Acceptable Means of Compliance and Guidance Material – 2021/Q4
However, given the current state of business and the change of focus in 2020, it is not surprising that these milestones have been pushed back. Therefore, we cannot expect RMT.0720 to become an implementing rule, Part-IS, until at least next year.
Aim To Add Part-IS To Offerings of Compliance Libraries
Based on recent news from ESCP, the first Opinion is expected to be published in March 2021. Web Manuals will keep paying close attention to these developments and inform our community accordingly.
As RMT.0720 progresses, Web Manuals aims to integrate the implementing rule, Part-IS, into our compliance library offerings, together with our partner Aeroex, as soon as it becomes available, to support our users in developing new manuals to prove compliance.
ISO 27001 Certification For Information Security Management
As a software provider, we recognize information security risk. We agree that, especially in aviation, an emphasis on risk management is crucial in order to enhance flight safety and information security.
Accordingly, we have held ISO 27001 certification for information security management since 2014. We have had zero findings in our audits every year since. Such is our commitment to meeting our customers’ considerable safety and security requirements.