Operators Must Prepare for Part-IS Cybersecurity Requirements

25 May 2023

A Wednesday afternoon session at the 2023 European Business Aviation Convention & Exhibition (EBACE2023) addressed the European Commission’s recently implemented Part-IS regulation that calls for aviation operations to identify and manage information security risks that could compromise company and passenger data.

The new regulations encompass “all the information and communication systems that are used by approved authorization in the authorities and all the data that are talking to them,” noted Gian Andrea Bandieri, section manager for aviation cybersecurity and emerging risks with the European Union Aviation Safety Agency (EASA). “Everything that is traveling and being exchanged in digital manner is within the scope.”

The new requirements are also intended to complement existing safety programs, not supersede them. “Part-IS doesn’t interfere with the security obligation that an operator has toward customers or passengers,” Bandieri noted. “But information security risk can spill out below over to the safety bar.”

Smaller operators are concerned about that scope, however. “Cybersecurity is a risk that should not be neglected by organizations or underestimated by the aviation ecosystem,” said Joan Serra, regulatory affairs manager for the General Aviation Manufacturers Association (GAMA) Europe. “But there are organizations that have no risk whatsoever to cyber threats that may [fall] under the scope of these regulations.”

Andrew Douglas, founder of cybersecurity consultancy Make Tech Fly, emphasized even small flight operations can be at significant risk to cyberattack. “Your data is what makes your business run,” he said. “When we talk about cybersecurity, and the reason why we must have security, it is because we’re trying to get to the ultimate goal of business security.”

All operations can take simple steps to reduce their cybersecurity risk, including two factor authentication for system logins and using non-intuitive passwords. “A 16-character password is almost impossible to break [but] eight-character passwords can be broken in about between five and 10 minutes.”

Nevertheless, Serra reiterated that differences between GA and business aviation operations pose challenges. “Smaller companies may have no leverage or bargaining power whatsoever over big IT (information technology) corporations,” he noted. “How can they negotiate terms and conditions of contract with big IT companies? It’s not possible.”

Despite such concerns, EASA remains adamant that these considerations pale in comparison to the threat posed by cyberattacks.

“We are discussing size where the focus should be on protection,” Bandieri said. “We want every organization to be protected against a new set of risks that were not there before. [Rather than] consideration of size, we must ask, ‘how much am I exposed to cyberthreats? And in case of a cyberattack, how do I respond and how will I recover?’ There is the starting point.”