• The CAA Cyber Oversight Project has been established to provide effective oversight of how the UK aviation industry is managing its cyber security risks to achieve safety and economic resilience.  It has been developed to meet UK and European legal obligations for cyber security. The intent is to develop an effective regulatory methodology to enable industry to demonstrate that the appropriate risk mitigations are in place. Guidance in the form of CAP 1574 has been developed in support of this ethos.

    CAP 1574 details twenty six cyber security controls as a framework for the regulation of cyber induced risks within the aviation industry, both in respect of aviation safety and economic resilience. CAP 1574 will be subject to periodic review and revision to take account of changes in regulations, feedback from industry, and nationally and internationally recognised best practice.

    This framework is published for use by industry and to support the CAA’s regulatory cyber oversight. Its purpose is twofold:

    • To guide industry in implementing effective cyber security initiatives that positively influence security-induced aviation safety and economic risks;
    • To provide a common structure for the regulatory oversight of cyber based on existing standards.

    The CAA has reviewed the evidence obtained from a series of studies into the security of the aviation and other industries, and has engaged in cyber workshops with some of leading organisations that provide aviation and other services within the UK and overseas.  From this preparatory work, the CAA has been able to determine a set of cyber security control groups that are specifically focused on aviation safety, and has built these into a recognisable framework that can be cross-referenced to existing information security standards.

    This initial engagement has been followed up with cyber experts in the aviation industry to refine the framework, so that it will support the CAA’s developing approach towards cyber oversight.  CAP 1574 is also pertinent to meeting the needs of the NIS Directive that is expected to be implemented in the UK in the first half of 2018, but a different blend of compliance requirements will be used for inspections and audits.

    The CAA recognises that many organisations already make use of recognised international standards, and therefore the standards offer flexibility in demonstrating how each particular component of the standards framework can be met.  Whilst CAP 1574 provides some example references to existing international standards for information security, these are not mandated as there may be alternative ways of demonstrating adherence with each particular aspects of vulnerability covered by the standard. What is more important is that the framework establishes the standard practice for regulating cyber security in a way that is focussed on the specific benefits to aviation’s resilience.

    CAP 1574 is intended to provide guidance on how organisations might wish to plan their cyber programmes, it should not be regarded as a new framework that all organisations are required to follow. The CAA aims to achieve proportionate regulation that allows organisations to exploit the benefits of new technology in a manner that ensures that risks are being appropriately managed. The use of recognised international standards for information security is encouraged, but organisations are free to use their existing schemes for cyber security, as long as it can be demonstrated that they provide adequate protection against the vulnerabilities identified in the standards.

    This is one important component of the CAA’s approach to cyber security in aviation.  CAA will set out shortly how it plans to include cyber into its regulatory oversight functions and hold entities to account for managing their cyber risks in accordance with both EASA and Network and Information Services Directive requirements.

    Enquiries should be addressed to cyber@caa.co.uk