• Rationale

    Because aviation systems are progressively more interconnected, the aviation industry has to remain aware of cyber threats, both direct and indirect, whether they arise from deliberate attacks or from reckless or negligent behaviour. The risk profile is dynamic: attackers (people, artificial intelligence systems or self-replicating malware) are always looking to exploit vulnerabilities and can quickly develop new ways of breaching cyber security.

    This means that aviation entities need protection that adapts as the threat changes, which in turn requires that the CAA’s cyber strategy keeps pace with the main trends in vulnerabilities and attacker intent and is reviewed regularly.

    The vision for the CAA Cyber programme is to enable all aviation industry stakeholders to exploit the benefits of cyberspace without compromising aviation safety both now and in the future.

    Outcomes

    • A proportionate and effective regulatory framework for mitigating the risks to UK aviation from cyber incidents, creating a cyber-resilient UK aviation system.

    • A UK aviation system that benefits from the advantages of networked communications and services without being impeded by cyber threats.

    • Mechanisms in place to promote the sharing of aviation cyber security knowledge, skills and capability.

    • A common understanding between all aviation stakeholders of cyber threats, vulnerabilities and risks, supported by a set of accepted standards, advice and guidance.

    Actions

    Ensure a cyber regulatory/policy framework which:

    • Defines CAA’s responsibilities for cyber security under existing EU/UK/international regulations;
    • Provides a process for continuous review of new cyber standards, assurance and cyber management activities for in-scope aviation entities;
    • Understands how these standards, assurance and cyber management activities align with the legal obligations specified in strategic priority one, and where gaps exist;
    • Identifies key structural cyber vulnerabilities in the UK aviation system, particularly around interfaces between different entities;
    • Develops industry relationships to inform our work; and
    • Integrates with our regulatory regime: the Safety Management System (SMS), Performance Based Oversight (PBO) and the Regulatory Safety Management System (RSMS); defines what training is required; and sets out a decision process for focusing compliance and oversight activities.

    For further information on cyber security and cyber incident management, contact: