Shift from prescriptive processes to more effective and efficient performance-based cyber security oversight processes by the UK CAA.
Cyber security risk profiles are dynamic, meaning those with malicious intent can quickly develop new ways of breaching cyber security. Prior to October 2019, the UK CAA cyber security audit used a prescribed questionnaire to assess compliance of the UK industry with the regulations. The regulated entities were subject to five to six audits, having their cyber security assessed under different operational activities, often duplicating tasks across operational functions. The process was time-consuming for both the regulated entities and the regulator. The risk self-assessment did not reflect requirements specific to the entities and did not encourage proactive evaluation and preparation for potential threats. To keep pace with the changing threat landscape and promote awareness of direct and indirect cyber security threats, the UK CAA embarked on re-envisioning its existing cyber security oversight.
The UK CAA had to develop a new cyber security oversight process that was consistent across different scopes and applicable to aviation organisations of varying size and complexity. It was essential to change the prescriptive principle of the existing oversight to enable the industry entities to manage their cyber security risks effectively, so that they could detect cyber security incidents and minimise their impact, protecting their organisation, staff and clients.
As part of the cyber security assessment process, aviation organisations must be able to determine and document all critical systems. At the time, no methodology existed to determine critical systems across operational functions. This led to additional work, as entities assessed everything that was mandatory or that they thought was critical.
The entire cyber security oversight process needed to become more efficient and effective for the regulated organisations and regulator.
Working closely with the Department for Transport, industry and the National Cyber Security Centre, the UK CAA reformatted and amended the core Cyber Assessment Framework (CAF) to create the CAF for Aviation. The new framework harmonised all cyber security requirements across different regulatory scopes (safety, security, resilience) into one comprehensive cyber security framework, which became applicable to aviation organisations of different size and complexity.
The new framework aligned with the existing UK CAA performance-based oversight processes, encouraging the aviation organisations to manage their own risks with a focus on relevant, real incidents, enabling proactive assessment of existing barriers and control levels.
The UK CAA Cyber Security Oversight Team, in close collaboration with industry, introduced guidance on how to identify critical systems, with a focus on those elements that would impact flight safety.
The UK CAA integrated cyber security assessment processes across all operational functions into one, leading to one process for aviation organisations to meet their regulatory cyber security requirements and assess their level of protection against relevant threats.
The Authority decided to outsource cyber security audits to increase efficiency and transparency, using the Qualified Entity model. The CAA partnered with an accreditation and certification body to create an accreditation scheme enabling aviation organisations to access accredited cyber security auditors. To ensure compliance with the Cyber Security Oversight Process CAP1753, the Authority gives final compliance approval.
The new proportionate and effective approach to the cyber security oversight enabled the aviation organisations to manage their cyber security risks without compromising aviation safety, security or resilience.
Clear guidance on how to determine critical systems led to a reduction in the scope of work for regulated entities, enabling them to focus on and enhance the systems relevant to their specifications. This guidance was later adopted by the EU Commission into its new Cyber Security Guidance.
The cyber security oversight process became more efficient and less time-consuming by removing duplication during the self-assessment stage and by facilitating the evaluation of the cyber security regime through a single audit.
Outsourcing auditing to accredited companies brought economic benefits for industry, allowing them to choose from a large pool of competing auditors. The Authority benefitted from time savings, allowing the UK CAA cyber security experts to concentrate on improvements to cyber security oversight.
For more information on our cyber security oversight assistance, please contact Kevin.Sawyer@caa.co.uk
- Development of Cyber Assessment Framework for Aviation
- Implementation of a proportionate and effective approach to cyber security oversight
- Introduction of guidance to determine critical systems, later adopted by the EU Commission
- Increased efficiency during the entire cyber security oversight process
- Enabling economic benefits to regulated entities
- Enabling time-saving benefits for the regulator