Europe pushes Cybersecurity rules for airlines and aviation supply chain

New requirements apply to the aviation supply chain, including plane manufacturers, airlines and weather data providers. New cybersecurity rules in Europe will for the first time require a swath of aviation suppliers to identify and defend against hacking risks to flight safety.

The new rules, which take effect in 2025, will apply to a range of air transportation companies, including manufacturers, airlines, airports, flight training schools, caterers and weather data providers. Companies also will be required to create a governance system that assigns an individual to be responsible for making sure problems are documented and addressed.

“It’s a huge increase of the workload,” said Robert Baltus, chief operations officer at the European Business Aviation Association, a Brussels-based group representing more than 700 companies including Shell Aircraft, which operates aircraft for Shell PLC, and Volkswagen AirService, an airline that runs business jets for Volkswagen AG.

National aviation regulators will oversee compliance with the rules.

Many companies in the aviation industry already fall under separate EU cybersecurity rules that require them to implement basic security measures and report cyberattacks to national cybersecurity authorities.

The European Union Aviation Safety Agency, known as EASA, the EU body that drafted the rules, said the regulation aims to address potentially dangerous cyberattacks, such as an aviation design company’s engineering files falling into the hands of hackers, or blueprints being modified or corrupted.

France-based plane manufacturer Airbus said the new regulation will require it to adjust some of its processes.

“The requirements of this regulation are definitely demanding,” an Airbus SE spokesman said in a statement. The plane maker will need to adjust some of its processes, such as assigning a person to oversee the system, he said.

Regulators in the U.S. also are stepping up cyber rules for the aviation sector. The Transport Security Administration said in October it would introduce new cybersecurity requirements for some parts of the aviation industry. The agency already requires airline and airport operators to do cybersecurity assessments and appoint a cyber coordinator.

Last month, the Russian-language hacker group known as Killnet took credit for low-level denial-of-service attacks on the websites of several U.S. airports, including New York’s LaGuardia and Los Angeles International, which temporarily disrupted their websites but didn’t affect operations or flights.

One of the challenges for some smaller or medium-size companies will be finding cybersecurity staff who understand the specific technologies and requirements for security aviation systems, said Thomas Hutin, senior managing director in the Paris office of FTI Consulting.

Companies across industries are struggling to find cybersecurity staff to fill the more than 3 million jobs that are estimated to be open worldwide in the field.

“Whether or not all affected stakeholders have the in-house capabilities and expertise to manage this transition is a risk,” said Nick Rhodes, head of operations, safety and infrastructure at the European Regions Airline Association, whose members include airlines and manufacturers such as Airbus and Boeing Co.

Costs to set up the systems required by the regulation could be high, he said.

Companies will need to appoint or hire staff to oversee the system tracking and reporting cyber threats, train employees to use it, and in some cases buy new cyber tools, Mr. Baltus said.

EASA said the regulation has to cover a web of suppliers because the aviation industry is so interconnected. A cyberattack could target one company but could damage customers and suppliers.

“If you have a small company that has a risky business for others, you can’t duck out because you’re small. You have to take responsibility for the risk you’re exposing others to,” said Jean-Paul Moreaux, the agency’s principle coordinator for aviation cybersecurity.

https://www.wsj.com

Share