Cybersecurity

Hi Vasileios, do you know if there are any plans to open a "consultation window" for ED-ISMS?

How can I join ?

A couple of years ago, at the 2022 FAA/EASA Intl Aviation Safety Conference in Washington, Larry Grossman (Senior Advisor, Cybersecurity & Privacy Services, FAA) presented an interesting slide that showed that EFBs are the only critical aspect of the aircraft where FAA performs little to no oversight/certification activity. Luc Tytgat (then Director, Strategy & Safety Management, EASA) stated that the (then upcoming) EU Part-IS (ISMS) will require EU operators to manage infosec risks for all their ops including for EFBs. At this year's conference, FAA said that their EFB Security Program requirements already covers Part 121 operators and their upcoming aircraft cybersecurity rulemaking will cover similar threats and objectives as EU's Part-IS for the rest, but they stayed hush about how they would reach those objectives. And while certain accountable executives at the EU operators have the security accountability, the reality is that pilots are the day to day users of those EFBs and they might never realize there's a vulnerability or threat until the accountable executive orders comprehensive app auditing and pen-testing. Think about it... A small non-commercial European operator might have less than a handful of aircraft and a dozen or so pilots, so they might not have the financial or human means to perform extensive pen-testing of all their EFB apps used by all their pilots. Practically speaking, this will be the greatest challenge, because the use of EFB apps is pretty ubiquitous nowadays (try taking the EFB away from a pilot and counting to 10, and see what happens).