Blog: Aviation Cyber Security

ASSURE Aviation Cyber Security Testing

Ken Munro 30 Jan 2020

We’ve long been supporters and champions of a formalised approach to Aviation Cyber Security Testing. Our research and blogging has taken us on an interesting journey regarding airside and landside security, mapping attack surfaces and explaining how systems work and interact.

Speaking and exhibiting at conferences and events like DEF CON’s Aerospace Village, the Aviation ISAC, and the upcoming RSA 2020 has also allowed us to both promote good practice and share ideas and knowledge with other leaders in the field.

It’s been a while in the pipeline but CREST and the CAA have unveiled the ASSURE aviation cyber security testing scheme, which we are proud to be one of the first accredited providers. It also helps that we have experience of highly structured, long, engagements such as GBEST/CBEST.

ASSURE differs from what has gone before in that it has provision for OT as well as IT, so ICS/SCADA for e.g. airport lighting and baggage handling, as well as aircraft maintenance.

To give you a better understanding here’s a transcript of CREST’s president Ian Glover talking about the ASSURE scheme:

I’d just like to give you a little bit more of an update in terms of some of the work we’re doing with the CAA, related to their new scheme called Assure. The Assure programme is designed to look at the NIS directive and also the Cyber Assessment Framework the operates within the aviation industry and pull those together to provide some level of assurance to the regulator that the aviation community is acting in an appropriate fashion in relation to cyber security related issues.

The process that the Assure programme goes through is an initial questionnaire is sent out to organisations that are under the regulated scheme. They would provide a response back, and that response is in two formats. One relates directly to the NIS directive, and the other relates to the Cyber Assessment Framework operated by the CAA. The idea that the CAA has then got is that external organisations, suitably accredited organisations, and suitably qualified individuals then validate the responses that are provided to the regulator, and that validation is provided by the regulator and then the regulator makes a final decision on whether or not there is an appropriate level of security in place to protect the organisation or the services that are being provided.

I think this is probably one of the most mature approaches to looking at the NIS directive in particular that we’ve seen through all of the regulators that we’re working with in these particular areas, and I think it’s a really sensible scalable approach that will provide a consistent set of results that can be utilised by the regulator to actually get a good understanding about the level of maturity within the aviation industry.

There’s an awful lot of other industries that fall under the NIS directive that are also very interested in this work and its my belief that the principles associated with this scheme will be extended into other domains.

From a company perspective, so from a CREST member company perspective, then the criteria is set by the CAA in terms of what the minimum requirements are and CREST undertakes that accreditation process on behalf of the CAA. The CAA have final sign-off in terms of whether or not an organisation is fit for purpose. We then combine that together with qualifications, and the qualifications fall into three specific areas.

The first is technical security, and a lot of the existing CREST technical qualifications fall into that particular bracket. We then look at audit, and we’re looking at organisations that have got access to 27001 lead auditors with a technical competence. Then the third is looking at IT OT, so in other words looking at the operational environments as well as the IT environments.

The organisation must demonstrate that its got capability in all of those three areas. The reason for doing that is the evidential artefacts that are provided to provide justification that the NIS directive and the questionnaire has been completed correctly fall under those three brackets. In other words, each of those evidential artefacts needs to be signed-off by a combination of all of those three or individuals- so from a technical security perspective, from an audit perspective, or from an IT OT perspective. Again, I think that combination of providing different skill sets is a really appropriate and mature approach to taking levels of assurance within this particular domain.

I think this is much stronger than just using a technically competent individual or using somebody who is very experienced in terms of audit. The combination of those elements together make it a much stronger approach, and the inclusion of IT OT also allows us to expand out into other operational areas, all falling under the CNI, so again I believe that the model for this particular area under the Assure programme can be easily rolled-out to other areas of CNI in a very controlled way.

I think the CAA have been excellent in terms of the way they’ve gone about this process. It’s been mature, timely, and we’ve made really good progress in what I think is a relatively short time scale. They’ve involved everybody from the community from a CREST perspective that work really well with us to look at the accreditation of the companies supplying those services and also the individuals that hold qualifications in either technical security, audit, or IT OT. The combination of those two again, pulling those together in an overall scheme has been operating extremely well and we can really look forward to the launch in January 2020 as the programme starts to roll-out to different areas within the CAA regulated environment.

Coming back to the role of the CAA again I think the community has got together extremely well. They have involved the suppliers, they have involved the buying community, and they’ve involved the regulators, as well as putting together the elements of both the NIS directive and the CAF. I think pulling all of those communities together and spending the time to make sure that people understand the process, making sure there’s good policies processes and procedures are in place to actually enable this to be put into place in a structured and efficient way. I think its been extremely good.

I really look forward to seeing the output from some of the initial trials that will be running early in 2020. Gradually what we’ll do is be maturing the overall process based on the lessons learned from the early implementations.

From my perspective the Assure process is one of the most mature we’ve seen in the NIS directive, and I think this is the approach that should be taken by other areas in the CNI. What we’ve tried to do with the CAA is to make sure that there’s a generic set of policies, processes, procedures, and implementation guides that we can pull together to make that really easily implementable by other areas of the CNI.

I also believe that domestically in the UK this is a fantastic opportunity for member organisations to provide the services but again because the NIS directive goes much broader and there are similar initiatives in other parts of the world that lessons we learn from this can be easily implemented into other domains.