EU Regulations 2023/203 and 2022/1645 present a comprehensive framework for classifying cybersecurity incidents and defining appropriate response levels under the scope of IS.I.OR.220 and IS.D.OR.220.
These rules ensure that both regulated organisations and authorities detect, assess, and manage cybersecurity events in a way that preserves aviation safety.
Incident Classification: Risk-Based and Function-Oriented
Rather than using rigid, pre-defined tiers, the classification of cybersecurity incidents is built on a risk-based approach.
• Incidents are assessed based on their potential to materialize into unacceptable risks that may affect safety.
• This includes both actual occurrences (i.e., events that cause harm or disruption) and the discovery of exploitable vulnerabilities, which are treated as information security events due to their potential to lead to harm.
Key elements considered in classification:
• Impact on Safety: Whether the affected asset contributes directly or indirectly to aviation safety, considering its place in the functional chain (e.g., end system vs support function).
• Deviations from Baselines: Incidents are flagged if they deviate from either the functional baseline (expected system performance) or the security baseline (expected operation of security controls).
• Detection of Abnormal Behaviour: Events are classified higher if multiple correlated anomalies are detected, suggesting a coordinated attack or system compromise.
Incident Response Levels and Escalation Criteria
Response actions are tailored to the assessed severity and urgency of the incident. The regulations outline three core areas of incident management:
• Detection
• Response
• Recovery
Detection (IS.I.OR.220(a), IS.AR.215(a))
Organisations must deploy continuous monitoring systems to detect cybersecurity incidents and vulnerabilities.
• Detection strategies should be aligned with identified threat scenarios and asset criticality, ensuring coverage of all systems that could propagate to a safety-impacting event.
• Detection includes both real-time alerting (warnings) and vulnerability discovery.
Response (IS.I.OR.220(b), IS.AR.215(b))
The response phase involves taking active measures to contain, mitigate, and understand the incident. This includes:
• Triggering predefined response plans based on alert thresholds.
• Containment strategies tailored to asset types and worst-case scenarios.
• Assessment of acceptable safety degradation, ensuring that emergency responses do not compromise operational safety.
• Prioritized intervention based on risk pre-triage and estimated impact if the vulnerability or incident fully materializes.
The response time must match the potential severity of the incident. If there is a possibility of high or immediate safety impact, rapid containment is mandatory—even before the full root cause is confirmed.
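The classification criteria above (safety contribution of the asset, deviation from the functional or security baseline, correlated anomalies, and vulnerabilities treated as events in their own right) and the risk pre-triage that decides which events escalate to a response can be expressed as a small scoring routine. The following Python is an added illustration, not the regulation's own method or Sofema's material: the weights, thresholds, level names, field names and the sample events are all assumptions chosen to make the logic concrete.

```python
"""Added example: risk-based pre-triage of information security events.

Illustrative code only. Weights, thresholds, level labels and field names
are assumptions, not values taken from EU 2023/203 or 2022/1645.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Response levels, ordered from least to most urgent (assumed labels).
LEVELS = ("monitor", "respond", "contain_immediately")

# Assumed weighting of the asset's place in the functional chain.
SAFETY_WEIGHT = {"direct": 3, "indirect": 2, "none": 0}


@dataclass
class SecurityEvent:
    asset: str
    safety_role: str                # "direct", "indirect" or "none"
    functional_deviation: bool      # deviates from the functional baseline
    security_deviation: bool        # deviates from the security baseline
    is_vulnerability: bool = False  # exploitable weakness, no harm observed yet
    anomaly_tags: list = field(default_factory=list)


def risk_score(ev: SecurityEvent, correlated: bool) -> int:
    """Score an event by its potential to become an unacceptable safety risk."""
    score = SAFETY_WEIGHT[ev.safety_role]
    if ev.functional_deviation:
        score += 2
    if ev.security_deviation:
        score += 2
    # A discovered vulnerability counts as an event even when nothing has
    # gone wrong yet; it scores lower than an actual baseline deviation.
    if ev.is_vulnerability and not (ev.functional_deviation or ev.security_deviation):
        score += 1
    # Several correlated anomalies on one asset suggest a coordinated attack
    # or a compromise, so the event is classified higher.
    if correlated:
        score += 2
    return score


def response_level(score: int) -> str:
    """Map a risk score to a response level (thresholds are assumptions)."""
    if score >= 7:
        return "contain_immediately"
    if score >= 4:
        return "respond"
    return "monitor"


def triage(events):
    """Return the highest response level required for each asset."""
    by_asset = defaultdict(list)
    for ev in events:
        by_asset[ev.asset].append(ev)
    result = {}
    for asset, evs in by_asset.items():
        # Correlation: two or more distinct anomaly types seen on the same asset.
        tags = set()
        for ev in evs:
            tags.update(ev.anomaly_tags)
        correlated = len(tags) >= 2
        levels = [response_level(risk_score(ev, correlated)) for ev in evs]
        result[asset] = max(levels, key=LEVELS.index)
    return result


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    SecurityEvent("flight-planning-gw", "direct", False, True, anomaly_tags=["failed_logins"]),
    SecurityEvent("flight-planning-gw", "direct", True, False, anomaly_tags=["cpu_spike"]),
    SecurityEvent("hr-portal", "none", False, True, anomaly_tags=["failed_logins"]),
    SecurityEvent("acars-gateway", "direct", False, False, is_vulnerability=True),
]

if __name__ == "__main__":
    for asset, level in triage(SAMPLE_EVENTS).items():
        print(f"{asset}: {level}")
```

With the constructed events, the gateway that contributes directly to safety and shows two correlated anomalies alongside a security-baseline deviation is escalated to immediate containment, the unpatched direct-safety asset gets a planned response, and the non-safety portal with a single anomaly is only monitored. In a real deployment the weights and thresholds would come from the organisation's own risk assessment and threat scenarios, and the correlation step would draw on the monitoring systems rather than on hand-tagged events.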
Recovery (IS.I.OR.220(c), IS.AR.215(c))
The recovery phase aims to return the system to a safe and secure state. Key elements include:
• Predefined recovery objectives and timelines, based on asset safety criticality.
• Prioritized restoration of services and functionalities essential to aviation safety.
• Emergency measures may be applied immediately but must be risk-assessed and justified if they introduce temporary degradation.
• Proactive contracting of recovery services with third parties to ensure readiness.
Note - Recovery is not merely about restoring operations but must also address documenting residual risks and ensuring they are accepted at the appropriate level of accountability.
Key Takeaways for Cybersecurity Risk Management in Aviation:
• Incidents are classified based on risk potential and system impact, not just on surface-level severity.
• A triage process helps determine which incidents escalate to full response and which can be monitored.
• Detection and containment must be timely and may include deceptive security strategies.
• Recovery plans should be in place before an incident occurs and must include resource allocation and timing tailored to safety priorities.
• The framework encourages continuous improvement by requiring a response not just to incidents, but also to vulnerabilities and findings by authorities.
Next Steps
Sofema Aviation Services and Sofema Online provide Information and Cyber Security Regulatory Training as Classroom, Webinar and Online Training – Please see the websites or email team@sassofia.com.