Sofema Aviation Services (SAS) explores how aviation organizations can effectively incorporate cybersecurity within their Safety Management System (SMS) under EASA Part-IS regulations.
Understanding the EASA Part-IS Framework
EASA’s Information Security (IS) regulation aims to protect aviation from cyber threats that could compromise safety and business continuity. Key elements include:
• Risk-Based Approach – Operators must identify, assess, and mitigate cybersecurity risks.
• Integration with SMS – Part-IS mandates alignment with SMS to create a unified safety and security risk management system.
• Governance & Compliance – Clearly defined responsibilities, oversight mechanisms, and accountability.
• Incident Response & Reporting – Mandatory reporting of significant cyber incidents impacting safety.
Challenges in Integrating Cybersecurity into SMS
While SMS is well-established, incorporating cybersecurity risks introduces complexities:
• Different Risk Domains – SMS focuses on operational risks (e.g., human factors, technical failures), while an ISMS (Information Security Management System) addresses cyber threats (e.g., ransomware, phishing, data breaches).
• New Stakeholders – Cybersecurity involves IT teams, security officers, and external agencies, whereas SMS mainly includes operational safety personnel.
• Different Risk Management Approaches – SMS risks rely on root cause analysis, while cyber risks demand real-time monitoring and proactive threat intelligence.
To bridge these gaps, organizations must develop a structured integration model that harmonizes cyber risk management with SMS.
Strategies for Effective Integration
To align cybersecurity with SMS, organizations should:
• Expand SMS Scope – Explicitly include cybersecurity risks and adopt a unified risk management framework.
• Enhance Communication – Establish clear channels between safety and cybersecurity teams.
• Incorporate Cyber Risks into Safety Risk Registers – Record cyber hazards alongside safety hazards, and ensure safety personnel receive cybersecurity training.
• Implement Joint Risk Assessments – Evaluate cyber risks using aviation risk matrices that factor in both safety severity and cybersecurity threats.
• Evolve Governance Structures – Designate cybersecurity representatives within SMS review boards.
• Improve Awareness & Training – Many operational personnel lack cybersecurity knowledge, making education essential.
• Conduct Cybersecurity Drills – Integrate cybersecurity scenarios into traditional SMS safety exercises.
• Adopt Advanced Threat Detection – Implement real-time monitoring tools that feed into SMS dashboards.
Linking SMS with the Risk Assessment Process in Part-IS
Integrating SMS and Information Security Risk Management (ISRM) follows a risk-based approach encompassing identification, analysis, mitigation, and monitoring.
Step 1: Identify & Map Cybersecurity Risks in SMS
• Gap Analysis – Assess how cyber threats impact existing SMS elements.
• Align Cyber Risks with Safety Risks – Incorporate cybersecurity into Hazard Identification & Risk Assessment (HIRA).
• Define Cybersecurity Hazards – Examples include:
>> Unauthorized access to critical aircraft systems (e.g., avionics hacking).
>> Data integrity failures (e.g., maintenance record tampering).
>> Supply chain vulnerabilities (e.g., compromised third-party software).
>> Denial of Service (DoS) attacks on aviation networks.
Step 2: Establish a Unified Risk Assessment Process
Aviation organizations must assess both safety and cybersecurity risks using common risk evaluation principles.
Step 3: Define Governance for SMS & ISMS
• Appoint a Cybersecurity Focal Point – Assign responsibility within the Safety Management Team.
• Clarify Roles & Responsibilities – Define collaboration between SMS and cybersecurity personnel.
• Implement Shared Risk Governance – Conduct joint risk assessment meetings.
• Include Cybersecurity in SMS Safety Review Boards (SRBs) – Ensure cyber risks are formally reviewed.
Step 4: Integrate Cybersecurity into Safety Assurance & Continuous Improvement
• Expand Safety Audits – Include cybersecurity risk assessments.
• Link Cybersecurity Incidents to Safety Reporting – Integrate with Mandatory Occurrence Reporting (MOR).
• Enhance Personnel Training – Educate staff on the impact of cyber threats on aviation safety.
• Maintain a Cybersecurity Risk Register – Manage cyber risks alongside traditional safety risks.
Practical Implementation: Cyber-SMS Risk Model
A structured model ensures effective SMS-ISMS integration:
- Identify Overlapping Risk Areas – Focus on avionics cybersecurity, maintenance data security, etc.
- Develop a Unified Risk Scoring System – Combine operational and cybersecurity risk assessment.
- Leverage Real-Time Cybersecurity Data – Integrate monitoring tools into SMS decision-making.
- Adopt Advanced Risk Assessment Models:
>> Boeing MEDA (Maintenance Error Decision Aid) + Cyber Threat Modeling.
>> Bowtie Model – Links cyber incidents to aviation safety failures.
>> FAIR (Factor Analysis of Information Risk) methodology.
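The unified risk scoring the model above calls for, as an added example (not a tool from Sofema, EASA or ICAO): each cyber hazard carries the worst credible safety severity from the SMS side and an attack likelihood from the ISMS side, and the pair is placed on an ICAO-style 5x5 matrix to give a risk index, a tolerability class and a Safety Review Board priority. The tolerability bands, the control-credit rule and the four register entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
# ICAO SMM conventions: severity A (Catastrophic)..E (Negligible), likelihood 5 (Frequent)..1.
SEVERITY_WEIGHT = {"A": 5, "B": 4, "C": 3, "D": 2, "E": 1}
# Tolerability bands assumed for this example (ICAO SMM example matrix); each
# organisation sets its own boundaries in its SMS manual.
INTOLERABLE = {"5A", "5B", "5C", "4A", "4B", "3A"}
ACCEPTABLE = {"3E", "2D", "2E", "1C", "1D", "1E"}


@dataclass
class CyberHazard:
    description: str
    safety_severity: str      # worst credible safety outcome (SMS input)
    threat_likelihood: int    # likelihood of a successful attack (ISMS input)
    control_credit: int = 0   # likelihood levels credited to existing controls

    def __post_init__(self):
        if self.safety_severity not in SEVERITY_WEIGHT:
            raise ValueError(f"severity must be A..E, got {self.safety_severity!r}")
        if not (1 <= self.threat_likelihood <= 5 and 0 <= self.control_credit <= 4):
            raise ValueError("threat likelihood must be 1..5, control credit 0..4")

    def residual_likelihood(self) -> int:
        # Controls reduce likelihood only; severity is fixed by the safety outcome.
        return max(1, self.threat_likelihood - self.control_credit)

    def risk_index(self) -> str:
        return f"{self.residual_likelihood()}{self.safety_severity}"

    def tolerability(self) -> str:
        idx = self.risk_index()
        if idx in INTOLERABLE:
            return "intolerable"
        return "acceptable" if idx in ACCEPTABLE else "tolerable"

    def priority(self) -> int:
        return self.residual_likelihood() * SEVERITY_WEIGHT[self.safety_severity]


def build_register(hazards):
    """Order hazards for the Safety Review Board: highest combined risk first."""
    return sorted(hazards, key=lambda h: (-h.priority(), h.safety_severity))


# Constructed sample entries based on the hazard examples in Step 1 above.
SAMPLE_REGISTER = build_register([
    CyberHazard("Unauthorized access to critical aircraft systems", "A", 2),
    CyberHazard("Maintenance record tampering", "B", 3),
    CyberHazard("Compromised third-party software (supply chain)", "B", 4),
    CyberHazard("Denial of service on an operational network", "D", 4, control_credit=1),
])
```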
Conclusion: Toward an Integrated Safety & Cybersecurity Model
• EASA’s Part-IS regulations require aviation organizations to embed cybersecurity within SMS.
• Aligning cybersecurity with SMS enhances holistic risk oversight.
• A harmonized risk framework strengthens both safety and cybersecurity resilience.
• Collaboration between safety and cybersecurity teams is crucial to achieving aviation security and safety goals.
Final Thought: The future of aviation risk management lies in fully integrated safety and security models, ensuring that SMS and ISMS work together toward aviation safety and resilience.
Next Steps
See the following 2-day course: Part 145 Cyber Security Implementation. For comments or questions, please email team@sassofia.com.
Join our exclusive webinar on Thursday, 6th March.