What is the Position Regarding the Use of GSM Mobile Phones to Comply with EASA ISMS requirements?
Specific Exposures and Threat Scenarios
Malware/Ransomware Initial Access (Exploitation via device)
• General Ransomware Campaigns: Ransomware actors often gain initial access through phishing campaigns targeting aviation employees or by exploiting exposed VPN/RDP servers.
• Mobile devices are the primary target for phishing/social engineering attempts.
• Ransomware group LockBit demanded $200 million from Boeing in 2023.
• Attacks on airport systems (e.g., Kuala Lumpur International Airport, 2025) have shut down systems for over ten hours, forcing staff to use manual procedures.
Introduction
The use of mobile devices, including GSM phones, by employees for business activities falls directly under the scope of an Information Security Management System (ISMS) as required by EASA's Easy Access Rules for Information Security (Part-IS).
Note - Even though Part-IS does not explicitly focus only on mobile devices, the potential for these devices to introduce information security risks with a potential impact on aviation safety means they must be addressed by the organisation's ISMS.
Impact on ISMS Requirements
The use of personal or company-provided mobile devices for work, particularly those like GSM phones that enable access to information, systems, or data, impacts several critical components of the ISMS:
• Asset Identification: The mobile device (GSM phone) itself, along with the data and systems accessed through it, must be identified as elements exposed to information security risks.
• Risk Assessment: The use of these devices introduces threat scenarios (e.g., unauthorised access, loss, theft, malware injection) that must be assessed for their potential impact on aviation safety.
- The use of personal devices (Bring Your Own Device - BYOD) introduces even greater complexity and risk that needs to be managed.
• Risk Treatment: Measures must be implemented to manage unacceptable risks stemming from mobile device use, such as:
- Implementing access controls and encryption to protect information assets stored on or accessible from the devices.
- Applying Mobile Device Management (MDM) solutions for secure operations, including remote content security, remote locking, and restricting access to only approved apps and functionalities (e.g., using kiosk mode in dedicated operations).
Notes Ref Kiosk Mode -
• Personnel Requirements: Personnel using these devices must be aware of and acknowledge their information security responsibilities as defined in the ISMS policy, especially when using devices in public or insecure places.
• Incident Management: The devices can be targets for cyber threats. The ISMS must include measures to detect, respond to, and recover from incidents involving these devices that could affect aviation safety. This includes the ability to remotely wipe data if a device is lost or stolen.
Steps to be Taken and Management Criteria
The organisation should manage the use of mobile devices by:
- Defining a Policy: Create a specific policy on user endpoint devices (including GSM phones/mobile devices) that outlines the secure configuration, permitted business/personal use, physical protection requirements, and user responsibilities.
- Risk-Based Approach: Conduct a formal risk assessment of mobile device use, considering the following criteria:
>>The type and sensitivity of information that can be processed, stored, or accessed on the device.
>>The potential for the device to introduce risks to safety-critical systems or data.
>>The use of Bring Your Own Device (BYOD), which necessitates technical measures for separating business and personal data, and user consent for remote data wiping.
- Implementing Controls: Implement practical and proportionate information security controls, such as:
>>Encryption and strong passwords/technical measures to protect the device when not in use.
>>Authentication methods (e.g., multi-factor authentication) for accessing sensitive data.
>>Secure configuration of wireless connections.
>>Procedures for the physical security of devices, especially in public areas.
- Training and Awareness: Promote the ISMS and the mobile device policy through mandatory training and awareness sessions to ensure personnel understand the risks and their duties.
- Incident Response: Integrate mobile devices into the incident detection and response plan, establishing procedures for:
>>Monitoring and real-time threat detection (Mobile Threat Defense tools).
>>Containment actions in case of compromise.
>>Remote management actions like locking or wiping data if the device is lost or compromised.
Next Steps
Please visit Sofema Online and Sofema Aviation Services or email team@sassofia.com