Cybersecurity in Aviation SMS

What Is Cybersecurity

The aviation industry relies heavily on computers for every touchpoint of aviation service, from ground to flight operations. Cybersecurity is a term that refers to the safety of such computer systems – it is also called info-security. If nefarious individuals were able to get access to some of your computer systems, they could pose a catastrophic threat to flight operations.

In general, when we talk about cybersecurity we are referring to

• Who has access to information;
• Who has access to different computer systems; and
• How information is safely and securely communicated through communication channels in your organization.

Because computers are fully integrated into the most sensitive and risk-prone aspects of flight services, all aviation service providers need to be deeply concerned with the cybersecurity practices of their organization.

Threats come from individuals called hackers. Hackers may try and compromise your computer systems, data, access, and safety instrumentation. They may do this from outside your organization, or they may try it from within your organization.

How Cybersecurity Affects Aviation Safety

Cybersecurity in aviation affects areas of flight operations that you would expect, but others that you might not expect. Basically, any area of flight operations that is non-mechanical has cybersecurity implications.

Some ways cybersecurity affects aviation safety are:

• Communication between aircraft and flight control;
• Check in;
• All security scanning devices;
• Any aspect of your service that uses the internet;
• Any aspect of your service that uses a computer, such as a check-in;
• Flight controls;
• Aircraft sensors;
• Any software;
• Baggage scanning devices.

The list could go on and on. Just consider how devastating it would be if a hacker gained access to any sensors on an aircraft. Cybersecurity affects aviation safety in nearly every way it possibly could.

Related Aviation Safety Articles

• Transparency and Aviation Safety Data Security - User Roles SetUp
• What Are Safety Objectives in Aviation SMS – with Examples
• What Should Your Aviation Safety Culture Look Like [Free Checklists]

Should Cybersecurity Be a Part of Your Aviation SMS

Whether or not cybersecurity should be a part of your aviation SMS is a tricky question. The best answer is not the guidance you are probably looking for: it depends.

On the one hand, cybersecurity is an intimate part of safety. On the other hand, aviation safety managers aren’t cybersecurity experts. How much your info-security system and your safety management system are integrated is something your organization will have to work out. Maybe your cybersecurity system is a part of your SMS, or maybe it is a separate entity.

Regardless of whether they are fully integrated or not, info-security and safety teams should work closely to ensure that:

• Goals of their cybersecurity and safety management align;
• Cybersecurity processes and procedures are built into safety processes and procedures;
• Aviation safety training regimens includes cybersecurity awareness training; and
• Safety managers can assign an IT expert to cybersecurity issues should they be reported.

So to get back to the original question, should cybersecurity be a part of your aviation SMS, the short answer is definitely. The long answer is, it depends. Larger organizations may need more separation between safety and cybersecurity teams, whereas smaller organizations may have full integration between the two.

Who Is Responsible for Info-Security

As said, though cybersecurity is an important facet of SMS, safety managers are not the subject-matter experts who should be responsible for cybersecurity. A designated IT manager or cybersecurity expert should be responsible for developing and managing:

• Cybersecurity controls; and
• Stance on cybersecurity (called “security posture”).

That being said, the safety manager may ultimately be responsible for the safety of the entire organization, of which cybersecurity is a significant part. Your safety manager should work closely with the cybersecurity manager to facilitate safe operations.

Who Is Ultimately Responsible for Cybersecurity

Ultimately it is the responsibility of the accountable manager of your SMS to ensure that:

• The organization has a stance on cybersecurity (i.e., a security posture)
• The organization has a dedicated cybersecurity professional, such as an IT manager, to manage cybersecurity;
• The relationship and expectations of SMS and cybersecurity are clear; and
• SMS teams and cybersecurity teams are working closely to facilitate safe operations.

Have your cybersecurity controls built into your SMS with aviation SMS software.

Last updated December 2023.