British Airways (BA) has appeared in the news recently because data of around 500,000 customers has been stolen from their website and mobile app, and this has led to the Information Commissioner’s Office (ICO) in the UK handing them a potential fine of £183.4million (GBP) under the General Data Protection Regulation (GDPR). This is a fine of approximately 1.5% of their worldwide annual turnover, with the maximum fine being 4% of annual turnover (or around £18million, whichever is greater).
nis Directive WITHIN AVIATION
At the same time as GDPR came into force across the EU, The NIS Directive also came into force (somewhat drowned out by the GDPR noise, unsurprisingly). The NIS Directive requires organisations within Critical National Infrastructure, including transportation networks such as aviation, to embed a particular level of cyber security and incident response planning throughout the entire organisation from engineering operations and IT, through to board level.
In the UK, the National Cyber Security Centre (NCSC) which is the public-facing cyber security division of GCHQ, released the Cyber Assessment Framework (CAF) to address the minimal requirements critical national infrastructure must adhere to in order to be compliant enough for the regulation. It was the CAF that was the initial framework of our Profile software. Audits against the CAF are then checked by the regulators for the different sectors.
For the aviation sector in the UK, the NIS Directive regulation still applies, and the Civil Aviation Authority (CAA) is the organisation charged with ensuring that aviation organisations within the UK are complying with that regulation. They, however, are currently not using the NCSC CAF but are using their own framework entitled “CAP 1574: 26 security controls for regulation.”
It is with pleasure that we announce full support of CAP 1574 in the Profile product by Awen Collective, meaning that we make the whole process of helping aviation organisations within the UK comply with the NIS Directive, enabling them also to track their scores over time and assist them with making improvements.
Within the aviation sector, the regulation and the framework should apply to all organisations that own or operate: aircraft, airlines, airports, airspace management and aviation security. The NIS Directive also states that suppliers to these organisations should also have the same or greater levels of cyber security.
Building Automation and Control within Aviation
Aviation sector organisations have to consider the cyber security of their facilities, including their buildings - both private and public-facing, including airports. These buildings are increasingly being fitted with digital networks and internet-connected devices. These devices are often sensors but in some cases they are controllers and actuators (something that makes a physical change). Examples include Heating, Ventilation, Air Conditioning (HVAC); elevators, escalators and travelators; physical access systems (such as key cards or biometric scanners); bag checking systems; fire alarms and so on.
These systems generally come under the category of Building Automation & Control (BAC), and it is with pleasure that we announce that our product Dot supports protocols for BAC, including BACnet. With our software, organisations within the aviation sector will be able to perform automated asset and vulnerability discovery, leading to a greater understanding of risk and the mitigation of that risk. Dot will not only help to improve safety and security within an aviation organisation, but will also help to save money as budget can be correctly allocated to any security concerns before an incident happens. Dot will also help aviation organisations to achieve various components of the CAP 1574 and the Cyber Assessment Framework, in particular those compliance points related to Asset Management, Risk Management, Secure Configuration, Network Segregation, Security by Design, Vulnerability Monitoring and Knowledge Sharing.
This is the first in a series of a series of blog posts about the cyber security of Building Automation and Control (BAC) and Building Management Systems (BMS).