CAP1753 - The Cyber Security Oversight Process For Aviation


The Cyber Security Oversight Process for Aviation

CAP 1753
Published by the Civil Aviation Authority, 2020

Civil Aviation Authority


Aviation House
Beehive Ring Road
Crawley
West Sussex
RH6 0YR

You can copy and use this text but please ensure you always use the most up to date version and use it in
context so as not to be misleading and credit the CAA.

First published October 2019


Issue 2 – August 2020

Enquiries regarding the content of this publication should be addressed to: [email protected]

The latest version of this document is available in electronic format at: www.caa.co.uk/CAP1753
CAP 1753 Contents

Contents

Contents 3
1. Introduction 4
2. Background 5
3. Purpose 6
4. Roles and Responsibility 7
Department for Transport 7
Civil Aviation Authority 7
National Cyber Security Centre 7
Accountable Manager 8
Cyber Security Responsible Manager 8
ASSURE Cyber Suppliers 8
ASSURE Cyber Professionals 8
5. Applicable Regulation 9
6. CAP1753 – Cyber Security Oversight Process for Aviation 10
Step 1 - Engagement 11
Step 2 - Critical System Scoping 11
Step 3 - Cyber Self-Assessment 12
Step 4 - ASSURE Cyber Audit 12
Step 5 - Provisional Statement of Assurance 14
Step 6 - Final Statement of Assurance and Certificate of Compliance 15
7. Frequency 16
8. Notification of Cyber Security Change 17
8.1. Notification of Change of Cyber Security Responsible Manager 17
Annex A: Information Handling 18
Annex B: The CAA’s Regulatory Enforcement Approach (non-NIS) 19
Annex C: NIS Regulation 20
Annex D: DfT’s Stepped Enforcement Approach for NIS 21
Annex E: Good Practice 22

August 2020 Page 3



1. Introduction
Cyber security risk profiles are dynamic: attackers are continually looking to exploit
vulnerabilities and can quickly develop new ways of breaching cyber security. The aviation
industry’s progressively interconnected systems require the industry to maintain an up to
date awareness of both direct and indirect cyber security threats. The changing threat
landscape therefore calls for a proactive approach to cyber security, which in turn means
aviation organisations need protection that adapts as the threat changes.
Cyber security can be defined as:

“Cyber security refers to the protection of information systems (hardware, software and
associated infrastructure), the data on them, and the services they provide, from
unauthorised access, harm or misuse. This includes harm caused intentionally by the
operator of the system, or accidentally, as a result of failing to follow security procedures.”
UK National Cyber Security Strategy1 - The Cyber Security Body of Knowledge (CyBOK)2

The Civil Aviation Authority’s (CAA) cyber security oversight strategy must be reviewed
regularly in order to keep pace with these ever-changing cyber security trends.

The vision for CAA Cyber Security Oversight is:

“To have a proportionate and effective approach to cyber security oversight that enables
aviation to manage their cyber security risks without compromising aviation safety, security
or resilience.

To stay up-to-date and positively influence cyber security within aviation to support the
UK’s National Cyber Security Strategy.”

1
https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021
2
https://www.cybok.org/knowledgebase/


2. Background
The CAA’s approach to cyber security oversight has been harmonised and consolidated to
align with Better Regulation principles. This provides:

▪ consistency for aviation organisations;

▪ reduced duplication of oversight activity;

▪ assistance in targeting of cyber security regulatory activity; and

▪ improved transparency.

The CAA commits to broad and collaborative engagement with industry and key
stakeholders to continuously improve its cyber security oversight model.

Working closely with Department for Transport (DfT) and National Cyber Security Centre
(NCSC) the CAA has developed the Cyber Assessment Framework (CAF) for Aviation3. Like
the core CAF, the CAF for Aviation has been designed with scalability and consistency in
mind. This allows it to be applied to aviation organisations of varying size and complexity
whilst maintaining a consistent approach across different scopes including; safety, security,
and resilience.

The CAA and the Council for Registered Ethical Security Testers (CREST)4, a not-for-profit
accreditation and certification body, partnered to create an accreditation scheme
(ASSURE). This service enables aviation organisations to procure accredited cyber security
audit5 capabilities to audit their completed CAF for Aviation self-assessments6, where
applicable.

3
The CAF for Aviation is an aviation specific adaptation of the core CAF v3 produced by NCSC
4
https://crest-approved.org/index.html
5
Step 4 – ASSURE Cyber Audit
6
Step 3 – Cyber Self-Assessment for Aviation


3. Purpose
CAP1753 outlines the CAA’s approach to cyber security oversight, which includes:

▪ the CAF for Aviation;

▪ ASSURE Cyber Audit; and

▪ incorporation of cyber security oversight into existing CAA Performance Based
Oversight processes.

The Cyber Security Oversight Process for Aviation involves six key steps:

Figure 1: Cyber Security Oversight Process for Aviation (six steps shown as a cycle:
Step 1 Engagement; Step 2 Critical Systems Scoping; Step 3 Cyber Self Assessment;
Step 4 ASSURE Cyber Audit; Step 5 Provisional Statement of Assurance; Step 6 Final
Statement of Assurance and Certificate of Compliance)


4. Roles and Responsibility


The CAA has identified the following key roles pertinent to the Cyber Security Oversight
Process for Aviation.

Department for Transport


DfT is responsible for setting the strategic direction of cyber security policy and regulation
across transport, including Aviation. In relation to Network and Information Systems (NIS)7,
where the Secretary of State for Transport is the co-competent authority, the Cyber Team
in DfT will be responsible for NIS policy, identification thresholds, incident thresholds and
enforcement.

Civil Aviation Authority


The UK's specialist aviation regulator is responsible for ensuring that the aviation industry
meets the highest safety standards, that consumers have choice and value for money,
that they are protected and treated fairly when they fly, and that the aviation industry
manages security risks effectively. The CAA holds responsibility for cyber security
oversight for aviation and is co-competent authority with the Secretary of State for
Transport under NIS, with responsibility for the implementation of NIS in aviation and
post-incident investigation.

The CAA Cyber Security Oversight Team is responsible for all cyber security regulatory
activity within any of the CAA regulatory domains (for example Continuing Airworthiness,
Flight Operations, Aerodromes, Airspace, Air Traffic Management, and Aviation Security).

The team is also the first point of contact at the CAA for all questions and issues relating to
the cyber security oversight process for aviation and can be contacted at
[email protected].

National Cyber Security Centre


As the UK’s national technical authority for cyber security, the NCSC manages national
cyber security incidents, provides an authoritative voice and centre of expertise on cyber
security, and delivers tailored support and advice to departments, the Devolved
Administrations, regulators, and businesses. While having no regulatory responsibilities,
the NCSC is the Single Point of Contact (SPOC), and the Computer Security Incident
Response Team (CSIRT) under NIS.

7
http://www.legislation.gov.uk/uksi/2018/506/made


Accountable Manager
The Accountable Manager(s) is an individual or individuals designated by their aviation
organisation as the person(s) responsible to the CAA in respect of the functions which are
subject to regulation. It is expected that the role of Accountable Manager is held by an
individual who has corporate authority for ensuring that all operational activities can be
financed and carried out to the standard required by the CAA.

For cyber security accountability, individuals do not have to be the operational
“Accountable Manager” registered with the CAA but instead can be an equivalent board
member (e.g. Chief Information Security Officer, CIO, IT Director etc.) dependent on the
aviation organisation’s structure.

Cyber Security Responsible Manager


An individual who has been delegated responsibility for cyber security by the aviation
organisation’s Accountable Manager; they may have responsibility for specific areas of
their organisation (e.g. Head of Information Security, Safety Manager, Security Manager
etc.). The Cyber Security Responsible Manager ensures compliance with cyber security
regulations and is responsible for the management of cyber security risk exposure.

As a Cyber Security Responsible Manager, you will be asked to demonstrate the
appropriate competency for the post and, to enable the sharing of threat information, you
will need to hold the relevant security clearance8.

ASSURE Cyber Suppliers


ASSURE Cyber Suppliers are third party “Qualified Entities” that are subject to rigorous
and continuous accreditation processes in order to provide a cyber audit capability under
the ASSURE Scheme. The ASSURE Cyber Supplier must adhere to the ASSURE Code of
Conduct.

ASSURE Cyber Professionals


ASSURE Cyber Suppliers utilise ASSURE Cyber Professionals who hold appropriate
professional certifications and are accredited to conduct ASSURE Cyber Audits. The
accredited ASSURE Cyber Professionals must adhere to the ASSURE Code of Conduct.

ASSURE Cyber Professionals are accredited in one or more of the following three
specialisms (all specialisms must be present for an ASSURE Cyber Audit):

▪ Cyber Audit & Risk Management;

▪ Technical Cyber Security Expert; and/or

▪ Industrial Control Systems/Operational Technology Expert.

8
Detail of the competency and vetting requirements can be found in the Cyber Security Responsible
Manager Nomination Form.


5. Applicable Regulation
All aviation organisations that have regulatory cyber security obligations to comply with
existing safety, security, and resilience requirements are deemed to be in scope of
CAP1753. Following initial engagement9, each aviation organisation may be required to
complete all or part of the steps detailed herein.

Existing regulations applicable to aviation organisations under CAP1753 include but are
not limited to:

▪ EASA Basic Regulation and Implementing Rules;

▪ ICAO Standards and Recommended Practices (SARPs) and UK Air Navigation
Order;

▪ Network and Information Systems (NIS) Regulation.

Note: This is an evolving area of regulation and the aviation organisation is responsible for
staying abreast of regulatory requirements which may change from time to time.

The CAA recommend that regardless of the level of our regulatory involvement, aviation
organisations should proactively apply appropriate and proportionate cyber security good
practice10 into their operations.

9
Step 1 – Engagement
10
Annex E - Good Practice


6. CAP1753 – Cyber Security Oversight Process for Aviation


CAP1753 consists of six key steps, which may be performed by the CAA, an aviation
organisation, the ASSURE Cyber Supplier, or a combination of these roles.

To ensure an appropriate and proportionate approach, each aviation organisation will be
assessed independently against CAP1753. The applicability of each step will be
confirmed in the initial engagement step and determined based on several factors
including the assessment of cyber security risk, aviation organisation complexity, and
regulatory requirements.

Figure 2: CAP1753 - Cyber Security Oversight Process for Aviation (six steps shown as a
cycle: Step 1 Engagement; Step 2 Critical Systems Scoping; Step 3 Cyber Self
Assessment; Step 4 ASSURE Cyber Audit; Step 5 Provisional Statement of Assurance;
Step 6 Final Statement of Assurance and Certificate of Compliance)


Step 1 - Engagement
The CAA will notify an aviation organisation’s Accountable Manager that under applicable
regulatory obligations their organisation is now deemed in scope of CAP1753 and will
issue an engagement pack containing:

▪ CAP1753;
▪ Cyber Security Responsible Manager Nomination Form*;
▪ Critical System Scoping Template and guidance (CAP1849);
▪ Cyber Assessment Framework (CAF) for Aviation, guidance (CAP1850) and
applicable profile (see Step 3); and
▪ Statement of Assurance.
*The aviation organisation’s Accountable Manager will be required to nominate a Cyber
Security Responsible Manager and provide their contact information to the CAA.

Step 2 - Critical System Scoping


Using an appropriate method, an aviation organisation must determine and document all
critical systems in scope of the relevant aviation safety, security or resilience regulation(s).
This may include systems and services operated on behalf of the aviation organisation by
third party suppliers.

When considering the scope of critical systems, the CAA expects an aviation organisation
to make an informed and competent consideration of reasonable and expected impacts.
The CAA does not expect an aviation organisation to consider implausible scenarios or
highly complex chains of events or failures; a reasonable worst-case scenario should be
used.

An aviation organisation is ultimately responsible for their own risks and the identification
and validation of their critical system scope. To ensure that the scope is accurate and
includes critical systems that would reasonably be considered in scope, an aviation
organisation must be able to demonstrate that a logical method was followed and included
all stakeholders deemed relevant by the organisation (e.g. workshops with supporting
documentation, board level discussions and decisions, business impact assessments,
etc). The CAA will arrange individual calls with aviation organisations to validate the
method used, dates for these calls will be set out in the initial engagement pack.

As an output of the identification and internal validation of critical systems scoping, an
aviation organisation is required to produce completed:

▪ Critical System Scoping Template11; and

11
https://www.caa.co.uk/Commercial-industry/Cyber-security-oversight/Cyber-security-compliance/


▪ Critical system scoping diagrams.


More information can be found in CAP1849 CAA Cyber Security Critical Systems Scoping
Guidance12.
Step 3 - Cyber Self-Assessment
The CAF for Aviation13 has been designed to provide an outcome-focused assessment
against fourteen principles across four broad objectives and should not be used as a
checklist. Two of these objectives are generally at an organisational level and two are
generally specific to each critical system identified.

The CAF for Aviation has also been designed with scalability and consistency in mind.
This allows it to be applied to aviation organisations of varying size and complexity, whilst
maintaining a consistent approach.

Each aviation organisation will have an expected benchmark which will be pre-determined
by profiles developed by the CAA in conjunction with NCSC. These profiles will be
informed by sector and national assessments of risk, minimum regulatory requirements
and the capabilities demonstrated by threat actors likely to target aviation organisations.

To ensure proportionate cyber security oversight the CAA will inform an aviation
organisation of the expected profile during Step 1 (i.e. the expected balance of outcomes
that need to be ‘achieved’, ‘partially achieved’ or in some cases ‘not achieved’).

Each aviation organisation may be required to produce, as an output of the Cyber Self-
Assessment step:

▪ Completed CAF for Aviation for all in-scope systems; and

▪ consolidated associated evidence.

Please refer to the CAP1850 “CAF for Aviation Guidance” for more detail14.

Step 4 - ASSURE Cyber Audit


The CAA has opted for a third-party cyber security audit model where accredited “Qualified
Entities” are contracted by aviation organisations to perform ASSURE Cyber Audits on
behalf of the CAA. “Qualified Entities” means an ASSURE Cyber Supplier accredited by
the UK Civil Aviation Authority in accordance with Article 69 and Annex VI of
REGULATION (EU) 2018/1139 OF THE EUROPEAN PARLIAMENT AND OF THE
COUNCIL (“the EASA Basic Regulation”), to carry out certain specified cyber security
oversight tasks on the CAA’s behalf under the EASA Basic Regulation and implementing
regulations. Each ASSURE Cyber Supplier must nominate ASSURE Cyber Professionals
who are then accredited to conduct an ASSURE Cyber Audit on behalf of the CAA.

12
https://www.caa.co.uk/CAP1849
13
https://www.caa.co.uk/Commercial-industry/Cyber-security-oversight/Cyber-security-compliance/
14
https://www.caa.co.uk/CAP1850

The ASSURE Scheme provides a mechanism for the CAA (in partnership with associated
accreditation bodies) to ensure that ASSURE Cyber Suppliers and ASSURE Cyber
Professionals are accredited to a high standard, are qualified and competent to conduct
ASSURE Cyber Audits in a consistent professional manner in accordance with CAP 1753
and the CAA’s requirements. These requirements are signed up to in an ASSURE Code of
Conduct and are further detailed in the ASSURE section on the CAA website.15

Each aviation organisation, when required to by the CAA, must procure cyber audit
services from an accredited ASSURE Cyber Supplier via the ASSURE Scheme. To
prevent a conflict of interest, this must not be an ASSURE Cyber Supplier that has
interests in products or services within scope of the audit, that has implemented or
consulted on the cyber elements covered in the scope of the audit, or whose staff
responsible for the management or undertaking of ASSURE Cyber Audits have personal
relationships with staff within the aviation organisation. If you are unsure whether there is
a conflict of interest, please contact us at [email protected] for further clarification.

An aviation organisation will be required to make the following available to the ASSURE
Cyber Professional(s) during the audit:

▪ Completed list of critical systems and diagrams from the Critical Systems Scoping
Template;
▪ completed CAF for Aviation for all in-scope systems; and
▪ all necessary supporting evidence.

During the ASSURE Cyber Audit the ASSURE Cyber Professional(s) will complete the
relevant ASSURE sections in the CAF for Aviation and issue an ASSURE Cyber Audit
Report to the aviation organisation detailing:

▪ A validated opinion of ‘achieved’, ‘partially achieved’ or ‘not achieved’, with
associated commentary against each CAF for Aviation contributing outcome, based
on the evidence provided by the aviation organisation and the associated indicators
of good practice.
▪ Recommendations, where requested, which the aviation organisation may use to
update the corrective action plan section of the CAF for Aviation.

Once the final ASSURE Cyber Audit Report has been submitted to the aviation
organisation, the ASSURE Cyber Professional(s) are required to have a “wash-up” call
with the CAA to discuss the ASSURE Cyber Audit. Please refer to the ASSURE section
of our website for more detail in the associated ASSURE Implementation Guide.

15
https://www.caa.co.uk/Commercial-industry/Cyber-security-oversight/Cyber-security-compliance/

Step 5 - Provisional Statement of Assurance
The provisional Statement of Assurance constitutes a commitment from an aviation
organisation that it is complying with the Cyber Security Oversight Process and that it is
providing an accurate representation of their cyber risk posture. For guidance on completing
a Statement of Assurance please see CAP1850.
An aviation organisation is required to send, following the information handling instructions,
a provisional Statement of Assurance to the CAA by the agreed deadline, which must
include the following:

▪ Completed Critical Systems Scoping Templates;

▪ completed critical system scoping diagrams;

▪ ASSURE audited CAF for Aviation for all in-scope systems;

▪ ASSURE Cyber Audit Report;

▪ Corrective action plan with supporting documents; and

▪ Cyber security organisation structure.

The CAA’s Cyber Security Oversight Team will conduct an analysis of the information
provided and request additional supplementary information if clarification is required.

As part of ongoing cyber security oversight, the CAA’s Cyber Security Oversight Team will
engage with CAA Performance Based Oversight16 (PBO), providing a view of the aviation
organisation’s ability to:

▪ manage and address cyber security risk; and

▪ translate residual gaps into safety, security and/or resilience implications.

This ultimately determines an effective and appropriate oversight regime for that organisation.

Engagement with PBO will include briefing the relevant CAA Capability Teams and
working with the Oversight Managers to agree if there is a safety, security, or resilience
impact that needs to be addressed.

The CAA will engage in discussions with an aviation organisation to review the provisional
Statement of Assurance including any amendments to corrective action plans. Following
engagement, an aviation organisation will be required to finalise their Statement of
Assurance ensuring it is signed by the Accountable Manager and returned to the CAA.

16
https://www.caa.co.uk/Safety-initiatives-and-resources/How-we-regulate/Safety-Plan/Enhancing-CAA-
oversight/Performance-based-oversight/


Step 6 - Final Statement of Assurance and Certificate of Compliance


The Certificate of Compliance is confirmation that an aviation organisation has met the
agreed requirements of the Cyber Security Oversight Process for Aviation. It is important
to note that this is not a confirmation of compliance with all applicable regulatory
requirements; this remains solely the aviation organisation’s responsibility.

To achieve compliance with CAP1753 an aviation organisation must meet the following
requirements, where deemed applicable by the CAA:

▪ Engagement with the CAA and nomination of a Cyber Security Responsible Manager
(step 1);
▪ completion of critical system scoping activity (step 2);
▪ completion of Cyber Self-Assessment (step 3);
▪ procurement and completion of ASSURE Cyber Audit (step 4);
▪ submission of appropriately signed provisional and final Statements of Assurance
(steps 5 and 6);
▪ progress towards or maintenance of appropriate and proportionate cyber security
controls in line with the agreed profile and corrective action plan;
▪ notification of reportable incidents (if applicable);
▪ notification of cyber security change (see below); and
▪ responding to CAA information requests.

The CAA will issue a Certificate of Compliance to an aviation organisation following the
receipt and review of the final Statement of Assurance. The Certificate of Compliance will
detail future cyber security oversight activity, both to follow up on corrective action plans
and as part of ongoing oversight.

The aviation organisation’s cyber security posture will be discussed at Accountable
Manager meetings. The aim of this is to ensure that the CAA and the Accountable
Manager have the same broad perspective on the major risks to safety performance
(including cyber security risks) across the aviation organisation.


7. Frequency
The continued frequency by which an aviation organisation is required to comply with the
steps of the cyber security oversight process varies and is decided by the CAA in
conjunction with existing Performance Based Oversight (PBO) processes. The factors
used to determine frequency of audits include:

▪ Cyber security risk;

▪ aviation organisation’s complexity status;

▪ cyber security regulatory requirements;

▪ notifications of cyber security changes;

▪ cyber security corrective action plans; and

▪ cyber security incidents where relevant.


8. Notification of Cyber Security Change


Following submission of a final Statement of Assurance, an aviation organisation must
notify the CAA’s Cyber Security Oversight Team within 30 days of any changes to:

▪ Critical System scope;

▪ critical supplier list;

▪ cyber security controls which would change the aviation organisation’s CAF for
Aviation response;

▪ corrective action plan, including any changes to the corrective actions themselves,
or the implementation timeframes.

A Notification of Cyber Security Change must not include any sensitive information or
attachments (e.g. network diagrams). The CAA accepts no liability for sensitive information
which is shared by an aviation organisation non-securely or without prior agreement.

The notification email should include a high-level description of the nature of the change
(e.g. change to critical suppliers, scope change, change in controls affecting the CAF
response) and the date the change was effective from. The CAA will then contact the
Cyber Security Responsible Manager to discuss the change further and make appropriate
arrangements for secure information sharing if required.

Please direct all cyber security change notifications to [email protected].

Note: This is in addition to any change notification required under existing safety or
security regulations.

8.1. Notification of Change of Cyber Security Responsible Manager


A new Cyber Security Responsible Manager Nomination Form must be submitted to the
CAA, where possible, 30 days in advance of the change in post holder.

The notification of a new Cyber Security Responsible Manager must include a completed
Cyber Security Responsible Manager Nomination form which can be requested from and
submitted to [email protected].


Annex A: Information Handling


The CAA will provide each aviation organisation with Information Handling Instructions to
ensure the secure transfer and storage of sensitive information during the Cyber Security
Oversight Process.

The CAA intends to share relevant information with DfT and NCSC in line with Section 23
of the Civil Aviation Act 198217 and Part 2 of the Network and Information Systems
Regulation 201818 to:

▪ Support the assessment of national level and transport sector cyber security risk;

▪ improve cyber security regulation;

▪ support aviation through cyber security research and development; and

▪ as part of our NIS or safety responsibilities.

Where the sharing of identifiable information beyond the above scope is considered
necessary, the CAA will request written consent from the aviation organisation and provide
a clear statement setting out:

▪ the information to be shared;

▪ the reasons why sharing the information is considered necessary;

▪ the conditions for sharing; and

▪ a statement that the receiving party understands their obligations and has the
capability to protect the information appropriately.

Further information on our data publication principles can be found on the CAA website19.
Any cyber security related questions can be sent to the CAA Cyber Security Oversight Team
at [email protected].

17
http://www.legislation.gov.uk/ukpga/1982/16/contents
18
http://www.legislation.gov.uk/uksi/2018/506/made
19
https://www.caa.co.uk/Data-and-analysis/


Annex B: The CAA’s Regulatory Enforcement Approach (non-NIS)


The primary purpose of the CAA’s enforcement role is to protect consumers and the public
by encouraging compliance with the rules applicable to civil aviation and by deterring non-
compliance.

The CAA may take enforcement action in cases where an aviation organisation is found to
be in breach of any of the applicable regulatory requirements. More information can be
found online in the CAA’s Regulatory Enforcement Policy20.

Figure 3: CAA’s Stepped Enforcement Approach (six escalating steps, from Advise and
Persuade through Deficiency Notice, Formal Notice / Review and Directions / Enforcement
to Prosecutions)

20
https://www.caa.co.uk/Our-work/About-us/Enforcement-and-prosecutions/


Annex C: NIS Regulation


The following information and guidance on the NIS Regulation can be obtained on the
GOV.UK website:
▪ The Network and Information Systems Regulation 2018;
▪ Implementation of the NIS Directive DfT Guidance version 1.1.21

21
https://www.gov.uk/government/publications/implementing-the-network-and-information-systems-directive-
in-the-transport-sector


Annex D: DfT’s Stepped Enforcement Approach for NIS


The DfT and CAA will use a stepped approach to enforcement when an Operator of
Essential Services (OES) is found to be failing to meet requirements. This relies heavily on
a collaborative approach between the DfT, CAA and OES. Any enforcement, particularly
the issuing of penalties, will be a last resort and in all cases will be proportionate to the
failing identified. The stepped approach can be summarised as follows:

Step 1: Advise and persuade


When any deficiencies are identified, the initial approach taken by the CAA will be to
engage and discuss this with the OES. This will include discussing what the failing or
deficiency is and how and when it can be addressed. The CAA will agree the remedial
actions proposed by the OES and when these actions should be completed. The CAA may
wish to follow-up with further assessments or audits to ensure that these actions have
been taken and any failings have been addressed appropriately and proportionately. More
formal communications may be required, if these actions fail to be addressed in the agreed
timeframe. The DfT or CAA may issue information notices requiring the OES to provide
specified information to support compliance assessment.

Step 2: Enforcement notice


Where the initial informal approach has not worked, and failings are not being addressed,
the CAA will escalate to DfT and make a recommendation for enforcement. DfT will
determine whether a formal enforcement notice will be issued. A formal enforcement
notice will set out the failings identified, the steps to be taken and the time-period in which
they need to be completed.

Step 3: Penalty notice


Where the OES has failed to take adequate steps within the specified time to rectify a
failure identified in an enforcement notice a monetary penalty may be issued. In practice
such a step is likely to be taken only in extreme cases and as a last resort where the initial
actions taken by the DfT and CAA have not been successful at instigating action by the
OES. In determining the value of the monetary penalty, the DfT will consider the
appropriate and proportionate level within the prescribed limit of £17m.


Annex E: Good Practice


The CAA recommend that regardless of the level of our regulatory involvement, aviation organisations should proactively apply
appropriate and proportionate cyber security good practice into their operations. The CAF for Aviation represents the building blocks
for cyber security and resilience; the relevant profiles set by the CAA will inform whether Contributing Outcomes should be "Achieved",
"Partially Achieved" or in some cases "Not Achieved" for each aviation organisation.
The below extract of the CAF for Aviation provides an overview of good practice Principles, and references associated standards
and guidance. For further information and guidance on good practices please visit the NCSC website22.

The table lists, for each Objective, its Principles, the Informative References for each Principle, and the Contributing Outcomes with their Descriptions.

Objective: Managing security risk

Principle: Governance
The organisation has appropriate management policies and processes in place to govern its approach to the security of critical systems.
Informative references: ISO/IEC 27001:2017; ISO/IEC 27002:2013; ISA/IEC 62443-2-1; NIST SP800-53; NIST SP800-82; Eurocae ED204
Contributing outcomes:
  Board Direction: You have effective organisational security management led at board level and articulated clearly in corresponding policies.
  Roles and Responsibilities: Your organisation has established roles and responsibilities for the security of critical systems at all levels, with clear and well-understood channels for communicating and escalating risks.
  Decision Making: You have senior-level accountability for the security of critical systems, and delegate decision-making authority appropriately and effectively. Risks to critical systems are considered in the context of other organisational risks.

Principle: Risk management
The organisation takes appropriate steps to identify, assess and understand security risks to the critical systems supporting the operation of essential functions. This includes an overall organisational approach to risk management.
Informative references: ISO/IEC 27005:2018; ISO/IEC 27001:2017; ISO/IEC 31000:2018; ISA/IEC 62443-1-1; ISA/IEC 62443-2-1; NIST SP800-30; NIST SP800-37; NIST SP800-39; NIST SP800-82; Eurocae ED202A, ED203A, ED204 & ED205; CyBOK Risk Management & Governance Knowledge Area
Contributing outcomes:
  Risk Management Process: The organisation takes appropriate steps to identify, assess and understand security risks to the critical systems. This includes an overall organisational approach to risk management.
  Assurance: You have gained confidence in the effectiveness of the security of your technology, people, and processes relevant to critical systems.

Principle: Asset management
Everything required to deliver, maintain or support critical systems is determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such as power or cooling).
Informative references: ISO/IEC 55001:2019; ISO/IEC 27002:2013; ISA 62443-1-1; NIST SP800-82; NIST SP800-53
Contributing outcomes:
  Asset Management: Principle applies.

Principle: Supply chain
The organisation understands and manages security risks to critical systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used.
Informative references: ISO/IEC 27002:2013; ISO/IEC 27036-2; ISO/IEC 27036-3; ISA/IEC 62443-2-1; NIST SP800-53; NIST SP800-37; Eurocae ED201
Contributing outcomes:
  Supply Chain: Principle applies.

Objective: Protecting against cyber-attack

Principle: Function protection policies and processes
The organisation defines, implements, communicates and enforces appropriate policies and processes that direct its overall approach to securing critical systems and data that support operation of essential functions.
Informative references: ISO/IEC 27001:2017; ISO/IEC 27002:2013; ISO/IEC 22301:2019; ISA/IEC 62443-1-1; NIST SP800-53; NIST SP800-82
Contributing outcomes:
  Policy and Process Development: You have developed and continue to improve a set of cyber security and resilience policies and processes that manage and mitigate the risk of adverse impact on the critical system.
  Policy and Process Implementation: You have successfully implemented your security policies and processes and can demonstrate the security benefits achieved.

Principle: Identity and access control
The organisation understands, documents and manages access to critical systems supporting the operation of essential functions. Users (or automated functions) that can access critical data or critical systems are appropriately verified, authenticated and authorised.
Informative references: ISO/IEC 27001:2019; ISO/IEC 27002:2013; NIST SP800-53; NIST SP800-82; Eurocae ED204; CyBOK Authentication, Authorisation and Accountability Knowledge Base
Contributing outcomes:
  Identity verification, authentication and authorisation: You robustly verify, authenticate and authorise access to the critical systems.
  Device Management: You fully know and have trust in the devices that are used to access your critical systems and data.
  Privileged User Management: You closely manage privileged user access to critical systems supporting the essential functions.
  Identity and Access Management (IdAM): You assure good management and maintenance of identity and access control for your critical systems.

Principle: Data security
Data stored or transmitted electronically is protected from actions such as unauthorised access, modification, or deletion that may cause an adverse impact on critical systems. Such protection extends to the means by which authorised users, devices and systems access critical data necessary for the operation of critical systems. It also covers information that would assist an attacker, such as design details of critical systems.
Informative references: ISO/IEC 27002:2013; ISA/IEC 62443-1-1; ISA/IEC 62443-2-1; ISA/IEC 62443-3-3; NIST SP800-53; NIST SP800-82; Eurocae ED204 & ED205
Contributing outcomes:
  Understanding Data: You have a good understanding of data important to the operation of the critical systems, where it is stored, where it travels and how unavailability or unauthorised access, modification or deletion would impact the critical systems. This also applies to third parties storing or accessing data important to the operation of critical systems.
  Data in Transit: You have protected the transit of data important to the operation of the critical systems. This includes the transfer of data to third parties.
  Stored Data: You have protected stored data important to the operation of the critical system.
  Mobile Data: You have protected data important to the operation of the critical system on mobile devices.
  Media / Equipment Sanitisation: You appropriately sanitise media and equipment holding data critical to the operation of the critical systems.

Principle: System security
Critical systems and technology critical for the operation of essential functions are protected from cyber attack. An organisational understanding of risk to the critical system informs the use of robust and reliable protective security measures to effectively limit opportunities for attackers to compromise networks and systems.
Informative references: ISO/IEC 27002:2013; ISA/IEC 62443-1-1; ISA/IEC 62443-2-1; ISA/IEC 62443-3-3; NIST SP800-53; NIST SP800-82; Eurocae ED202A, ED203A, ED204 & ED205
Contributing outcomes:
  Secure by Design: You design security into the critical systems. You minimise their attack surface and ensure that the operation of the critical system should not be impacted by the exploitation of any single vulnerability.
  Secure Configuration: You securely configure critical systems.
  Secure Management: You manage your organisation's critical systems to enable and maintain security.
  Vulnerability Management: You manage known vulnerabilities in your critical systems to prevent adverse.

Principle: Resilient Networks and Systems
The organisation builds resilience against cyber-attack and system failure into the design, implementation, operation and management of critical systems.
Informative references: ISO/IEC 27002:2013; ISO/IEC 27035-3; ISA/IEC 62443-1-1; NIST SP800-53; NIST SP800-82
Contributing outcomes:
  Resilience Preparation: You are prepared to restore the operation of your critical system following adverse impact.
  Design for Resilience: You design critical systems to be resilient to cyber security incidents. Critical systems are appropriately segregated, and resource limitations are mitigated.
  Backups: You hold accessible and secured current backups of data and information needed to recover operation of your critical system.

Principle: Staff Awareness and Training
Staff have appropriate awareness, knowledge and skills to carry out their organisational roles effectively in relation to the security of critical systems supporting the operation of essential functions.
Informative references: NCSC 10 Steps: User Education and Awareness; ISO/IEC 27001:2019; ISO/IEC 27002:2013; ISA/IEC 62443-2-1; NIST SP800-53; NIST SP800-82
Contributing outcomes:
  Cyber Security Culture: You develop and pursue a positive cyber security culture.
  Cyber Security Training: The people who support the operation of your critical system are appropriately trained in cyber security. A range of approaches to cyber security training, awareness and communications are employed.

Objective: Detecting cyber security events

Principle: Security monitoring
The organisation monitors the security status of the networks and systems supporting the operation of critical systems in order to detect potential security problems and to track the ongoing effectiveness of protective security measures.
Informative references: NCSC Introduction to logging for security purposes; NCSC 10 Steps: Monitoring; CREST Cyber Security Monitoring Guide; ISO/IEC 27002:2019; ISO/IEC 27002:2013; ISO/IEC 27035:1-3; ISA/IEC 62443-2-1; NIST SP800-53; NIST SP800-82; NIST SP800-94
Contributing outcomes:
  Monitoring Coverage: The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your critical system.
  Securing Logs: You hold log data securely and grant read access only to accounts with business need. No employee should ever need to modify or delete log data within an agreed retention period, after which it should be deleted.
  Generating Alerts: Evidence of potential security incidents contained in your monitoring data is reliably identified and triggers alerts.
  Identifying Security Incidents: You contextualise alerts with knowledge of the threat and your systems to identify those security incidents that require some form of response.
  Monitoring Tools and Skills: Monitoring staff skills, tools and roles, including any that are out-sourced, should reflect governance and reporting requirements, expected threats and the complexities of the network or system data they need to use. Monitoring staff have knowledge of the critical systems they need to protect.

Principle: Proactive security event discovery
The organisation detects, within critical systems, malicious activity affecting, or with the potential to affect, the operation of essential functions even when the activity evades standard signature-based security prevent/detect solutions (or when standard solutions are not deployable).
Informative references: ISO/IEC 27001:2019; ISO/IEC 27002:2013; ISO/IEC 27035-3; ISA/IEC 62443-2-1; NIST SP800-53
Contributing outcomes:
  System Abnormalities for Attack Detection: You define examples of abnormalities in system behaviour that provide practical ways of detecting malicious activity that is otherwise hard to identify.
  Proactive Attack Discovery: You use an informed understanding of more sophisticated attack methods and of normal system behaviour to monitor proactively for malicious activity.

Objective: Minimising the impact of cyber security incidents

Principle: Response and recovery planning
There are well-defined and tested incident management processes in place that aim to ensure continuity of essential functions in the event of system or service failure. Mitigation activities designed to contain or limit the impact of compromise are also in place.
Informative references: NCSC 10 Steps: Incident Management; ISO/IEC 27035 (all); ISO/IEC 22301:2019; ISO/IEC 27002:2013; NIST SP800-61; NIST SP800-53; NIST SP800-82; Eurocae ED204
Contributing outcomes:
  Response Plan: You have an up-to-date incident response plan that is grounded in a thorough risk assessment that takes account of your essential functions and covers a range of incident scenarios.
  Response and Recovery Capability: You have the capability to enact your incident response plan, including effective limitation of impact on the operation of your critical systems. During an incident, you have access to timely information on which to base your response decisions.
  Testing & Exercising: Your organisation carries out exercises to test response plans, using past incidents that affected your (and other) organisation, and scenarios that draw on threat intelligence and your risk assessment.

Principle: Lessons learned
When an incident occurs, steps are taken to understand its root causes and to ensure appropriate remediating action is taken to protect against future incidents.
Informative references: NCSC 10 Steps: Incident Management; ENISA Good Practice for Incident Management Guide; ISO/IEC 27035:2-3; ISO/IEC 22301:2019; ISO/IEC 27001:2019; ISO/IEC 27002:2013; NIST SP800-61; NIST SP800-53
Contributing outcomes:
  Incident Root Cause Analysis: When an incident occurs, steps must be taken to understand its root causes and ensure appropriate remediating action is taken.
  Using Incidents to Drive Improvements: Your organisation uses lessons learned from incidents to improve your security measures.

22
https://www.ncsc.gov.uk/collection/caf/table-view-principles-and-related-guidance
