Billy Hogg, security consultant at Prism Infosec, ponders whether ASSURE – the cybersecurity assessment framework introduced three years ago – has lived up to expectations and improved cybersecurity within the sector.
When the ASSURE cybersecurity assessment framework was introduced by the Civil Aviation Authority (CAA) three years ago, it had its work cut out.
The aviation sector was routinely subjected to cyber attacks, with a 530% rise reported by the European Air Traffic Management Computer Emergency Response Team between 2019 and 2020.
ASSURE was brought in to help aviation organisations assess the resilience of their cybersecurity, a key theme in the travel industry, against current and emerging threat vectors and is a mandatory requirement under the CAP 1753 regulations; but three years on, has it lived up to expectations?
Latent uptake due to the pandemic
First, let’s consider the state of cybersecurity in the sector today. The Cyber Security in Critical National Infrastructure Organisations 2022 report published at the end of 2022 claims that 70% of transport and aviation leaders did not have sufficient visibility across the IT and Operational Technology (OT) boundary.
It also found the sector also was the slowest to detect a breach, on average taking 51 days to do so, and that 77% of those questioned thought the number of successful attacks had increased. Top risks were named as supply chain compromise, compromise of office personnel, and connected devices and the internet of things.
So, where it has been adopted (it has not yet covered all applicable organisations) does this mean that ASSURE has yet to deliver? One of the chief benefits of the framework is that it provides much better oversight because it assesses both IT and OT systems.
OT is mostly airport-orientated rather than airline, and several airports outsource their OT maintenance to third parties but in both cases ASSURE has made organisations review how they manage IT and OT and the risk that they have, which they may not have understood.
The likely explanation for the report findings are that the pandemic did impact adoption of the framework. Airports were due to be compliant by year-end 2021 but many had to seek an extension from the CAA because both they and the regulator simply didn’t have the resources to carry out the assessment.
Consequently, many did not achieve compliance until 2022 and there are still some due to undergo the assessment this year. So, this needs to be borne in mind when looking at these figures. That said, the CAA has actively been reviewing its adoption and will no doubt seek to improve elements.
ASSURE has room for improvement
Acting in the capacity of advisors on the self-assessment phase and assessors that formally review compliance with the framework, we’ve seen first-hand both the value it confers and the challenges aviation organisations have faced in meeting the requirements.
There’s no denying that any Cyber Assessment Framework (CAF) is resource intensive and it’s a process that’s naturally delegated to IT. But the IT team does not always have the information required to complete the assessment, lacking both access to and knowledge of the non-IT operational infrastructure, as well as the governance side of the organisation.
This is especially true for organisations who have predominantly outsourced their IT and engineering functions to third parties, for whom the challenge then becomes sourcing the evidence.
However, with respect to ASSURE, there is some ambiguity that could be addressed. The guidance on which systems are in scope and which are out of scope means it is not always consistently interpreted by organisations.
We’ve seen similar organisations define critical systems lists that are markedly different, for example. The CAA could have more engagement with organisations and standardise the scoping at stage 2 of the ASSURE process.
The process of completing the assessment could also be markedly improved. Some of the Indicators of Good Practice (IGPs) are so similar between “Achieved” and “Partially Achieved” that the difference is only a matter of semantics – in a couple of responses the IGP’s were actually identical.
A more pragmatic approach would be to ask for a narrative response for the 39 contributing outcomes, supported by a few key questions for the topic.
This would allow a qualified and experienced auditor to assess the response and evidence, and potentially to conduct follow-up interviews to assess the outcome. At the present time, anyone faced with over 450 IGP repeated per system is bound to drift towards a “tick-box” mentality.
In addition, assessing organisations by function rather than by system may well produce a more informed result. Is the application that manages the checking of fire equipment a critical system, or is it the recording and management of those checks that is critical? If the system fails those checks, could be managed on paper or a spreadsheet?
Essentially, we need to determine if the application is critical, or if it’s the function that is critical. Likewise for flight planning, is the system critical when flight planning could be done ‘old school’?
Beneficial effects of ASSURE
These criticisms aside – and there were always going to be teething issues when introducing a new CAF – ASSURE has undoubtedly made great strides.
It has compelled organisations to take a more detailed look at cyber across their estate, beyond IT infrastructure and staff, and to realise that risks can fall across all business areas, depending on the threat type and system. In doing so, it’s brought governance, risk and compliance to the fore.
ASSURE has improved supply chain security by making organisations get to grip with their third parties in order to complete the assessment.
The traditional focus has been on the service delivered and the price of that service but under ASSURE organisations are required to gain adequate assurance on the risks and controls in place with third party suppliers.
And finally, ASSURE has created a baseline that provides the UK Government, via the CAA, with insight into the aviation sector’s resilience; information that can then be used to provide direction and drive policy decisions when it comes to protecting critical national infrastructure.
The aviation sector has had to adapt to ASSURE and this has revealed there’s still work to be done on both sides. But as the CAF becomes more refined, it will add yet more value, helping what has been a very disparate sector control and mitigate risk more holistically.