New cybersecurity rules in Europe will for the first time require a group of aviation suppliers to identify and defend against hacking risks to flight security.
The new rules will apply to a range of air transport companies, including manufacturers, airlines, airports, flight training schools, caterers and weather data providers. Companies will also be required to create a governance system that assigns one person responsibility for ensuring issues are documented and resolved.
“It’s a huge increase in workload,” said Robert Baltus, chief operating officer of the European Business Aviation Association, a Brussels-based group representing more than 700 companies, including Shell Aircraft, which operates aircraft for Shell PLC, and Volkswagen AirService, an airline which operates business jets for Volkswagen AG.
National aviation regulators will oversee compliance with the rules, which will come into force in 2025.
Many companies in the aviation industry are already subject to separate EU cybersecurity rules that require them to implement basic security measures and report cyberattacks to national cybersecurity authorities.
“The requirements of these regulations are definitely demanding,” an Airbus SE spokesperson said in a statement. The Toulouse, France-based manufacturer will have to adjust some of its processes, such as appointing a person to oversee the system, he said.
Regulators in the United States are also tightening cyber rules for the aviation sector. The Transportation Security Administration said in October that it would introduce new cybersecurity requirements for parts of the aviation industry. The agency already requires airline and airport operators to conduct cybersecurity assessments and appoint a cyber coordinator.
Last month, the Russian-speaking hacker group known as Killnet took credit for low-level denial-of-service attacks on the websites of several US airports, including New York’s LaGuardia and Los Angeles International. The attacks temporarily took the websites offline but did not affect operations or flights.
The European Union Aviation Safety Agency, known as EASA, the EU body that drafted the rules, said the regulations were aimed at combating potentially dangerous cyberattacks, such as an aircraft design company’s engineering files falling into the hands of hackers, or blueprints being altered or corrupted.
One of the challenges for some small or medium-sized businesses will be finding cybersecurity personnel who understand the specific technologies and requirements of aviation security systems, said Thomas Hutin, senior managing director of FTI Consulting’s Paris office.
Companies across all sectors are struggling to find cybersecurity personnel to fill the more than 3 million jobs that are expected to open globally in the field.
“Whether or not all relevant stakeholders have the in-house capabilities and expertise to manage this transition is a risk,” said Nick Rhodes, operations, safety and infrastructure manager at the European Regions Airline Association, whose members include airlines and manufacturers such as Airbus and Boeing Co.
The costs of setting up the systems required by regulations could be high, he said.
Companies will need to appoint or hire staff to oversee the cyber threat tracking and reporting system, train employees in its use and, in some cases, purchase new cyber tools, Baltus said.
EASA said the regulation needed to cover a network of suppliers because the aviation industry is so interconnected. A cyberattack could target one business but also harm its customers and suppliers.
“If you have a small business that does risky business for others, you can’t get away because you’re small. You must take responsibility for the risk you expose others to,” said Jean-Paul Moreaux, the agency’s senior coordinator for aviation cybersecurity.
Write to Catherine Stupp at Catherine.Stupp@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All rights reserved.