Billy Hogg, GRC security consultant at Prism Infosec, reflects on the CAA’s Assure cybersecurity audit and outlines the seven best ways to tackle it
Cyberattacks targeting the aviation sector have rocketed during the COVID-19 pandemic. A July 2021 Eurocontrol Think Paper, based on data from its European Air Traffic Management Computer Emergency Response Team (EATM-CERT), found that attacks rose 530% between 2019 and 2020 and warned of the growing threat from state-sponsored actors, organised criminal syndicates and other malicious actors capable of conducting large-scale targeted intrusions. The findings echoed those of the Airport Cybersecurity COVID-19 Survey Report by Airports Council International (ACI), which stated that 61.5% of airports suffered an attack during 2020. Both reports emphasised the need to bolster defences and to attend to potential new threat vectors.
Aware of the need to counter cyberthreats, the UK's Civil Aviation Authority (CAA) launched its Assure cybersecurity scheme in January 2020. As an accredited third-party audit model, Assure effectively gives airport organisations access to industry cyber experts, so that they can appraise their security against current and emerging threat vectors. Assure cyber suppliers must be accredited by either Crest or IASME (the Information Assurance for Small and Medium Enterprises Consortium) and must specialise in at least one of three areas: cyber audit and risk management, technical cybersecurity, or industrial control systems (ICS)/operational technology (OT).
The Assure scheme applies to all organisations deemed to fall within the scope of CAP 1753, which details the CAA's cybersecurity oversight process for aviation organisations such as airports, air carriers and air navigation service providers. CAP 1753 comprises a six-step process: engagement, critical systems scoping, cyber self-assessment for aviation, the Assure cyber audit, the provisional statement of assurance, and the final statement and certificate of compliance.
Organisations are required to identify their critical systems (using the guidance in CAP 1849) and assess them against the Cyber Assessment Framework (CAF) for Aviation (using the guidance in CAP 1850). The CAF for Aviation has been adapted from the CAF devised by the UK government's National Cyber Security Centre to assess critical national infrastructure, so it is well respected and provides an outcome-based assessment built on four key objectives and fourteen principles. The self-assessment precedes the Assure audit, which determines whether the organisation has met the CAF requirements.
Struggling to comply
Assure is a mandatory requirement for UK airports, all of which were supposed to have complied by the end of 2021. However, the coronavirus pandemic left many of them struggling both financially and in terms of available resources, with many tech teams working remotely. While things are slowly normalising, airports are still finding the Assure process time-consuming and costly, with the gathering of evidence, the self-assessment and the audit often taking months.
Going through the process for the first time has also been daunting. Consequently, many airports successfully petitioned the CAA for an extension. Others are using Assure third parties to assist them with the assessment part of the process, which is perfectly acceptable, provided they use a different Assure cyber supplier to carry out the audit.
The self-assessment stage can be lengthy, requiring evidence to be gathered and recorded, and that evidence can take various forms, from documents and manuals to observations and interviews. Where it gets complicated is where equipment suppliers and third parties are involved. Separate companies may be responsible for the operational training or the maintenance of a system, in which case the airport has no direct contract or oversight and therefore holds no evidence to support the process. In these instances the auditor needs to approach the suppliers for evidence and either request documentation or conduct an interview, but this is an evidential process that relies on the goodwill of everyone involved. None of it is covered in the contracted deliverables, and the likelihood is that these services and contracts will need to be renegotiated in future to accommodate the new compliance process.
Given that the Assure audit can be so protracted, how can airports make the process less painful? Here are seven ways to both minimise the impact and maximise the value of the output.
1. Gap analysis
It's easy to approach the process as a mandated 'box-ticking' exercise, but if that is the approach taken, the organisation will spend a lot of time, effort and money for very little gain, and runs the risk of providing the CAA with poor-quality data. If instead the aim is to identify opportunities to improve both security and resilience, the value of the process will ultimately be much greater.
To maximise the value, you need to explore what issues have been illuminated by the process and where you can make effective change. Where you have suppliers and managed services in place, ascertain if there is sufficient knowledge, documentation, system access privileges and so on within the organisation to carry on operating as normal should the supplier become unavailable. If not, has the organisation identified this risk and managed it adequately?
There will be some systems for which a gap analysis is not possible, simply because, although they are in scope, they are not cyber systems, so much of the CAF either does not apply or does not fit well with how they operate.
2. Careful choice of critical systems
Robust consideration must be given to which critical systems are within the scope of CAP 1753. There have been many examples of systems being included at the start of the process, only to be taken out of scope during the audit because they should not have been included in the first place. In a similar vein, there have been a few examples of systems being excluded when they should have been treated as in scope. Organisations should agree, both internally and with the CAA, which systems are in scope and deemed critical to operations, so that resources can be prioritised.
Similarly, in the scoping process, the option to group systems together should follow the guidance in CAP 1849. Hold baggage screening is a good example. Are the baggage belts, the X-ray machines and the explosive detection machines all part of the same system or separate systems? There is no right or wrong answer: it depends on the architecture and the controls employed, but it can be logical to treat it all as one system even if the baggage belts are accessed and maintained by one sub-contractor, the scanners by another and the scanning activities by a third. The question is whether they can be logically grouped together within your organisation.
3. Accordance with CAP 1849
The scoping documents are often the least complete when presented to the auditor at Step 4 of the CAP 1753 process (the Assure cyber audit). However, the context they provide, together with a well-laid-out diagram, is invaluable in helping the auditor to assess the CAF accurately and, possibly more importantly, to add value by recommending improvements. The document is equally valuable to the CAA assessors, who will only have access to the CAF, the scoping documents, the audit report and the corrective action plan (they do not collect the documented evidence used by the auditor).
4. Pick the right stakeholders
There are numerous examples of the CAF being completed by a single individual, often someone who works in IT for the whole organisation. This gives the CAF content a single perspective and adds to the time the auditor spends going over documented evidence or interviewing staff to capture the information requested. It can also lead to the organisation scoring outcomes incorrectly for any number of reasons.
Where possible, involve the owner of the system being assessed, because they understand it best from both a cyber and a business continuity perspective. The wider the audience involved in completing the CAF self-assessment, the more accurate the evidence captured and the scoring are likely to be, giving a more complete picture than if just one person completes the form.
5. Be honest
It can be difficult to decide where to pitch the responses in the CAF, and honesty is the best policy here. Organisations are sometimes either overly optimistic or overly pessimistic in their responses, which opens up a gap between the organisation's scores and the auditor's.
Where the auditor has to consistently mark down optimistic responses, the organisation will have to add many more items to the Corrective Action Plan that follows the audit and precedes submission to the CAA. This work is often unplanned, which may affect delivery schedules. An overly pessimistic approach may likewise generate more work, along with disagreements between internal parties over the corrective actions raised in response to the CAF assessment.
Having a range of interested parties, system owners and managers involved in populating the CAF in the first place will result in a much smoother process of audit, corrective action and CAA follow-up.
6. Accurate listing
When providing evidence in support of an organisation's CAF responses, it is vital that the information can be easily referenced and located by the auditor, who will have no local knowledge and may lack access to company data. When completing the CAF, it is essential that the auditor can not only access the evidence but also navigate it easily.
If a document is a large one, don't just reference the report itself; also give the chapter or page where the evidence is found. Where the evidence is an interview, list the role or name of the person to be interviewed, and put information the auditor can verify in the comments field. Bear in mind that the CAA will not usually conduct any interviews, so all the information it requires needs to be provided by the organisation and verified by the auditor.
7. Create a corrective action plan
It is recommended that the organisation self-assesses continually during the process and raises corrective actions as and when gaps are identified between the scored outcome and the target profile. These corrective actions can then also be documented in the CAF evidence, which will add to the CAA's confidence that corrective actions are under way.
The Corrective Action Plan can be kept in whichever tool the organisation uses for task management, but the actions raised must be separable from other work so that they can be reported to the CAA on their own.
Taking a smart approach
The CAF for Aviation was specifically adopted to avoid the audit being treated as a box-ticking exercise, but there is always a danger of that happening when resource is thin on the ground, costs are spiralling and revenues are down. To prevent it, airports need to take a smart approach to the Assure process. They need to streamline where they can, by determining who needs to be involved and when, by considering how best to present compliance, and by composing the Corrective Action Plan as they move through the process. They also need to establish risk and identify where remediation is needed to bolster defences. While the Assure audit is complex and time-consuming, it is undoubtedly a step in the right direction in the fight against cybercrime. It has established a framework which, as it becomes more refined and tailored to the sector, will only become more valuable. It has enabled airports to appraise their IT and OT systems critically at the same time, providing a holistic view of their security posture. And it provides direct access to cybersecurity specialists who, with their knowledge of system vulnerabilities and exploits, can advise on corrective action that is practical and meaningful.