Digital MRO: What it means for Shopfloor & Ground Services Cybersecurity
Digital MRO: Cybersecurity Risks on Shopfloors

Introduction

As the aviation MRO & ground handling sectors undergo rapid digital transformation, the role of cybersecurity in ensuring safe and efficient MRO operations - and air travel - has never been more critical. With Maintenance, Repair, and Overhaul (MRO) providers and ground handling companies relying on vast interconnected networks, Chief Information Security Officers (CISOs) in these sectors must navigate an evolving landscape of cyber threats and regulatory requirements.

The rising frequency of cyberattacks - up 74% since 2020 - underscores the urgent need for a proactive and structured cybersecurity strategy among MRO & ground handling organisations. Recent incidents, such as ransomware attacks on major international airports and vulnerabilities in passenger booking systems, illustrate the scale of the challenge. Moreover, the introduction of fragmented cybersecurity regulations from the FAA, EASA, CAA, and other aviation authorities worldwide further complicates compliance.

To effectively address these threats and regulatory pressures, CISOs in MRO and ground handling companies must embrace an integrated Information Security Management System (ISMS) that aligns with Safety Management Systems (SMS) and Quality Management Systems (QMS). This 'management system triad' will provide a resilient framework for meeting emerging regulatory requirements while maintaining operational efficiency and trust with airline partners.

The Cyber Threat Landscape for MRO and Ground Handling

Cybersecurity threats in the aviation support sector are no longer hypothetical; they are an operational reality. Some recent examples include:

  • 2023, FAA System Failure: A cyber vulnerability caused a nationwide ground stop, delaying over 10,000 flights.
  • 2023, Seattle-Tacoma International Airport (Sea-Tac) Ransomware Attack: A hacking group targeted the airport’s IT infrastructure, forcing manual operations for ticketing and baggage handling. The attack disrupted operations for over a week and led to threats of leaking sensitive employee data.
  • 2024, Ground Handling System Disruptions: Japan Airlines faced a cyberattack that affected multiple systems, including their app, baggage handling, and external communication tools, leading to flight delays and disruptions.
  • June 2020, Maintenance Data Breaches: A U.S. subsidiary of ST Engineering experienced a significant cybersecurity breach. The Maze ransomware group infiltrated the company's network, deploying ransomware that encrypted systems and rendered approximately 1.5 terabytes of unencrypted data inaccessible. The compromised information included financial records, IT security details, and other sensitive documents.
  • Frequent Flyer Program Hacks: Cyberattacks on airline loyalty accounts have surged by over 100% in recent months, leading to stolen customer data and financial fraud.

These incidents highlight the aviation MRO and ground handling sector’s growing exposure to cyber threats across multiple attack vectors, from ransomware and insider threats to supply chain vulnerabilities and unencrypted communication protocols.

Cyberattacks can Impact Baggage Handling Systems, such as the Japan Airlines Case in 2024

Regulatory Responses are (Currently) a Fragmented Patchwork

Regulators worldwide have begun to take decisive action, but the resulting compliance landscape is increasingly complex.

In the USA: TSA Cybersecurity Directives

In March 2023, the TSA mandated a range of measures, including:

  • Network Segmentation: Ensuring OT and IT systems can operate independently in case of a breach.
  • Access Control Measures: Strengthening authentication and restricting unauthorized access.
  • Continuous Monitoring and Threat Detection: Implementing real-time anomaly detection.
  • Incident Response Planning: Requiring a comprehensive strategy for cyber incidents.

Also in the USA: FAA Cybersecurity Regulations

The FAA has introduced specific cybersecurity requirements focusing on aviation safety and avionics security, including:

  • Aircraft Network Security Programs (ANSP): Airlines must implement measures to protect aircraft digital systems.
  • Operational Specification D301: Requires regular risk assessments and control implementation for certified aircraft.
  • Mandatory Information Sharing: Enhanced collaboration with government agencies and private sector stakeholders.

In Europe: EASA Acts and the Part-IS Cybersecurity Framework

  • Driven by the EU Cybersecurity Act, stringent security-by-design principles for aircraft and ground systems are required of OEMs and the supply chain.
  • NPA 2023-09 Cybersecurity Rulemaking: Requires airlines, MROs, and airports to adopt an Aviation Cybersecurity Management System (ACMS) aligned with existing safety requirements.
  • Part-IS: A mandatory framework that will require aviation organisations of all sizes and at all tiers of the supply chain to operate an Information Security Management System (ISMS) based on, but going beyond, established ISMS frameworks such as ISO 27001 and the NIST SP 800 series. Where applicable, it will need to integrate with the organisation's established SMS and QMS.

In the UK: Civil Aviation Authority (CAA) CAF, CAPs 1753, 1849 & 1850

  • CAP 1753 Cybersecurity Oversight Framework: Introduces risk-based cybersecurity assessments and regulatory reporting obligations. CAPs 1849 and 1850 build on it to implement critical-system scoping and the wider Cyber Assessment Framework (CAF).

Other Global Regulations: ICAO and IATA Strategic Guidance & Recommended Best-practice

  • ICAO Annex 17 & 19: Provides international cybersecurity recommendations for aviation safety.
  • IATA Cybersecurity Toolkit: Helps MROs and ground handlers navigate regulatory complexities.

The lack of harmonization among these regulations presents a significant compliance challenge for MRO and ground handling CISOs. Many organizations must comply with multiple regulatory frameworks simultaneously, leading to duplicated efforts, inefficiencies, and resource constraints.

Increasing Use of Digital MRO Solutions Requires an Integrated Approach Between ISMS, SMS & QMS

The Case for an Integrated Cybersecurity Approach

Rather than treating cybersecurity as an isolated discipline, there is increasing recognition among CISOs in aviation that solutions must embed cybersecurity into broader organisational governance frameworks. The solution lies in integrating the Information Security Management System (ISMS) with Safety Management Systems (SMS) and Quality Management Systems (QMS), creating a triad of management systems for comprehensive risk management.

What does this triad look like?

1. Information Security Management System (ISMS)

  • Establishes cybersecurity policies, risk assessments, and compliance frameworks.
  • Builds on ISO 27001, the NIST SP 800 series and, ultimately, Part-IS and CMMC 2.0 for structured cybersecurity governance.
  • Pulls in compliance with FAA, EASA, and CAA cybersecurity directives.

2. Safety Management System (SMS)

  • Ensures that cybersecurity incidents are assessed through a safety lens.
  • Incorporates cybersecurity into maintenance and ground handling safety risk assessments.
  • Facilitates incident reporting and investigation under ICAO Annex 19 requirements.

3. Quality Management System (QMS)

  • Provides a structured approach to continuous improvement and compliance monitoring.
  • Integrates cybersecurity focus areas into existing aviation safety and quality audits.
  • Aligns with AS9100, AS9110 (MRO QMS), AS9120, as well as software development standards such as AS9115, AQAP-2210 & RTCA standards.

By integrating these three management systems, CISOs can deliver the core compliance requirements of these multiple cybersecurity regulations with a minimum of duplication. The main outcomes of this integration are:

  • Enhanced risk visibility, by linking cybersecurity threats to safety and operational risks.
  • Improved incident response coordination between cybersecurity, maintenance, and ground handling teams.
  • Stronger collaboration with regulators, by providing a unified risk management approach.

Conclusion: An Integrated Path Forward for MRO and Ground Handling Cybersecurity

From AOC holders to MRO providers, aviation cybersecurity is at a crossroads. The industry faces a growing wave of cyber threats, compounded by fragmented global regulations. For CISOs, the challenge is not just compliance but operational technology (OT) resilience, from secure baggage handling systems to on-site additive manufacturing repairs.

The key to success lies in integrating cybersecurity into the AOC holder, MRO and ground handling safety & quality ecosystem. By aligning ISMS, SMS, and QMS approaches, CISOs can create a unified, proactive approach to managing cyber risks while ensuring compliance with emerging regulations.

The future of aviation cybersecurity depends on strategic leadership across these areas. Now is the time for CISOs in these sectors to act.

Additively-Manufactured Repairs are an Emerging Example of Digitally-driven MRO Solutions relying on Networked Assets and Connectivity