EASA Part 145 Cyber Security: Reporting Descriptors - Taxonomy

EASA Part 145 Cyber Security: Reporting Descriptors

Sofema Aviation Services (SAS) considers the following to be the key reporting criteria to be introduced in accordance with (I.A.W.) the ECCAIRS reporting methodology.

Introduction

Implementation Context

For EASA Part 145 organizations, reporting criteria must align with the requirements of IS.I.OR.220 (information security incidents) and IS.I.OR.230 (external reporting). This includes developing a streamlined process for classifying and reporting incidents based on the descriptors set out below. The framework should also integrate with existing safety management and quality assurance systems to ensure a unified approach to incident detection, analysis, and resolution.

By using these descriptors, EASA Part 145 organizations can establish a comprehensive reporting framework that enhances situational awareness, supports compliance, and strengthens resilience against evolving cyber threats.

Reporting Criteria

A robust reporting framework enables timely detection, assessment, and mitigation of threats that could compromise aviation safety. The following key descriptors form the foundation of such a reporting system:

Threat Level

Threat levels categorize the severity of the cyber threat based on its potential impact on the organization. These levels—Critical, Very High, High, Medium, and Low—provide a structured way to prioritize response efforts. For instance, a "Critical" threat may involve an active attack on critical systems, such as maintenance software, that directly impacts safety, whereas a "Low" threat may represent a minor vulnerability that poses no immediate risk. Clearly defining these categories ensures that resources are allocated efficiently, with urgent attention directed to the most severe threats.

Impact Level

Impact levels assess the potential consequences of a cyber incident on operations, safety, and compliance. Similar to threat levels, impact levels range from Critical to Low, focusing on the degree of disruption caused. A "Critical" impact might involve the compromise of aircraft maintenance data, leading to operational delays or safety risks, while a "Medium" impact could involve temporary unavailability of non-critical systems. By aligning impact levels with threat levels, the organization can better gauge the overall risk and prioritize its response strategies.

Type of Attack

Identifying the type of attack helps in understanding the nature of the threat and implementing appropriate countermeasures. Common attack types include abusive content (e.g., malicious emails), vulnerability exploitation (e.g., exploiting software flaws), and availability threats (e.g., DDoS attacks). Specific subcategories such as SPAM, disclosure of sensitive information, and denial-of-service attacks provide further granularity for accurate threat classification. For example, a DDoS attack may target critical IT infrastructure, affecting the availability of maintenance records and necessitating immediate action.

Attack Vector

The attack vector describes how the threat enters or exploits the system. Vectors such as web-based attacks, email-based threats (e.g., phishing), spoofing, or unknown vectors are key descriptors. For example, email-based phishing targeting maintenance personnel could lead to credential theft, compromising sensitive systems. Understanding the vector allows the organization to focus on strengthening specific defenses, such as email filtering or multi-factor authentication.

Targeted Assets

Reporting criteria should specify the assets targeted by the cyber threat. These might include email attachments containing malware, maintenance software systems, or operational databases. By identifying targeted assets, the organization can assess the potential operational disruption and focus on protecting critical systems.

Other Specific Cyber Attributes

Additional attributes provide deeper insight into the nature of the threat and its potential impact:

  • Motive: Identifying whether the threat actor's intent is financial gain, disruption, espionage, or another objective helps prioritize response.
  • Threat Actor: Understanding whether the threat originates from a state-sponsored actor, a hacktivist group, or an insider can shape the mitigation approach.
  • Low-Observable Characteristics (LOC): These refer to subtle, hard-to-detect aspects of an attack, such as minimal resource consumption or advanced obfuscation techniques. Recognizing LOC is critical for identifying advanced persistent threats (APTs) targeting aviation systems.
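The descriptors above can be encoded as a validated incident record so that reports use only the taxonomy's values and so that the threat and impact levels are combined into one response priority. This is an added example, not code from the article or from EASA/ECCAIRS; the page does not say how threat and impact levels combine, so the priority rule here (the higher of the two, raised one step when both are at least High) is an assumption, as is the sample phishing record.

```python
from dataclasses import dataclass

# Severity scale shared by Threat Level and Impact Level, ordered low to high.
LEVELS = ["Low", "Medium", "High", "Very High", "Critical"]
# Attack types and attack vectors named in the descriptors above.
ATTACK_TYPES = {"abusive content", "vulnerability exploitation", "availability"}
VECTORS = {"web-based", "email-based", "spoofing", "unknown"}


@dataclass
class IncidentReport:
    threat_level: str
    impact_level: str
    attack_type: str
    attack_vector: str
    targeted_assets: list
    motive: str = "unknown"        # financial gain, disruption, espionage, ...
    threat_actor: str = "unknown"  # state-sponsored, hacktivist, insider, ...
    low_observable: bool = False   # LOC indicators present (possible APT)


def validate(report: IncidentReport) -> list:
    """Return the descriptor fields outside the taxonomy (empty list = valid)."""
    problems = []
    if report.threat_level not in LEVELS:
        problems.append("threat_level")
    if report.impact_level not in LEVELS:
        problems.append("impact_level")
    if report.attack_type not in ATTACK_TYPES:
        problems.append("attack_type")
    if report.attack_vector not in VECTORS:
        problems.append("attack_vector")
    if not report.targeted_assets:
        problems.append("targeted_assets")
    return problems


def response_priority(report: IncidentReport) -> str:
    """Assumed rule (not from EASA/ECCAIRS): the higher of threat and impact,
    raised one step when both are at least High."""
    t, i = LEVELS.index(report.threat_level), LEVELS.index(report.impact_level)
    priority = max(t, i)
    if min(t, i) >= LEVELS.index("High") and priority < len(LEVELS) - 1:
        priority += 1
    return LEVELS[priority]


# Constructed sample: phishing of maintenance staff, the scenario in the text.
PHISHING = IncidentReport("High", "High", "abusive content", "email-based",
                          ["maintenance software credentials"], motive="espionage")
```

A report that fails `validate` should be sent back to the reporter before it is escalated under IS.I.OR.220 or forwarded externally under IS.I.OR.230.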

Next Steps

Sofema Aviation Services and Sofema Online provide Classroom, Webinar and Online training – please see the websites or email team @ sassofia.com for questions & guidance.


Jovan Knezevic

Aviation Consultant

1 month

Great advice

More articles by Steve Bentley FRAeS