Linking the Existing Aviation SMS to the Risk Assessment Process within the EASA Part-IS Framework

Sofema Aviation Services (SAS) considers key aspects of integration of Information & Cyber Security within the current SMS system

Introduction - Understanding the EASA Part-IS Regulatory Framework

The EASA Information Security regulation (Part-IS, comprising Delegated Regulation (EU) 2022/1645 and Implementing Regulation (EU) 2023/203) is built to safeguard aviation from information security threats, including cyber attacks, that could impact aviation safety; business continuity is in scope to the extent that a disruption can affect safety. Key elements include:

  • Risk-based Approach: Operators must proactively identify, assess, and mitigate information security risks.
  • Integration with SMS: Part-IS expects harmonization with existing SMS processes to ensure a unified safety and security risk management system.
  • Governance & Compliance: Clear responsibilities, oversight mechanisms, and accountability.
  • Incident Response & Reporting: Mandatory reporting to the competent authority of information security incidents and vulnerabilities that may represent a potential aviation safety risk.

Key Challenges in Aligning SMS with Part-IS Risk Assessment

While SMS is well-established in aviation organizations, integrating cybersecurity risks into the existing safety risk framework presents challenges:

  • Different Risk Domains: SMS traditionally focuses on operational hazards (e.g., human factors, technical failures), whereas an ISMS addresses information security threats (e.g., ransomware, phishing, data tampering) that become safety hazards only when they affect operational systems or data.
  • New Stakeholders: Cybersecurity involves IT teams, security officers and external cybersecurity agencies, whereas SMS mainly involves operational safety personnel.
  • Different Risk Treatment Approaches: The likelihood of a safety hazard is usually estimated from experience and root cause analysis of past occurrences, whereas cyber risk involves an adaptive adversary, so likelihood depends on exposure and exploitability and must be kept current through monitoring, vulnerability management, penetration testing and threat intelligence.

To overcome these challenges, organizations must create a structured integration model for aligning cyber risk management with SMS.

Consider the following:

  • Modify the existing SMS framework to explicitly include cybersecurity risk factors and adopt a unified risk management approach that considers both safety and cybersecurity risks.
  • Establish clear communication channels between safety and cybersecurity teams.
  • Ensure that cyber risks are incorporated into safety risk registers and that safety personnel receive cybersecurity awareness training.
  • Implement joint risk assessment mechanisms, where cyber risks are evaluated using common aviation risk matrices that factor in both safety severity levels and cybersecurity threat levels.
  • Evolve governance structures to accommodate cybersecurity concerns within the SMS framework, with designated cybersecurity focal points participating in SMS review boards and risk assessments.
  • Recognise that many operational personnel may not fully understand the impact of cyber threats on aviation safety, making education and training key to fostering a unified risk perspective.
  • Conduct cybersecurity drills alongside traditional SMS safety exercises to help bridge the gap between these disciplines.
  • Implement threat detection tools and real-time monitoring systems that feed into SMS dashboards to further enhance safety and cybersecurity resilience.

Linking SMS with the Risk Assessment Process in Part-IS

The integration of SMS and Information Security Risk Management (ISRM) follows a common risk-based approach, focusing on identification, analysis, mitigation, and monitoring.

Step 1: Identify & Map Information Security Risks in the Existing SMS Framework

  • Conduct a gap analysis to determine how cybersecurity threats impact existing SMS elements.
  • Align cyber risks with traditional safety risks under the Hazard Identification & Risk Assessment (HIRA) process.
  • Define cybersecurity hazards in operational contexts:
      • Unauthorized access to critical aircraft systems (e.g., avionics hacking).
      • Data integrity failures (e.g., maintenance record tampering).
      • Supply chain vulnerabilities (e.g., third-party software compromises).
      • Denial of Service (DoS) attacks on aviation networks.

Step 2: Establish a Unified Risk Assessment Process

Part-IS requires the organisation to perform an information security risk assessment that identifies the elements (systems, data, interfaces, suppliers) that could be exposed to information security risks and evaluates each risk in terms of its potential impact on aviation safety. Applying the SMS likelihood and severity conventions to that evaluation ensures that cybersecurity risks are ranked, accepted and escalated by the same criteria, and by the same accountable managers, as operational safety risks.

Step 3: Establish Common Governance for SMS & ISMS

  • Appoint a Cybersecurity Focal Point within the Safety Management Team.
  • Define clear roles & responsibilities between SMS and Information Security personnel.
  • Implement shared risk governance through regular joint risk assessment meetings.
  • Ensure that cybersecurity risks are included in SMS Safety Review Boards (SRBs).

Step 4: Integrate Cybersecurity into Safety Assurance & Continuous Improvement

  • Modify internal safety audits to include cybersecurity risk assessments.
  • Link cybersecurity incidents to the existing safety reporting system (e.g., integrate with Mandatory Occurrence Reporting - MOR).
  • Train aviation personnel on the impact of cyber threats on safety risks.
  • Establish a cybersecurity risk register alongside the safety risk register.

Practical Implementation: Using a Cyber-SMS Risk Model

The following steps outline a real-world integration model:

  1. Identify common touchpoints between SMS and ISMS (e.g., aircraft avionics cybersecurity, maintenance data security).
  2. Develop a unified risk scoring method (combining operational risk with cybersecurity risk).
  3. Use real-time data from cybersecurity monitoring tools in SMS decision-making.
  4. Adopt advanced risk assessment frameworks such as:
      • Boeing MEDA (Maintenance Error Decision Aid) combined with cyber threat modeling.
      • The Bowtie model for linking cyber incidents with aviation safety failures.
      • The FAIR (Factor Analysis of Information Risk) methodology.
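The following is an added example, not code from Sofema Aviation Services or from EASA, showing one way to implement the "common aviation risk matrix" and "unified risk scoring method" described above. It scores constructed cybersecurity hazards on a 5x5 likelihood/severity matrix modelled on the ICAO Doc 9859 SMS matrix so that they can sit in the same register, and be reviewed by the same Safety Review Board, as operational hazards. The likelihood formula (exposure and exploitability reduced by control strength), the 1-5 scales, the tolerability boundaries and the sample hazards are all assumptions for illustration and must be replaced by the organisation's approved matrix and real findings.

```python
"""Unified safety/cyber risk scoring for a Part-IS style risk register.

Added example, not Sofema's or EASA's code. Each information security
hazard is scored on a 5x5 likelihood x severity matrix modelled on the
ICAO Doc 9859 SMS matrix. The likelihood formula and the tolerability
boundaries are assumptions for illustration; replace them with the
organisation's approved SMS risk matrix.
"""
from dataclasses import dataclass, replace

# ICAO-style severity classes: the worst credible *safety* outcome of the event.
SEVERITY_RANK = {"A": 5, "B": 4, "C": 3, "D": 2, "E": 1}  # A catastrophic .. E negligible

# Assumed tolerability regions (matrix cells written as likelihood + severity).
INTOLERABLE = {"5A", "5B", "5C", "4A", "4B", "3A"}
TOLERABLE = {"5D", "5E", "4C", "4D", "4E", "3B", "3C", "3D", "2A", "2B", "2C"}
# Every other cell is treated as acceptable.


@dataclass(frozen=True)
class CyberHazard:
    asset: str
    threat: str
    safety_severity: str   # "A".."E", agreed jointly by safety and security staff
    exposure: int          # 1 isolated .. 5 reachable from the internet (assumed scale)
    exploitability: int    # 1 needs insider + physical access .. 5 public exploit, no auth
    control_strength: int  # 0 no controls .. 4 layered, tested controls


def likelihood(h: CyberHazard) -> int:
    """Adversarial likelihood (1-5) from exposure, exploitability and controls.

    Unlike a classic safety hazard there is no historical frequency to rely on:
    the asset's exposure and how easily it can be exploited drive the number.
    Assumed formula: ceiling of the mean of exposure and exploitability,
    reduced by existing control strength, clamped to the 1..5 scale.
    """
    raw = (h.exposure + h.exploitability + 1) // 2 - h.control_strength
    return max(1, min(5, raw))


def risk_index(h: CyberHazard) -> str:
    """Matrix cell in the usual SMS notation, e.g. '4B'."""
    if h.safety_severity not in SEVERITY_RANK:
        raise ValueError(f"severity must be A-E, got {h.safety_severity!r}")
    return f"{likelihood(h)}{h.safety_severity}"


def tolerability(index: str) -> str:
    if index in INTOLERABLE:
        return "intolerable"
    if index in TOLERABLE:
        return "tolerable"
    return "acceptable"


def residual_index(h: CyberHazard, added_control_strength: int) -> str:
    """Risk index after a proposed mitigation raises the control strength."""
    stronger = replace(h, control_strength=h.control_strength + added_control_strength)
    return risk_index(stronger)


def assess(hazards):
    """Build register rows, worst first, so the Safety Review Board sees the
    intolerable cyber hazards next to the operational ones."""
    order = {"intolerable": 0, "tolerable": 1, "acceptable": 2}
    rows = []
    for h in hazards:
        idx = risk_index(h)
        rows.append({"asset": h.asset, "threat": h.threat,
                     "index": idx, "region": tolerability(idx)})
    rows.sort(key=lambda r: (order[r["region"]], -int(r["index"][0]),
                             -SEVERITY_RANK[r["index"][1]]))
    return rows


# Constructed sample register entries for illustration, not real findings.
SAMPLE_HAZARDS = [
    CyberHazard("EFB chart distribution server",
                "integrity compromise of navigation charts via exposed admin interface",
                "B", exposure=5, exploitability=4, control_strength=1),
    CyberHazard("Maintenance records system",
                "tampering with airworthiness records through a compromised account",
                "C", exposure=3, exploitability=3, control_strength=1),
    CyberHazard("Crew rostering platform",
                "ransomware causing loss of rostering and fatigue data",
                "D", exposure=4, exploitability=4, control_strength=1),
    CyberHazard("Avionics loadable software supply",
                "malicious update injected at a third-party supplier",
                "A", exposure=2, exploitability=2, control_strength=3),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_HAZARDS):
        print(f"{row['index']:>3} {row['region']:<11} {row['asset']}: {row['threat']}")
    # Residual risk of the top hazard after adding MFA and network isolation
    # (assumed to add two points of control strength).
    print("EFB residual index:", residual_index(SAMPLE_HAZARDS[0], 2))
```

Two design points are worth noting. Severity is the worst credible safety outcome, not the data-protection or financial impact, because that is what the Part-IS risk assessment asks for and what makes the cyber row comparable to an operational hazard in the same register. Likelihood is derived from exposure, exploitability and controls rather than from occurrence history, so re-scoring after a mitigation (the residual index) is explicit and auditable, and the supply chain entry shows why a catastrophic-severity hazard can still rank as acceptable once strong controls are in place.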

Conclusion: Moving Toward an Integrated Safety & Cybersecurity Risk Model

  • EASA's Part-IS regulations require a structured approach to managing cybersecurity risks within aviation.
  • Organizations must link cybersecurity risk management to their SMS to ensure holistic risk oversight.
  • Using a harmonized risk assessment framework, aviation companies can improve both safety and cybersecurity resilience.
  • By aligning safety assurance, governance, and performance monitoring, aviation safety and cybersecurity teams can work collaboratively.

Final Thought: The future of aviation risk management lies in integrated safety-security models, where SMS and ISMS are not separate silos but complementary frameworks working toward the same goal: safety and resilience in aviation.

Florin BUJOAICA

Compliance monitoring manager - Aviation

5 days ago

I agree

See the following 2-day course - Part 145 Cyber Security Implementation. For comments or questions, please email [email protected]. Join our exclusive webinar on Thursday 6th March https://products.sofemaonline.com/easa-part-145-information-and-cyber-security/


More articles by Steve Bentley FRAeS