The Network and Information Security (NIS) Directive was the first piece of European Union (EU)-wide legislation on cybersecurity. It aimed to achieve a high common level of cybersecurity across Member States and paved the way for significant change in the institutional and regulatory approach to cybersecurity. In response to the growing threats that accompany digital transformation and the surge in cyber attacks, the Commission proposed an expansion of the scope of NIS, which led to the creation of NIS2. NIS2 is intended to strengthen the security requirements of NIS, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements. In this blog, we will discuss how this directive affects the aviation sector and how your organization can successfully comply with NIS2 requirements.
One area in which NIS2 goes further than NIS is the scope of entities it covers. NIS2 sets a cybersecurity risk management baseline for 18 sectors listed in its Annexes I and II, including transport (which encompasses aviation). Digital infrastructure and digital service providers are also in scope. Because the directive applies to entities that provide their services in the EU, organizations with no physical presence in the EU can still be affected if they provide essential or important services there. These services include cloud services, DNS services, social media networks, search engines, and more.
Entities that fall under NIS2 are divided into two categories. The first is ‘essential’ entities: organizations that provide critical services whose disruption would have serious consequences for a country’s economy or society as a whole. Sectors in this category include healthcare, energy, and transport. The second is ‘important’ entities: organizations whose services are still critical, but whose disruption would have less severe consequences. Examples of important sectors include manufacturing, food production, digital providers, and waste management. Entities in both categories must meet the same cybersecurity risk management requirements; the distinction lies in the supervisory regime (essential entities face proactive supervision, important entities are supervised after the fact) and in the maximum penalties.
As a subset of the transport sector, aviation is a high-criticality sector under the directive, so aviation entities that meet the directive’s size thresholds are treated as ‘essential’ and must in turn address the following cybersecurity areas:
policies on risk analysis and information system security
incident handling (prevention, detection, and response to incidents)
crisis management and business continuity, such as backup management and disaster recovery
supply chain security including security-related aspects concerning the relationships between each entity and its suppliers or service providers
security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
policies and procedures (testing and auditing) to assess the effectiveness of cybersecurity risk management measures
basic cyber hygiene practices and cybersecurity training
policies and procedures regarding the use of cryptography and, where appropriate, encryption
human resources security, access control policies and asset management
the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate
Some of the most significant implications for the aviation sector specifically concern evaluating and controlling the cybersecurity risk introduced by external suppliers and vendors. Meeting this requirement entails verifying that their systems and products meet security standards and assessing their ability to withstand and recover from a cyber attack. The aviation sector, much like other transport sectors, also relies heavily on a large number of cyber-physical systems (CPS), such as the control systems used for aircraft and for ground operations. Because many of these systems are sourced from, and maintained by, third parties, they sit at the intersection of supply chain security and operational security: to comply with NIS2, aviation organizations must implement measures that secure these systems against cyber threats, for example access controls that protect control systems from unauthorized access or manipulation, and vulnerability handling processes that cover vendor-supplied components. Although NIS2 requires aviation organizations to invest in cybersecurity measures upfront, that investment ultimately results in a more secure and resilient industry in the long run.
Aviation organizations can team up with a CPS security vendor, like Claroty, to help them meet NIS2 compliance requirements. Claroty’s CPS cybersecurity portfolio supports and simplifies NIS2 compliance by extending protection, monitoring, and other cyber risk management controls to all CPS, including those that underpin the essential and important services provided by EU entities in scope for NIS2. Alignment between the Claroty portfolio and NIS2 spans two core areas of the directive’s requirements: cybersecurity risk management and incident reporting. By integrating Claroty’s CPS cybersecurity solutions with their existing IT security tools and workflows, aviation organizations can extend coverage of NIS2 requirements across both their IT and CPS environments entity-wide.