Compliance-driven cyber risk analysis of industrial assets within the civil aircraft industry

Supervisor(s): Patrick Wagner
Status: finished
Topic: Others
Author: Justin Möhlmann
Submission: 2021-11-15
Type of Thesis: Master's thesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching

Description

To ensure the safety of manufacturing processes within the aircraft industry
and aviation safety overall, the European Union Aviation Safety
Agency (EASA) is working on new requirements for aircraft manufacturers
that shall guarantee information security in production processes. Once the
new regulations, currently discussed within EASA's Notice of Proposed
Amendment (NPA) 2019-07, enter official EU law, aircraft manufacturers
will need certification of conformance with EASA NPA 2019-07 to be
allowed to continue corporate operations.

Currently, industry-known frameworks like ISO 27005 or IEC 62443-3-2
are common for conducting information security risk assessments. However,
these frameworks provide guidelines for risk assessments and aim to
assist companies in conducting them, but hardly present concrete means
of implementation. Previously, corporate practice required projects
with external partners to conduct risk assessments rather than enabling
employees to complete them themselves. This resulted in additional costs
for already limited production budgets.

This work presents a practical risk assessment approach that establishes an
efficient way of conducting information security risk assessments while
conforming to EASA's risk assessment requirements. The compliance-driven
method is derived from a holistic risk analysis based on Fraunhofer AISEC's
Modular Risk Assessment (MoRA) framework and makes use of security
control questionnaires based on common industry standards to assess the
security status of a component and the likelihood of exploits. Combined
with company-specific threat impact criteria, this results in an efficient risk
assessment that can be conducted by the managers responsible for the machines
in the field without the need for additional resources.