Airports looking to comply with the new ASSURE cybersecurity scheme have found themselves on a steep learning curve. Required to complete an initial audit, many have sought an extension while grappling with highly prescriptive requirements. However, while the scheme might be demanding, there’s real value to be had in embracing the process.
ASSURE has been welcomed by an industry now regularly subjected to cyber-attacks and ransom demands (the Airport Cybersecurity COVID-19 Survey Report by the Airports Council International (ACI) found 61.5% of airports were subjected to cyber-attacks during 2020). It provides a process and framework that considers cybersecurity broadly as it covers both IT and OT systems and the supply chain. The audit itself is carried out by a CREST/IASME assured third-party with security expertise in these systems who are up to speed on emerging threats, ensuring it has real relevance.
It also promises to narrow the gap between those organizations that have a sound understanding of their cyber exposure and those with limited visibility or understanding. Small air operators, for instance, often outsource their IT and rely upon a small group of cloud applications. As ASSURE requires them to review their systems, any gaps and associated risks are highlighted and can be addressed.
Self-Assessment and Evidence
These gaps should materialize during the self-assessment stage. Still, with many lacking the confidence to gather the necessary evidence, it’s increasingly common for these organizations to turn to their IT department or an ASSURE assessor to help them. Yet while their IT department may well be au fait with internal processes, they’re often unaware of all the aviation functions in play, making it difficult for these teams to source the right evidence.
The form that evidence can take varies, from documents and manuals to observations and interviews. This means the level of detail being submitted to satisfy ASSURE tends to fluctuate, particularly as organizations have to carry out the process remotely due to COVID restrictions. Some are submitting vast sums of evidence while others are struggling to obtain the correct documentation – a problem exacerbated by how the industry operates.
Airport systems tend to be outsourced to either the equipment supplier or a third-party, which makes for a convoluted audit trail. For example, a baggage check-in system may be outsourced and manned by staff employed by a third-party and trained using software from another third party. Maintenance support for the hardware may come from another couple of vendors (one for the baggage belts and one for the scanning machines).
All of these systems and training are “in-scope” as part of a critical system. However, the airport has no direct contract or oversight of these parties and therefore holds no evidence to support the process. The auditor would need to approach the suppliers for evidence and either request documentation or perform an interview, but it’s an evidential process that relies upon the goodwill of everyone involved. None of this is covered in the contract of deliverables, and the likelihood is that these services and contracts will need to be re-negotiated in the future to accommodate the new compliance process.
Room for Refinement
Such teething problems are expected with a standard that is still bedding in, and the general consensus is this will be refined as we move to the next iteration of CAP1753. Yet, while the process is painful, it is still proving beneficial. Many are finding it is providing visibility, often for the first time, of the entire estate, with assessors then able to provide recommendations and identify opportunities for improvement, which can then be adopted as part of the corrective action plan in the future.
In the future, we’d like to see the ASSURE scheme hone the currently applied criteria so that it becomes more relevant to the aviation sector. At the moment, all critical systems are treated the same, regardless of whether they have internet connectivity or not, which means a legacy radar system has to be assessed using the same criteria as that used on a state-of-the-art self-check-in system.
It would be great, too, if the objectives could be prioritized to reduce the evidential requirements and, therefore, the time taken to complete the process. Many organizations, already struggling financially from the pandemic, find they now need to go through a process that takes months. Finally, the process must be seen as a source of value as a process, with more value given to the self-assessment phase and the process portrayed as cyclical rather than linear. The emphasis needs to be not on compliance but continual improvement