To ensure compliance with Part-IS, we need to master the regulatory terminology. Specific terms recur throughout our policies and procedures; these are legal definitions given in the Guidance Material to Article 2 of the regulation. We shall start by explaining these concepts, beginning with the three fundamental components of Information Security, commonly known as the CIA Triad.
When we say we are ‘securing’ information, what are we actually protecting?

The first pillar is Confidentiality. This means ensuring that information is accessible only to those authorized to have access. In an aviation context, think about the passenger manifest or the security codes for the cockpit door. If this data is stolen, it doesn’t necessarily make the plane crash immediately, but it allows bad actors to plan attacks or exploit our customers.
The second pillar is Integrity. This is arguably the most critical for flight safety. Integrity means guarding against improper information modification or destruction. Imagine a Flight Management System (FMS) database – if a hacker enters the system and subtly changes the coordinates of a waypoint or the elevation of a runway by just a few digits, the pilot might trust that data and fly the aircraft into the ground. The system still ‘works,’ but the data is lying. Preserving integrity means ensuring that the data on the screen is exactly what it is supposed to be.
The third pillar is Availability. This means ensuring timely and reliable access to data and information services. Think about the electronic flight bag (EFB) used by pilots for charts and performance calculations. If a ransomware attack locks up those iPads 10 minutes before departure, the aircraft cannot leave. The data is safe, and it hasn’t been changed, but it is useless because we cannot reach it.
Beyond the CIA Triad, you need to understand three other core concepts: Asset, Threat, and Vulnerability.
An Asset is anything of value to the organization. Under Part-IS, we focus on ‘Critical Assets’—things that, if hacked, could endanger the safety of flight. This includes your laptop, your ID badge, the aircraft’s avionics, and even the software we use to track maintenance.
A Threat is a potential cause of an incident. This could be a person (like a hacker), a piece of software (like a virus), or an event (like a denial-of-service attack) that could harm the asset.
A Vulnerability is a weakness that the threat can exploit. This is where you come in. A vulnerability might be a technical flaw in a firewall, but more often, it is a human behavior, like a password written on a sticky note, or an employee holding a secure door open for a stranger.
The goal of Part-IS is to manage the risk where these three elements meet. We cannot eliminate all threats (hackers will always exist), but we can reduce our vulnerabilities and protect our assets to ensure the Confidentiality, Integrity, and Availability of the aviation system.

