The UK’s Civil Aviation Authority (CAA) has announced its new ASSURE scheme, developed in partnership with the Council for Registered Ethical Security Testers (CREST), the not-for-profit accreditation and certification body for the technical security industry.
ASSURE is an accreditation scheme created by CAA in association with CREST to enable aviation organisations to procure accredited cyber security audit capabilities to audit their completed CAF for Aviation self-assessments.
The new scheme will improve CAA’s cyber-security oversight strategy, enabling the aviation industry – including airlines, airports and air navigation service providers – to manage their cyber-security risks without compromising aviation safety, security or resilience and to support the UK government’s national cyber-security strategy.
CAA’s cyber-security oversight process for aviation outlines the organisation’s approach to cyber-security oversight, which includes the CAF for Aviation, the ASSURE cyber-audit and the incorporation of cyber-security oversight into existing CAA performance-based oversight processes.
The first set of specialist cyber-security third-party suppliers have been accredited under the process defined in the ASSURE framework. To become an accredited ASSURE cyber-supplier, a firm must have CREST membership in one of its core areas. Accredited ASSURE cyber professionals are expected to demonstrate extensive knowledge in at least one of the following three specialisms: cyber-audit & risk management, technical cyber-security expert and ICS/OT expert.
"The CAA is committed to broad and collaborative engagement with industry and key stakeholders to continuously improve our cyber-security oversight model," said Peter Drissell, CAA aviation security director, in the announcement.
"By working with CREST to develop the ASSURE accreditation scheme, the aviation industry has access to the highest levels of skill, knowledge and competence to face the changing threat landscape and encourage a proactive approach to cyber-security."
Where stipulated by the CAA, aviation organisations will be required to complete a self-assessment of their cyber security using the CAA’s Cyber Assessment Framework (CAF) for Aviation, which can be applied to organisations of varying size and complexity. Aviation organisations may then be required to contract with an ASSURE Cyber Supplier through the ASSURE Buyer’s Platform to audit their completed CAF for Aviation self-assessment, on behalf of the CAA.
"ASSURE is the latest scheme to strengthen the UK’s Critical National Infrastructure against growing cyber threats and supports the CAA’s cyber-security oversight strategy," CREST president Ian Glover said in the announcement.
"CREST has also been working with the UK banking, telecommunications, nuclear and utilities sectors to develop effective accreditation schemes and intelligence-led cyber-security testing and is also helping governments and regulators in other countries to adopt the same approach."