Cyber Essentials for Aviation: How UK Airlines and Airports Should Approach Certification

The Five Cyber Essentials Controls and Their Aviation Application

Each Cyber Essentials control has specific aviation relevance:

• 1. Boundary firewalls and internet gateways: Controls traffic entering and leaving aviation IT networks — critical for protecting reservation systems, operations centres, and passenger-facing portals from internet-borne attacks
• 2. Secure configuration: Ensuring devices and systems are configured securely, with unnecessary services disabled — applies to all office workstations, servers, and network devices, and extends to OT systems where vendor constraints allow
• 3. User access control: Appropriate access rights for each user, MFA on internet-accessible services — the control that would have prevented the British Airways breach from being as extensive as it was
• 4. Malware protection: Anti-malware controls on devices that interact with the internet or email — essential for ground handling, office, and operations centre devices
• 5. Patch management: Keeping operating systems and applications up to date — the most commonly failed control in aviation environments with legacy systems

Cyber Essentials Plus vs Standard: Which Does Aviation Need?

Cyber Essentials comes in two flavours: standard (self-assessment, externally verified) and Plus (includes technical testing of the controls by a certification body). For aviation operators, Cyber Essentials Plus is strongly recommended because: it provides more credible assurance that controls are actually in place (not just self-declared); it is more likely to satisfy CAA, EASA, and procurement requirements; and the technical testing identifies real gaps that self-assessment misses. The additional cost of Plus over standard certification is modest relative to the improved assurance.

Challenges for Aviation Operators Pursuing Cyber Essentials

Aviation environments present specific challenges for Cyber Essentials certification:

• OT systems scope: Cyber Essentials is designed for IT environments — the certification body must advise on how OT systems within the certification scope are handled. Legacy OT systems may not be certifiable and should be explicitly out of scope with compensating controls documented.
• Legacy operating systems: Cyber Essentials requires supported operating systems — but many aviation OT systems run on Windows 7 or earlier. The solution is scoping: define the certification boundary to include IT systems only, with separate OT security documentation.
• Third-party managed systems: Where vendors manage airport or airline IT systems, the operator must ensure those systems meet Cyber Essentials requirements — or exclude them from scope with documented justification.
• Mobile and EFB devices: Crew Electronic Flight Bags (EFBs) and ground handler tablets must be included in scope if they are managed devices used on the corporate network.

How Cyber Essentials Supports CAA and EASA Compliance

Cyber Essentials certification provides documented evidence of baseline security controls that directly supports CAA CAP 1753 and EASA Part-IS compliance:

• CAA CAP 1753 expects all regulated operators to have baseline security controls — Cyber Essentials provides certifiable evidence of these controls
• EASA Part-IS risk assessment: Cyber Essentials controls address many of the information security risks identified in a standard aviation ISMS risk assessment
• Third-party risk management: Aviation operators can request Cyber Essentials certificates from vendors as evidence of baseline security — simplifying supply chain risk assessment for lower-tier vendors
• Insurance: Many aviation cyber insurers require or reward Cyber Essentials certification with improved premium terms
• Procurement: UK government and increasing numbers of aviation industry partners require Cyber Essentials in procurement processes

Frequently Asked Questions