Aviation MRO Cybersecurity: Protecting Maintenance Records, OEM Data, and Airworthiness Integrity
Maintenance, Repair, and Overhaul (MRO) organisations occupy a critical position in the aviation ecosystem — and a uniquely vulnerable cybersecurity position. They hold airworthiness records, OEM-licensed technical documentation, component traceability data, and maintenance history for aircraft worth hundreds of millions of pounds. They connect to airline IT systems, OEM platforms, and regulatory authority databases. They employ engineers whose work directly affects the airworthiness of commercial aircraft. And yet, compared to airlines and airports, MRO cybersecurity has historically received less regulatory attention and less security investment. EASA Part-IS changes this: Part-145 approved organisations are explicitly in scope, creating binding ISMS requirements for MROs for the first time.
Why MRO Cybersecurity Matters: The Airworthiness Integrity Risk
The cybersecurity risk in MRO is distinct from most aviation contexts because it extends beyond data breach and operational disruption:
- Airworthiness record integrity: Maintenance records document that work has been completed correctly and aircraft are airworthy. Compromised or falsified records could allow unsafe aircraft to operate.
- Component traceability: MRO systems track component serial numbers, overhaul history, and approved parts. A compromised traceability system could introduce unapproved or counterfeit parts undetected.
- OEM technical data: MROs hold licences to OEM maintenance manuals, service bulletins, and airworthiness directives. This commercially sensitive data is valuable to competitors and threat actors.
- Intellectual property: MRO development of proprietary maintenance procedures and tooling represents significant intellectual property that state-sponsored actors systematically target.
- Regulatory filings: EASA and CAA approve MRO scopes of work. A compromised regulatory filing system could misrepresent an organisation's approved capabilities.
EASA Part-IS and Part-145 MRO Compliance
EASA Part-IS explicitly brings Part-145 approved maintenance organisations within its scope. MROs must:
- Establish an ISMS proportionate to the size and nature of their operations and the systems they use
- Conduct information security risk assessments covering their IT systems, OT equipment, and supply chain relationships
- Implement security controls appropriate to the risks identified — including access management, network security, and incident response
- Report information security incidents that may affect aviation safety to their National Aviation Authority
- Ensure personnel with security responsibilities are appropriately trained and qualified
- Maintain records demonstrating ISMS implementation — available for NAA inspection
MRO-Specific Cybersecurity Threats
MRO organisations face a threat landscape shaped by their position in the aviation supply chain:
- Nation-state IP theft: State-sponsored actors systematically target aerospace MRO for OEM technical data, proprietary repair procedures, and manufacturing IP — NCSC and CISA have published specific warnings
- Ransomware: MRO systems — maintenance tracking, parts management, document management — are high-value ransomware targets. Disrupted MRO operations cascade to airline maintenance schedules.
- Counterfeit parts: Compromised traceability systems could facilitate the introduction of unapproved components — a safety-critical supply chain risk
- Insider threat: MRO engineers with system access have the capability to alter maintenance records — insider threat programmes are particularly important in MRO contexts
- OEM portal attacks: MROs access OEM technical portals (Airbus World, Boeing Technical Operations) using credentials that could be compromised through phishing
MRO Cybersecurity Controls: Priority Areas
MRO organisations should prioritise the following cybersecurity controls:
- Maintenance record integrity: Immutable audit logs for all maintenance record creation and modification — technical controls to prevent unauthorised alteration of airworthiness documentation
- OEM portal access management: MFA and privileged access controls for all OEM technical portal access — limiting the impact of credential compromise
- Network segmentation: Isolation of maintenance tracking and documentation systems from general office IT — limiting ransomware propagation paths
- Third-party access control: Controlled, logged access for airline customers and OEM representatives accessing MRO systems
- Data classification: Clear classification of OEM-licensed data, proprietary procedures, and customer aircraft data — with appropriate access controls for each category
- Phishing and social engineering training: MRO staff who receive OEM-branded emails are a specific target — role-specific awareness training is essential
Frequently Asked Questions
Do all MRO organisations need to comply with EASA Part-IS?
EASA Part-IS applies to all EASA-regulated aviation entities — including Part-145 approved maintenance organisations. UK MROs holding EASA Part-145 approvals are directly subject to Part-IS. UK MROs operating solely under UK CAA Part-145 approval are subject to CAA CAP 1753 cybersecurity expectations rather than directly to EASA Part-IS. However, since many UK MROs hold both UK and EASA approvals for commercial reasons, the Part-IS obligations apply to their EU-regulated activities. The UK CAA Part-145 cybersecurity framework is broadly aligned with EASA Part-IS.
Can ransomware attack a maintenance record system and affect airworthiness?
In a ransomware attack on an MRO, maintenance management systems would typically be encrypted and unavailable. The airworthiness risk is primarily from operational disruption — engineers unable to access maintenance records, log completed work, or verify component histories — rather than from record falsification. However, the more concerning scenario is a sophisticated attacker who compromises maintenance systems and alters records before deploying ransomware — using the chaos of the ransomware attack to obscure the record manipulation. MRO operators should implement immutable audit logging specifically to detect record alterations, not just ransomware encryption.
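The audit logging recommended in the controls list and in this answer can be made tamper-evident with a keyed hash chain, so that alteration, deletion and truncation of maintenance-record events are each detectable after a restore. This is an added example, not code from the original page: the event fields, function names and sample data are constructed, and it assumes the HMAC key and the latest head value are held outside the maintenance system (for example on write-once storage).

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # "prev" value of the first entry

def _mac(key: bytes, prev: str, event: dict) -> str:
    # Canonical JSON: the same event always serialises to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + body, hashlib.sha256).hexdigest()

def append(log: list, key: bytes, event: dict) -> str:
    """Chain a new entry to the previous one; return the new head MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"event": event, "prev": prev, "mac": _mac(key, prev, event)})
    return log[-1]["mac"]

def verify(log: list, key: bytes, anchored_head: str) -> list:
    """Return (index, finding) tuples; an empty list means the log is intact."""
    findings, prev = [], GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev:
            findings.append((i, "chain break: entry removed, inserted or reordered"))
        expected = _mac(key, entry["prev"], entry["event"])
        if not hmac.compare_digest(expected, entry["mac"]):
            findings.append((i, "content altered after logging"))
        prev = entry["mac"]
    if prev != anchored_head:  # compare with the copy kept off-system
        findings.append((len(log), "head mismatch: log truncated or rewritten"))
    return findings

def build_sample_log(key: bytes):
    """Constructed sample events (not real maintenance data)."""
    log, head = [], GENESIS
    for event in (
        {"ts": "2024-05-01T09:12:00Z", "user": "eng.a", "action": "create",
         "record": "WO-1001", "detail": "fitted component S/N SAMPLE-001"},
        {"ts": "2024-05-01T11:40:00Z", "user": "eng.b", "action": "sign-off",
         "record": "WO-1001", "detail": "inspection complete"},
        {"ts": "2024-05-02T08:05:00Z", "user": "eng.a", "action": "create",
         "record": "WO-1002", "detail": "scheduled check opened"},
    ):
        head = append(log, key, event)
    return log, head

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: the real key lives outside the MRO system
    log, head = build_sample_log(key)
    log[0]["event"]["detail"] = "fitted component S/N SAMPLE-999"  # simulated alteration
    print(verify(log, key, head))
```

A hash chain makes changes detectable rather than impossible, which is why the head value has to be anchored somewhere an attacker with access to the maintenance database cannot rewrite it.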
What is the relationship between MRO cybersecurity and aviation safety oversight?
EASA Part-IS is explicitly framed as a safety regulation — not purely a cybersecurity or data protection framework. EASA's position is that cybersecurity failures in aviation, including at MROs, can have direct safety implications. Compromised maintenance records, unreliable component traceability, or disrupted MRO operations all create safety risks. National Aviation Authorities conducting Part-145 oversight inspections are expected to include cybersecurity (ISMS implementation) within their audit scope. MROs should expect cybersecurity to become a standard element of regulatory oversight visits.