Digitalisation has long since arrived in all areas of aviation. All affected parts of the industry, especially aviation security, are under increasing pressure from the digital transformation. As a result, the demands on information security are also increasing at the same time. Many associate digitalisation at airports with the possibilities of online bookings, real-time tracking of flights, digital check-in functionalities, digitalised logistics processes or freely available WLAN. All these applications and systems were primarily designed and developed for the convenience of air travellers. But what about the protection of airports against cyber attacks?

The topic of security has accompanied aviation since Otto Lilienthal's first attempts at flight. For a long time, the focus was exclusively on operational safety. Since the terrorist attacks of 11 September, protection against terrorist attacks and acts of sabotage (security) has become more of a focus. Due to the increasing use of information and communication technology, threats from cyberspace are also taken into account.

Protection against cyber attacks

With the adoption of the Implementing Regulation (DVO) (EU) 2019/1583, which will come into force on 31 December 2021, airport operators, air carriers and entities named in the national civil aviation security programme will in future have to achieve and guarantee a certain level of information security in aviation security.

The aim of the regulation is to protect and safeguard civil air traffic against cyber attacks, especially with regard to acts of sabotage and terrorist attacks. This includes preventive measures in the area of cyber security, such as protection against these, but also the detection of and response to cyber attacks. Above all, the protection of critical information and communication technology systems and data (KIKS, such as access control systems) plays an important role here. In addition, the appropriate, practicable and timely exchange of information on vulnerabilities, malware or similar is essential.

The BSI and aviation security

In Germany, the Federal Office for Information Security (BSI) is entrusted with the coordination and control of information security measures in accordance with §8 LuftSiG, from 31 December 2021.

The BSI therefore develops, among other things, the specifications for regulated companies, continuously develops these further and operates a warning and reporting system. As a reliable partner, the BSI would like to provide support in order to be able to achieve and maintain a high and comparable level of information security for all stakeholders in the long term.

As part of the BSI's cooperative approach, an expert group for the aviation industry was founded together with the business community. Within the framework of the expert group, a trusting exchange between the industry and the BSI is established.

For enquiries on the topic of aviation security information security, please contact lusi@bsi.bund.de.

IT-Grundschutz profile for small and medium-sized airports

The Federal Office for Information Security (BSI) initiated a working group in 2023 consisting of experts from small and medium-sized airports and the BSI itself, intending to jointly develop a set of minimum requirements for cybersecurity at such airports.The working group organised a series of workshops with the aim of establishing common minimum requirements and increasing resilience at small and medium-sized airports. Outcome of these workshops is this IT-Grundschutz profile for small and medium-sized airports IT-Grundschutz profile for small and medium-sized airports. It contains recommendations for the minimum level of security for small and medium-sized airports in Germany.