Cybersecurity and Trust Framework
In 2021, the ICAO Council approved a new structure to address cybersecurity across the Organization. The new structure consists of a Cybersecurity Panel that reports to the Council’s Aviation Security Committee, an Ad-Hoc Cybersecurity Coordination Committee that reports to the Council, and an expert group dedicated to the International Aviation Trust Framework.
ICAO revised its Cybersecurity Action Plan (currently available as the second edition) and produced guidance material to support States and stakeholders in addressing cybersecurity and cyber resilience in civil aviation (Guidance on Traffic Light Protocol, Cybersecurity Policy Guidance and Guidance on Cybersecurity Culture in Civil Aviation).
ICAO also continued to organize and participate in national, regional, and international conferences, meetings and webinars to promote cooperation between all stakeholders in the fields of cybersecurity and cyber resilience, as well as the implementation of the Aviation Cybersecurity Strategy and Cybersecurity Action Plan.
In line with its cybersecurity training road map, ICAO continues to support States in the development of human resources and capacities needed to manage cybersecurity and cyber resilience in civil aviation. In 2021, ICAO launched its first cybersecurity and cyber resilience course entitled “Foundations of Aviation Cybersecurity Leadership and Technical Management”, which was developed in partnership with Embry-Riddle Aeronautical University. In partnership with EUROCONTROL, ICAO developed a second course addressing classical and cybersecurity aspects of ATM security.
The Trust Framework concept, policies and procedures developed by the Trust Framework Study Group (TFSG) moved towards a digital environment where communication parties could mutually identify themselves and where exchanged information could not be modified by unauthorized parties.
Efforts focused on drafting the International Aviation Trust Framework (IATF) Concept of Operations and Digital Identity Certificate Policy and on finalizing draft provisions under the Information Security Framework related to the storage, processing and exchange of information in network applications.