[Audio] Welcome to Information Security Awareness Training. This training is designed to equip Qatar Airways professionals with the essential knowledge on information security and to understand and meet the requirements of EASA Part-IS, which is critical for maintaining safety and operational resilience in a cyber-vulnerable environment affecting aircraft safety.
[Audio] The content and related manuals used in this presentation are For Training Purposes Only. Under no circumstances should this material be used as reference. This material does not amend or supersede information contained in applicable documentation.
[Audio] After completion of this training, the participants will be able to: Recognize the human and technical elements of information security. Recognize and explain the objectives and scope of the EASA Part-IS, referencing the regulations EU 2022/1645 and EU 2023/203 and their applicability. Define core information security terminology and concepts, including threats, vulnerabilities, risks, safety-relevant assets, and an Information Security Management System (ISMS). Recognize the interdependencies and critical links between aviation safety, security, and information security within the operational environment. Demonstrate best industry practices related to the information security system.
[Audio] This training will cover the following topics: Introduction to Information Security; Why Information Security is important?; Understanding Information Security Threats; Information Security Management Regulatory Framework; EASA Part-IS Familiarization; Information Security Management System; Organizations Information Security Management System.
[Audio] Introduction to Information Security.
[Audio] In aviation, Safety and Security are very important and interconnected. SAFETY focuses on preventing accidents through the identification and mitigation of risk and bringing risk to an acceptable level. On the other hand, SECURITY focuses on protecting the aviation system from threats associated with intentional wrongdoing, malicious intent and criminal behavior. While they have distinct goals, they are profoundly interdependent; a failure in one often leads to a failure in the other.
[Audio] Safety of the aircraft can be affected by factors like human error, environment, aircraft design and maintenance. Intentional security threats can quickly become critical safety issues, as a malicious act like sabotage, hijacking, drones, missiles or an insider threat can override all safety protocols.
[Audio] Let's see some examples of safety concerns due to different factors. Human Factors: On Garuda Indonesia Flight 152, while the aircraft was making the final approach, the air traffic controller ordered the pilot to turn right instead of left. The confusion reduced the flight crew's vertical awareness, and the aircraft hit treetops, killing all 234 people on board.
[Audio] Environment: On July 27, 1989, Korean Air Flight 803, a DC-10 carrying 199 people, crashed while attempting to land in heavy fog (visibility 100-800 feet) at Tripoli. The accident resulted in the deaths of 74 occupants of the aircraft and six people on the ground.
[Audio] Maintenance Error: The Aeroperu B757 crashed into the Pacific Ocean shortly after taking off from the capital, Lima. All 70 people on board were killed. Workers had placed duct tape over the key sensors. They forgot to remove the duct tape after cleaning.
[Audio] Now let's see some real examples of security events in aviation. Bomb threat: Richard Reid, known as the "Shoe Bomber," was a British terrorist who attempted to detonate explosives hidden in his shoes on American Airlines Flight 63 from Paris to Miami on December 22, 2001.
[Audio] Overflight Security: In December 2018, Gatwick Airport was brought to a standstill by unauthorized drone activity, when reports of drones, sometimes two seen at once, forced an emergency shutdown of its runways, causing 1,000 flights to be cancelled, 110,000 passengers to be stranded, and significant financial damage.
[Audio] Insider threat: A suicide bomber on Daallo Airlines Flight 159, shortly after takeoff, detonated an explosive device concealed inside a laptop on February 2, 2016. The explosion tore a hole in the fuselage, causing an explosive decompression. It was discovered that two airport employees at Mogadishu airport had handed the laptop containing the bomb.
[Audio] The safety of an aircraft is a holistic concept, and while traditional safety factors include human error, environment, aircraft design, and maintenance, security threats pose a significant, deliberate risk that directly impacts this safety. Additionally, information security threats to aviation systems pose a direct safety risk in the increasingly digital environment of aviation. For example, attackers who gain access to flight management systems, air traffic control networks, or communication systems could manipulate flight data, disable navigation aids, or cause operational paralysis, potentially leading to mid-air collisions or loss of control. Security failures can create immediate safety emergencies, demonstrating the strong interlink between the two disciplines.
[Audio] The aviation industry has always been connected with safety and security surrounding airports and aircraft. However, one event changed aviation: the 9/11 attack.
[Audio] What does 9/11 have to do with Information Security? It was after the 9/11 terrorist attacks that the aviation industry became fully aware of the vulnerabilities existing within aviation security and the disastrous consequences. That is why the worst possible cyber-attack is referred to as a cyber 9/11.
[Audio] The 9/11 attack highlighted the FAILURES in the aviation industry.
[Audio] After the incident, it was identified that the aviation industry was not ready for information security threats. There was no set policy for information security management, organizational capabilities were not developed, and management was not trained.
[Audio] So what is information security? 'Information security' means the preservation of confidentiality, integrity, authenticity and availability of network and information systems.
[Audio] Confidentiality means protecting sensitive information from being disclosed to unauthorized parties. Integrity means ensuring that information has not been tampered with or modified in an unauthorized way. Availability means ensuring that information and systems are accessible to authorized users when needed. Authenticity means ensuring that information and communication come from a trusted source.