Civil Aviation

Threat Landscape

Civil aviation combines safety-critical systems with critical national infrastructure. Cyber attacks on air traffic control systems pose direct safety risk to aircraft and passengers. Aircraft systems integration creates multiple attack surfaces across flight management, navigation, communications, and passenger-facing systems.

Airport infrastructure cybersecurity affects ground operations, baggage handling, passenger processing, and perimeter security. The interconnected nature of aviation — airlines, airports, ANSPs, ground handlers — means that compromise at any point in the ecosystem can cascade to affect flight safety and operational continuity.

Regulatory & Framework Landscape

Civil aviation cybersecurity is governed by airworthiness security requirements (DO-326A/ED-202A), EASA cybersecurity regulations for aviation organisations, NCSC CAF for designated operators of essential services, and NIS Regulations. Airlines, airports, and air navigation service providers each face distinct but overlapping regulatory obligations.

CCM Domain Alignment

Civil aviation organisations activate the D14 OT/ICS Security overlay for air traffic control, aircraft systems, and airport operational technology, plus the D17 Safety-Critical Environments overlay for safety-security integration controls. This provides comprehensive coverage across the aviation ecosystem.

Operating Context

How C-PAP Supports Civil Aviation

C-PAP provides a unified assurance platform bridging airworthiness security requirements (DO-326A/ED-202A) with CNI obligations (CAF, NIS). The platform consolidates aviation operator, airport operator, and air traffic service provider requirements through a single framework mapping.

For the aviation supply chain — airlines, airports, ANSPs, ground handlers, and technology vendors — C-PAP enables consistent governance across the ecosystem whilst accommodating the distinct regulatory obligations each organisation type faces.