(1) | An ASTO shall identify critical information and communication technology systems and data used for aviation purposes in accordance with risk assessment, develop and implement the following measures, to prevent unlawful interference and protect the confidentiality, integrity and availability of identified critical systems: |
(b) | suppl y chain security; |
(c) | network separation; and |
(d) | protection and limitation of any remote access capabilities. |
(2) | An ASTO shall develop procedures for— |
(a) | testing of cyber-security; |
(b) | cyber-security response; |
(c) | cyber-security incident analysis; and |
(d) | cyber-security incident reporting. |
(3) | An ASTO shall report any cyber-security incident to the Director within 48 hours of occurrence. |
[Regulation 109.03.10 inserted by regulation 27(a) and 27(f) of Notice No. R.1503, GG45491, dated 15 November 2021 (Twenty-First Amendment of the Civil Aviation Regulations, 2021)]