(1) | A designated airport, air carrier, air traffic and navigation service provider and catering stores and supplies service provider shall identify critical information, communication technology systems and data used for aviation purposes in accordance with risk assessment, develop and implement the following measures to prevent unlawful interference and protect the confidentiality, integrity and availability of identified critical systems: |
(b) | supply chain security; |
(c) | network separation; and |
(d) | protection and limitation of any remote access capabilities. |
(2) | A designated air port, air carrier of a scheduled service, air traffic and navigation service provider and catering stores and catering supplies service provider shall develop procedures for— |
(a) | testing of cyber-security; |
(b) | cyber-security response; |
(c) | cyber-security incident analysis; and |
(d) | cyber-security incident reporting. |
(3) | A cyber-security incident shall be reported to the Director within 48 hours of occurrence. |
[Regulation 111.01.19 inserted by regulation 29(d) of Notice No. R. 1503, GG45491, dated 15 November 2021 (Twenty-First Amendment of the Civil Aviation Regulations, 2021)]