admin / AirportCyberSimulator
publicAirport Cyber Attack Simulation Application
AirportCyberSimulator / airport-cyber-sim / backend / data / compliance.json
5431 B · main
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 | { "frameworks": { "caf": { "name": "NCSC Cyber Assessment Framework (CAF) v3.2", "objectives": { "A": "Managing security risk", "B": "Protecting against cyber attack", "C": "Detecting cyber security events", "D": "Minimising the impact of cyber security incidents" } }, "csr_bill": { "name": "UK Cyber Security and Resilience Bill", "summary": "Expands NIS Regulations to designated critical infrastructure, introduces mandatory 24/72-hour incident reporting and strengthened supply-chain and regulator powers." } }, "mappings": { "atc_tower": { "caf_objective": "D", "caf_principle": "D1 Response and Recovery Planning", "csr_duty": "Designated essential service — significant incidents affecting flight safety are reportable to the competent authority within 24 hours.", "insight": "Loss of ATC integrity is a life-safety event; resilience planning and rehearsed failover are statutory expectations." }, "runway_lighting": { "caf_objective": "B", "caf_principle": "B4 System Security (OT)", "csr_duty": "Airfield operational technology must maintain segregation and integrity controls under the Bill's OT resilience provisions.", "insight": "AGL control systems require air-gapped or strongly segmented OT networks with signed firmware." }, "airplane_comms": { "caf_objective": "C", "caf_principle": "C1 Security Monitoring", "csr_duty": "Interference with aeronautical communications triggers immediate CAA and competent-authority notification.", "insight": "Continuous RF and datalink monitoring is needed to detect spoofing or jamming early." }, "security_screening": { "caf_objective": "B", "caf_principle": "B2 Identity and Access Control", "csr_duty": "Access control failures at screening are reportable and subject to enhanced supply-chain assurance duties.", "insight": "Badge and biometric systems demand least-privilege, MFA and rapid revocation of stolen credentials." }, "identity_db": { "caf_objective": "B", "caf_principle": "B2 Identity and Access Control", "csr_duty": "Compromise of the identity store is a notifiable personal-data and access breach under both UK GDPR and the Bill.", "insight": "Privileged access to the IAM directory is the crown-jewel target; tiering and PAM are essential." }, "boarding_gates": { "caf_objective": "B", "caf_principle": "B3 Data Security", "csr_duty": "Biometric override at the gate is a reportable integrity incident affecting passenger processing.", "insight": "Gate systems must fail-secure and validate against a trusted, tamper-evident identity source." }, "check_in": { "caf_objective": "B", "caf_principle": "B5 Resilient Networks and Systems", "csr_duty": "Departure Control outages degrading essential services must be reported within 72 hours.", "insight": "Shared network drives are a classic lateral-movement path; segment and monitor east-west traffic." }, "baggage_handling": { "caf_objective": "B", "caf_principle": "B4 System Security (OT)", "csr_duty": "BHS is designated operational technology; USB and removable-media controls are a Bill supply-chain requirement.", "insight": "Removable-media policy and OT allow-listing prevent USB-borne ingress into the sortation network." }, "logistics": { "caf_objective": "A", "caf_principle": "A4 Supply Chain", "csr_duty": "Third-party cargo and routing APIs fall under strengthened supply-chain due-diligence duties.", "insight": "Automated routing APIs must authenticate and rate-limit to contain automated lateral spread." }, "hvac_systems": { "caf_objective": "B", "caf_principle": "B4 System Security (OT)", "csr_duty": "Internet-facing BMS devices with default credentials breach the Bill's baseline OT security duties.", "insight": "Smart-building devices must have credentials rotated and be removed from public internet exposure." }, "terminal_access": { "caf_objective": "B", "caf_principle": "B2 Identity and Access Control", "csr_duty": "Physical access controller compromise is a reportable safety and security incident.", "insight": "Door and lift controllers should sit on a dedicated VLAN isolated from the BMS." }, "retail_pos": { "caf_objective": "A", "caf_principle": "A4 Supply Chain", "csr_duty": "Vendor-managed POS is squarely within the Bill's enhanced third-party assurance scope.", "insight": "Vendor remote-support accounts need MFA, just-in-time access and phishing-resistant auth." }, "ticketing_db": { "caf_objective": "B", "caf_principle": "B3 Data Security", "csr_duty": "Exposure of payment and reservation data is notifiable to the ICO and competent authority.", "insight": "Payment gateway APIs must be tokenised and isolated from customer-facing sync jobs." }, "public_wifi": { "caf_objective": "B", "caf_principle": "B5 Resilient Networks and Systems", "csr_duty": "Guest network breaches enabling data sync are reportable resilience failures.", "insight": "Guest Wi-Fi must be fully isolated from corporate and data-tier networks." } } } |