Catalyst / admin/AirportCyberSimulator 14.8 GB / 57.8 GB 40.0 GB free
Help Sign in

admin / AirportCyberSimulator

public

Airport Cyber Attack Simulation Application

Code Issues Pull requests Pipelines Packages Security Insights Wiki Settings
AirportCyberSimulator / airport-cyber-sim / backend / data / compliance.json 5431 B · main
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
{
  "frameworks": {
    "caf": {
      "name": "NCSC Cyber Assessment Framework (CAF) v3.2",
      "objectives": {
        "A": "Managing security risk",
        "B": "Protecting against cyber attack",
        "C": "Detecting cyber security events",
        "D": "Minimising the impact of cyber security incidents"
      }
    },
    "csr_bill": {
      "name": "UK Cyber Security and Resilience Bill",
      "summary": "Expands NIS Regulations to designated critical infrastructure, introduces mandatory 24/72-hour incident reporting and strengthened supply-chain and regulator powers."
    }
  },
  "mappings": {
    "atc_tower": {
      "caf_objective": "D",
      "caf_principle": "D1 Response and Recovery Planning",
      "csr_duty": "Designated essential service — significant incidents affecting flight safety are reportable to the competent authority within 24 hours.",
      "insight": "Loss of ATC integrity is a life-safety event; resilience planning and rehearsed failover are statutory expectations."
    },
    "runway_lighting": {
      "caf_objective": "B",
      "caf_principle": "B4 System Security (OT)",
      "csr_duty": "Airfield operational technology must maintain segregation and integrity controls under the Bill's OT resilience provisions.",
      "insight": "AGL control systems require air-gapped or strongly segmented OT networks with signed firmware."
    },
    "airplane_comms": {
      "caf_objective": "C",
      "caf_principle": "C1 Security Monitoring",
      "csr_duty": "Interference with aeronautical communications triggers immediate CAA and competent-authority notification.",
      "insight": "Continuous RF and datalink monitoring is needed to detect spoofing or jamming early."
    },
    "security_screening": {
      "caf_objective": "B",
      "caf_principle": "B2 Identity and Access Control",
      "csr_duty": "Access control failures at screening are reportable and subject to enhanced supply-chain assurance duties.",
      "insight": "Badge and biometric systems demand least-privilege, MFA and rapid revocation of stolen credentials."
    },
    "identity_db": {
      "caf_objective": "B",
      "caf_principle": "B2 Identity and Access Control",
      "csr_duty": "Compromise of the identity store is a notifiable personal-data and access breach under both UK GDPR and the Bill.",
      "insight": "Privileged access to the IAM directory is the crown-jewel target; tiering and PAM are essential."
    },
    "boarding_gates": {
      "caf_objective": "B",
      "caf_principle": "B3 Data Security",
      "csr_duty": "Biometric override at the gate is a reportable integrity incident affecting passenger processing.",
      "insight": "Gate systems must fail-secure and validate against a trusted, tamper-evident identity source."
    },
    "check_in": {
      "caf_objective": "B",
      "caf_principle": "B5 Resilient Networks and Systems",
      "csr_duty": "Departure Control outages degrading essential services must be reported within 72 hours.",
      "insight": "Shared network drives are a classic lateral-movement path; segment and monitor east-west traffic."
    },
    "baggage_handling": {
      "caf_objective": "B",
      "caf_principle": "B4 System Security (OT)",
      "csr_duty": "BHS is designated operational technology; USB and removable-media controls are a Bill supply-chain requirement.",
      "insight": "Removable-media policy and OT allow-listing prevent USB-borne ingress into the sortation network."
    },
    "logistics": {
      "caf_objective": "A",
      "caf_principle": "A4 Supply Chain",
      "csr_duty": "Third-party cargo and routing APIs fall under strengthened supply-chain due-diligence duties.",
      "insight": "Automated routing APIs must authenticate and rate-limit to contain automated lateral spread."
    },
    "hvac_systems": {
      "caf_objective": "B",
      "caf_principle": "B4 System Security (OT)",
      "csr_duty": "Internet-facing BMS devices with default credentials breach the Bill's baseline OT security duties.",
      "insight": "Smart-building devices must have credentials rotated and be removed from public internet exposure."
    },
    "terminal_access": {
      "caf_objective": "B",
      "caf_principle": "B2 Identity and Access Control",
      "csr_duty": "Physical access controller compromise is a reportable safety and security incident.",
      "insight": "Door and lift controllers should sit on a dedicated VLAN isolated from the BMS."
    },
    "retail_pos": {
      "caf_objective": "A",
      "caf_principle": "A4 Supply Chain",
      "csr_duty": "Vendor-managed POS is squarely within the Bill's enhanced third-party assurance scope.",
      "insight": "Vendor remote-support accounts need MFA, just-in-time access and phishing-resistant auth."
    },
    "ticketing_db": {
      "caf_objective": "B",
      "caf_principle": "B3 Data Security",
      "csr_duty": "Exposure of payment and reservation data is notifiable to the ICO and competent authority.",
      "insight": "Payment gateway APIs must be tokenised and isolated from customer-facing sync jobs."
    },
    "public_wifi": {
      "caf_objective": "B",
      "caf_principle": "B5 Resilient Networks and Systems",
      "csr_duty": "Guest network breaches enabling data sync are reportable resilience failures.",
      "insight": "Guest Wi-Fi must be fully isolated from corporate and data-tier networks."
    }
  }
}