
Training & Regulations
Published on 17 Apr 2025
James Willoughby
UK CAA guidance on Cyber Safety in Specific Category
As part of SORA 2.5, the UK CAA has published CAP 3098, offering guidance on Cyber Safety Objectives for Specific Category drone operations.
UK CAA releases CAP 3098 - issuing guidance on Cyber Safety Objectives for the Specific Category;
It is part of the Specific Operation Risk Assessment (SORA) framework;
CAP 3098 highlights the importance of integrating cyber security to mitigate vulnerabilities in RPAS technology.
The UK Civil Aviation Authority (CAA) has published CAP 3098: Guidance on Cyber Safety Objectives for Specific Category Operations.
This document is a companion to the Specific Operations Risk Assessment (SORA) and aims to bolster safety for Remotely Piloted Aircraft Systems (RPAS) in the Specific Category.
Why drone cyber safety matters
While RPAS share many of the same risks as manned aircraft, their reliance on digital systems makes them uniquely vulnerable to cyber threats - jamming, spoofing, malware, and unauthorised access among them.
With no pilot on board, ensuring cyber resilience of the systems becomes non-negotiable.
The new CAP guidance aligns with the JARUS SORA 2.5 Cyber Safety Extension and defines basic cybersecurity concepts and threats to identify their impact on an operator.
The objective of this document is to ensure that reasonable and proportionate cyber safety considerations are applied in the context of the SORA method.

The Cyber Safety framework at a glance
The CAA divides cyber safety responsibilities, requirements, and considerations into Operational Safety Objectives (OSOs) that drone operators must meet depending on their SAIL (Specific Assurance and Integrity Level) rating.
SAIL is a risk-based classification used to determine how robust your risk mitigations need to be when conducting drone operations under the SORA framework.
Assurance levels have been given to each OSO - with Low, Medium, or High levels of robustness, and each with its own criteria.
OSOs cover:
Operator Competency
RPAS Maintenance
System Design & Reliability
Command & Control (C3) Link Security
External Service Providers

Tables: Operational Safety Objectives
The assurance levels are outlined below for each OSO. Refer to the CAP document for an in-depth breakdown of the criteria for each level.
OSO: Ensure the Operator is competent and/or proven
Criterion | SAIL I | SAIL II | SAIL III | SAIL IV | SAIL V | SAIL VI
---|---|---|---|---|---|---
Organisation Culture | None | Low | Medium | High | High | High
IT and Data Security | None | Low | Medium | High | High | High
Industry Group Participation | None | Low | Medium | High | High | High
Risk Management Program | None | Low | Medium | High | High | High
Audit Program for Cyber Safety issues | None | Low | Medium | High | High | High
Flight Logs | None | Low | Medium | High | High | High
OSO: RPAS Maintained by competent and/or proven entity
Criterion | SAIL I | SAIL II | SAIL III | SAIL IV | SAIL V | SAIL VI
---|---|---|---|---|---|---
Malware Protection | Low | Low | Medium | Medium | High | High
Supply Chain Management | Low | Low | Medium | Medium | High | High
Physical Security | Low | Low | Medium | Medium | High | High
Controlled Access | Low | Low | Medium | Medium | High | High
Wireless Access Protected | Low | Low | Medium | Medium | High | High
Software/Firmware Updates | Low | Low | Medium | Medium | High | High
OSO: RPAS is designed considering system safety and reliability
Criterion | SAIL I | SAIL II | SAIL III | SAIL IV | SAIL V | SAIL VI
---|---|---|---|---|---|---
Cyber Safety Risk Assessment | Low | Low | Medium | Medium | High | High
GNSS Equipment, if used | Low | Low | Medium | Medium | High | High
Resilience in the Face of a Cyber Attack | Low | Low | Medium | Medium | High | High
Life Cycle Security Appraisal | Low | Low | Medium | Medium | High | High
Test and Security Validation | Low | Low | Medium | Medium | High | High
OSO: C3 link characteristics (e.g. performance, spectrum use) are appropriate for the operation
Criterion | SAIL I | SAIL II | SAIL III | SAIL IV | SAIL V | SAIL VI
---|---|---|---|---|---|---
Datalink Encryption | None | Low | Low | Medium | High | High
Authentication | None | Low | Low | Medium | High | High
Access Control | None | Low | Low | Medium | High | High
Data Integrity and Anti-Replay Protections | None | Low | Low | Medium | High | High
OSO: External Services Supporting RPAS Operations are adequate to the operation
Criterion | SAIL I | SAIL II | SAIL III | SAIL IV | SAIL V | SAIL VI
---|---|---|---|---|---|---
Criteria | Low | Low | Medium | Medium | High | High
Common Threats Identified
The CAP outlines several common cyber threats:
Denial of Service (DoS/DDoS): Disrupting communication between the drone and controller.
Hijacking: Taking control of systems mid-flight.
Malware: Compromising software to disrupt drone functions.
Spoofing: Faking signals like GPS to mislead drones.
On-path attacks: Eavesdropping or altering communications.
Supply chain risks: Inserting malicious code during manufacturing or updates.
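As an added illustration, not taken from CAP 3098 and not heliguy's code, the Go program below shows how the C3 link criteria in the table above (datalink encryption, authentication, data integrity and anti-replay protection) act together against the on-path, spoofing and hijacking threats listed here. AES-256-GCM under a pre-shared session key both encrypts and authenticates each command, and a sequence number bound into the authenticated data lets the aircraft reject frames that were altered, replayed or sent under the wrong key. The frame layout, the command strings and the key handling are constructed assumptions for the example; key distribution and access control to the ground station are out of its scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed frame layout for this example:
//   [4-byte big-endian sequence number][AES-256-GCM ciphertext || 16-byte tag]
// The sequence number is zero-padded to form the GCM nonce and is also passed
// as additional authenticated data, so the tag covers it. This assumes one
// fresh session key per link direction: a deterministic nonce must never
// repeat under the same key, which is why Seal refuses to let the counter wrap.
const (
	seqSize   = 4
	nonceSize = 12
)

// Sender is the ground-control side: it numbers and encrypts each command.
type Sender struct {
	aead cipher.AEAD
	seq  uint32
}

// Receiver is the aircraft side: it authenticates, decrypts and enforces
// strictly increasing sequence numbers.
type Receiver struct {
	aead    cipher.AEAD
	lastSeq uint32
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewSender(key []byte) (*Sender, error) {
	a, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Sender{aead: a}, nil
}

func NewReceiver(key []byte) (*Receiver, error) {
	a, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Receiver{aead: a}, nil
}

// Seal wraps one command in a frame. Numbering starts at 1 so that a fresh
// receiver (lastSeq == 0) accepts the first frame.
func (s *Sender) Seal(command []byte) ([]byte, error) {
	if s.seq == ^uint32(0) {
		return nil, errors.New("sequence counter exhausted: rekey before sending more")
	}
	s.seq++
	hdr := make([]byte, seqSize)
	binary.BigEndian.PutUint32(hdr, s.seq)
	nonce := make([]byte, nonceSize)
	copy(nonce[nonceSize-seqSize:], hdr)
	return s.aead.Seal(append([]byte{}, hdr...), nonce, command, hdr), nil
}

// Open verifies and decrypts a frame. The replay check runs first, but lastSeq
// only advances after the tag verifies, so rewriting a header cannot push the
// window forward and lock out genuine frames.
func (r *Receiver) Open(frame []byte) ([]byte, error) {
	if len(frame) < seqSize+r.aead.Overhead() {
		return nil, errors.New("rejected: frame too short")
	}
	hdr := frame[:seqSize]
	seq := binary.BigEndian.Uint32(hdr)
	if seq <= r.lastSeq {
		return nil, fmt.Errorf("rejected: seq %d is not after last accepted %d (replay or reorder)", seq, r.lastSeq)
	}
	nonce := make([]byte, nonceSize)
	copy(nonce[nonceSize-seqSize:], hdr)
	plaintext, err := r.aead.Open(nil, nonce, frame[seqSize:], hdr)
	if err != nil {
		return nil, errors.New("rejected: authentication failed (altered frame or wrong key)")
	}
	r.lastSeq = seq
	return plaintext, nil
}

func main() {
	key := make([]byte, 32) // constructed: a real link derives this per session
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	gcs, _ := NewSender(key)
	rpa, _ := NewReceiver(key)
	frame, _ := gcs.Seal([]byte("SET_ALT 120"))
	cmd, err := rpa.Open(frame)
	fmt.Printf("genuine frame: %q err=%v\n", cmd, err)
	_, err = rpa.Open(frame) // the same frame delivered a second time
	fmt.Println("replayed frame:", err)
	frame, _ = gcs.Seal([]byte("RTL"))
	frame[len(frame)-1] ^= 0x01 // one bit changed in transit
	_, err = rpa.Open(frame)
	fmt.Println("altered frame:", err)
}
```

The design point worth noting against the table is that the criteria are not independent: encryption alone (GCM without the sequence number in the additional data) would still let a captured frame be replayed, and a sequence number outside the authenticated data could be rewritten freely. A production C2 link would add a direction byte to the nonce for two-way traffic, a bounded receive window to tolerate out-of-order delivery, and a rekey procedure before the counter is exhausted.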
What the UK CAA says
Within the guidance document, the UK CAA says that the Cyber OSOs are designed to identify and mitigate the inadvertent or malicious introduction of cyber vulnerabilities, so as to maintain the safety of the RPAS and other airspace users.
It adds that many of the OSOs are simple documented processes or procedures that can be put in place to provide a basic level of cyber hygiene.
The Authority says: 'Following the publication of JARUS SORA 2.5 Cyber Safety Extension and the subsequent UK SORA project, it is of vital importance that organisations consider cyber security as part of their safety processes.
'The effective culture of Cyber Safety relies heavily on the buy-in from the highest levels within an organisation; therefore, affirming a business level commitment to fully understand and address cyber-safety is essential and serves as the catalyst towards establishing an organisational commitment to cyber safety.
'It is important to the regulator that organisations seek the highest-level executive sponsorship within their business and utilise this to address cyber-safety within their proposed operations.'
The CAA adds that applicants should undertake a risk assessment that has been informed by threat analysis, and that both the assessment and mitigations should have a focus on the applicant’s cyber security policies and plans, as well as the physical security of the operational environment.
heliguy™ has in-house regulatory specialists and can support applicants in preparing SORA applications,