Cybersecurity requirements for airborne systems

In the past years, the aircraft systems and components have increased the data connections between them. These connections are delicate links susceptible to security threats. This is the major reason EASA started to work on a Cybersecurity framework for aerospace in May 2016. In this framework, the threats that potentially affect aircraft safety are considered as elements for regulatory requirements. The goal of this framework is to eliminate and/or mitigate the safety effects caused by threats of intentional unauthorized electronic interaction to aircraft safety.

For this purpose, EASA released a Notice of Proposed Amendment 2019-01 on February 2019 in which they planned that for the 3rd quarter of 2019, they would release modification of CSs, AMCs and GMs. In this NPA, three different options were presented:

• 0. No change: This option is negative because applicants would be ignoring cybersecurity expectations. The designs would not be protected enough leading to negative economic impact.
• 1. Amend CSs + related AMC/GM: with this option, EASA would amend Certification Specifications and also the Acceptable Means of Compliance. Following these documents, applicants would take necessary actions to protect against cybersecurity threats. These actions would reduce costs.
• 2. Amend CSs + AMC-20: Similar to the Option 1 but in this case, EASA would amend Certification Specifications and only modify the AMC-20 adding new section regarding the cybersecurity. This option was easier for EASA since they have to modify less documentation.

Finally, this planning was delayed until June 2020 when EASA released the modified rules. The option 2 has been the final decision.

The modifications applied deriving from the NPA 2019-01 affected different regulations: 

• For large aircraft, the CS-25 was modified
• For helicopters, CS-27 and CS-29 were both modified
• For components, several modifications were included:
  • Auxiliary Power Unit: CS-APU 
  • CS-ETSO (European Technical Standard Order)
  • Propulsion: CS-E and CS-P
  • AMC/GM to CS-23 and Part 21
  • AMC-20 General Acceptable Means of Compliance for Airworthiness of Products, Parts and Appliances

These changes are applicable to the majority of the aerospace stakeholders, including large aeroplanes and rotorcraft during the Type Certificate (TC) approval or Supplemental Type Certificate (STC). The same for the approval of new items of equipment or change of equipment in an ETSO (European Technical Standard Order) article. And in general, for all systems which provide Air Service Information the requirements in cybersecurity were specified.

For each regulation, several paragraphs were included. For instance, for CS-25, the paragraphs CS 25.1319 (a) and 25.1319 (b) were included:

All the regulations refer to AMC 20-42 for the compliance with the cybersecurity amendments introduced in the specifications. AMC 20-42 is therefore the main source of cybersecurity proceedings to comply with EASA requirements.

The section AMC 20-42 is titled “Airworthiness information security risk assessment” and describes the Acceptable Means of Compliance for applicable rules for the certification of products and parts in the field of Cybersecurity. It is a workable summary of the safety engineering analyses to be developed in order to verify the cybersecurity requirements. It refers to the following three standards:

The section AMC 20-42 is titled “Airworthiness information security risk assessment” and describes the Acceptable Means of Compliance for applicable rules for the certification of products and parts in the field of Cybersecurity. It is a workable summary of the safety engineering analyses to be developed in order to verify the cybersecurity requirements. It refers to the following three standards:

• ED-202A/DO-326A: Airworthiness Security Process Specification. It explains the fundamental concepts behind the Airworthiness cybersecurity.
• ED-203A/DO-356A: Airworthiness Security Methods and Considerations. It explains how to perform a cybersecurity assessment: how to evaluate threats, the security measure of the system, mitigation measures to apply, etc.
• ED-204/DO-355: Information Security Guidance for Continuing Airworthiness. This is only applicable if there are changes in an already certified system.

The most relevant document for this assessment is Product Information Security Risk Assessment (PISRA). This analysis should be conducted according to ED-202A & ED-203A. After the assessment and application of any mitigation, the system must be free of vulnerabilities that creates a hazard on the system. It is important to consider that the risk acceptability depends on Part Type.

First of all, the operation environment must be determined. This is important because it helps to identify the assets of the system. Then it is important to identify the attack paths through the system and their further Safety Consequences Assessment. Next step is to evaluate the system solidness: how to difficult is to attack it. Once determined the difficulty of attacking, the difficulty must be compared with the severity of each of the failure or threat conditions. If the risk acceptability is fine, no actions are needed. Otherwise, it would be necessary to apply the corresponding mitigation.

In order to perform the Security Risk Assessment, two inputs are necessary:

• Failure Conditions & Severity (FHA)
• Security Scope

There are different types of Threat conditions related to how the threat affects to the Part or System. For instance, the following examples are kind of these threat conditions:

• Integrity: Misuse/ interference function
• Availability: access denial
• Confidentiality: data exposure

Then, the Threat Scenario is composed by the following parameters:

• Attack source (SE): the attacker
• Attack vector (SP): how the attack enters into the system
• Attack path: path through the attack goes, so which assets are affected.
• Security measures: obstacles in the system in order to mitigate the attack
• Effects: possible consequences of the attack

The security measures can prevent or degrade the effect of the attack can be of different types: Preventive, Deterrent, Detective, Corrective or Restorative. These security measures are the ones that need to be evaluated in order to see the level of threat in a given scenario. So, for each Threat scenario, the level of threat must be evaluated.

According to ED-202A, a testing campaign should be carried out. Once the SMs are obtained after the assessment, these must be verified. In order to check if the security measures perform correctly, the Security Requirements Tests must be planned and executed. Also, Security Robustness Tests must be performed to check if the functions behave correctly under abnormal inputs. And finally, Vulnerability tests which is the most aggressive testing of any kind.

Finally, regarding the Continued Airworthiness, the ED-204 must be followed. This document explains that for any change that may have an impact on cybersecurity, it is necessary to change the Impact Analysis (check protection, procedures, SMs). In some cases, it could be also necessary to reassess some cybersecurity risk assessments. The overall effort depends on the rework size: installation of new system, replacement of existing one, modification of the existing one, etc.

For the Continued Airworthiness, EASA demands the following documentation:

* Yes + stands for Yes + Process Independence

* As Neg stands for As Negotiated with the certification authority

For further detail on Cybersecurity regulatory issues, you can read the EASA FAQs on Airworthiness Cybersecurity or check the Technology Watch of the European Center for Cybersecurity in Aviation (ECCSA).

At DMD Solutions, we are always abreast of the latest amendments and have a wealth of experience in aerospace systems to help designers, manufacturers or maintainers adapt their products to changing regulatory frameworks and safety requirements. Stay in touch!