In recent years, the number of data connections between aircraft systems and components has grown considerably. These connections are delicate links that are susceptible to security threats. This is the main reason EASA started to work on a cybersecurity framework for aerospace in May 2016. In this framework, the threats that can potentially affect aircraft safety are treated as elements for regulatory requirements. The goal of the framework is to eliminate and/or mitigate the safety effects caused by threats of intentional unauthorised electronic interaction on aircraft safety.
Aerospace Cybersecurity Regulatory Framework
For this purpose, EASA released the Notice of Proposed Amendment (NPA) 2019-01 in February 2019, in which it planned to release the modifications of the CSs, AMCs and GMs in the 3rd quarter of 2019. In this NPA, three different options were presented:
- 0. No change: this option is negative because applicants would be ignoring cybersecurity expectations. The designs would not be protected enough, leading to a negative economic impact.
- 1. Amend CSs + related AMC/GM: with this option, EASA would amend the Certification Specifications and also the related Acceptable Means of Compliance and Guidance Material. Following these documents, applicants would take the necessary actions to protect against cybersecurity threats. These actions would reduce costs.
- 2. Amend CSs + AMC-20: similar to Option 1, but in this case EASA would amend the Certification Specifications and only modify AMC-20, adding a new section regarding cybersecurity. This option was easier for EASA since less documentation had to be modified.
Finally, this planning was delayed until June 2020, when EASA released the modified rules. Option 2 was the final decision.
Scope of the Amendments in Cybersecurity for Aerospace Regulations
The modifications derived from NPA 2019-01 affected different regulations:
- For large aircraft, CS-25 was modified
- For helicopters, CS-27 and CS-29 were both modified
- For components, several modifications were included:
  - Auxiliary Power Unit: CS-APU
  - CS-ETSO (European Technical Standard Order)
  - Propulsion: CS-E and CS-P
  - AMC/GM to CS-23 and Part 21
  - AMC-20 General Acceptable Means of Compliance for Airworthiness of Products, Parts and Appliances
These changes apply to the majority of aerospace stakeholders, including large aeroplanes and rotorcraft during Type Certificate (TC) or Supplemental Type Certificate (STC) approval. The same applies to the approval of new items of equipment, or changes of equipment, in an ETSO (European Technical Standard Order) article. In general, cybersecurity requirements were specified for all systems which provide Air Service Information.
Cybersecurity Requirements in Certification Specifications
For each regulation, several paragraphs were included. For instance, in CS-25 the paragraphs CS 25.1319 (a) and CS 25.1319 (b) were added:
CS 25.1319 (a) Aeroplane equipment, systems and networks, considered separately and in relation to other systems, must be protected from intentional unauthorised electronic interactions (IUEIs) that may result in adverse effects on the safety of the aeroplane. Protection must be ensured by showing that the security risks have been identified, assessed and mitigated as necessary.
CS 25.1319 (b) When required by paragraph (a), the applicant must make procedures and Instructions for Continued Airworthiness (ICA) available that ensure that the security protections of the aeroplane’s equipment, systems and networks are maintained.
All the regulations refer to AMC 20-42 for compliance with the cybersecurity amendments introduced in the specifications. AMC 20-42 is therefore the main source of cybersecurity procedures for complying with EASA requirements.
Airworthiness Information Security Risk Assessment
AMC 20-42 is titled “Airworthiness information security risk assessment” and describes the Acceptable Means of Compliance with the applicable rules for the certification of products and parts in the field of cybersecurity. It is a workable summary of the safety engineering analyses to be developed in order to verify the cybersecurity requirements. It refers to the following three standards:
- ED-202A/DO-326A: Airworthiness Security Process Specification. It explains the fundamental concepts behind airworthiness cybersecurity.
- ED-203A/DO-356A: Airworthiness Security Methods and Considerations. It explains how to perform a cybersecurity assessment: how to evaluate threats, the security measures of the system, the mitigation measures to apply, etc.
- ED-204/DO-355: Information Security Guidance for Continuing Airworthiness. This is only applicable if there are changes to an already certified system.
The most relevant document for this assessment is the Product Information Security Risk Assessment (PISRA). This analysis should be conducted according to ED-202A and ED-203A. After the assessment and the application of any mitigation, the system must be free of vulnerabilities that create a hazard for the system. It is important to consider that the risk acceptability depends on the Part Type.
How to perform a Cybersecurity Assessment to ensure compliance to EASA specifications
First of all, the operational environment must be determined. This is important because it helps to identify the assets of the system. Then the attack paths through the system must be identified, followed by the Safety Consequences Assessment of each of them. The next step is to evaluate the solidness of the system: how difficult it is to attack. Once the difficulty of attacking has been determined, it must be compared with the severity of each of the failure or threat conditions. If the resulting risk is acceptable, no actions are needed. Otherwise, the corresponding mitigation must be applied.
Security Risk Assessment
In order to perform the Security Risk Assessment, two inputs are necessary:
- Failure Conditions & Severity (FHA)
- Security Scope
There are different types of threat conditions, depending on how the threat affects the Part or System. For instance, the following are examples of such threat conditions:
- Integrity: Misuse/ interference function
- Availability: access denial
- Confidentiality: data exposure
Then, the Threat Scenario is composed of the following parameters:
- Attack source (SE): the attacker
- Attack vector (SP): how the attack enters the system
- Attack path: the path through which the attack goes, i.e. which assets are affected
- Security measures: obstacles in the system that mitigate the attack
- Effects: possible consequences of the attack
The security measures that prevent or degrade the effect of an attack can be of different types: Preventive, Deterrent, Detective, Corrective or Restorative. These security measures are the ones that need to be evaluated in order to determine the level of threat in a given scenario. So, for each Threat Scenario, the level of threat must be evaluated.
Security Verification & Vulnerability Testing
According to ED-202A, a testing campaign should be carried out. Once the security measures (SMs) have been defined in the assessment, they must be verified. In order to check that the security measures perform correctly, the Security Requirements Tests must be planned and executed. Security Robustness Tests must also be performed to check that the functions behave correctly under abnormal inputs. And finally, Vulnerability Tests, which are the most aggressive kind of testing, must be carried out.
Continued Airworthiness
Finally, regarding Continued Airworthiness, ED-204 must be followed. This document explains that for any change that may have an impact on cybersecurity, it is necessary to update the Impact Analysis (checking protection, procedures and SMs). In some cases, it may also be necessary to reassess some cybersecurity risk assessments. The overall effort depends on the size of the rework: installation of a new system, replacement of an existing one, modification of an existing one, etc.
For Continued Airworthiness, EASA demands the following documentation, depending on the severity category (CAT/HAZ, MAJ, MIN, NE):

| Activity | CAT/HAZ | MAJ | MIN | NE |
|---|---|---|---|---|
| Plan for Security Aspects of Certification (PSAC) | Yes | Yes | As Neg | No |
| Aircraft Security Scope Definition (ASSD) | As Neg | As Neg | As Neg | No |
| Preliminary Aircraft Security Risk Assessment (PASRA) | As Neg | As Neg | As Neg | No |
| Aircraft Security Risk Assessment (ASRA) | As Neg | As Neg | As Neg | No |
| System Security Scope Definition (SSSD) | Yes | Yes | As Neg | No |
| Preliminary System Security Risk Assessment (PSSRA) | Yes + | Yes | As Neg | No |
| System Security Risk Assessment (SSRA) | Yes + | Yes | As Neg | No |
| PSAC Summary | Yes | Yes | As Neg | No |

* Yes + stands for Yes + Process Independence
* As Neg stands for As Negotiated with the certification authority
For further detail on cybersecurity regulatory issues, you can read the EASA FAQs on Airworthiness Cybersecurity or check the Technology Watch of the European Centre for Cybersecurity in Aviation (ECCSA).
Lovejinder Singh
At DMD Solutions, we are always abreast of the latest amendments and have a wealth of experience in aerospace systems to help designers, manufacturers or maintainers adapt their products to changing regulatory frameworks and safety requirements. Stay in touch!