The European Union Aviation Safety Agency (EASA) intends to strengthen aircraft cybersecurity regulations by codifying the requirements into aircraft type certification specifications (CS), replacing the current regulatory process known as special conditions (SC). Also, EASA would expand cybersecurity requirements to more aircraft types.
Special conditions mean that regulations must be complied with by individual approval of each aircraft before they are granted airworthiness approval. In a recently issued notice of proposed amendment (NPA) the revised rules would not only replace the use of SCs to mitigate the potential effects of cybersecurity threats on avionics and other electronic systems, but also extend coverage from currently large airplanes to small airplanes, and small and large helicopters.
“Such threats could be the consequences of intentional unauthorized acts of interference with aircraft onboard electronic networks and systems,” EASA said. These threats have the potential to disrupt or destroy electronic information. All recently designed large airplanes are known to be potentially sensitive to those security threats due to the interconnectivity features of some of their avionics systems.
In addition to incorporating requirements into the CS of both large and small aircraft to reflect the state-of-the-art protection of products and equipment against cybersecurity threats, the amendments also are expected to improve harmonization with FAA regulations.
Why Amend Regulations Now?
In the context of aircraft certification, cybersecurity is commonly understood as the protection of aviation information systems from intentional unauthorized electronic interference. Over the last few years, “Electronic-based systems have been advancing at a rapid rate resulting in aircraft systems and parts being increasingly connected, and those interconnections are susceptible to security threats.”
Further, “These threats have the potential to affect the airworthiness of an aircraft due to unauthorized access, use, disclosure, denial, disruption, modification or destruction of electronic information or electronic aircraft systems,” EASA warns.
The EASA proposal is also the culmination of the findings of an FAA aviation rulemaking advisory committee (ARAC). In November 2016, the ARAC provided recommendations regarding aircraft information security protection of aircraft systems and networks, or cybersecurity, “Rulemaking, policy, and guidance on best practices, including for initial and continued airworthiness.”
EASA participated in the ARAC for regulatory harmonization purposes. The ARAC final report contains regulatory recommendations that affect large airplanes, general aviation, rotorcraft, engines, propellers, portable electronic devices, field-loadable software, commercial off-the-shelf equipment, and communication, navigation and surveillance/air traffic management products.
Via EASA guidance materials and acceptable means of compliance (AMC), aircraft owners and operators would be responsible for maintaining procedures to ensure the continued cybersecurity of targeted equipment. As well as avionics, other electronic equipment such as engine and propeller controls must be protected.
Before a new TC or STC is awarded, applicants must perform a “product information security risk assessment” to cover the following aspects: Determination of the operational environment for the information security of the product; identification of the possible attack paths; and the difficulty of performing a successful attack. After any necessary mitigation measures have been incorporated into the systems, it must be shown that vulnerabilities “cannot be exploited by any known security threat to create a hazard or generate a failure condition that would have an effect that is deemed to be unacceptable against the certification specification of the product considered.”
When a risk needs to be mitigated, the applicant should demonstrate, as described in EASA AMC documents, that the mitigations provide sufficient grounds for evaluating that the residual risk is acceptable. Once the overall risk has been deemed to be acceptable, the applicant should develop instructions, as described in the relevant AMC, “to maintain the information security risk of the systems of the product at an acceptable level after the entry into service of the product.”
If information security risks that are identified during the product information security risk assessment need to be mitigated, security verification should be used to evaluate the efficiency of the mitigation means. “This verification may be performed by a combination of analysis, security-oriented robustness testing, inspections, and reviews” and if necessary, by testing that addresses information security “from the perspective of a potential adversary.”
It is the responsibility of the aircraft owner or operator to report any information security issues to the designer of this product or part, “in a manner that would allow a further impact analysis and corrective actions, if appropriate.” If this impact analysis identifies a reasonably high potential for an unsafe condition, the designer of that part should report it to the competent regulatory authority in a timely manner.
Comments on the NPA are due by May 22. A decision is expected in the third quarter on whether to drop the proposals entirely, revise them based on the submitted comments, or enact them as originally proposed.