EASA Grafts Cybersecurity Onto Certification Standards

July 20, 2020, 11:25 AM

EASA has issued decision 2020/006/R to introduce cybersecurity provisions via amendments to its aircraft certification standards, including CS-27 and CS-29, which cover helicopters. The certification amendments would apply to helicopters (both CS-27 and CS-29), large airplanes, engines, auxiliary power units, propellers, and European Technical Standard Orders (ETSO).

According to EASA, the provisions require applicants “to show during certification that the possible security risks have been identified, assessed, and mitigated as necessary.” These new rules pertain to aircraft systems, equipment, and networks.

EASA said the changes are necessary to protect aircraft from “unauthorized electronic interactions” that “may result in catastrophic or hazardous effects on the safety of the rotorcraft” and said that it would “monitor” the effectiveness of the proposed amendments “once they become applicable.” However, the agency acknowledged that “due to the evolving nature of cybersecurity threats and vulnerabilities, the monitoring indicators cannot be specified exhaustively.”

The new rules would require EASA to “review the results of regular proactive testing of the effectiveness of the cybersecurity protection means,” and the agency can also access cybersecurity incidents via the European Coordination Centre for Accident and Incident Reporting Systems (ECCAIRS).