With the publication in July 2018 of the Regulation (EU) 2018/1139, also known as “the Basic Regulation”, on common rules in the field of civil aviation, that replaced the previous Regulation (EU) 216/2008, EASA is mandated to implement measures taking also into account interdependencies between safety and cybersecurity.
Aviation Products Certification
The Basic Regulation establishes, amongst other things, the legal framework to comply with the certification requirements for civil aircraft. Therefore, every aircraft designed and manufactured in the European Union requires a “certification” issued by EASA. The procedures for certification of aeronautical products (aircraft, engines and propellers) are contained in EC Regulation 748/2012 Annex I - Part 21.
Following up the updated mandate in the Basic Regulation of July 2018, EASA has implemented amendments to the certification provisions in order to address information security aspects in the certification process of aeronautical products. More precisely, the EASA ED Decision 2020/006/R of July 2020 issued amendments to CS-25, CS-27, CS-29, CS-APU, CS-E, CS-ETSO, CS-P, and to the related acceptable means of compliance (AMC) and/or guidance material (GM), together with the creation of AMC 20-42, AMC/GM to CS-23 and AMC/GM to Part 21.
In the context of aircraft certification, cybersecurity is commonly understood as the protection of aviation information systems against intentional unauthorised electronic interactions (IUEI), and the means to mitigate their consequences on safety. To this extent, the above-mentioned amendments to the Certification Specifications (CS), with a wording adapted to the specific context, all require that “aeroplane equipment, systems and networks, considered separately and in relation to other systems, must be protected from intentional unauthorised electronic interactions that may result in adverse effects on the safety of the aeroplane”.
EASA regulations on products relies extensively on industry standards developed specifically on the topic of airworthiness information security. The picture bellow describes how Certification Specifications are calling the Acceptable Means of Compliance 20-42 which present a summarized version of the process and calls the specialized standards.
Today to address airworthiness information security (The protection of the airworthiness of an aircraft from intentional unauthorized electronic interaction), the specifications and acceptable means of compliance rely on:
- EUROCAE ED-202A “Airworthiness security process specification” a resource for both the Authorities and the industry for aircraft certification when the systems impacted by a modification or a new development may be affected by intentional unauthorized electronic interaction that can affect aircraft safety. It describes the activities that need to be performed in support of the airworthiness process when it comes to the threat of intentional unauthorized electronic interaction (the “What”).
- EUROCAE ED-203A “Airworthiness security methods and considerations” which provides the tools that can be used for showing compliance for airworthiness security during the aircraft design and development life cycle (the “How”).
- EUROCAE ED-204A “Information security guidance for continuing airworthiness” which provides complementary tools for airworthiness security focusing on the instructions and recommendations to be developed by the manufacturer and followed by the operators of the aircraft in order to maintain the security protection.
Other standards have been developed, although not yet referenced in EASA regulatory material. In particular the ED-201A which addresses the big picture of aviation information security and the complex relationship between the different stakeholders, specifically how information security risk is shared along a functional chain, like a supply chain for example. The group developed also ED-205A, similar to ED-202A but for air traffic management ground systems, very likely to provide the required process for the regulatory framework on the conformity assessment of ATM/ANS systems and ATM/ANS constituents in preparation. Last, in June 2022 EUROCAE published ED-206 which address Information Security Event Management, which is very likely to be referenced in Guidance Material to Part IS requirements related to reporting.
Last Regulation & Standards Topics on the Community: