Have you ever thought about who is responsible for the EFB security? - Part 1

Vasileios PAPAGEORGIOU • 24 April 2024


As you most certainly know by now, it is not an understatement to say that aviation cybersecurity is a complex domain. In this system of systems it is not always easy to trace who has the responsibility and/or accountability for certain actions, particularly for people not working in the relevant positions of such organisations or in their oversight.

We have regulations and guidance in place that should clearly outline the accountabilities and responsibilities of personnel involved in critical aviation safety functions. However, we recognise that given the complexity of the aviation system, it can sometimes be a little difficult to determine who is responsible and/or accountable for certain actions, and this also applies to cybersecurity requirements. So let us give you an example by asking you an intellectually challenging (?) question:

Have you ever thought about who is responsible for the EFB security?

Take a couple of minutes and try to answer this question. If you are unsure, no worries: the answer is just below.

EFB

According to the rules for Air Operations under the Specific Approvals part (SPA.EFB.100), air operators are the ones that have to evaluate the security of the Electronic Flight Bag (EFB). In order to obtain the approval for the use of an EFB application, operators have to provide evidence to the competent authority that a risk assessment related to the use of the EFB device and the EFB application and its associated functions has been conducted. The aim of this risk assessment is to ensure that any associated risks are properly mitigated and managed. On top of that, procedures and training should also have been established for a number of things, including EFB security.

The EFB has to be protected against both intentional and unintentional modification, and for this purpose there are also guidelines for EFB software application developers to design, develop and integrate software applications into an installed EFB or with certified resources for portable EFB (AMC for Airworthiness of Products, Parts and Appliances - AMC 20-25). More information on these can be found under the relevant rules and AMC material.

A practical scenario of compromising the integrity of the information in the EFB could be the following:

Example

This is the first part of a post on EFB security. In the next post we will touch upon what happens when a vulnerability is discovered, what the current regulatory status is in terms of applicability, and what the future status will be, including reporting, once Part-IS becomes applicable.

What are your thoughts on this? Did you guess right when it comes to who is responsible for the EFB security? Let us know in the comments below and stay tuned for Part-2!

Comments (2)

Michal Walczak

Are the EFBs considered as having direct impact on aviation safety? I have found a view that as long as the other Aircraft systems can correct wrong EFB calculations they are not considered as having direct impact on safety.

Davide MARTINI

Hi Michal, thanks for the feedback.

As mentioned in the article, the use of EFBs in operations requires a risk assessment (by the operator) and specific approval (by the competent authority) as there may be an impact on safety that should be managed.

Like you wrote, one way to control this is to compare the results with other systems or another EFB, or to compare with manuals etc. From a security point of view, it is better if the comparison is made against a different/dissimilar system.
