EUROCAE ED-202 PDF

Airworthiness security is the protection of the airworthiness of an aircraft from the information security threat: an adverse effect on safety due to human action (intentional or unintentional) using access, use, disclosure, denial, disruption, modification, or destruction of data and/or data interfaces. This includes the consequences of malware and forged data and access by other systems to aircraft systems.

Aircraft certification is the process whereby an applicant requests approval from a regulatory authority (referred to hereafter as the certification authority) for aircraft manufacturing, either as supplements or as amendments to aircraft. Aircraft certification processes use recommended standards, guidance, tests, methods, and procedures to establish certification approval. Additional required data and plan documentation would be submitted associated with the aforementioned activities. Certification can include but is not limited to

• Registration

• Design Approval

• Production Certification or Approval

• Continuing Operations from a safety perspective

• Maintenance Repair and Overhaul Shop

• Airworthiness Approval

The guidance of this document augments current guidance for aircraft certification to handle the information security threat to aircraft safety (see Figure 1). It was developed in the European context of The European Aviation Safety Agency (EASA) Certification Specification CS-25 "Large Aeroplanes" and the American context of Title 14 Code of Federal Regulations (14CFR) Part 25 "Transport Category Aircraft". Tailoring of this guidance may allow it to be applicable in other contexts such as CS- 23, CS-27, CS-29, CS-E, Part 23, Part 27, Part 29, and Part 33.

This guidance makes no specific assumptions about the motivations or capabilities of attackers. Rather, attacker characteristics must be established as part of the assessment process, documented in threat source profiles and agreed to by the certification agency.

This guidance addresses the aircraft development life cycle from project initiation until the Aircraft Type Certificate is issued for the aircraft type design. This covers the first three life cycle stages of an aircraft type (Initiation, Development or Acquisition, and Implementation). In addition, it includes the handover of information about the Type Design that is necessary to ensure continuing airworthiness with respect to the information security threat, and the handover of information necessary to safeguard the Development Environment (see Figure 1). For the final stages (Operation, Support, Maintenance, Administration, and Disposal) an industry standard can be found in ED-204/DO-YYY "Security Guidance for Continuing Airworthiness" (in preparation).

Within the development life cycle of the aircraft type and the type design, this guidance addresses assessment of the acceptability of the airworthiness security risk and the design and verification of the airworthiness security attributes. Those aspects of information security or aerospace systems that are not part of the airworthiness security of the type design are not subject to this guidance. Recommendations for handling those aspects can be found in other guidance. However, if those aspects affect the airworthiness security of the type design, determining that dependence and its effect is addressed by this guidance.

Information security threats can potentially impair the condition of the digital systems to operate properly. This document treats information security threats as manageable risks to aircraft safety through the airworthiness security process supporting type certification. While physical security threats can potentially impede condition of the aircraft relative to wear and tear, they are not considered part of the scope of this document, which treats physical security as an external dependency of airworthiness security.

PURPOSE

This document is a resource for certification authorities and the aviation industry for developing or modifying aircraft systems and equipment when there is the possibility of adversely affecting the safety of flight from human action involving information or information system interfaces. It specifies data requirements and compliance objectives of an airworthiness security process, presented using a set of representative generic activities for managing data and objectives.

An industry standard for methods and instructions for data, activities and compliance objectives defined in this document can be found in ED-203/DO-YYY "Airworthiness Security Methodology and Instructions" (in preparation).