EUROCAE ED-205 PDF

This document describes a process to assess the extent to which the ATM/ANS ground systems are appropriately secure for use. The process can be used to identify, evaluate and manage impacts on safety, operational delivery, economic concerns and others.

This document is a resource for the organisation (‘The Applicant’) addressing the security aspects of Service Provider (SP) certification, for the relevant systems in scope, against applicable security requirements. It also allows applicants to ‘selfcertify’ and issue a declaration that they have met applicable security requirements; this would be appropriate in the absence of, or in advance of, regulatory requirements. It has been written in the context of existing and proposed EU legislation.

‘Security Certification’ means a form of recognition based on an appropriate assessment, that an SP, including the ATM/ANS systems and constituents, complies with the applicable security requirements through the issuance of a Security Certificate attesting such compliance.

‘Security Self-Declaration’ means any written statement made under the sole responsibility of a legal or natural person to confirm that the applicable security requirements relating to an SP, including the ATM/ANS systems and constituents, are complied with.

The target audience is:

- Providers of ATM/ANS (e.g. ANSPs)

- ATM/ANS ground systems manufacturers

- Regulator/Security Oversight Audit/Inspection function (Appropriate Authority) Other interested parties are airport operators and aircraft/avionics manufacturers.

This document applies to the ATM/ANS ground systems that could have a direct or indirect impact on airborne systems. It considers information security throughout the data lifecycle, this includes the creation, storage, transmission, processing and decommissioning of data. Systems might include not just hardware and software, but also people and processes.

It is assumed that the Applicant will address the security aspects of Certification/Declaration within an existing Security Management System or Integrated Management System. ED-205 therefore focuses on the functional system level, rather than management system level. Furthermore, it takes into account the mutual interactions between safety and security.

The Appropriate Authority will approve means of compliance for the security aspects of Certification/Declaration, which may take into account any external security certification that an organisation may hold (e.g. ISO 27001).

The process is applicable to existing operational ATM/ANS ground systems and also to the new ATM/ANS ground systems under an acquisition or development process. The Appropriate Authority will be responsible for defining the set of ATM/ANS ground systems that need to go through the ED-205 process and address the security aspects of certification.

ED-205 was developed to answer the following questions:

• What does an aircraft and ATM/ANS ground systems manufacturer need to know to be sure that, when an unauthorised interaction occurs in the ATM/ANS ground system, the aircraft’s safety is preserved?

• How to ensure that the ATM/ANS ground system will not be compromised when the unauthorised interaction originates from the aircraft?

Stakeholders need to know that the relevant systems have been through the security aspects of certification and the ANSP is subsequently certified for operation. If so, then there should be sufficient confidence in the security of ATM/ANS ground systems. This document gives guidance on the process to follow to address the security aspects of certification. Following the steps of the process for each relevant ATM/ANS ground system gives confidence that those systems should not be compromised if/when an unauthorised interaction originates from the aircraft.

There is frequently confusion about where the boundaries lie between physical security, information security. There are distinctions which relate to what is being protected, the type of an attack and the means of defending the protected asset, but these basic elements are the same in concept. In many cases physical measures will protect an information asset, or systems will be built into a physical security measure such as electronic locks. The objective of securing assets should be the overriding factor in any security activities, although where a system has a potential for a safety impact then failsafe should take precedence over security and fail-secure. Therefore, this document focuses on the security requirements of ATM/ANS ground systems including the two security disciplines Physical security and Information security.

This first version of ED-205 is intended to establish a process, and to set an initial and minimum baseline, later versions and supplementary documents will be developed in order to provide progressively more guidance and details.