Length: 3 Days
Print Friendly, PDF & Email

Aviation Cybersecurity Airworthiness Certification

Cyberattacks against aviation organizations appear to be increasing.

Consequently, from an aviation-cybersecurity-standards perspective, there has been significant activity by both the European Aviation Safety Agency (EASA) and the U.S. FAA. New regulations, established just last year, make it so that the only way aircraft, aviation systems, engines, etc. will be able to achieve airworthiness certification is to comply with the recently updated DO-326 and ED-202.12.

Also, a new initiative of the U.S. Department of Homeland Security (DHS), in partnership with the U.S. Air Force (USAF), will increase scrutiny of aircraft cybersecurity.

These new regulations are considerably more detailed and comprehensive in their approach to the management of cybersecurity risk.

Although progress is being made, significant challenges remain to both gaining insight into aviation-cybersecurity risk and globally managing it.

The aviation industry relies on a complex infrastructure integrated in multiple systems that need to be individually and holistically protected. It’s generally believed that a thorough cyber assessment is needed involving aircraft and equipment manufacturers, air-traffic control, airports, airlines and all the other elements of the aviation infrastructure as an information system.

This should include penetration testing or red teaming where cyber experts try to gain access to the systems as well as vulnerability testing to look for flaws in security.

Digitalization has opened up new vulnerabilities. Areas the experts say are especially vulnerable, include:

  • Cargo handling and shipping
  • Cabin crew devices
  • Fuel gauges
  • Reservation systems
  • In-fight entertainment and connectivity systems
  • The Airplane Information Management Systems (AIMS)
  • Flight traffic management systems

Another very important element to consider is insider threat. Reports show that insider threat is on the rise, requiring employees to be educated in their role in mitigating such threats and adhering to cybersecurity policies and best practices.

Experts say that processes and playbooks should be periodically reassessed and rigorously tested to ensure continuous improvement.  In addition, access controls should be put in place to only allow the people who absolutely need clearance to certain areas to the airport or the aircraft.

Improving aviation cybersecurity is a serious challenge, and bringing along all stakeholders is essential if global, systemic risk is to be reduced.

Aviation Cybersecurity Airworthiness Certification

Aviation Cyber Security Airworthiness Certification Training, is a 3-day Aviation Cyber Security Airworthiness training that introduces participants to aviation industry’s best practices cyber-security risk assessment, analysis, development, mitigation and assurance.

Participants learn about the new and mandatory Aviation Cybersecurity regulation and standards such as DO-326A (U.S.) and ED-202A (Europe). Airworthiness Security Process Specification are the concepts  of the “DO-326/ED-202 Set” and key acceptable means of compliance by FAA & EASA (European Aviation Safety Agency) for aviation cybersecurity airworthiness certification.

Learning Objectives

Participants will learn about guidelines, compliance, regulations, specifications and best practices in :

  • The “DO-326/ED-202 Set” compliance, risks and costs
  • Analyzing cyber-security levels for the development, deployment & in-service phases
  • Aircraft security aspects of safety, systems-approach to security, security planning, the airworthiness security process, and security effectiveness assurance
  • Aviation avionics software development
  • Safety-oriented development process including the SAE standards ARP-4761 for Safety & ARP-4754A for Systems Development
  • Software & Hardware development standards DO-178C & DO-254
  • DO-356A/ED-203A: “Airworthiness Security Methods and Considerations”
  • DO-355/ED-204: “Information Security Guidance for Continuing Airworthiness” (U.S. & Europe) and ED-201: “Aeronautical Information System Security (AISS) Framework Guidance”
  • ED-205: “Process Standard for Security Certification / Declaration of Air Traffic Management / Air Navigation Services (ATM/ANS) Ground Systems” (Europe only)

Aviation Cyber Security Airworthiness Certification participants work in a group workshop to identify the key principles and consequences of aviation cybersecurity.

Course Agenda and Topics

The Airworthiness Security Process

  • What is cybersecurity airworthiness?
  • Airworthiness security
  • FAA & EASA (European Aviation Safety Agency) for aviation cybersecurity airworthiness certification
  • NIST Standards
  • ISO Standards
  • European Cybersecurity Standards Coordination Group (ECSCG)
  • Cyber Safety Commercial Aviation Team (Cyber Safety CAT)
  • Other Aerospace Standards
  • FAA/EASA Aviation Cybersecurity mandates & recommendations
  • DO-326A guidance for aircraft certification to handle the information security (i.e., cybersecurity) threat to aircraft safety
  • Security engineering process corresponding compliance objectives
  • Cybersecurity aspects of Operational Technology (OT)
  • Security as a Safety Aspect
  • Security into Safety through SAE ARP 4754(A) / 4761
  • Aeronautical Information System Security (AISS) Framework Guidance
  • Airworthiness Security Process Specification
  • Airworthiness Security Methods and Considerations
  • Information Security Guidance for Continuing Airworthiness
  • Process Standard for Security Certification/Declaration of Air Traffic Management/Air Navigation Services (ATM/ANS) Ground Systems
  • The Airworthiness Security Process: Risk Assessment, Security Architecture & Measures
  • Applications for Field Loadable Software (FLS), COTS equipment, In-Flight Entertainment (IFE) systems, Electronic Flight Bags (EFBs), Aircraft Network Security Program (ANSP), Security Incident Management and more

FAA and EASA Civil Aviation Certification

  • Aviation safety, reliability and security principals
  • Security process, the safety assessment process (SAE ARP 4761), and the system engineering process (SAE ARP 4754A
  • How DO-326 and ED-202 Mandatory for Airworthiness
  • Aviation/aircraft safety effects of “Intentional Unauthorized Electronic Interaction (IUEI)”
  • Cyber Threats
  • DO-178C/ED-12C/ARP4754A
  • DO-326A/ED-202A: “Airworthiness Security Process Specification
  • DO-356A/ED-203A: “Airworthiness Security Methods & Considerations
  • ED-201: “Aeronautical Information System Security (AISS) Framework Guidance
  • SAE’s ARP-4754A, SAE ARP-4761, DO-178C, DO-254
  • Physical security or physical attacks on the aircraft (or ground element)
  • Airport, Airline or Air Traffic Service Provider
  • Communication, navigation, and surveillance services managed by national agencies or their international equivalents (e.g., GPS, SBAS, GBAS, ATC communications, ADS-B)

FAA and EASA Airworthiness Security Certification

  • FAA certification
  • DO-326A, Airworthiness Security Process Specification
  • DO-355, Information Security Guidance for Continuing Airworthiness,
  • DO-356A, Airworthiness Security Methods and Considerations
  • Airworthiness Security
  • FAA Regulations, standards
  • Design Assurance Level (DLA) requirements and systems/functional critically
  • EASA certification
  • ED-201 – Aeronautical Information System Security (AISS) Framework Guidance
  • ED-202A – Airworthiness Security Process Specification
  • ED-203A – Airworthiness Security Methods and Considerations
  • ED-204 – Information Security Guidance for Continuing Airworthiness
  • ED-205 – Process Standard for Security Certification and Declaration of ATM ANS Ground Systems

Aviation Cybersecurity Principles

  • Cyber-Physical-Systems Security
  • Aviation Cybersecurity: The DO-326/ED-202-Set
  • Context, Background & References of the DO-326/ED-202-Set
  • The DO-326/ED-202-set Structure, Contents
  • ARP-4754
  • ED-201: “Aeronautical Information System Security (AISS) Framework Guidance”
  • The Airworthiness Security Process Steps
  • The DO-326/ED-202-Set “Core”
  • In-Service Cyber-Security
  • DO-355/ED-204: “Information Security Guidance for Continuing Airworthiness”
  • Aircraft, Ground Equipment, Generic InfoSec, Organizational & Personnel Aspects
  • Security Events/Incidents Management
  • ATM/ANS Cybersecurity Certification
  • ED-205: “Process Standard for Security Certification / Declaration of Air Traffic Management / Air Navigation Services (ATM/ANS) Ground Systems”

The Airworthiness Security Process Steps, Activities & Objectives

  • Cybersecurity Plan for Certification
  • Security Risk Assessment Process
  • Security Development Process
  • Cyber-Physical-Systems Security
  • Security Effectiveness Assurance
  • DO-326A/ED-202A & DO-356A/ED-203A: “Airworthiness Security Process Specification” & “Airworthiness Security Methods & Considerations“
  • DO-356A/ED-203A: “Airworthiness Security Methods and Considerations”
  • Cybersecurity for Development-Supplements
  • Modifications
  • COTS & Previously-Certified Systems

Cybersecurity and Safety Practices for Aircraft and Aircraft Systems

  • Cybersecurity definitions, key principles, methods and considerations
  • Integration of the DO-326/ED-202-set to avionics development & certification processes
  • DO-326/ED-202-set components, processes, steps, activities & objectives
  • Cybersecurity certification strategies for avionics initial Airworthiness
  • Continued Airworthiness
  • Advisory Circular (AC) 119-1
  • “Airworthiness & Operational Authorization of Aircraft Network Security Program (ANSP)”
  • “In-service” DO-355 segment of the DO-326 set
  • Advisory Circular (AC) 20-140C (Sep 2016): “Guidelines for Design Approval of Aircraft Data Link Communication Systems Supporting Air Traffic Services (ATS) (U.S.)
  • DO-326 set: DO-326, DO-356 & DO-355.
  • Advisory Circular (AC) 120-76D
  • Authorization for Use of Electronic Flight Bags

Aeronautical Information System Security Design, Development, and Operation                                     

  • Electronic Flight Bag (EFB)
  • Field Loadable Software (FLS)
  • In-Flight Entertainment (IFE)
  • Non-trusted Services
  • Logging
  • Air Traffic Management (ATM)
  • Internet Protocol Suite (IPS)
  • Aircraft-Ground Links, SATCOM
  • Continued Airworthiness (CA)
  • Service of Aircraft
  • Software
  • Supply Chain Audit

Workshop and Group Activities

  • Tonex Road Maps
  • Cybersecurity Awareness
  • Understanding Aviation Threat Vectors
  • Assets
  • Actors
  • Trust Boundaries
  • Information Flows
  • Threats
  • Ensuring a Product Cybersecurity Culture
  • Design and Operational Principles
  • Establishing Cybersecurity Regulations/Standards
  • Understanding and Managing the Shared Risk
  • Communicating the Threats and Assuring Situational Awareness
  • Incident Response & Mitigation
  • Strengthening the defensive system
  • Key Policy Priorities
  • Developing an Engagement Road Map for Addressing Cybersecurity Concerns
  • Engagement Plan & Stakeholders
  • International Collaboration
  • Develop improved secure interoperable connectivity for commercial aviation

Aviation Cybersecurity Airworthiness Certification

Request More Information

  • Please complete the following form and a Tonex Training Specialist will contact you as soon as is possible.

    * Indicates required fields

  • This field is for validation purposes and should be left unchanged.