Length: 3 Days
Print Friendly, PDF & Email

Aviation Cybersecurity Airworthiness Certification

The aviation digital attack surface continues to grow in such a way that both managing risk and gaining insight into it remain difficult.

With emerging technologies like machine learning and 5G telecommunications experiencing wider adoption—alongside electric vertical takeoff and landing (eVTOL), and autonomous aircraft—aviation cybersecurity risk management is becoming more and more complex.

According to a recent study, 97 out of 100 the world’s largest airports have security risks related to vulnerable web and mobile applications, misconfigured public cloud, Dark Web exposure or code repositories leaks. The only international airports that passed with top grades were Schiphol airport in Amsterdam, Helsinki-Vantaa airport in Finland, and Ireland’s Dublin Airport.

Cybersecurity vulnerabilities are a concern in almost all industries, but in aviation there is a key life safety issue. A cyberattack, if successful, might end up in loss of numerous lives — resulting in a complete catastrophe.

During the last decade, the introduction of e-enabled or digital airplanes and widespread connectivity have increased the operational efficiency of the airlines. Nevertheless, this also involves increased interaction with many information systems that are outside the traditionally defined security perimeter. However, in the past, a major line of defense for the aviation industry was the nearly impossible to obtain knowledge needed by a cybercriminal regarding aviation specific software and hardware that was unavailable to the general public.

However, advanced digitalization has changed all that. Now the aviation industry leans on the use of commercial off-the-shelf software and solutions that do not require the referred-to aviation specific knowledge to attack them.

Also, gaping vulnerabilities now exist because of the interoperation of multiple interconnected systems.

It should be noted that the aircraft of the future is heading to software updated on the fly, which also creates salient addition security challenges.

Experts believe one of the leading defense weapons against cybersecurity-attacks is artificial intelligence. With AI, systems will have the ability to learn patterns and identify deviations in a way that traditional systems or analysts could only dream of.

The use of encryption will also continue to be critical to the aviation industry to help protect both air traffic control and flight traffic management systems’ information as well as customer and employee information which might include payment cards, national IDs, passport number, bank accounts and other Personal Identifiable Information (PII) and privacy.

Big Data and Predictive Analytics are also expected to play an important role as we are entering a new age of aircraft sensors and processors that incessantly input data throughout all the aviation ecosystem, including connectivity, operations and predictive maintenance.

Aviation Cybersecurity Airworthiness Certification

Aviation Cyber Security Airworthiness Certification Training, is a 3-day Aviation Cyber Security Airworthiness training that introduces participants to aviation industry’s best practices cyber-security risk assessment, analysis, development, mitigation and assurance.

Participants learn about the new and mandatory Aviation Cybersecurity regulation and standards such as DO-326A (U.S.) and ED-202A (Europe). Airworthiness Security Process Specification are the concepts  of the “DO-326/ED-202 Set” and key acceptable means of compliance by FAA & EASA (European Aviation Safety Agency) for aviation cybersecurity airworthiness certification.

Learning Objectives

Participants will learn about guidelines, compliance, regulations, specifications and best practices in :

  • The “DO-326/ED-202 Set” compliance, risks and costs
  • Analyzing cyber-security levels for the development, deployment & in-service phases
  • Aircraft security aspects of safety, systems-approach to security, security planning, the airworthiness security process, and security effectiveness assurance
  • Aviation avionics software development
  • Safety-oriented development process including the SAE standards ARP-4761 for Safety & ARP-4754A for Systems Development
  • Software & Hardware development standards DO-178C & DO-254
  • DO-356A/ED-203A: “Airworthiness Security Methods and Considerations”
  • DO-355/ED-204: “Information Security Guidance for Continuing Airworthiness” (U.S. & Europe) and ED-201: “Aeronautical Information System Security (AISS) Framework Guidance”
  • ED-205: “Process Standard for Security Certification / Declaration of Air Traffic Management / Air Navigation Services (ATM/ANS) Ground Systems” (Europe only)

Aviation Cyber Security Airworthiness Certification participants work in a group workshop to identify the key principles and consequences of aviation cybersecurity.

Course Agenda and Topics

The Airworthiness Security Process

  • What is cybersecurity airworthiness?
  • Airworthiness security
  • FAA & EASA (European Aviation Safety Agency) for aviation cybersecurity airworthiness certification
  • NIST Standards
  • ISO Standards
  • European Cybersecurity Standards Coordination Group (ECSCG)
  • Cyber Safety Commercial Aviation Team (Cyber Safety CAT)
  • Other Aerospace Standards
  • FAA/EASA Aviation Cybersecurity mandates & recommendations
  • DO-326A guidance for aircraft certification to handle the information security (i.e., cybersecurity) threat to aircraft safety
  • Security engineering process corresponding compliance objectives
  • Cybersecurity aspects of Operational Technology (OT)
  • Security as a Safety Aspect
  • Security into Safety through SAE ARP 4754(A) / 4761
  • Aeronautical Information System Security (AISS) Framework Guidance
  • Airworthiness Security Process Specification
  • Airworthiness Security Methods and Considerations
  • Information Security Guidance for Continuing Airworthiness
  • Process Standard for Security Certification/Declaration of Air Traffic Management/Air Navigation Services (ATM/ANS) Ground Systems
  • The Airworthiness Security Process: Risk Assessment, Security Architecture & Measures
  • Applications for Field Loadable Software (FLS), COTS equipment, In-Flight Entertainment (IFE) systems, Electronic Flight Bags (EFBs), Aircraft Network Security Program (ANSP), Security Incident Management and more

FAA and EASA Civil Aviation Certification

  • Aviation safety, reliability and security principals
  • Security process, the safety assessment process (SAE ARP 4761), and the system engineering process (SAE ARP 4754A
  • How DO-326 and ED-202 Mandatory for Airworthiness
  • Aviation/aircraft safety effects of “Intentional Unauthorized Electronic Interaction (IUEI)”
  • Cyber Threats
  • DO-178C/ED-12C/ARP4754A
  • DO-326A/ED-202A: “Airworthiness Security Process Specification
  • DO-356A/ED-203A: “Airworthiness Security Methods & Considerations
  • ED-201: “Aeronautical Information System Security (AISS) Framework Guidance
  • SAE’s ARP-4754A, SAE ARP-4761, DO-178C, DO-254
  • Physical security or physical attacks on the aircraft (or ground element)
  • Airport, Airline or Air Traffic Service Provider
  • Communication, navigation, and surveillance services managed by national agencies or their international equivalents (e.g., GPS, SBAS, GBAS, ATC communications, ADS-B)

FAA and EASA Airworthiness Security Certification

  • FAA certification
  • DO-326A, Airworthiness Security Process Specification
  • DO-355, Information Security Guidance for Continuing Airworthiness,
  • DO-356A, Airworthiness Security Methods and Considerations
  • Airworthiness Security
  • FAA Regulations, standards
  • Design Assurance Level (DLA) requirements and systems/functional critically
  • EASA certification
  • ED-201 – Aeronautical Information System Security (AISS) Framework Guidance
  • ED-202A – Airworthiness Security Process Specification
  • ED-203A – Airworthiness Security Methods and Considerations
  • ED-204 – Information Security Guidance for Continuing Airworthiness
  • ED-205 – Process Standard for Security Certification and Declaration of ATM ANS Ground Systems

Aviation Cybersecurity Principles

  • Cyber-Physical-Systems Security
  • Aviation Cybersecurity: The DO-326/ED-202-Set
  • Context, Background & References of the DO-326/ED-202-Set
  • The DO-326/ED-202-set Structure, Contents
  • ARP-4754
  • ED-201: “Aeronautical Information System Security (AISS) Framework Guidance”
  • The Airworthiness Security Process Steps
  • The DO-326/ED-202-Set “Core”
  • In-Service Cyber-Security
  • DO-355/ED-204: “Information Security Guidance for Continuing Airworthiness”
  • Aircraft, Ground Equipment, Generic InfoSec, Organizational & Personnel Aspects
  • Security Events/Incidents Management
  • ATM/ANS Cybersecurity Certification
  • ED-205: “Process Standard for Security Certification / Declaration of Air Traffic Management / Air Navigation Services (ATM/ANS) Ground Systems”

The Airworthiness Security Process Steps, Activities & Objectives

  • Cybersecurity Plan for Certification
  • Security Risk Assessment Process
  • Security Development Process
  • Cyber-Physical-Systems Security
  • Security Effectiveness Assurance
  • DO-326A/ED-202A & DO-356A/ED-203A: “Airworthiness Security Process Specification” & “Airworthiness Security Methods & Considerations“
  • DO-356A/ED-203A: “Airworthiness Security Methods and Considerations”
  • Cybersecurity for Development-Supplements
  • Modifications
  • COTS & Previously-Certified Systems

Cybersecurity and Safety Practices for Aircraft and Aircraft Systems

  • Cybersecurity definitions, key principles, methods and considerations
  • Integration of the DO-326/ED-202-set to avionics development & certification processes
  • DO-326/ED-202-set components, processes, steps, activities & objectives
  • Cybersecurity certification strategies for avionics initial Airworthiness
  • Continued Airworthiness
  • Advisory Circular (AC) 119-1
  • “Airworthiness & Operational Authorization of Aircraft Network Security Program (ANSP)”
  • “In-service” DO-355 segment of the DO-326 set
  • Advisory Circular (AC) 20-140C (Sep 2016): “Guidelines for Design Approval of Aircraft Data Link Communication Systems Supporting Air Traffic Services (ATS) (U.S.)
  • DO-326 set: DO-326, DO-356 & DO-355.
  • Advisory Circular (AC) 120-76D
  • Authorization for Use of Electronic Flight Bags

Aeronautical Information System Security Design, Development, and Operation                                     

  • Electronic Flight Bag (EFB)
  • Field Loadable Software (FLS)
  • In-Flight Entertainment (IFE)
  • Non-trusted Services
  • Logging
  • Air Traffic Management (ATM)
  • Internet Protocol Suite (IPS)
  • Aircraft-Ground Links, SATCOM
  • Continued Airworthiness (CA)
  • Service of Aircraft
  • Software
  • Supply Chain Audit

Workshop and Group Activities

  • Tonex Road Maps
  • Cybersecurity Awareness
  • Understanding Aviation Threat Vectors
  • Assets
  • Actors
  • Trust Boundaries
  • Information Flows
  • Threats
  • Ensuring a Product Cybersecurity Culture
  • Design and Operational Principles
  • Establishing Cybersecurity Regulations/Standards
  • Understanding and Managing the Shared Risk
  • Communicating the Threats and Assuring Situational Awareness
  • Incident Response & Mitigation
  • Strengthening the defensive system
  • Key Policy Priorities
  • Developing an Engagement Road Map for Addressing Cybersecurity Concerns
  • Engagement Plan & Stakeholders
  • International Collaboration
  • Develop improved secure interoperable connectivity for commercial aviation

Aviation Cybersecurity Airworthiness Certification

Request More Information

  • Please complete the following form and a Tonex Training Specialist will contact you as soon as is possible.

    * Indicates required fields

  • This field is for validation purposes and should be left unchanged.