Aviation Cyber Security & DO-326A: The New 2019 Mandates

15 Jan

Aviation Cyber Security will be perhaps the largest new development affecting all avionics developers and aircraft integrators for 2019.

Are you ready?  If not, read below for a free technical 1-hour tutorial webinar on February 7th and also training in Munich at Aviation Tech Week on March 12, 2019. To sign up for the free Feb 7 webinar, click here:   Click Here To Watch 1-Hour AFuzion DO-326A / ED202A Aviation Cyber-Security Webinar/Recording

To register for the March 12 Munich Aviation Week Aviation Security Training, click here: Aviation Security 1-Day Training Info & Registration Munich March 12

Aviation Security – it’s imperative in 2019 to develop an understanding of what is required for new avionics/aircraft development and operations via the new mandatory DO-326A/ED-202A documents.

The DO-326A/ED-202A set of documents is all about the mitigation of the aviation/aircraft safety effects of “Intentional Unauthorized Electronic Interaction (IUEI)”, a.k.a. “Cyber Threats”, and which were explicitly excluded from the classic DO-178/ED-12/ARP4754 set.

DO-326A/ED-202A & DO-356A/ED-203A focus upon type certification during the first three phases of an aircraft (including avionics) type: 1) Initiation, 2) Development or Acquisition, and 3) Implementation. Their companions DO-355/ED-204 focus upon security for continued airworthiness. DO-326A/ED-202A currently has 3 (three) companion documents: ED-201, DO-355/ED-204 and DO-356A / ED-203A, and a few more planned. DO-326A / ED202A provide requirements and objectives in a similar fashion to DO-178C, DO-254, and ARP4754A; while the DO-326A guidance is just that, certification authorities increasingly assess DO-326A compliance as added requirements for aviation suppliers.

The DO-326A/ED-202A set currently applies to fixed-wing aircraft (Part 25), with clear FAA recommendations for the adaptation/tailoring of DO-326A/ED-202A for general aviation (Part 23),rotorcraft (Parts 27 and 29), engines (Part 33) and propellers (Part 35), and clear indications of it will increasingly being applied to these other aircraft including military beginning in 2022 or thereafter.

DO-326A/ED-202A is “Airworthiness Security Process Specification”, used to mitigate effects of intentional electrical equipment intrusion, a.k.a. “IUEI” (Intentional Unauthorized Electronic Interaction) which could impact aircraft safety. DO-326A/ED-202A currently has 3 (three) companion documents: ED-201, DO-355/ED-204 and DO-356A / ED-203A (see below for detailed information) , and a few more planned. DO-326A / ED202A provide requirements and objectives in a similar fashion to DO-178C, DO-254, and ARP4754A; while the DO-326A guidance is just that, certification authorities increasingly assess DO-326A compliance as added requirements for aviation suppliers. Currently, DO-326A/ED-202A only applies to larger commercial aircraft, greater than 19 seats, hence is for Part 25 fixed-wing aircraft, however – clear FAA recommendations already exist for the adaptation/tailoring of DO-326A/ED-202A for general aviation (Part 23),rotorcraft (Parts 27 and 29), engines (Part 33) and propellers (Part 35). AFuzion’s participation in various committees and client work indicates DO-326/ED-202 will increasingly be applied to these other aircraft including military beginning in 2022 or thereafter. DO-326A focuses upon type certification during the first three phases of an aircraft (including avionics) type: 1) Initiation, 2) Development or Acquisition, and 3) Implementation. See DO-355/ED-204 below which focuses upon security for continued airworthiness.

Avionics and aircraft manufacturers need to address both developmental and operational aspects of their aircraft/systems. This ecosystem of secure safety within aviation development and operation focuses upon prevention of malware entering the avionics systems while they are being developed or data-loaded, and also during flight operations where such malware (or external hacking) could alter intended aircraft operations and safety.

As their titles suggest, ED-201 serves as the top-level “WHY” guide for the entire information security process. DO-326A/ED-202A define the “WHAT”, including risk assessment for ARP4761A; DO-356A/ED-203A comprise the “HOW” – more or less the “security-companions” of DO-178C/ED-12C et al; DO-355/ED-204 are the “WHAT THEN” – feeding to ARP5150; and the new ED-205 is for the ground (CNS/ATM, e.g. companions to DO-278A), more or less the “security-companions” of DO-278A/ED-109A, et al. Where the base aviation guidelines (DO-178C, DO-254, DO-278A, ARP4754A,…) suggest safe and verifiable engineering processes, the aforementioned security-related documents provide guidance and rules which augment those engineering processes for security intrusions and extend through aircraft operations. For DO-326A / ED-202A Guidance, DO-326A Training, DO-326A Mentoring, or DO-326A Gap Analysis, contact AFuzion.

For information on private DO-326A Training and ED-202A Training, see the AFuzion training page for more details here: AFuzion Cyber Security Training Info Click Here

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: