Cyber security for airworthiness: new MAA regulations
To counter threats of cyber-attack on military air systems, new regulation has been introduced to assess and mitigate potential impacts on air safety.
Cyber-attack presents a significant threat to the safe operation of modern military air systems. The MAA has now equipped the regulated community with Cyber Security for Airworthiness (CSA) regulation to ensure our safety-related systems are appropriately protected from this non-traditional, emerging threat to air safety.
Background
The aviation ecosystem is becoming more complex and connected. Modern military air systems, like their civil counterparts, are reliant on the correct functioning of avionic systems for safe operation. Increasingly, advanced network architectures are being introduced to interconnect avionic systems and other systems for internal and external data transmission. These technological advancements bring greater efficiency and performance but could introduce threats to airworthiness and air safety if not sufficiently protected. It is vital that cyber security assessments are conducted for connected systems to identify and mitigate, if necessary, airworthiness and air safety risks.
Physical access security can provide some mitigation, but it is important to note that this can only go so far. For example, cyber security vulnerabilities can be introduced to airborne electronic hardware (AEH) or safety-related airborne software through insecure supply chains. Increasing reliance on computerised ground support systems and other systems which connect to avionics, such as connected-electronic flight bags (EFB) or mission equipment, could also introduce vectors for malicious software (malware) if not mitigated. Essentially, any external connectivity for the air system could introduce new threats.
Some legacy air systems may have fewer intrinsic threats due to older federated architectures, bespoke computer technologies, and less reliance on avionic systems for safe operation. It is essential, however, that any extant risks are understood and mitigated. It should also be noted that type design changes which introduce new capabilities may establish connectivity to older systems; these could have been developed without consideration for cyber security controls, thereby introducing new vulnerabilities.
Aviation cyber security – a civil perspective
The European Union Aviation Safety Agency (EASA) has taken a holistic view to the development of a cyber resilient aviation ecosystem. Conceptually, the problem has been addressed in two key areas: product security (including aircraft and engines) and organisation security (for aviation organisations, concerning people and processes).
Product security
EASA has introduced requirements to the certification specifications (CS) for large aeroplanes, small and large rotorcraft, engines, and propellers (footnote 1) for equipment, systems, and network information security protection. These requirements apply to new or modified aircraft. AMC 20-42 airworthiness information security risk assessment is the published acceptable means of compliance for these requirements and refers to the following standards, developed by the European Organisation for Civil Aviation Equipment (EUROCAE) and the Radio Technical Commission for Aeronautics (RTCA): ED-202A/DO-326A, ED-203A/DO-356, and ED-204/DO-355 (note: some of these standards have since been updated). The certification specification for normal-category aeroplanes has introduced guidance material referring to AMC 20-42 (GM 23.2500(b) refers), and CS-ETSO (European Technical Standard Orders) also recognises the AMC for ETSO articles.
Organisation security
In February 2023 EASA published Commission Implementing Regulation (EU) 2023/203 which, together with the earlier released Commission Delegated Regulation (EU) 2022/1645, completes the new Information Security (Part-IS) Regulation. This regulation is cross-cutting and applies to aviation organisations which contribute to aviation safety such as Approved Maintenance Organisations (AMO), Continuing Airworthiness Management Organisations (CAMO), Production and Design Organisations, Air Traffic Management / Air Navigation Service (ATM / ANS) providers, and aerodrome operators. The regulation requires organisations to introduce an Information Security Management System (ISMS) with a focus on aviation safety. The associated acceptable means of compliance (AMC) is currently in development and expected to be published soon.
CAA
The UK Civil Aviation Authority (CAA) has replicated the EASA requirements in the published certification specifications for large aeroplanes, small and large rotorcraft, engines, propellers, and the guidance material for normal-category aeroplanes and ETSO articles; these also refer to AMC 20-42 as the published acceptable means of compliance.
The CAA currently has a rulemaking task for the introduction of Cyber Security Regulation based on EASA Part-IS. There will be further consultations prior to publication of the new regulation.
MAA cyber security for airworthiness and air safety
The latest issues of Defence Standard 00-970 for fixed wing combat air systems, small and medium type air systems, large type air systems and rotorcraft (footnote 2) include requirements for CSA; this applies to both new air systems and type design changes to existing air systems. Note: Defence Standard 00-970 part 9 (remotely piloted air systems (RPAS)) is currently undergoing a major review; there is an expectation that CSA requirements are included on any RPAS Type Certification Basis (TCB) in the interim, both for new air systems and depending on the specifics of any type design change.
The new CSA regulations have been introduced to ensure that all air systems on, or destined for, the UK Military Aircraft Register (MAR) are assessed for cyber security threats, and that suitable mitigations are put into place to address any potential negative impacts on airworthiness and air safety. The regulations also address a need to inform the owners of air safety risks about any potential CSA risks, so that these can be understood, owned, and integrated into core air safety management activities.
Changes to the MRP include the introduction of two new regulatory articles (RA), amendments to the roles and responsibilities of two existing RAs, and publication of a supporting regulatory instruction (RI) to provide compliance latitude. The regulations introduce new responsibilities for Type Airworthiness Authorities (TAA), Type Airworthiness Managers (TAM), Aviation Duty Holders (ADH), Accountable Managers (Military Flying) (AM(MF)), and Senior Responsible Owners (SRO); a summary is detailed below.
In addition, as published in the MAA’s programme of work for regulations - Financial Year 23 / 24 (MAA/RN/2023/02), following the publication of the EASA Part-IS regulations and their expected incorporation by the CAA, the MAA will investigate the overlaps with current MoD policy and determine whether future Information Security Regulation for aviation organisations is required.
The new CSA regulations
RA 5890 – Cyber Security for Airworthiness and Air Safety – Type Design and Changes / Repairs to Type Design
The regulation introduces responsibilities for TAAs / TAMs to ensure that air system cyber security risk assessments are conducted. Identified cyber threats shall be suitably mitigated to combat the potential negative impact on CSA and air safety. The MAA recognises the risk assessment and mitigation process detailed in RTCA DO-326A / EUROCAE ED-202A and associated standards RTCA DO-356A / EUROCAE ED-203A as an acceptable means of compliance. TAAs / TAMs should provide appropriate Instructions for Sustaining Type Airworthiness (ISTA) to the relevant ADH / AM(MF), including security event management procedures.
RA 1202 – Cyber Security for Airworthiness and Air Safety
This regulation introduces responsibilities for ADH / AM(MF) / SRO to ensure that cyber security threats to airworthiness and air safety are identified, suitably mitigated, and managed through life. Direction to operators should be provided to mitigate cyber security threats to airworthiness and air safety during operation and maintenance of air systems. The MAA recognises RTCA DO-355A / EUROCAE ED-204A with JSP 440 as an acceptable means of compliance. ADH / AM(MF) / SRO should ensure that the ongoing CSA activity contributes to the development and management of the applicable Air System Safety Cases.
MAA/RI/2023/03 – Cyber Security for Airworthiness and Air Safety
This RI details transitional arrangements which provide compliance latitude; it is broken up into specified milestones which should be achieved.
Some future changes
To complement the new CSA regulations there will be some changes to existing 1000-series regulations as follows:
RA 1015 – Type Airworthiness Management – roles and responsibilities
There will be an amendment to this regulation with the inclusion of a new TAM responsibility to ensure that air systems are assessed for their cyber risks to combat potential impact on CSA and air safety.
RA 1020 – Aviation Duty Holder and Aviation Duty Holder-Facing Organizations – Roles and Responsibilities
Additional text will be included in the guidance material for ADH responsibilities in operations. Clarification will be included in the operating envelope guidance to state that the activities should include emerging cyber threats to air safety which have the potential to impact risk to life during operations.
Summary
The new regulations will ensure that military air systems are assessed for and appropriately protected from cyber threats to airworthiness and air safety. The MAA will continue to engage and support the regulated community as required.
Footnotes
(1): CS 25.1319, CS 27.1319, CS 29.1319, CS-E 50(l), CS-P 230(g) refer respectively.
(2): Parts 1, 3, 5 and 7 respectively.