DO-326A / ED-202A Intro to Aviation Cyber-Security – Free 21-page AFuzion Technical Whitepaper
The Worst Nemesis – Aviation Cyber Threats… or DO-326 / ED-202?
A passenger walks into a commercial-flight airplane with a laptop, hacks its network, making it fly even higher… funny? Well, unfortunately, this is not the beginning of a joke – but rather of a potential nightmare.
The bad news? This (almost as described above) allegedly happened in 2015… The good news? The person was a “white-hat-hacker” – one of the “good guys”, who only strive to prove their point about the need to strengthen cyber-defense, so the airplane was actually “safe”.
That hacker got banned from almost any future flight, but RTCA & EUROCAE didn’t even require this stimulus, as by then – they were already frantically developing a solution for almost a decade. This solution, the first complete and workable DO-326/ED-202 “set” of documents was finally published in June 2018 – but even earlier than that, the FAA and EASA made the set’s earlier versions as mandatory as practical at any given point in time. Following its mid-2018 publication, this DO-326/ED-202 “set” is already widely regarded as an “Acceptable Means of Compliance” (AMC), i.e.: a de-facto mandatory standard.
How did we get “here” from “there”? Good question:
The “digital aircraft” is already as commonplace as the aircraft itself – as natural as aircraft wings or engines, to the extent that modern aircraft could be regarded as winged & powered computers.
The turn of the millennium saw the rise of the next aviation digital phenomenon – the “connected aircraft”: in which everything is connected to… well… everything else… This trend is anything but novel – digital radio-systems, GPS, ACARS, ADS-B: all these, and more, have been integral components of passenger aircraft for decades. Consequently, today’s new aircraft contain thousands of processors performing both independent and intricately related operations: where old aircraft had hundreds of processors in a “closed” system, today’s aircraft architectures and connectivity necessitate more openness. (Remaining 21 pages of DO-326A / ED-202A, DO-354, DO-355, DO-356 Aviation Cyber-Security Technical Whitepaper available by download from AFuzion – click below).
What Is “DO-326/ED-202”, And Why Couldn’t Just “ARP-4754/DO-178” Be Applied?
As previously implied, when the European and American aviation industry via coordination with EASA and FAA, embarked on their standard-setting process circa 2005, no existing Cyber-Security standard at the time could provide a “ready-made” solution. So, in 2006 EUROCAE formed Working Group 72 (WG-72) and in 2007 RTCA formed Special Committee 216 (SC-216), both named “Aeronautical Systems Security”, and the process that yielded DO-326/ED-202 and their companion ecosystem documents, began.
The first resulting documents, ED-202 in Europe and DO-326 in the U.S., both named “Airworthiness Security Process Specification”, were published in 2010. The original DO326/ED-202 documents were intended to serve as an “all in one” guidance for the Information-Security of the development phase of aircraft from inception to certification and deployment. The original document language clearly stated that they are “…the first of a series of documents on Aeronautical Systems Security that together will address information security for the overall Aeronautical Information System Security (AISS) of airborne systems with related ground systems and environment…”, but this phase was yet to come.
DO-326/ED-202 were heavily based on the then-already-published ISO/IEC 27005 of the ISO27K family, and on the de-facto industry standard SAE ARP 4754, “Certification Considerations for Highly-Integrated or Complex Aircraft Systems”, and created a useful continuum with those in a relatively seamless manner.
However, anyone who ever had even a brief acquaintance with ARP4754 and/or RTCA’s DO-178, “Software Considerations in Airborne Systems and Equipment Certification”, should be rightly wondering why was this effort required in its entirety: why couldn’t Information-Security simply made part of ARP4754 and/or DO-178, especially in light of both going through major revisions at the time?
The simple, practical, reason is stated in a DO-326/ED-202 companion document, published a few years later: “… Airworthiness security is its own discipline, needing unique expertise, and requires its own analysis techniques and assurance considerations…”, in the sense that it is distinct from safety, and from other security considerations. Another consideration was – that Information Security was not necessarily all about software – as it involves quite a few other aspects of aviation. Therefore – ARP 4754 and DO-178 had to be coordinated with, but they also had to be kept “clean” of Cyber-Security issues.
The final deterrent from integrating Information Security into ARP 4754 and/or DO-178, was the fact that their “source of legitimacy”, FAA/EASA AC/AMC 25.1309 “System Design and Analysis”, explicitly excludes this option, by the mere definition of the term “event” covered by the document: “Event: An occurrence which has its origin distinct from the airplane, such as atmospheric conditions (e.g. gusts, temperature variations, icing and lightning strikes), runway conditions, conditions of communication, navigation, and surveillance services, bird-strike, cabin and baggage fires … The term is not intended to cover sabotage…”. Realizing that any change to FAA/EASA formal documents may delay the process for a decade or so, and reacting to the need to close the Information-Security regulatory gap immediately – both WG-72 and SC-216 were encouraged to develop separate documents, that would be tightly coordinated with ARP 4754 and DO-178, and so they did.
The first steps following the publication of DO-326 & ED-202 were still tightly coordinated:
- “Clean” DO-326/ED-202 to make it a “core” document that would only cover the “WHAT” of the certification process. The revised version, DO-326A/ED-202A, was published in 2014.
- Publish a new document, DO-355/ED-204, “Information Security Guidance for Continuing Airworthiness”, to cover the post-production, in-service phase: also in 2014. The new DO-355/ED-204 incorporated DO-326/ED-202 “spin-off” parts.
- Publish a new companion document that addresses the “HOW” of the certification process. The new pair, DO-356/ED-203, “Airworthiness Security Methods and Considerations”, intended to be a “security DO-178” to DO-326s “security ARP4754”.
However, at this third stage, the different nature of WG-72 and SC-216 started to take its toll, as the resulting DO-356 (published in 2014) and ED-203 (published in 2015) took different approaches, and were not technically identical like the other members of the “series”. Additionally, WG-72, applying its holistic approach, published in 2015 a document of its own, without an SC-216 equivalent: ED-201, “Aeronautical Information System Security (AISS) Framework Guidance”, intended as a strategic, top-level document to provide a “big picture”, aided by two background reports: ER-013, “Aeronautical Information System Security Glossary” in 2015, and ER-17, “International Aeronautical Information Security Activity Mapping Summary” in 2018.
At this stage, an FAA rulemaking committee, coordinating with EASA, ANAC (Brazil) and TCCA (Canada) intervened, and among a variety of other issues approached, brought EUROCAE and RTCA committees together again, resulting in a revised DO-356 and ED-203, that were published in 2018 as DO-356A/ED-203A, unifying their technical content. However, ED-201 was not matched by a DO equivalent, as it was not deemed a “working document” but an “orientation document”.
Meanwhile, WG-72 went on to produce another document of its own, ED-205, “Process Standard for Security Certification/Declaration of Air Traffic Management/Air Navigation Services (ATM/ANS) Ground Systems”, again – without an SC-216 equivalent, as the FAA manages most of its air-traffic ground-components internally, while EASA is a coalition of a few dozen civilian aviation authorities.
Thus, as of early 2019, the DO-326/ED-202 set comprises:
- The “core” guidance and considerations, DO-326A/ED-202A and DO-356A/ED-203A;
- The “in-service” guidance, DO-355/ED-204, based on the “core” guidance;
- The “top-level” documents, ED-201, ER-013, ER-017, serving as “philosophy guidelines”;
- The ground systems standard, ED-205, intended for mainly European usage, scheduled to be published in 2019.
To What Extent Is The “DO-326/ED-202 Set” Mandatory?
As most other RTCA and EUROCAE documents, the DO-326/ED-202 set is considered a de-facto aviation industry standard, as official mandates keep coming in. While “guidelines” in title, the lack of any meaningful “alternatives” mean these “guidelines” are treated as “standards” which need to be considered and their intent shown to be followed.
The previously mentioned FAA rulemaking committee, FAA Aviation Rulemaking Advisory Committee (ARAC) Aircraft System Information Security / Protection (ASISP) Working Group (WG), that during 2015-2016 examined the entire information security regulation, considerably accelerated the process of establishing formal, mandatory, regulation, and the very clear recommendation on this was for the FAA to “…consider RTCA standards DO-326, DO-356 and DO-355 and EUROCAE standards ED-201, ED-202, ED-203, ED-204 as acceptable guidance materials to comply with the security rule 25.13xx for large transport aircraft for new Type type-certifications or new significant major changes or when the applicant elects to use them on a voluntary basis…”, which in regulatory parlance translated to “FAA: make it mandatory, now”. As EASA (Europe), ANAC (Brazil) and TCCA (Canada) actively cooperated with the FAA ARAC ASISP WG, the clear meaning of this is – the DO-326/ED-202 set is becoming mandatory, and very soon, all over the world. This recommendation is well harmonized with EASA’s task force RMT.0648, developing the “Certification Specifications for product design” and task force RMT.0720, developing the “Rules for risk management within organizations and service providers” – both “horizontal” guidance, designating the DO-326/ED-202 set, scheduled to be published in 2020.
As for the guidance/recommendations that are included in the set, these can be roughly described as:
1) The “Airworthiness Security Process” (AWSP), mostly detailed in DO-326A/ED-202A, that outlines the major steps, activities and objectives of security certification for airworthiness:
- AWSP comprises 7 steps: Plan for Security Aspects of Certification, Security Scope Definition, Security Risk Assessment, Risk Acceptability Determination, Security Development, Security Effectiveness Assurance and Communication of evidences.
- These 7 steps are detailed into 14 activities: Plan for Security Aspects of Certification (PSecAC), Plan for Security Aspects of Certification Summary (PSecAC Summary), Aircraft Security Scope Definition (ASSD), Preliminary Aircraft Security Risk Assessment (PASRA), Aircraft Security Risk Assessment (ASRA), System Security Scope Definition (SSSD), Preliminary System Security Risk Assessment (PSSRA), System Security Risk Assessment (SSRA), Aircraft Security Architecture and Measures (ASAM), Aircraft Security Operator Guidance (ASOG), Aircraft Security Verification (ASV), System Security Architecture and Measures (SSAM), System Security Integrator Guidance (SSIG), System Security Verification (SSV).
- These 14 activities include 62 objectives (combined) to be met.
- Detailed “Acceptable Means of Compliance” (AMC) – provided mostly in DO-356A/ED-203A.
2) “Guidance for Continuing Airworthiness”, mostly provided by DO-355/ED-204, but supported by the “core” documents of the set as well. This Guidance is provided for the following eleven aspects: Airborne Software handling, Aircraft Components handling, Aircraft Network Access Points, Ground Support Equipment (GSE), Ground Support Information Systems (GSIS), Digital Certificates, Aircraft Information Security Incident Management, Operator Aircraft Information Security Program, Operator Organization Risk Assessment, Operator Personnel Roles & Responsibilities, and Operator Personnel Training. See AFuzion’s DO-326A / ED-202A training for additional details here: https://afuzion.com/private-training/do-326a-ed-202a-training-aviation-cyber-security/
Combined, the AWSP and Guidance for Continuing Airworthiness form one integrated entity that comprises a complete set of information-security AMC for achieving and maintaining airworthiness for the entire aircraft life cycle.
See the following graphic, excerpted from AFuzion’s DO-326A / ED-202A Cyber-Security Basic Training, 2 Days (300+ pages of proprietary DO-326A training slides; reprinted with permission from AFuzion Infosec)
A crucial aspect of information security is ”Time”: it is not merely a one-way safety-type process that has a clear end-point and then retreats to just monitoring – but a continued struggle against any potential attacks and attackers, that keep evolving even if nothing else happens concerning the said system. Thus, any modification, addition, removal or even altered function should be re-processed according to the DO-326/ED-202 set in order to assess what time has wrought. Furthermore, even the mere passage of time, without any modification of the system or its functions can bring changes in the hostility of the cyber-environment, so keeping up with the DO-326/ED-202 set would require periodic risk analysis in order to assess whether the system is still as secure as originally intended. Both the DO-326/ED-202 & DO-356/DO-203 “core” development phase documents and the DO-355/ED-204 “continued airworthiness” phase document need to be followed on this aspect.
To download the remaining 12+ pages of this technical DO-330 AFuzion Tool Qualification whitepaper, please download below:
Free: Download Remaining 10+ Page Paper Here