The Military Aviation Authority (MAA) and MOD have announced enhanced requirements for cyber-security, to evaluate and counter the threat to air safety. In addition, the European Aviation Safety Agency (EASA) has published two notices of proposed amendment (NPA) related to cyber-security.
The following is extracted from the official statement:
NPA 2019-01 ‘Aircraft cyber-security’ was added in February 2019 and NPA 2019-07 ‘Management of information security risks’ added in May 2019. NPA 2019-01 introduced the new acceptable means of compliance (AMC) 20-42 which detailed changes to various existing certification specifications (CS) that now include new cyber-security requirements. For example, CS 25 (large aircraft) will introduce a new clause, CS 25.1319, which requires applicants to protect against ‘intentional unauthorised electronic interactions that may result in adverse effects on the safety of the aeroplane’, whilst demanding that ‘security risks have been identified, assessed and mitigated as necessary’.
NPA 2019-07 has a wider scope, introducing new draft regulation to cover the direct (aircraft specific) and indirect effects on air safety caused by a cyber event impacting the normal functioning of the European Aviation Traffic Management Network (EATMN).
When it comes to military aviation, in 2015, the MAA formally recognised the risk posed by cyber-attacks by updating its default airworthiness code, Defence Standard (Def Stan) 00-970, to introduce requirements for assessing cyber risks to airworthiness. At the time, there were no equivalent requirements within civil regulation, although civilian standards for assessing cyber-risks to safety had been published. Therefore, these civilian standards, RTCA DO-326 and DO-356, were introduced to a single clause in part 13 of Def Stan 00-970 and tailored for the military requirement. Def Stan 00-970 is invoked for both type airworthiness (through regulatory article (RA) 5810) and changes to type design (through RA 5820).
The MAA endorses the wider Defence principle of ‘as civil as possible, as military as necessary’. In line with this, Def Stan 00-970 is currently undergoing transformation, as reported in a previous article titled ‘MAA transformation of the design and airworthiness requirements for service aircraft (Defence Standard 00-970)’, basing its requirements on recognised civil airworthiness codes to which military deltas are applied, where necessary.
The initial MAA focus is to provide updated guidance on the assessment of cyber-security considerations on type airworthiness and changes to type design. As the new EASA AMC 20-42 is based upon the same civilian cyber standards as previously embodied in Def Stan 00-970, the MAA is seeking to introduce both this new AMC and the updated CS clauses to the equivalent parts of Def Stan 00-970, with necessary military deltas applied; for example, by introducing CS 25.1319 to the large aircraft standard, Def Stan 00-970 part 5.
Further reviews of MAA cyber-security policy are anticipated and are likely to include:
consideration of overarching MAA regulation of cyber-security, applicable to all military air safety-critical and safety-enabling systems, including a new RA for cyber-security and/or updates to existing MAA regulation. This work will embody the overarching cybersecurity framework requirements of the US National Institute of Standards and Technology (namely: identify, protect, detect, respond and recover), but with a specific focus on air safety
embodiment of cybersecurity requirements into MAA regulation and guidance where they relate to wider air safety, such as Air Traffic Management requirements in Def Stan 00-972 and continuing airworthiness
working with the other cybersecurity regulators and the Regulated Community to establish best practice for cybersecurity in military aviation platforms and their supporting systems
The MAA says it is mindful that impending Brexit outcomes may bring changes to national civil aviation requirements and is liaising with the Civil Aviation Authority with respect to their ongoing cybersecurity work.
The statement concludes with a summary stating that cyber-attack poses a significant threat to the safe and efficient operation of modern military aviation systems and noting: "By supplementing existing civil regulation where necessary, the MAA must now equip the Regulated Community with cyber-security regulation that, by design and sufficient through-life support, will ensure our critical systems and infrastructure are appropriately protected from this non-traditional, emerging threat."