European Aviation Safety Agency — Rulemaking Directorate
Preliminary Regulatory Impact Assessment
Aircraft cyber security
RMT.0648 — 30.5.2014
Pre-RIA score: B6
[Radar chart: Safety risks; Regulatory coordination and harmonisation; Environmental issues; Social issues; Economic issues (scale 0 to 20)]
For explanation on the Pre-RIA methodology, see Explanatory Note.
EXECUTIVE SUMMARY
This proposal addresses a safety issue related to modern aircraft design architectures which make them
sensitive to cyber-security threats.
The specific objective is to mitigate the impact on safety stemming from cyber security risks due to acts of
unlawful interference with on-board electronic networks and systems.
The safety risk level is considered to be medium.
The resulting Pre-RIA score is B6. See radar chart and Chapter 3 for the driving factors.
Based on this Pre-RIA, rulemaking is recommended.
The proposed rulemaking action is considered complex and controversial because several CSs are impacted
and there is no consensus among stakeholders on the issue.
Applicability
Affected regulations and decisions: CS-25; CS-29
Affected stakeholders: Applicants for Type Certificate (TC)/Supplemental Type Certificate (STC) for CS-25 and CS-29 aircraft exposed to data security threats
Driver/origin: Safety
Reference: Not applicable

Process map
Rulemaking lead: R4
Concept Paper: No
Terms of Reference: 2015/Q1
Rulemaking group: TBD
RIA type: Full
Technical consultation during NPA drafting: TBD
Duration of NPA consultation: 3 months
Review group: TBD
Focussed consultation: TBD

TE.RMP.00037-005 © European Aviation Safety Agency. All rights reserved.
Proprietary document. Copies are not controlled. Confirm revision status through the EASA intranet/Internet.
Page 1 of 8
1. Introduction
The purpose of this document is to give guidance on two critical questions regarding the
rulemaking proposal:
— Is rulemaking necessary? Or should the issue better be addressed by other means
(e.g. research, awareness-raising campaigns, etc.)?
— If rulemaking is recommended, what should be the priority of this proposal?
The answers to these questions will be based on the issue analysis in Chapter 2 and the baseline
assessment in Chapter 3 below. Chapter 5 discusses if rulemaking is required and which options
are available.
2. Issue analysis and preliminary safety risk assessment
2.1. What is the issue and the current regulatory framework?
For the last 10 years, the Transmission Control Protocol (TCP) and the Internet Protocol (IP) have been
used in aviation — from Air Traffic Management (ATM) systems to aircraft on-board avionics.
New aircraft designs are using TCP/IP technology for Integrated Modular Avionics (IMA), the
backbone which is connecting critical avionics functions and sensors with classical avionics
equipment. Today, gateways are also connecting these avionics critical assets with passenger
information and entertainment systems, which may also be connected to the ground worldwide
Internet through Satellite Communication (SATCOM). Aircraft maintenance functions are also
connected to the operator’s servers for long-distance data loading or maintenance operations.
These interconnections are susceptible to new threats, which may potentially have catastrophic
effects on the safety of air transport. Those threats are caused by unauthorised electronic
interaction which can be triggered by human action either intentionally or unintentionally. Such
threats have the potential to affect the airworthiness of the aircraft due to unauthorised access,
use, disclosure, denial, disruption, modification or destruction of electronic information or
electronic aircraft system interfaces. They include the effects of malware on infected devices, but
do not include physical attacks or electromagnetic jamming.
All recently designed Large Aeroplanes are known to be sensitive to those threats due to their
avionics architecture. Recent avionics modifications also render legacy aircraft sensitive to this
risk.
Today, cyber security is addressed as part of the aircraft safety assessment during the
certification activities of new designs and Supplemental Type Certificates (when the modification
presents obvious sensitivity of the modified systems to cyber threats). In the absence of
dedicated specifications in CS-25, this is done in accordance with Part 21A.16B through a Special
Condition called ‘Security Assurance Process to isolate or protect the Aircraft Systems and
Networks from internal and external Security Threats’. Normally, such a Special Condition is
included in CS-25 through a rulemaking activity when it is considered to be mature.
Such a sensitive subject would require at least coordination with other major aviation authorities.
In the United States, the Federal Aviation Administration (FAA) is also using a Special Condition to
address cyber security during certification projects. The FAA recently decided to continue to use
the Special Condition. The FAA has to date no plan to start a rulemaking project on the subject.
The Special Condition requires that aircraft systems and networks covered by CS 25.1309 are
assessed against potential failure caused by information security threats, in order to evaluate their
vulnerabilities to these threats.
However, there is controversy over the means to address cyber security in the context of
airworthiness:
— Some consider that although ‘“security” and “safety” share the same high-level objective, […]
both cannot be simply merged’. They argue that ‘safety addresses errors, failures, and
attempts to minimize the rate of their occurrence. In contrast, security addresses
vulnerabilities and attempts to minimize the possibility of their successful exploitation’.
Consequently, the methods and characterisations for the evaluation of the effects on the
aircraft systems are different and so should be the requirements. Therefore, the existing
CS 25.1309 and CS 29.1309 and their related AMC are inappropriate to address security,
and a new specification should be developed.
— Others consider that CS 25.1309 and CS 29.1309 would be the appropriate specification,
with some adaptations. For instance, CS 25.1309 requires that a safety analysis must
consider possible failure conditions and their causes, modes of failure, and damage from
sources that can be either:
  – external to the system,
  – design errors (including software),
  – errors when performing maintenance actions.
They also consider that it is easier to add system vulnerabilities to the list of potential causes
or contributors to a failure in CS XX.1309 rather than creating a specific code, where anyway
links to CS XX.1309 would be needed (see the example of CS 25.1709 ‘System Safety for
Electrical Wiring Interconnect Systems’).
2.2. Who is affected?
Applicants for Type Certificate (TC)/Significant Supplemental Type Certificate (STC) for CS-25 or
CS-29 aircraft exposed to data security threats.
2.3. What are the safety risks (probability and severity)? [1]
Security threats have existed for a long time and have evolved with technology, thus posing a
continued risk to civil aviation. These new threats, originated from acts of unlawful interference
with on-board electronic networks and systems (like computer viruses, Trojan Horse programs
(Trojans), denial of services) may jeopardise the airworthiness of the aircraft by causing loss or
corruption of avionics functions, navigation databases, configuration files, and other electronics
data required for the safe operation of the aircraft.
The effect of such interference can be catastrophic.
There is currently no evidence of any accident caused by unlawful interference with aircraft onboard electronic networks and systems.
It is to be noticed, however, that the rate of cyber-attack incidents in the non-aviation world has
increased over the last years.
Based on the above, the risk is considered extremely improbable/catastrophic. The level of risk
today is, thus, considered to be medium.
[1] This section is only to be filled in if safety risks are identified. For environmental risks, please discuss under
Section 2.1.
Table 1: Safety risk matrix [2]

Probability of occurrence   | Severity of occurrence
                            | Negligible (1) | Minor (2) | Major (3) | Hazardous (5) | Catastrophic (8)
Extremely improbable (1)    |                |           |           |               | X
Improbable (2)              |                |           |           |               |
Remote (3)                  |                |           |           |               |
Occasional (4)              |                |           |           |               |
Frequent (5)                |                |           |           |               |

[2] Enter ‘X’ in the appropriate box and see the Explanatory Note for the resulting risk index ‘high’, ‘medium’ or ‘low’. The
risk level may vary depending on the aviation domain.
3. Baseline assessment (Pre-RIA scoring)
The following questionnaire provides a quick assessment of the current situation taking into
account the objectives of Regulation (EC) No 216/2008 and the feedback loops.
Type of risks and issues under the current regulatory conditions | Estimated significance: None (0), Low (1), Medium (3), High (5)
[The per-question significance marks of the original table are not recoverable; the total is given under ‘Pre-RIA score’ below.]

3.1. Safety risks
Q-1. Have any safety risks been identified in Section 2.3?
Reasoning: See 2.3.
Q-2. Has a safety recommendation been addressed to the Agency?
Reasoning:
Q-3. Is the issue linked to a safety action from EASp?
Reasoning:
Q-4. Has a related recommendation from Standardisation been issued?
Reasoning:
Q-5. Has a future challenge from research, technological advancements,
business evolution or new best practices been identified?
Reasoning:

3.2. Environmental risks
Q-6. Have environmental risks been identified in terms of gaseous
emissions (greenhouse gases/local air quality) or noise?
Reasoning:

3.3. Social risks and issues
Q-7. Have the EASA rules created social risks or issues, e.g. in terms of
limiting free movement of persons, health issues, licencing issues?
Reasoning:

3.4. Economic risks including level playing field and proportionality
Q-8. Have excessive costs of regulatory framework been identified for
authorities, industry, licence holders, or consumers?
Reasoning:
Q-9. Has a competitive disadvantage been identified for certain economic
entities (obstacles on the level playing field)?
Reasoning:
Q-10. Has an issue for General Aviation (GA)/SMEs been identified
contradicting the guidelines in the European GA strategy [3]?
Reasoning:

3.5. Regulatory coordination and harmonisation (including legal requirements)
Q-11. Have implementation problems or regulatory burden been identified?
Reasoning:
Q-12. Has a difference or non-compliance with ICAO Standards been
identified, or a State Letter been received?
Reasoning:
Q-13. Has a need for harmonisation with third countries (e.g. FAA, TCCA)
been identified?
Reasoning: Such a sensitive subject would require at least coordination with other major aviation
authorities.
[3] http://intranet.easa.local/R/Important%20Files/European%20General%20Aviation%20Safety%20Strategy_final_edit.pdf
Pre-RIA score
Significance level: B
(A = high safety risk; B = medium safety risk or other high/medium risk; C = low or no significance.)
Significance points (total from questions 1–13): 6

4. Objectives of the proposal
The objectives of the European Union in the field of civil aviation are defined in Article 2 of
Regulation (EC) No 216/2008 [4] (hereinafter referred to as the ‘Basic Regulation’). This proposal will
contribute to the achievement of these objectives by addressing the issues outlined in Chapter 2.
The specific objective of this proposal is to mitigate the safety effects stemming from cyber security
risks due to acts of unlawful interference with the aircraft on-board electronic networks and systems.
To achieve this objective, the Certification Specifications and/or AMC of CS-25 and CS-29 should
be amended.
5. Options, preliminary impacts and recommended action
5.1. Options
In order to achieve the above objective, the options below were identified. These options are
non-exhaustive, preliminary and indicative and, thus, do not prejudge future rulemaking activities
which may contain different options. Only the baseline option (no regulatory change) is
mandatory.
Option | Description
0 | No rulemaking (baseline option; issues remain as outlined in Chapter 3).
1 | Transpose the existing cyber-security Special Conditions material into CS 25.1309 and CS 29.1309.
2 | Create a new specification in CS-25 and CS-29 addressing cyber security.

Both Options 1 and 2 are likely to achieve the objective. However, there is a trade-off between the
two.
5.2. Preliminary impacts identified
Option 0
Today, security matters related to aircraft design requirements are not in the remit of EASA
according to the Basic Regulation. So, the conclusion could be that the Agency should not act on
security threats. However, the Agency has the mandate to issue certification specifications that
‘shall reflect the state of the art and the best practices in the fields concerned and be updated
taking into account worldwide aircraft experience in service, and scientific and technical progress’.

[4] Regulation (EC) No 216/2008 of the European Parliament and the Council of 20 February 2008 on common rules in the
field of civil aviation and establishing a European Aviation Safety Agency, and repealing Council Directive 91/670/EEC,
Regulation (EC) No 1592/2002 and Directive 2004/36/EC (OJ L 79, 19.3.2008, p. 1), as last amended by Commission
Regulation (EU) No 6/2013 of 8 January 2013 (OJ L 4, 9.1.2013, p. 34).
Option 1
Safety
This option would only incorporate a Special Condition, already used during certification activities,
into existing specifications (CS 2X.1309). Implementing cyber security as part of CS 2X.1309, like
software development assurance, would strengthen the links between security and safety.
It would, however, render the security aspect less visible, in particular if only AMC 2X.1309 is
modified.
Economic
Applicants would benefit from prior awareness of the EASA expectations by having the
corresponding material directly available in the CSs. This may hinder the development of
unacceptable designs in the early stage of the projects; in the end, both applicants and EASA
would save the time which could have been wasted in discussing and correcting unacceptable
designs.
Option 2
Safety
This option creates a new dedicated specification which would make cyber security more visible
during a certification project. However, the link to safety (CS 2X.1309) could be considered less
obvious.
Economic
This option presents the same economic advantage as Option 1 does.
5.3. Recommended action
Based on the issue analysis and the Preliminary Regulatory Impact Assessment, the Agency
concludes:
Rulemaking action required: Yes
6. Complexity and controversy
The proposed rulemaking action is considered complex and controversial for the following
reasons:
— It affects several CSs;
— Cooperation is needed with other bodies apart from the Agency: coordination with the
European Commission on the Agency’s policy regarding aviation security specifications;
— There is no consensus among stakeholders on the interpretation of the existing Special
Conditions and the preferred place of these provisions within the CSs.
The working method and process map on the cover page were developed on the basis of this
assessment of complexity and controversy.
7. Annex I: References
7.1. Affected regulations
N/A
7.2. Affected decisions
CS-25, CS-29
7.3. Reference documents
N/A
8. Annex II: RIA data needs
TBD