SECTION 2 CHAPTER 12

CYBER SECURITY

INTRODUCTION

12.1    Within the aviation safety domain, cyber security is commonly understood as the protection of information systems against intentional unauthorised electronic interactions (IUEI). Aircraft systems and parts are increasingly interconnected, and those interconnections are vulnerable to cyber security threats. These threats have the potential to affect the airworthiness of an aircraft due to unauthorised access, use, disclosure, denial, disruption, modification or destruction of electronic information or electronic aircraft system interfaces.

12.2    The implementation of a robust and effective cyber security approach to Defence aircraft design supports aviation safety. The objective of this approach is to take into account the interdependencies between aviation safety and security in order to mitigate the potential effects of cyber security threats on aircraft airworthiness. This approach will reduce the vulnerability of aircraft systems, and ultimately improve safety, by reducing the risk of cyber security incidents or accidents.

12.3    The Authority has evaluated recognised NAA and MAA approaches to cyber security, and their associated aviation cyber security standards, and concluded that intelligent application and in some cases expansion is required to effectively implement cyber security into Defence aircraft designs. A number of Authority recognised NAAs and MAAs have not yet defined or promulgated prescribed cyber security design requirements. Further, cyber security standards may not account for Defence’s obligations under the WHS legislation, since they may permit ‘risk acceptance’ once a specified risk level has been achieved. To promote the intelligent application of cyber security standards, this chapter first defines the requirements that should be satisfied for robust cyber security. The chapter then identifies where recognised NAA/MAA approaches to cyber security require particular attention if they are to meet the Authority’s prescribed requirements. This approach, which should be applied using the system safety principles in Section 2 Chapter 2, provides design organisations with guidance to embed robust cyber security practices into their engineering procedures.

12.4    Note that the prescribed requirements are currently only recommended to allow for the broader Defence Cyber Strategy to mature, whilst offering designers the opportunity to proactively apply current international good practice design requirements. The Authority will monitor recognised NAA and MAA prescription of design requirements as well as the maturity of the broader Defence Cyber Strategy and at an appropriate time update the prescribed requirements in this chapter.

Scope

12.5    This chapter presents Authority-prescribed cyber security design requirements that are applicable to design activities conducted for new manned aircraft and changes to the aircraft type design.

CYBER SECURITY REQUIREMENTS

12.6    The desired cyber security outcomes are that:

Information systems within Defence aircraft subject to Australian military type certifications are protected from IUEIs

Changes to the type design of in-service Defence aircraft do not compromise protections from IUEIs

In-service management of Defence aircraft contributes to protections from IUEIs through effective instructions for continuing airworthiness and an effective continued airworthiness management framework.

Initial Aircraft Certification

12.7    Cyber Security Requirement (Recommended). Aircraft equipment, systems and networks, considered separately and in relation to other systems, should be protected from IUEIs that may result in adverse effects on the safety of the aircraft. Protection should be ensured by showing that the security risks have been identified, assessed and treated as necessary.

12.8    Compliance with this requirement can be demonstrated through adopting the cyber security processes defined in EUROCAE ED-202A Airworthiness Security Process Specification dated June 2014/RTCA DO-326A Airworthiness Security Process Specification dated 6 Aug 14. These documents provide a process centred on a focused security risk assessment which:

determines the security environment for the information security of the aircraft

identifies the attack paths

assesses the safety consequences of the threats

evaluates, by considering the existing security protection means, the level of threat that would impact safety

determines whether the risks, which are the result of the combination of the severities and the potentiality to attack (or, inversely, the difficulty of attacking), are acceptable.

12.9    Guidance material for conducting the risk assessments can be found in EUROCAE ED-203A Airworthiness Security Methods and Considerations dated June 2018/RTCA DO-356A Airworthiness Security Methods and Considerations dated 21 Jun 18. Designers should engage with the appropriate Defence Cyber experts for assistance in determining the security environment, attack paths and associated level of threat.

12.10    Cyber Security Requirement (Recommended). Instructions for continuing airworthiness and a continued airworthiness management framework should be defined and promulgated to ensure that the security protections of the aircraft’s equipment, systems and networks are maintained.

12.11    International good practice recognises that the management of cyber security risks extends into the operational life of type-certificated aircraft. Effective continued and continuing airworthiness programs need to be informed by the results of the security risk assessments created to support type certification. Guidance on this requirement can be found in EUROCAE ED-203A/RTCA DO-356A Airworthiness Security Methods and Considerations and EUROCAE ED-204/RTCA DO-355 Information Security Guidance for Continuing Airworthiness dated June 2014.

Changes to aircraft type design

12.12    Cyber Security Requirement (Recommended). Changes to the type design of Defence aircraft should ensure the ongoing protection from IUEIs, where known, that may result in adverse effects on the safety of the aircraft. Protection should be ensured by showing that the security risks have been identified, assessed and treated as necessary.

12.13    Changes to the aircraft type design may undermine the cyber security protections provided by the original military type certification, resulting in changes to cyber security hazards and their associated risks. Accordingly, the process described in the RTCA/EUROCAE process specifications detailed in paragraph 12.7 should be followed, limited in scope to the proposed change to type design. Designers should engage with the appropriate Defence Cyber experts for assistance in determining the security environment, attack paths and associated level of threat.

12.14    Cyber Security Requirement (Recommended). Amendments to instructions for continuing airworthiness, and the continued airworthiness management framework should be promulgated as part of a change to type design, where necessary, to ensure that the security protections of the aircraft’s equipment, systems and networks are maintained.

12.15    Changes to the aircraft type design may require updates to the ongoing management of cyber security risks. Accordingly, the process described in the RTCA/EUROCAE specifications detailed in paragraph 12.10 should be followed, limited in scope to the proposed change to type design.

AUTHORITY-RECOGNISED NAA/MAA APPROACHES

12.16    This section describes the extent to which the cyber security elements of type certifications by Authority-recognised NAA/MAAs may be relied upon if offered as evidence of prior certifications.

12.17    Where the application is based on a prior certification from a recognised NAA/MAA, the applicant may be able to rely on a security risk assessment provided for the prior certification. Whether the applicant can rely on such risk assessments, wholly or in part, depends on the:

scope, conditions and caveats of the relevant NAA/MAA recognition certificate

extent that decisions in the risk assessment on whether identified risks were acceptable are valid given Australian WHS statutory obligations

extent that Australian changes to the aircraft’s configuration, role and environment (CRE) vary the cyber security risks identified in the risk assessment, or introduce new cyber security risks.

12.18    Australian WHS legislation. EUROCAE ED-202A/RTCA DO-326A Airworthiness Security Process Specification requires that decisions on risk acceptability be assessed using criteria defined by the relevant airworthiness authority. Accordingly, risk assessments performed for other NAAs/MAAs would not consider Australian WHS legislation. To comply with Australian statutory obligations, for any identified risks that were not eliminated during the prior certification, the applicant and relevant Military Air Operator (MAO), would decide whether the risks can be eliminated SFARP. If elimination is possible through reasonably practicable design controls, such design controls should be implemented before the aircraft enters service. If such design controls are not reasonably practicable, the applicant and MAO should consider the design controls necessary to minimise risks SFARP. If risk-minimising design controls are reasonably practicable, such design controls should be implemented before the aircraft enters service. If the implemented design controls would not eliminate the identified risks, then the MAO should undertake in-service risk management of the residual risks, including the implementation of reasonably practicable operational controls.

12.19    CRE changes. The applicant will need to consider the effect of any Australian CRE changes on the cyber security risks identified in security risk assessments provided as part of prior certifications. Such changes may require the security risk assessment to be supplemented by further analysis so that it considers all cyber security risks relevant to the Australian CRE. Where such analysis identifies new, or varies previously identified risks, the applicant and MAO should consider how to eliminate or otherwise minimise the risks as previously discussed.

12.20    If the applicant cannot rely on a security risk assessment provided as part of a prior certification, then the applicant would need to perform the process in the RTCA/EUROCAE process specifications detailed in paragraph 12.7, or engage a suitable organisation to perform one. Such a requirement is consistent with any other application where prior certification does not satisfy the entirety of the requirement: the applicant needs to undertake additional compliance demonstration activity to resolve the shortfall. The identified cyber security risks should be eliminated or otherwise minimised as previously discussed. Residual risks would be communicated to the MAO.

Civil cyber security approaches

12.21    EASA. To ensure designers consider cyber security hazards to aircraft airworthiness, EASA has introduced cyber design requirements into the following certification standards: CS-25 (Large Aeroplanes), CS-27 (Small Rotorcraft), CS-29 (Large Rotorcraft), CS-APU (Auxiliary Power Units), CS-E (Engines), CS-ETSO (European Technical Standard Orders) and CS-P (Propellers). The provisions take a common form, requiring the applicant to show during certification that the possible security risks posed by IUEI have been identified, assessed and mitigated as necessary. To demonstrate compliance with EASA’s cyber security design requirements, EASA AMC 20-42 provides acceptable means, guidance and methods to perform security risk assessments and mitigation for aircraft information systems. The AMC refers to the three RTCA/EUROCAE cyber-related specifications detailed in paragraphs 12.7, 12.8 and 12.10.

12.22    The requirements in this chapter were based on EASA’s approach to considering cyber security during aircraft type certification. Accordingly, security risk assessments performed during prior EASA certifications may be used provided a CRE assessment is performed and previously accepted risks are reconsidered by applying Australian WHS legislation.

12.23    FAA. The FAA has not yet introduced cyber security design requirements into its published airworthiness codes. Instead, it has implemented separate cyber security design requirements for what are termed ‘connected aircraft’, that is, aircraft in which the main aircraft backbone, connecting flight-critical avionics as well as passenger information and entertainment systems, is implemented in a manner that makes the aircraft an airborne interconnected network. Connected aircraft are certified with a special condition reflected on the aircraft Type Certificate Data Sheet, requiring operator actions to mitigate electronic security risks. At this time the Authority cannot determine the FAA considerations relevant to each aircraft’s special condition.

12.24    Given that the FAA has not yet amended its airworthiness codes, applicants cannot rely on prior FAA certifications as a means of compliance with the cyber security design requirements detailed in this chapter. Nevertheless, available information relevant to the cyber security aspects of the FAA certification can inform Australian Defence security risk assessments.

Military cyber security approaches

12.25    United States Navy (USN). The USN approach is a policy called CYBERSAFE, based on recognised cyber security principles. Cyber security has been integrated into type certification processes as described within NAVAIR M-13034.1 Airworthiness and CYBERSAFE Process Manual, dated 13 Apr 16. Both the manual and instruction confirm that the key document is a flight clearance, either interim or permanent, issued by COMNAVAIRSYSCOM. As part of the flight clearance process, airworthiness and CYBERSAFE technical assessments are performed, with the resultant Flight Clearance confirming that an aircraft is both airworthy and meets the specified cyber security requirements. Circa 2021, insufficient information is available to confirm that the USN applies a security risk assessment equivalent to the process described in the RTCA/EUROCAE process specifications detailed in paragraphs 12.7, 12.8 and 12.10. Accordingly, applicants cannot rely on prior USN certifications as a means of compliance with the cyber security design requirements detailed in this chapter. Nevertheless, available information relevant to the cyber security aspects of USN certifications can inform Australian Defence security risk assessments.

12.26    United States Air Force (USAF). Despite attempts to glean information from published material and through DASA recognition channels, circa 2021, DASA cannot determine the United States Air Force regulatory approach to protecting aircraft from cyber hazards to aviation safety. Accordingly, applicants cannot rely on prior USAF certifications as a means of compliance with the cyber security design requirements detailed in this chapter. Nevertheless, available information relevant to the cyber security aspects of USAF certifications can inform Australian Defence security risk assessments.

12.27    US Army. Despite attempts to glean information from published material and through DASA recognition channels, circa 2021, DASA cannot determine the US Army regulatory approach to protecting aircraft from cyber hazards to aviation safety. Accordingly, applicants cannot rely on prior US Army certifications as a means of compliance with the cyber security design requirements detailed in this chapter. Nevertheless, available information relevant to the cyber security aspects of US Army certifications can inform Australian Defence security risk assessments.

12.28    UK MAA. The UK MAA has amended its Defence Standard 00-970 Design and Airworthiness Requirements for Service Aircraft to introduce cyber security design requirements. These changes reference DEF STAN 00-55 Requirements for Safety of Programmable Elements in Defence Systems. Designers should ensure that platform cyber security vulnerabilities for safety-related software and complex electronic hardware do not purposefully or accidentally threaten airworthiness. An acceptable means of compliance with the cyber security requirements of DEF STAN 00-55 is the RTCA/EUROCAE process specifications detailed in paragraph 12.7. Accordingly, security risk assessments performed during prior UK MAA certifications may be used provided a CRE delta assessment is performed and risks accepted within the UK MAA certification are reconsidered by applying Australian WHS legislation.

CYBER SECURITY GUIDANCE

12.29    Further guidance on implementing the cyber security requirements prescribed in this chapter can be provided by the chapter sponsor.