EUROCAE Standard ED-202B, 2024: Airworthiness Security Process Specification
Description
The guidance of this document adds to current guidance for aircraft certification to handle the threat of Intentional Unauthorized Electronic Interaction (IUEI) to aircraft safety. It adds data requirements and compliance objectives, organized by generic activities for aircraft development and certification. This document is intended to be used in conjunction with related guidance material, including ED-203, ED-204, and ED-206. It is also intended to be used with other applicable guidance material, including ED-79/SAE ARP4754, ED-12/DO-178, and ED-80/DO-254, in the context of Part 25, CS-25, and JAA JAR-25. Tailoring of this guidance may allow it to be applicable in other contexts such as CS-23, CS-27, CS-29, CS-E, Part 23, Part 27, Part 29, and Part 33.
This process specification addresses electronic attacks (digital, not physical or electrical) and assumes trust may be placed in one or more of the following services, as negotiated with the regulator:
• Airport, Airline or Air Traffic Service Provider security (e.g., access to airplanes, ground control facilities, data centers),
• Communication and surveillance services managed by national agencies or their international equivalents (e.g., ATC communications, ADS-B), and
• Navigation services managed by national agencies or their international equivalents (e.g., GPS, SBAS, GBAS).
This guidance material is for equipment manufacturers, aircraft manufacturers, and anyone else who is applying for an initial Type Certificate (TC), and afterwards (e.g., for Design Approval Holders (DAH)), Supplemental Type Certificate (STC), Amended Type Certificate (ATC) or changes to Type Certification for installation and continued airworthiness for aircraft systems.
This guidance is designed to be implemented across the full life cycle of an aircraft from design, through in-service, to disposal. As such, it is recommended to apply this guidance to the design stage before its use in subsequent stages of the life cycle. In cases where changes are made to an aircraft and all the previous security artifacts are not available (for example, the aircraft was not certified with security special conditions or security rules), this document provides guidance for the applicant to identify objectives applicable to the change (see CHAPTER 4).
IUEI is defined as human-initiated actions with the potential to affect the aircraft due to unauthorized access, use, disclosure, denial, disruption, modification, or destruction of electronic information or electronic aircraft system interfaces. This definition includes the effects of malware on infected devices and the logical effects of external systems on aircraft systems but does not include physical attacks or electromagnetic jamming.
Certification Context:
Airworthiness security is the protection of the airworthiness of an aircraft from IUEI.
While the airworthiness certification process addresses failures and errors, this guidance extends this to address IUEI with aircraft systems resulting in a safety effect. Just as failures and errors are treated as manageable risks to aircraft safety by the airworthiness certification process, the threat of IUEI is treated equally through the airworthiness security activities. In this context, airworthiness security activities do not directly address the interfaces, policies, and procedures of external systems. However, aircraft systems may depend upon external systems to perform their functions, and so the dependencies of airworthiness security on external systems are included in the considerations. To address these considerations, the applicant documents the assumptions about external factors as part of the airworthiness security process.
Product Life Cycle Context:
This document provides guidance in addressing airworthiness security during the aircraft product life cycle from project initiation until the aircraft Type Certificate is issued for the aircraft type design, including afterwards the issuance of STCs and ATCs. In addition, it includes the handover of information about the type design that is necessary to ensure continuing airworthiness with respect to IUEI. For the other stages of the product life cycle (operation, support, maintenance, administration, and disposal), guidance may be found in a companion document ED-204/DO-355 "Information Security Guidance for Continuing Airworthiness."
Those aspects of information security that have no safety effect are not in the scope of this document.
PURPOSE
This document is a resource for Airworthiness Authorities (AA) and the aviation industry for certification when the development or modification of aircraft systems and the effects of IUEI can affect aircraft safety. It deals with the activities that need to be performed in support of the airworthiness process when it comes to the threat of IUEI (the “What”). ED-203/DO-356 provides methods and considerations (the “How”). The document ED-204/DO-355 "Information Security Guidance for Continuing Airworthiness" addresses airworthiness security for continued airworthiness. ED-206/DO-392 addresses guidance for managing security events.