EASA Proposes New Aircraft Cybersecurity Certification Amendments

The European Aviation Safety Agency (EASA) is proposing new cybersecurity amendments to the way aircraft electronic networks and systems are certified. Under the new amendments, manufacturers and operators seeking certification of new aircraft systems and networks, or modifications to existing ones, will be required to address threats that can lead to unauthorized access and disruption of electronic information or electronic aircraft system interfaces.

EASA is proposing the new amendments to address the growing presence of connectivity within modern aircraft network designs. “Since aircraft systems are increasingly connected, and thus potentially vulnerable to security threats, EASA needs to consider the state-of-the-art means of protection against these threats when certifying new products or parts,” the agency said in the NPA.

EASA identified seven different certification specification areas, including technical regulatory requirements for business jets, commercial airliners and rotorcraft. The amendments were developed based on recommendations provided by an Aviation Rulemaking Advisory Committee (ARAC) that was tasked by the FAA with standardizing the way aircraft systems are protected from emerging cyber threats. The amendments will also introduce more harmonization between EASA and FAA regulations.

As more satellite and air-to-ground-based connectivity has been introduced onto aircraft over the last decade, the industry has relied upon the separation of aircraft networks into three different domains: aircraft control, airline information and passenger information. EASA’s proposed amendments focus solely on protecting the aircraft control domain, which features safety-critical flight controls used by pilots.

As aircraft system designs evolve from point-to-point data bus communications to standardized protocols connected by switched Ethernet, they are increasingly susceptible to new cyber threats.
“These interconnections are susceptible to new threats, which may potentially have catastrophic effects on the safety of air transport. Those threats are caused by unauthorized electronic interaction that can be triggered by human action either intentionally or unintentionally,” the agency said.

The proposed amendments come as cyber attacks on airline and aircraft networks are becoming more frequent. As an example, in October 2018, Cathay Pacific reported the largest data breach ever suffered by a commercial airline when a hacker accessed information about 9.4 million of its customers. Alaska Airlines was also at the center of a major attack in 2017 when it merged with Virgin America. Researchers with cybersecurity firm IOActive also demonstrated in late 2017 their ability to hack into a live commercial aircraft satellite communications modem.

EASA made it clear within the proposed amendments, though, that it is only concerned with threats to the safe operation of aircraft or the continued airworthiness of systems or parts. Those would not include the type of attack demonstrated by IOActive, or the data breach suffered by Cathay.

EASA is seeking industry comments on the new amendments through May 22, 2019, and expects to make a decision on implementing the new rules by the third quarter.