Will Today’s Cybersecurity Guidelines and Standards Become Mandates for Connected Aircraft Systems?

April 09, 2020

Published in Avionics International
Written by Frank Wolfe

Aviation cybersecurity mandates by the European Union Aviation Safety Agency (EASA) and the Federal Aviation Administration (FAA) are coming in the next two years, according to participants in an Avionics International Apr. 7 webinar, Clearing the Skies of Cybersecurity Vulnerabilities from the Ground Up.

This year, EASA may adopt AMC 20-42 (NPA 2019-1), which will link information security guidelines to the high-level cyber standards of RTCA DO-326A or the EUROCAE ED-202 series.

Asked during the webinar how the avionics industry has thus far embraced airworthiness cybersecurity standards in RTCA DO-326A, 355, and 356, Alex Wilson, the director of aerospace and defense at Wind River, said that cybersecurity standards "have been adopted slowly, but I think we’ll see a more rapid adoption throughout this year and the coming year."

"Currently, the standards are more voluntary or applied on a case by case basis on aircraft systems as they go into certification," he said. "These standards have been around in embryonic form since the [Boeing] 787 [Dreamliner] first went through its airworthiness process [a decade ago]."

Wilson predicted that "once we see those standards being mandated through rules and regulations, we’ll start to see a massive adoption and a requirement of all new avionics systems to go through [these] standards."

Such mandates may spark, or re-ignite, the operational red teaming of aircraft cyber systems.

It has been unclear what the path forward is for cyber vulnerability testing of airliners in the United States after last month's decision by the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) to end the testing of a Boeing 757-200 at the Federal Aviation Administration (FAA) William J. Hughes Technical Center in Atlantic City.

Cyber vulnerabilities are not exclusive to commercial airliners. They are also faced by military and business aircraft and future urban air mobility platforms, and by diverse systems such as onboard radar altimeters, Global Positioning System receivers, and military Identification Friend or Foe (IFF) systems.

Paul Hart, the chief technology officer at Curtiss-Wright Defense Solutions, said that combat search and rescue helicopters can have up to 60 computers onboard to run flight control processes, such as take-off and landing, and complex synthetic vision systems, while UAVs normally have fewer than 10 processors for flight control and detect-and-avoid systems, and airliners "typically have more than 100 computing platforms."
