New Developments in Aviation Cybersecurity and Next-Generation Crash Recorders

Published by SAE Mobilus

Last March, I had the pleasure of introducing Dietmar Freese, a software and electronic hardware certification expert working for the European Union Aviation Safety Agency (EASA), at the Avionics Electronics Europe conference in Munich, Germany. At the conference, Mr. Freese gave an update on the latest EASA regulations for cybersecurity. In addition to discussing the DO-326A Airworthiness Security Process Specification, Mr. Freese also shared an update on future EASA regulations for flight recorders.

On the cybersecurity front, EASA has issued a new notice of proposed amendment (NPA) related to an earlier RTCA document, DO-326A, which came out in 2014. Because DO-326A wasn’t tied to any regulation, it hasn’t been widely implemented since its introduction. Recent incidents have increased the focus on DO-326A, including an incident last year, during which an airline passenger on board a major international carrier unwisely thought it would be funny to rename his iPhone’s personal wi-fi hot-spot account “Bomb Onboard.” During the flight, when the other passengers looked for the aircraft’s available wi-fi network, they were understandably frightened to find the prankster’s message. In this case, the crew had to divert the aircraft to address the confusion. When the media got wind of the story, pressure was put on aviation regulators to respond.

That unfortunate incident helped to revive interest in and awareness of DO-326A, and EASA has now decided to make it mandatory for avionics vendors to implement the specification. EASA is using a route to fast-track the mandate through legislation, and it’s now expected that, within the next three or four months, all new avionics developments will be required to perform a DO-326A cybersecurity assessment.

The DO-326A cybersecurity assessment entails seven steps, which branch into 39 security objectives and comprise a total of 62 activities, all of which will have to be carried out by the avionics vendor. For the most part, EASA is focused on avionics that connect with the outside world. On today’s aircraft, there are typically three wi-fi systems: the cabin wi-fi, the cockpit wi-fi, and the maintenance wi-fi. Of these three, EASA’s main concern lies with the maintenance wi-fi, which has become more important as the trend toward “zero-touch” aircraft maintenance increases.