Industry Responds to New Security Regulations, Vulnerabilities Facing Embedded Suppliers


Published in Avionics International

2020 will usher in a new mandate that will require all avionics suppliers to prove that their commercial avionics systems and processes are cyber-secure. All aviation stakeholders now must comply with the emerging aviation cybersecurity standards known as “Airworthiness Security Process Specification,” identified and first introduced as DO-326A in the US and ED-202A in Europe.

These documents, published in 2018 but in the works for almost a decade, are today widely regarded as the de facto mandatory standard, according to AFuzion, a 45-person software systems and safety development consulting company that has trained more than 1,500 engineers on how to implement cybersecurity and software systems standards for FAA/military and EASA compliance.

Questions remain about how seriously the industry will get behind the measures, especially if it sees no bite in enforcement for non-compliance. In an industry that has leaned heavily on industry-led voluntary compliance, the new regulations concede the need for specific, well-defined rules to ensure that vulnerability gaps are quickly identified and mitigated on aircraft systems.

Compared to the commercial IT world, the aviation sector has been slower to respond to the cyber threat.

According to AFuzion, that’s because of the inaccurate perception that complex attacks on industrial infrastructure could only be carried out by state-level “actors.” Today’s wide adoption of COTS hardware and software and connected aircraft has changed everything.

Vance Hilderman, founder and CEO of AFuzion, says the level of commitment and innovation needed to fight the avionics cyber threat will require a new collaborative approach across the aviation industry.

“Unlike static hardware and software design, the cyber threat is continually changing. We have to show as part of the new standard that we have an evolving process in place – a strategy – that will evolve to meet that need both during development and during operational deployment,” he explains. “That means it’s not just a one-time rubber stamp but rather a continuous involvement by IT, security, quality assurance, and hardware and software engineers and that’s something that’s never been done before.”

Steve Edwards, director of secure embedded solutions with Curtiss-Wright, agrees that there will need to be a new level of vigilance.
