Military Aviation Authority
Cyber-attack presents a significant threat to the safe operation of modern military air systems. TheMAAhas now equipped the regulated community with Cyber Security for Airworthiness (CSA) regulation to ensure our safety-related systems are appropriately protected from this non-traditional, emerging threat to air safety.
Background
The aviation ecosystem is becoming more complex and connected. Modern military air systems, like their civil counterparts, are reliant on the correct functioning of avionic systems for safe operation. Increasingly, advanced network architectures are being introduced to interconnect avionic systems and other systems for internal and external data transmission. These technological advancements bring greater efficiency and performance but could introduce threats to airworthiness and air safety if not sufficiently protected. It is vital that cyber security assessments are conducted for connected systems to identify and mitigate, if necessary, airworthiness and air safety risks.
Physical access security can provide some mitigation, but it is important to note that this can only go so far. For example, cyber security vulnerabilities can be introduced to airborne electronic hardware (AEH) or safety-related airborne software through insecure supply chains. Increasing reliance on computerised ground support systems and other systems which connect to avionics, such as connected-electronic flight bags (EFB) or mission equipment, could also introduce vectors for malicious software (malware) if not mitigated. Essentially, any external connectivity for the air system could introduce new threats.
Some legacy air systems may have fewer intrinsic threats due to older federated architectures, bespoke computer technologies, and less reliance on avionic systems for safe operation. It is essential, however, that any extant risks are understood and mitigated. It should also be noted that type design changes which introduce new capabilities may establish connectivity to older systems; these could have been developed without consideration for cyber security controls, thereby introducing new vulnerabilities.
Aviation cyber security a civil perspective
The European Union Aviation Safety Agency (EASA) has taken a holistic view to the development of a cyber resilient aviation ecosystem. Conceptually, the problem has been addressed in two key areas: product security (including aircraft and engines) and organisation security (for aviation organisations - concerning people and processes).
Product security
EASA has introduced requirements to the certification specifications (CS) for large aeroplanes, small and large rotorcraft, engines, and propellers(footnote 1) for equipment, systems, and network information security protection. These requirements apply to new or modified aircraft. AMC 20-42 airworthiness information security risk assessment is the published acceptable means of compliance for these requirements and refers to the following standards, developed by the European Organisation for Civil Aviation Equipment (EUROCAE) and the Radio Technical Commission for Aeronautics (RTCA): ED-202A/DO-326A, ED-203A/DO-356, and ED-204/DO-355 (note: some of these standards have since been updated). The certification specification for normal-category aeroplanes has introduced guidance material referring to AMC 20-42 (GM 23.2500(b) refers), and CS-ETSO (European Technical Standard Orders) also recognises the AMC for ETSO articles.
Organisation security
In February 2023 EASA published Commission Implementing Regulation (EU) 2023/203 which, together with the earlier released Commission Delegated Regulation (EU) 2022/1645 completes the new Information Security (Part-IS) Regulation. This regulation is cross-cutting and applies to aviation organisations which contribute to aviation safety such as Approved Maintenance Organisations (AMO), Continuing Airworthiness Management Organisations (CAMO), Production and Design Organisations, Air Traffic Management / Air Navigation Service (ATM / ANS) providers, and aerodrome operators. The regulation requires organisations to introduce an Information Security Management System (ISMS) with a focus on aviation safety. The associated acceptable means of compliance (AMC) is currently in development and expected to be published soon.
CAA
The UK Civil Aviation Authority (CAA) has replicated the EASA requirements in the published certification specifications for large aeroplanes, small and large rotorcraft, engines, propellers, and the guidance material for normal-category aeroplanes and ETSO articles; these also refer to AMC 20-42 as the published acceptable means of compliance.
The CAA currently has a rulemaking task for the introduction of Cyber Security Regulation based on EASA Part-IS. There will be further consultations prior to publication of the new regulation.
MAAcyber security for airworthiness and air safety
The latest issues of Defence Standard 00-970 for fixed wing combat air systems, small and medium type air systems, large type air systems and rotorcraft(footnote 2) include requirements for CSA; this applies to both new air systems and type design changes to existing air systems. Note: Defence Standard 00-970 part 9 (remotely piloted air systems (RPAS)) is currently undergoing a major review; there is an expectation that CSA requirements are included on any RPAS Type Certification Basis (TCB) in the interim, both for new air systems and depending on the specifics of any type design change.
The new CSA regulations have been introduced to ensure that all air systems on, or destined for, the UK Military Aircraft Register (MAR) are assessed for cyber security threats, and that suitable mitigations are put into place to address any potential negative impacts on airworthiness and air safety. The regulations also address a need to inform owners of air safety risks of any potential CSA risks, so that these could be understood, owned, and integrated into core air safety management activities.
Changes to the MRP include the introduction of two new regulatory articles (RA), amendments to the roles and responsibilities of two existing RAs, and publication of a supporting regulatory instruction (RI) to provide compliance latitude. The regulations introduce new responsibilities for Type Airworthiness Authorities (TAA), Type Airworthiness Managers (TAM), Aviation Duty Holders (ADH), Accountable Managers (Military Flying) (AM(MF)), and Senior Responsible Owners (SRO); a summary is detailed below.
In addition, as published in the MAAs programme of work for regulations - Financial Year 23 / 24 (MAA/RN/2023/02) following the publication of the EASA part-IS regulations, and the expected incorporation by the CAA, the MAA will investigate the overlaps with current