Cyber-Security and Safety for Aircraft and Aircraft Systems: DO-326A guidance

CSL has been an active member of the international committee RTCA SC-216, which is charged with developing guidance material that will help ensure safe, secure and efficient operations amid the growing use of highly integrated electronic systems and network technologies on board aircraft, for CNS/ATM systems, and for air carrier operations and maintenance. Recent efforts of the committee have resulted in a revision of RTCA DO-326 “Airworthiness Security Process Specification” that was released on the RTCA web site in August 2014.

The guidance of DO-326A is intended to augment current guidance for aircraft certification to handle the information security (i.e., cybersecurity) threat to aircraft safety. In a nutshell, this new document describes a security engineering process that includes generic activities with corresponding compliance objectives.

The scope of DO-326A not only covers the initial Aircraft Type Certification but also Aircraft (systems) changes. As a result, it is likely to become a very influential guidance document.

Why is this standard likely to be important for the aerospace community?

Aviation certification authorities have seen the need for more official guidance in this area and have been actively supporting the effort of this special committee. In this context, it is highly expected that this guidance document will receive formal recognition from civil aviation certification authorities such as the FAA and EASA as an acceptable means of compliance with the security rules. Note: this standard has also been published by EUROCAE under the reference ED-202A.

This standard carries even more weight as it is not an ‘isolated’ publication; it is one of a set of three documents dedicated to security engineering. The other two standards are:

  • DO-355 “Information Security Guidance for Continuing Airworthiness”, which covers operations and maintenance, published in June 2014
  • DO-356 “Airworthiness Security Methods and Considerations”, published in September 2014

DO-326A is one of the very few standards that tackle the topic of integration of Security Engineering with Safety Engineering. At a time when cybersecurity is in the news almost on a daily basis, it is noteworthy to see that there is a guidance document that addresses the interactions between security and safety. In particular, this standard discusses the links between the security process, the safety assessment process (SAE ARP 4761), and the system engineering process (SAE ARP 4754A). Aerospace standards have often paved the way for, or at least influenced, other industries. This standard might be another example of this paradigm.

By being an active member of RTCA SC-216, CSL gained essential knowledge to help organisations such as aircraft OEMs and aircraft system suppliers become proficient with this guidance material.