All aircraft operators, even operators of legacy, non-e-enabled aircraft, need to understand the ramifications of evolving security requirements related to continued airworthiness. Guidance in this area is still evolving and will only become more operationally critical in the coming years. Security is a complex area, and a great deal of fear and doubt has been sown by self-interested third parties. Aircraft cybersecurity demands a robust network security program. A sound strategy, with guidance from a proven partner, can minimize your risk.
Not only are aircraft cybersecurity threats becoming more sophisticated, but their potential impacts are also increasing. Grounding a fleet because of cyber vulnerabilities that affect continued airworthiness can easily cost $100 million. The aviation industry has so far been spared a serious cyber event, but the potential damage from intentional interference is undeniable. As a result, the regulatory climate is one of mounting scrutiny of Aircraft Information Security Programs (AISPs).
Guidance Forcing Operational Change
Two international standards – DO-326A/ED-202A, the Airworthiness Security Process Specification, and DO-355A/ED-204A, Information Security Guidance for Continued Airworthiness – together form a much-needed framework for how operators ensure compliance with the security aspects of continued airworthiness. They were jointly authored and supported by RTCA and EUROCAE with the participation of operators, original equipment manufacturers (OEMs), the FAA and EASA. These standards provide guidance beyond traditional OEM documentation such as the Boeing ANSOG. In fact, Boeing’s new ANSOG Revision A specifically adopts DO-355A/ED-204A as the industry standard for security objectives.
The time has come. DO-326A and DO-355A are forcing operational change on the aviation industry, both in the United States and abroad. All aircraft operators will be required to hold operations specifications (OpSpec) approval for their ANSP or their Aircraft Information Security Program (AISP). The AISP described in DO-355A is more dynamic than a traditional ANSP and has potential overlap with information security management systems (ISMSs). The two are not equivalent systems, however, and involve different types of expertise and controls.
Fleet size, mix and age, the extent to which maintenance is distributed, and the maturity of the tech ops and IT cybersecurity capabilities are the primary variables that drive complexity. Evolving the legacy ANSP concept along the path to OpSpec approval requires proper upfront scoping, a greater breadth of stakeholder involvement, prioritization of execution elements, and regulatory partnership.
SeaTec’s project teams combine consulting, digital and technical expertise with direct, hands-on experience that eases the pain points of adopting a DO-355A-compliant AISP. We help airlines build upon their existing safety cultures in cost-effective ways that reflect each operator’s individual needs. We provide a project framework and a set of human and technical resources so operators can ensure continued airworthiness compliance with emerging aircraft cybersecurity standards. The following outlines how we partner with airlines to create a phased execution program designed to produce a dynamic, living security system with full organizational buy-in and ownership.
SeaTec’s Steps to Greater Cybersecurity
- Properly define the end state using DO-355A as a guiding framework.
- Assess current state and construct a gap analysis between the current and desired end state.
- Build an appropriate, prioritized, controlled program scope and plan that includes key organizational stakeholders across both business and technical domains.
- Partner with your regulatory entities early and communicate with them constantly.