How DO-326 and ED-202 Are Becoming Mandatory for Airworthiness

The recent European Aviation Safety Agency (EASA) “proposal” of cybersecurity amendments to aircraft and systems electronic networks and systems certification — combined with lower profile, but very real proposals for amendments by the U.S. Federal Aviation Administration (FAA — finally set a long-overdue deadline for all aviation stakeholders to comply with the emerging aviation cybersecurity standards by the third quarter of 2019.

As this deadline is just a few months away, many questions arise now as aircraft makers, equipment providers and other stakeholders scramble to meet this deadline. Being presented with such questions by DO-326/ED-202 webinars attendees, DO-326/ED-202-set white-paper readers and DO-326/ED-202-set training students, I felt those most affected by the aviation regulatory community would be served best if at least the most common ones were addressed.

EASA and FAA Proposals

These cybersecurity amendment proposals from EASA and the FAA are an all-in-one proposition, making the DO-326 and ED-202-set an official European acceptable means of compliance (AMC) for all types of aircraft, rotorcraft, engines and propellers. The practical meaning of it, and with no other AMC in the foreseeable future, is that any certifications of aircraft, rotorcraft, engines and propellers — and any related equipment or service sought from EASA — would need to comply with this set of standards as early as this year.

While the EASA proposition is indeed inclusive and scheduled to become regulation by Q3 of 2019, the FAA process aims to first address the AMC by issuing an advisory circular (AC) making the DO326/ED-202 set a U.S. official acceptable means of compliance by the third quarter of 2019, then proceed to the stricter formalities of revising 14 CFR Parts 21/23/25/27/29/33/35 in the following months.

Under the new amendments proposed by EASA, manufacturers and operators seeking certification of new aircraft systems and networks, or modifications to existing ones, will be required to address threats that can lead to unauthorized access and disruption of electronic aircraft system interfaces or information. EASA is proposing the new amendments to address the growing presence of connectivity within modern aircraft network designs.

“Since aircraft systems are increasingly connected, and thus potentially vulnerable to security threats, EASA needs to consider the state-of-the-art means of protection against these threats when certifying new products or parts,” the agency said in the NPA.

EASA identified seven different certification specifications areas, including technical regulatory requirements for business jets, commercial airliners and rotorcraft. Amendments were developed based on recommendations provided by an Aviation Rulemaking Advisory Committee (ARAC) that was tasked by the FAA with standardizing the way aircraft systems are protected from emerging cyber threats. The amendments will also introduce more harmonization between EASA and FAA regulations.

The practical implications for certifications sought from the FAA are exactly the same as the ones from EASA, which will harmonize FAA and EASA in terms of aviation cyber security certification.

What is, at the end of the day, the DO-326/ED-202 set, that is to become mandatory this year?

The DO-326/ED-202 set of standards, jointly developed by RTCA (U.S.) and EUROCAE (Europe) since 2006 includes, at its core, the following standards:

• • DO-326A/ED-202A: “Airworthiness Security Process Specification,” with the original edition issued in 2010, and its revision A in 2014. This is the “header” standard, from which all the others evolve, and which defines the cyber-security process for aircraft and systems development, including the actions to be taken for certification per-se.
• DO-356A/ED-203A: “Airworthiness Security Methods & Considerations,” with the original editions issued in 2014 and 2015 (respectively), and its revision A in 2018. This is a detailed, practical, guide for the implementation of DO-326A/ED-202A, and could be as well considered its “part B.”DO-355/ED-204: “Information Security Guidance for Continuing Airworthiness,” issued in 2014. This is an “in-service” guide for airworthiness cybersecurity, versus the previous two standards, aiming at the development stage, and as such is already in relatively wide use by developers as well as operators.

Additionally, Eurocae issued two more documents, without RTCA U.S. equivalents at this stage:

• ED-201: “Aeronautical Information System Security (AISS) Framework Guidance,” issued in 2015. This top-level “strategy” document merely aims at drawing the “big picture” of aviation Cyber-Security for the various aviation stakeholders, rather than serving as a practical “standard.”
• ED-205: “Process Standard for Security Certification/Declaration of Air Traffic Management/Air Navigation Services (ATM/ANS) Ground Systems,” issued in January 2019. Unlike ED-201, it is designated to become a mandatory standard during the next phase of EASA’s new cybersecurity aspect of regulating airworthiness for aircraft systems.

Who is going to be affected by this new regulation, and to what extent?

All of the above means that every aspect related to aircraft or aircraft components, from pre-inception to post-decommissioning, will be mandated by the DO-326/ED-202-set before the end of this year.

In the first stage, beginning this year, all developers and producers of aerospace platforms as well as all equipment developers and producers will naturally be affected. Operators, MROs and many other peripheral aerospace stakeholders will too, either directly or indirectly, with senior to mid-level executives and technical managers of aircraft, avionics and in-flight entertainment, as well as anything even remotely related to communication equipment, most likely to be affected immediately. Once EASA’s proposed amendment becomes regulation, all of the design engineers within each of these companies would need to intimately get acquainted with the DO-326/ED-202-set. The operators would immediately need to comply with DO-355 and ED-304, which are associated with in-service cybersecurity and operation rather than design and protection from intrusion.

Next, when regulation expands to become more inclusive, the air traffic management and air navigation service providers can expect to be affected, also as soon as next year – at least in Europe, while their U.S. colleagues would directly get their directions from the FAA, without any regulation for the time being.

The coming decade will probably see more and more aspects of aerospace affected by these new cybersecurity regulations, such as airports, for instance, to name but one aspect that is on the regulators’ stated agenda.

Relation to Existing Aviation Regulation

DO-326/ED-202 is often nicknamed “Cyber DO-178,” implying an equivalence between the classic avionics software development standard DO-178 (Euro: ED-12) and DO-326/ED-202. However, as tempting as this analogy may seem, carefully examining the existing aircraft/avionics standards and regulation would yield a more complex picture.

Indeed, there are close relations between the new cyber set of standards and the existing safety regulation eco-system, mainly including SAE’s ARP-4754A, SAE ARP-4761, DO-178C, DO-254 and a few more standards, but these relations would probably make DO-326A/ED-202A a “Cyber add-on” to ARP-4754A and DO-356A/ED-203A; the equivalent of a “Cyber ARP-4761” AND partly a “Cyber DO-178C.” Life is more complex than slogans here…

However, what is already completely clear is, that the new DO-326 and ED-202 set is a perfect fit into the current avionics standards/regulations ecosystem as it adds a new layer of man-made-failures protection to the classic natural-cause-failures safety considerations.

Parts of the DO-326/ED-202-set have already become de-facto acceptable means of compliance, at least in the United States — not entirely, not consistently, not immediately, but enough to convince fence-sitters that the FAA plays the cybersecurity game for keeps.

The most prominent examples for such early adoption are the following:

• Advisory Circular (AC) 119-1 (Sep 2015): “Airworthiness & Operational Authorization of Aircraft Network Security Program (ANSP),” which uses the “in-service” DO-355 segment of the DO-326 set.
• Advisory Circular (AC) 20-140C (Sep 2016): “Guidelines for Design Approval of Aircraft Data Link Communication Systems Supporting Air Traffic Services (ATS),” which uses the ENTIRE (U.S.) DO-326 set: DO-326, DO-356 & DO-355.
• Advisory Circular (AC) 120-76D (Oct 2017): “Authorization for Use of Electronic Flight Bags,” which in addition to incorporating a new “Security Procedures” section, uses an indirect reference to the DO-326 set by using the above-mentioned AC 20-140.
• However, the most indicative as to the FAA’s intentions is probably Policy Statement PS-AIR-21.16-02 Rev. 2 (Feb 2017): “Establishment of Special Conditions for Aircraft Systems,” which defines a “basket case” policy for establishing cybersecurity certification special conditions for all aircraft types, engines and propellers, with the original version issued in 2014. This policy statement is especially interesting as it just formalized a practice running back since 2005, when the FAA first issued cybersecurity special conditions for the certification of the Boeing 787, the first true “e-aircraft”, and proceeded with nearly 20 such cases before issuing the first edition of PS-AIR-21.16-02 in 2014.

All in all, EASA has already crossed the rubicon in February, while FAA has already been mandating as much as it possibly could for cybersecurity certification.

Look out for more updates on these concepts with concrete examples coming in a new cybersecurity column that I will be contributing to Avionics on a monthly basis.

Aharon David is the Chief WHO (White Hat Officer) of AFUZION Inc., a global leader of aviation development, certification, training and consulting. He received his BSc in Aerospace Engineering at the Technion, Israel’s Institute of Technology and his MBA at the Tel-Aviv University. His Avionics experience as a developer, manager, advisor, trainer and speaker spans almost four decades. Aharon delivers courses, webinars and presentations on the DO-326/ED-202 set of cybersecurity regulation.