EUROCAE Call for participation WG-72

EUROCAE Working Group 72

Aeronautical Systems Security

The development of standards on aviation information security is adapting to the changes one can observe in the European aviation regulatory landscape. EUROCAE has launched four new standardisation activities. This Call for Participation informs interested parties that they can nominate project participants to these activities, which are developed jointly with RTCA SC-216. The activity is structured around four subgroups developing two revisions and two new documents.

WG-72 SG-3

WG-72 SG-3 is focusing on organisational aspects of information security in a revision of ED-206, published last year: guidance on information security event management (ISEM). This standard targets organisations that need to manage information security events that can affect aviation safety.

ED-206A/DO-392A - Guidance on Information Security Event Management (target publication date Q4/2024)

Stakeholders: approved organisations subject to EASA regulation on management of cyber security risks (Part IS):

  • DOA, POA
  • AOC 
  • Maintenance 
  • CAMO
  • Training organisations
  • Aero-medical centres
  • Operators of flight simulation training devices (FSTDs)
  • ATM/ANS providers; U-space service providers and single common information service providers
  • Aerodrome operators; apron management service providers
  • Member States

Expertise needed:

  • SoC, CERT, ISAC (with or without knowledge of aviation regulatory context)
  • Cyber threat intelligence specialist
  • Cyber security risk manager
  • Cyber security researcher
  • Aviation regulations and certification
  • Occurrence reporting (e.g. reg 2014/376)

WG-72 SG-4

WG-72 SG-4 is working on the adaptation of the information security management system (ISMS) to aviation. EASA published a new regulation including requirements on the management of cybersecurity risks for approved organisations and competent authorities in aviation. This regulation requires organisations and competent authorities to implement and maintain an ISMS. The document is intended to be used by organisations and authorities subject to the new EASA regulation as a standardised way to implement, maintain and improve an ISMS in the aviation framework, and as a baseline for auditing by certified organisations.

ED-xxx/DO-xyz - Information Security Management System for aviation organisations (target publication date Q3/2024)

Stakeholders: approved organisations subject to EASA regulation on management of cyber security risks (Part IS):

  • DOA, POA
  • AOC 
  • Maintenance 
  • CAMO
  • Training organisations
  • Aero-medical centres
  • Operators of flight simulation training devices (FSTDs)
  • ATM/ANS providers; U-space service providers and single common information service providers
  • Aerodrome operators; apron management service providers
  • Member States

Expertise needed:

  • Implementation of organisation information security management (with or without knowledge of aviation regulatory context)
  • Information security management
  • Aviation regulations and certification
  • Aviation safety management system

WG-72 SG-5

WG-72 SG-5 addresses end-to-end security for data. The resulting standard is expected to ensure that data having an impact on aviation safety is secured during production, transport, storage and usage. This may include airborne software, databases, production and maintenance data, and possibly data used in end-to-end digital communication. The assurance of data and information security for aviation demands a holistic approach across all the involved sub-sectors, in particular the ground segment, e.g. airports and air navigation services/air traffic control. Data security can be approached from an aircraft-centric view; however, it must consider all the supporting functions, in the form of an aviation functional chain, that contribute to safe and secure flight operations.

ED-xxx/DO-xyz Standard on Aviation Data Security (target publication date Q1/2025)

Stakeholders: approved organisations subject to EASA regulation on management of cyber security risks (Part IS):

  • DOA, POA 
  • AOC 
  • Maintenance 
  • CAMO
  • ATM/ANS
  • Aerodrome
  • Member States

Expertise needed:

  • Implementation of organisation information security management (with or without knowledge of aviation regulatory context)
  • Information security managers
  • Aviation regulations and certification
  • Aviation safety management system

WG-72 SG-6

Finally, WG-72 SG-6 is working on an update of ED-202A that improves change impact analysis related to the information security of embedded systems. EASA has provided some guidance in part 21 A.91 for the classification of minor / major changes, and the update of the standard could improve this guidance material. The revision is intended to identify the minimum set of activities required to demonstrate compliance of the change, and to provide some guidance on the authority's involvement in the compliance demonstration and on the implementation of security updates on certified products.

WG-72 SG-6 is aligning the guidance for performing Change Impact Analysis with respect to security with the process found in other technical disciplines, to better integrate it with the process for managing changes to a certified product. The new Change Impact Analysis guidance will also provide more support for securely managing Supplemental Type Certificates. SG-6 will also use this opportunity to align the complementary documents ED-202 and ED-203.

ED-202B/DO-326B Airworthiness Security Process Standard (target publication date Q2/2024)

Stakeholders:

  • Design organisations
  • Systems suppliers
  • Aviation authorities

Expertise needed:

  • Airworthiness information security
  • Airworthiness process
  • Product change
  • System change impact analysis

The group meets four times per year, alternately in Europe and on the North American continent. Physical participation in the meetings is steadily increasing, although the hybrid format is maintained.

The planned face-to-face meetings are:

  • 17-21 April 2023: EASA, Cologne
  • 12-16 June 2023: RTCA, Washington DC
  • 18-22 September 2023: EUROCAE, Saint-Denis (Paris Region)

If your company is interested in contributing to these new activities, please join WG-72 and the relevant subgroups from your account in My WGs. If you do not have an account yet, please reach out to Anna Guégan (anna.guegan@eurocae.net).