Cybersecurity in the Air: Addressing Modern Threats with DO-326A
Not long ago, getting on an airplane meant being largely out of touch with everyone on the ground for the duration of one’s flight. Of course, there were in-flight telephones for those who could afford them, and pilots could connect with personnel on the ground in case of emergency, but the rank-and-file passenger had limited options for connecting with the world outside the aircraft.
The 21st century has changed flying from a largely isolated endeavor that exists in a closed loop to one that integrates with ground systems through the miracle of the Internet. For travelers who want to enjoy their own personal entertainment options, conduct business, or take advantage of downtime to do online shopping, accessing the Internet during a flight is a tremendous boon. For air freight carriers and their customers, Internet connectivity improves visibility and streamlines supply chains with better real-time information.
Of course, the advantages of connectivity come with disadvantages as well. The more airborne systems are interconnected with the broader Internet, the more vulnerable systems are to hacking. In 2015, a researcher was kicked off a United Airlines flight after tweeting about security vulnerabilities; the researcher claimed to have accessed in-flight networks multiple times between 2011 and 2014, including one time when he allegedly commandeered the plane. In 2016, the US Department of Homeland Security hacked the system of a Boeing 757 using “typical stuff that could get through security.” And in 2022, Boeing announced a software update to repair a vulnerability that could allow hackers to modify data and cause pilots to miscalculate landing and take-off speeds.
Aviation cybersecurity has become a critical issue across the globe. Not only do millions of passengers depend on airlines to get them safely from point A to point B every day, but manufacturers, shipping services, and militaries rely on aircraft systems to support supply chains and execute missions. Cyberattacks have skyrocketed since the onset of the COVID-19 pandemic; a 2022 report found a 140% increase in cyberattacks against industrial operations — including four attacks that caused flight delays for tens of thousands of passengers.
Clearly, aviation systems can be vulnerable to malicious actors. For developers and manufacturers in the aviation industry, DO-326A provides compliance guidelines to address the vulnerabilities of avionics systems.
To create the safest, highest quality vehicle, REGENT knew that they must implement a world-class development process.
See how Jama Connect® plays a key role in that process
What is DO-326A?
Known as the “Airworthiness Security Process Specification,” DO-326A (and its European counterpart, ED-202) is the aviation cybersecurity standard developed jointly by the Radio Technical Commission for Aeronautics (RTCA) and the European Organisation for Civil Aviation Equipment.
The original edition, DO-326, was issued in 2010; its revised version, DO-326A, was issued in 2014. The standard became mandatory in 2019.
The DO-326A/ED-202A set focuses primarily on how to prevent malware that can infect avionics systems during both development and flight operations. A cyberattack on these critical systems can impact how the aircraft works and potentially endanger operators and passengers. DO-326A/ED- 202A describes the Airworthiness Security Process that one should follow.
What is Airworthiness/Airworthiness Security Process?
“Airworthiness security” involves protecting an aircraft from intentional unauthorized electronic interaction, including malware, ransomware, and other cyber threats.
The Airworthiness Security Process (AWSP) is intended to establish that aircraft will remain safely operable if it is subjected to unauthorized interaction.
DO-326A outlines the Airworthiness Security Process in seven steps:
1. Plan for Security Aspects of Certification (Aircraft Level Planning/System Level Planning)
2. Security Scope Definition (Threat Assessment Process)
3. Security Risk Assessment (Threat Assessment Process)
4. Decision Gate (Threat Assessment Process)
5. Security Development (Definition of Security Measures and Requirements)
6. Security Effectiveness Assurance (Verification and Validation of Security Measures and Requirements)
7. Communication of Evidence (PSecAC Summary Reporting)
To read this entire whitepaper, visit: Cybersecurity in the Air: Addressing Modern Threats with DO-326A
- The Strategic Transition: From Word and Excel to Modern Requirements Management - November 30, 2023
- Project Lifecycle Management (PrLM): A Comprehensive Guide - November 28, 2023
- Software Defined Vehicles Part 3: Revolutionizing the Future of Transportation - November 21, 2023