The European Union Aviation Safety Agency (EASA) has published Executive Director (ED) Decision 2020/006/R, Aircraft Cybersecurity (see, CBR20-2 for additional background).

This Decision “includes amendments to CS-25, CS-27, CS-29, CS-APU, CS-E, CS-ETSO, CS-P, and to the related acceptable means of compliance (AMC) and/or guidance material (GM), together with AMC-20, AMC/GM to CS-23 and AMC/GM to Part 21.”

Attached to this memo is a copy of EASA’s Explanatory Note to the Decision. The specific amendments can be accessed on the agency’s website at:

https://www.easa.europa.eu/document-library/agency-decisions/ed-decision-2020006r

As stated by the agency in the Explanatory Note: “The draft text of this Decision has been developed by EASA, considering existing special conditions (SCs), and has been also based on the ARAC ASISP Working Group recommendations. All interested parties were consulted through Notice of Proposed Amendment (NPA) 2019-01 ‘Aircraft cybersecurity’.”

Key items in the Decision, include:

• AMC 20-42 recognizes as an acceptable means of compliance EUROCAE and RTCA documents:
  • ED-202A / DO-326A
  • ED-203A / DO-356
  • ED-204 / DO355
• Guidance Material (GM) 23.2500(b) to CS-23 states that an “applicant that wishes to certify an aeroplane with certification level 4 to consider cybersecurity threats as possible sources of ‘improper functioning” of the equipment and systems.”
• CS-25 introduces a new CS 25.1319, Equipment, systems and network information protection:
  • (a) Aeroplane equipment, systems and networks, considered separately and in relation to other systems, must be protected from intentional unauthorised electronic interactions (IUEIs) that may result in adverse effects on the safety of the aeroplane. Protection must be ensured by showing that the security risks have been identified, assessed and mitigated as necessary.
  • (b) When required by paragraph (a), the applicant must make procedures and Instructions for Continued Airworthiness (ICA) available that ensure that the security protections of the aeroplane’s equipment, systems and networks are maintained.
• CS-27 introduces a new CS 27.1319 similar to CS 25.1319, but limited to Category A rotorcraft.
• CS-29 introduces a new CS 29.1319 similar to CS 25.1319.
• And, additional amendments adapted to CS-APU, CS-E, CS-ETSO, and CS-P.

Please contact me (jhennig@GAMA.aero), Jonathan Archer (jarcher@GAMA.aero), and Kyle Martin (kmartin@GAMA.aero) with any questions.

[…]

The objective of this Notice of Proposed Amendment (NPA) is to mitigate the potential effects of cybersecurity threats on safety. Such threats could be the consequences of intentional unauthorised acts of interference with aircraft on-board electronic networks and systems.

This NPA proposes amendments to CS-23, CS-25, CS-27, CS-29, CS-E, CS-ETSO, CS-P, and, as applicable to their related acceptable means of compliance (AMC)/guidance material (GM), together with AMC-20. The amendments would introduce cybersecurity provisions into the relevant certification specifications (CSs), taking into account the existing special conditions (SCs) and the recommendations of the Aviation Rulemaking Advisory Committee (ARAC) regarding aircraft systems information security/protection (ASISP).

The proposed amendments are expected to contribute to updating the EASA CSs to reflect the state of the art of protection of products and equipment against cybersecurity threats. They are also expected to improve harmonisation with the Federal Aviation Administration (FAA) regulations. Overall, they would improve safety, would have neither social nor environmental impact, and would have a neutral-to-positive economic impact.

This Decision introduces new Acceptable Means of Compliance (AMC) for Part-21 production and design
organisation approvals, which complement the existing AMC. The objective is to provide a more proportionate
approach for small, non-complex organisations that produce lower-risk products and the parts installed on
these products.
The new AMC shifts the focus of both the applicant and the competent authority onto the effects on the output
of the process, instead of the focus being on the detailed step-by-step documentation of the process. This is a
more product-oriented approach.
The AMC provides for more proportionality for the affected organisations, without having any impact on the
level of safety. It is avoiding an over-burdensome and disproportionate administrative application of regulations
for these small and simple organisations.
The AMC can also serve as the baseline when a means of compliance with the Subpart G and J requirements
needs to be developed outside the applicability of the AMC. In that case, coordination is needed between the
applicant and the competent authority to review and, when necessary, to complement the baseline with more
stringent or detailed processes or procedures so as to provide a consistent and acceptable result.
The AMC can be used by small companies that design and produce low-risk general aviation (GA) aircraft within
the current Part-21. The AMC also allows experience to be gained for a possible future combined (design and
production) company approval. It is anticipated that it will be used until amendments to Part-21, based on the
changes brought about by the new Basic Regulation (Regulation (EU) 2018/1139), allow for new concepts for a
more proportionate regulatory system. At that point, the current AMC may need to be revisited.