Introduction

The Cyber Security Certification Team ensures UK regulatory requirements regarding cyber security are adhered to as part of the initial stages of an application, authorisation, or licence issue.

This work is split into 4 main areas, each explained in more detail below. Cyber assessment or validation is carried out by Cyber Security Certification Specialists using risk assessments tailored to the domain under which the application falls. These risk assessments have been developed using industry-recognised frameworks and standards from organisations such as the International Organization for Standardization, Mitre, EUROCAE and SAE International, along with threat and vulnerability information, in consultation with government partners such as the Department for Transport and the National Cyber Security Centre (NCSC).

Remotely Piloted Aircraft Systems (RPAS)

Please Note: The requirements for RPAS operations in the Specific Category are currently being updated as part of the Digitising Specific Category Operations (DiSCO) project. This will include the implementation of UK SORA, which is due for public consultation in 2024.

This section offers guidance to operators on how to implement and satisfy the air safety requirements pertaining to ‘security and privacy’ for RPAS operations in the Specific Category, as part of the Operating Safety Case (OSC) guidance within CAP 722A.

In this context, security refers to the security of the Unmanned Aircraft System (UAS), including both physical and cyber elements. UAS operators should ensure robust safety and security measures are in place that relate to the planned operational environment of the UAS. These security measures and controls are designed to be reasonable and proportionate, in order to ensure risks are As Low As Reasonably Practicable, as well as to protect the system from unauthorised modification, interference, corruption or command/control action; this can take multiple forms but could include things such as:

  • System failsafe, redundancy and emergency response plan.
  • Physical protection of system assets, operational equipment and crew.
  • Security Operating Procedures (SyOps) detailing processes such as software patching and manufacturer firmware updates.
  • Use of technical controls e.g. encryption, 2FA, anti-jamming measures.
  • Consideration of operating areas, such as rural vs urban safety complexities.

As part of Article 11 of UK Reg (EU) 2019/947 and depending on the nature, complexity and associated risks of the intended UAS operation, the OSC should identify and detail how air safety and cybersecurity have been considered in the following areas:

Topic / Detail

Organisational Governance and Culture

  • Cyber security policy exists within the OSC and details roles and responsibilities.
  • Cyber security awareness training is conducted appropriate to roles undertaken.

RPAS Maintenance/Update

  • The OSC details maintenance procedures that include periodic review of available manufacturer security updates.
  • Policy exists stating software/firmware updates are to be applied in a timely manner.

C2 Link Characteristics

  • The OSC provides information on data link encryption implementation.
  • Where applicable, the details of 2 separate data links are provided.

Operational Procedures and Reporting

  • The OSC details IT equipment and data security policies and procedures that are in place.
  • There is a reporting mechanism in place for suspected safety or security incidents.

Crew Training

  • A crew training regime is in place to educate the operator(s) on new and emerging air safety and security risks.

Safe Design and Operation

  • A safety and security Safety Risk Assessment Process has been completed, detailing any controls or mitigations that have been implemented.
  • The OSC explains how authentication is carried out between the control station and the UAS.

Data protection from both unintentional and intentional interference

  • Information regarding the authentication methods for users and any access control policies that are enforced.
  • Confirmation that default passwords are changed and what the new password policy is.
  • Detail on data at rest encryption and any removable data media protection measures that are in place.

External Supporting Services

  • The OSC should contain information regarding any external services that are in use and what due diligence has been carried out, for example cloud service providers.

Third party supplier security verification and management

  • Supply chain risks have been considered and evaluated as part of the security risk assessment.

The nature and complexity of the UAS operation will be measured against trigger criteria such as:

  • The UAS Maximum Take-Off Mass is considered to be high and therefore has a large kinetic energy potential, meaning third party risk could be elevated.
  • The operator is intending to fly a ‘swarm’ which could introduce higher levels of cyber and air safety risk.
  • The operator being a government or law enforcement agency, which increases the attractiveness of the cyber target.
  • The Operator intends to fly near sensitive areas such as Critical National Infrastructure, Designated Sites, etc. which require increased protection.

The ongoing oversight of security design, assessment, mitigations and operational safety processes will be reviewed in line with the cybersecurity requirement of RPAS regulation:

  • The cyber obligation for RPAS operators in the Specific Category is identified within UK Reg (EU) 2019/947, Part B, UAS.SPEC.050 – reference paragraph (1)(a)(iii) - measures to protect against unlawful interference and unauthorised access.
  • Safeguarding against acts of unlawful interference is detailed within ICAO Annex 17, with measures relating to cyber threats covered in Chapter 4.9 of the document.

General information on risk assessment requirements within the Specific Category can be found on the CAA RPAS website.

Initial Airworthiness (IAW)

Cyber Security for IAW is based on two leading questions agreed between the Design & Certification and Cyber Security Certification Teams of UK CAA.

Question 1:

Is xx.1319 or associated special condition (or CS-23, CS-ETSO, CS-E or CS-P equivalent) included in the certification basis from an applicant?

Where xx.1319 is applicable, AMC20-42 is an Acceptable Means of Compliance. (AMC20 amendment 19 – AMC20-42 Airworthiness information security risk assessment)

Question 2:

Does the project affect the design of a system that:

  • Introduces or modifies potential connectivity between the aircraft control domain and the open, less controlled domain, or
  • Changes the content of data such that, if compromised, that data’s availability or integrity could introduce an unsafe condition/adverse effect.

Aircraft control domain = aircraft system required by airworthiness or operational requirements (e.g. display, navigation, flight/engine control system).

Open, less controlled domain examples =

  • Wi-Fi connection within the aircraft to PED, EFB, etc.
  • 2-way transmission of digital data, for example via Satcom or Gatelink
  • Data loader

Cyber Specific Notes - xx.1319  

“CS 25.1319 Equipment, systems and network information protection

  (a) Aeroplane equipment, systems and networks, considered separately and in relation to other systems, must be protected from intentional unauthorised electronic interactions (IUEIs) that may result in adverse effects on the safety of the aeroplane. Protection must be ensured by showing that the security risks have been identified, assessed and mitigated as necessary.
  (b) When required by paragraph (a), the applicant must make procedures and Instructions for Continued Airworthiness (ICA) available that ensure that the security protections of the aeroplane’s equipment, systems and networks are maintained. [Amdt No: 25/25]”

The Initial Airworthiness CS-25 - Amendment 27 is adopted in accordance with CAA ORS9 Decision No.36. 

Additional Information:

xx.1319 is the shorthand for any EASA Certification Specification (CS) which includes the section cited above. This has been added to CS-25 (large aircraft), CS-27 (small helicopters) and CS-29 (large helicopters). CS-E, CS-ETSO and CS-P contain similar requirements, and it is implied within CS-23 but not explicitly stated.

Important Note – dependent on the change product rule, an earlier version of the CS may be applicable which does not include xx.1319 but may include an earlier CS Special Condition called “Information Security Protection of Aircraft Systems and Networks”.  

EASA Part-21, Appendix A to GM 21.A.91, Section 4. Systems: 

“In the context of a product information security risk assessment (PISRA), a change that may introduce the potential for unauthorised electronic access to product systems should be considered to be ‘major’ if there is a need to mitigate the risks for an identified unsafe condition. The following examples do not provide a complete list of conditions to classify a modification as major, but rather they present the general interactions between security domains. Examples of modifications that should be classified as major are when any of the following changes occur: 

  • A new digital communication means, logical or physical, is established between a more closed, controlled information security domain, and a more open, less controlled security domain. 
    • For example, in the context of large aircraft, a communication means is established between the aircraft control domain (ACD) and the airline information services domain (AISD), or between the AISD and the passenger information and entertainment services domain (PIESD) (see ARINC 811). 
    • As an exception, new simplex digital communication means (e.g. ARINC 429) from a controlled domain to a more open domain is not considered as major modification, if it has been verified that the simplex control cannot be reversed by any known intentional unauthorised electronic interaction (IUEI). 
  • A new service is introduced between a system of a more closed, controlled information security domain and a system of a more open, less controlled security domain, which allows the exploitation of a vulnerability of the service that has been introduced, creating a new attack path. For example:
    • opening and listening on a User Datagram Protocol (UDP) port in an end system of an already certified topology;
    • activating a protocol in a point-to-point communication channel.
  • The modification of a service between a system of a more closed, controlled security domain and a system of a more open, less controlled security domain.”

More general guidance material on airworthiness can be found on the CAA Approval Information and Guidance pages.

Space

Our vision is to have a proportionate and effective approach to cyber security that enables Space entities to manage their cyber security risks without compromising safety, security or resilience; as well as to stay up-to-date and positively influence cyber security within space, to support the UK’s national security strategy.

Cyber Security under the Space Industry Regulations 2021

Under the Space Industry Regulations, all applicants are required to have a cyber security strategy for their proposed operation, which must be based on a cyber security risk assessment and, where required, a safety case.

Our guidance material for Cyber Security Strategies for Space provides a process for producing the basis of a strategy, consisting of 3 key activities:

  1. Critical System Scoping
  2. Threat Analysis and Risk Assessments
  3. Risk Monitoring, Gaps, and Future Plans

Each applicant should follow the guidance material to assist in the creation of their Cyber Security Strategy to submit as part of their application for any of the Space licences.

Please contact the Cyber Security Certification Team at cyber@caa.co.uk if you have any further questions.

Information Handling

We are aware that some information relating to cyber security in the space domain may be commercially sensitive.

Direction on information handling is currently being developed as part of the Space Cyber Security guidance material. Should you have any queries, please contact us at cyber@caa.co.uk, where we will be able to provide further consultation to ensure commensurate protections are established based on the sensitivity of the information in question.

More general information on space security requirements can be found on the CAA spaceflight activities website.

 

Innovation Projects

If you are in conversation with the CAA Innovation Team, then you may also get in contact with the Cyber Security Certification Team. We offer advice and guidance around the current cyber security legislation and regulations, and what we will be expecting of you during the certification process. If your project does not fall within any of our current regulations, we will work with you and the Innovation Team to start development on new policies and regulations so that your project can begin its certification journey as soon as it is ready.

Cyber Security Guidance for Innovators is due to be published in Quarter 1 2024 as CAP 2973 and is designed to give a head-start in understanding the cyber risks that may be encountered, as well as helping prepare for the implementation of controls and mitigations to allow an easier journey to certification.

If you would like to know more or get in contact with the Innovation Team, more information can be found here: Innovation Team.

Please note that once your project begins the process of certification, you will no longer be able to access guidance from the Innovation Team, as it would be a conflict of interest for the CAA to assist a project currently going through certification.

Useful Links

NCSC Cyber Guidance

ICAO Aviation Cybersecurity

Risk Management (NCSC)

IATA Aviation Cyber Security