RTCA Documents for Review: DO-356A
© RTCA, 2018
The Aviation Rulemaking Advisory Committee (ARAC) established the working group
on Aircraft System Information Security / Protection (ASISP) to provide information,
advice and recommendations on aviation related ASISP issues to the Federal Aviation
Administration (FAA) Administrator, through the Associate Administrator of Aviation
Safety. The ARAC is comprised of a wide range of domestic and international industry
and government experts to ensure that relevant design, airworthiness, and international
harmonization aspects of ASISP are considered in the recommendations. This included
representatives from other regulatory bodies such as EASA and ANAC, who
participated in the final report.
The ASISP working group has recommended the FAA consider RTCA standards DO-326,
DO-356 and DO-355 and EUROCAE standards ED-201, ED-202, ED-203, ED-204
as acceptable guidance materials to comply with the security rule 25.13xx for large
transport aircraft for new Type Certifications or new significant major changes or when
the applicant elects to use them on a voluntary basis.
The ASISP working group recommended that SC-216 create harmonized standards
jointly with WG 72 around the Risk Acceptability and Assurance Framework based on
the guidance material outlined in sections 220.127.116.11.1 – 18.104.22.168 .8 of the final report.
This chapter presents the ASISP final report recommendations and concerns that relate
to the methods and considerations for certification aspects. The material in this chapter
is intended to guide the applicant in issues that relate to certification of their equipment.
It does not contain methods but does provide information and considerations useful to
the applicant for the certification process.
And although the ARAC ASISP was tasked by the FAA, representatives of EASA, ANAC
and their related industries also participated in the final report, so this
material also applies to applicants in those contexts.
INTENTIONAL UNAUTHORIZED ELECTRONIC INTERACTION
This section aims at providing a detailed definition and scope for what is and what is not
considered Intentional Unauthorized Electronic Interaction (IUEI).
For purposes of this document, IUEI, its presence, absence, and impact, is the
underlying scope of the subject area that is meant when the term "Security" is used.
Intentional Unauthorized Electronic Interaction - Definition and Meaning
Intentional Unauthorized Electronic Interaction (IUEI) is defined as "[a] circumstance or
event with the potential to affect the aircraft due to human action resulting from
unauthorized access, use, disclosure, denial, disruption, modification, or destruction of
information and/or aircraft system interfaces. Note that this includes malware and the
effects of external systems, but does not include physical attacks or electromagnetic
To fully understand the term, the reader should consider the meaning of its individual
parts in the context of a typical cyber-event:
The word “intention” clarifies that the event originates with an intentional act from
a human to separate it from other adverse events covered under ED-79A / ARP
4754A and ARP 4761, such as equipment failures, software logic errors, or
human input or decision errors. To clarify, a person who writes a piece of malware
defines the intention, not a person who unintentionally installs the malware, for
example by inserting an infected USB device into a system.
The word “unauthorized” specifies that the event is not defined as permitted within
the system definition / function or operational policies. Any aspect of
functionality, person or timing that is not authorized is considered an unauthorized
interaction. Referring back to the example above, malware operating on a system