RTCA Documents for Review: DO-356A
© RTCA, 2018
environment. In any event, even for these systems an initial assessment is needed to determine:
- The effect on hazard classification considering Safety Effect Caused by Security Events (SECSE)
- The potential impact on surrounding systems, regardless of hazard classification
- The existing mitigations
This section addresses the determination of when a logical or physical resource
becomes an asset that must be protected, and also provides criteria to verify those
concepts. A list of equipment is not provided, as it would become outdated before it
could be published. Considerations for security controls at safety hazard classification
of Minor and No Safety Effect are also addressed.
The content of the following subsections is based on the ARAC ASISP report.
Determination of Hazard Classification considering Safety Effect Caused by Security Events (SECSE)
It would be impossible to determine the hazard classification considering Safety Effect
Caused by Security Events (SECSE) of an asset without some level of assessment of
the asset and its security environment. For a Minor or No Safety Effect system or
equipment, the assessment should focus on what connectivity it would have and
therefore what vulnerabilities might be introduced. This should consider assets that are
part of the Type Certificate (TC), amended TCs, and as far as practical, that are part of
Supplemental TCs (STCs) or amended STCs (the TC holder can take into consideration
the STC changes only if notified by the Operator).
The initial assessment can be very brief; its depth depends on the level of connectivity
required by the system or equipment under assessment. If the system or equipment has
connectivity in one or more ways with other systems on the aircraft and/or off the aircraft,
further examination is needed to determine the type of connectivity. Some regulators
will exclude connectivity with external systems, as those systems have a level of security
that is accepted through other means. Connectivity can matter even in non-flight modes,
since during maintenance it could be used to update other systems. In the trivial case,
where the system or equipment has no internal connectivity and its hazard classification
is Minor or No Safety Effect, the assessment ends here.
The initial assessment can be brief, but it should answer the following questions:
- What electrical and RF interfaces exist between the asset and the remainder of the aircraft (internal connectivity)?
- What electrical and RF interfaces exist between the asset and external systems outside the aircraft (external services connectivity)?
- What electrical and RF interfaces exist between the asset and untrusted systems outside the aircraft (external untrusted services connectivity)?
- In what phases of development, operations, and maintenance is the asset and its
- If any of the above questions identifies connectivity, can digital data be exchanged, and in what directions can logical data flows be established?
The answers to these and any similar questions should be documented and, when
relevant, used for discussion between regulator and applicant. The result of this
assessment defines the potential for unexpected SECSE on the asset in its intended
environment and the potential for SECSE on other systems on the aircraft.
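The connectivity questions above, together with the distinction drawn in the next subsection between simple connectivity such as power and a bidirectional exchange of digital data, can be captured as a small triage model over an asset's interface inventory. The following Python is an added example written for this page; it is not text or code from DO-356A or RTCA. The asset names, interfaces, peer hazard classes and the concern labels it assigns are constructed assumptions for illustration, and the rule that treats an outbound-only data flow to a Major-or-higher system as a significant concern is this example's own conservative choice rather than a statement from the document.

```python
"""Added example (not from DO-356A): model of the initial SECSE connectivity assessment.
Every asset, interface and peer hazard class below is constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Hazard(Enum):
    """Hazard classifications, ordered from least to most severe."""
    NO_SAFETY_EFFECT = 0
    MINOR = 1
    MAJOR = 2
    HAZARDOUS = 3
    CATASTROPHIC = 4


class Peer(Enum):
    INTERNAL = "another system on the aircraft"
    EXTERNAL_TRUSTED = "external service accepted through other means"
    EXTERNAL_UNTRUSTED = "untrusted system outside the aircraft"


class Flow(Enum):
    NONE = "no digital data (e.g. power only)"
    IN = "into the asset"
    OUT = "out of the asset"
    BIDIRECTIONAL = "both directions"


@dataclass(frozen=True)
class Interface:
    name: str
    kind: str                             # "electrical" or "RF"
    peer: Peer
    flow: Flow
    phases: frozenset                     # e.g. {"flight", "maintenance"}
    peer_hazard: Optional[Hazard] = None  # known for internal peers only


@dataclass(frozen=True)
class Asset:
    name: str
    hazard: Hazard
    interfaces: tuple = ()


def initial_assessment(asset: Asset) -> dict:
    """Answer the connectivity questions and decide whether the assessment ends here
    (Minor / No Safety Effect asset with no internal connectivity)."""
    by_peer = {p: [i for i in asset.interfaces if i.peer is p] for p in Peer}
    concerns = []
    for i in by_peer[Peer.INTERNAL]:
        if i.flow is Flow.NONE:
            concerns.append((i.name, "simple connectivity (e.g. power), lower concern"))
        elif (i.peer_hazard is not None
              and i.peer_hazard.value >= Hazard.MAJOR.value
              and i.flow in (Flow.OUT, Flow.BIDIRECTIONAL)):
            # DO-356A names the bidirectional case; rating an outbound-only flow to a
            # Major-or-higher peer the same way is this example's conservative choice,
            # since that is the direction an attacker would exploit.
            concerns.append((i.name, "significant concern: data path to Major or higher system"))
        else:
            concerns.append((i.name, "requires assessment: data exchange with another aircraft system"))
    for i in by_peer[Peer.EXTERNAL_UNTRUSTED]:
        if i.flow is not Flow.NONE:
            concerns.append((i.name, "untrusted external data path"))
    # Maintenance-only links are deliberately not filtered out: they can be used to
    # update other systems even though the aircraft is not in flight.
    low_hazard = asset.hazard.value <= Hazard.MINOR.value
    return {
        "asset": asset.name,
        "internal_connectivity": [i.name for i in by_peer[Peer.INTERNAL]],
        "external_connectivity": [i.name for i in by_peer[Peer.EXTERNAL_TRUSTED]],
        "external_untrusted_connectivity": [i.name for i in by_peer[Peer.EXTERNAL_UNTRUSTED]],
        "phases": sorted({ph for i in asset.interfaces for ph in i.phases}),
        "data_flows": {i.name: i.flow.name for i in asset.interfaces if i.flow is not Flow.NONE},
        "assessment_ends": low_hazard and not by_peer[Peer.INTERNAL],
        "concerns": concerns,
    }


# Constructed sample assets; names, interfaces and peer hazard classes are hypothetical.
STANDALONE = Asset("standalone placard light", Hazard.NO_SAFETY_EFFECT)

IFE_SERVER = Asset("cabin IFE server", Hazard.NO_SAFETY_EFFECT, (
    Interface("28 V DC power", "electrical", Peer.INTERNAL, Flow.NONE,
              frozenset({"flight", "maintenance"})),
    Interface("ARINC 429 from flight management", "electrical", Peer.INTERNAL,
              Flow.IN, frozenset({"flight"}), peer_hazard=Hazard.HAZARDOUS),
    Interface("Ethernet to cabin wireless AP", "electrical", Peer.INTERNAL,
              Flow.BIDIRECTIONAL, frozenset({"flight", "maintenance"}),
              peer_hazard=Hazard.NO_SAFETY_EFFECT),
    Interface("satcom passenger internet", "RF", Peer.EXTERNAL_UNTRUSTED,
              Flow.BIDIRECTIONAL, frozenset({"flight"})),
    Interface("maintenance data-load port", "electrical", Peer.EXTERNAL_TRUSTED,
              Flow.BIDIRECTIONAL, frozenset({"maintenance"})),
))

MAINT_TERMINAL = Asset("cabin maintenance terminal", Hazard.MINOR, (
    Interface("Ethernet to avionics gateway", "electrical", Peer.INTERNAL,
              Flow.BIDIRECTIONAL, frozenset({"maintenance"}), peer_hazard=Hazard.MAJOR),
    Interface("Wi-Fi to technician laptop", "RF", Peer.EXTERNAL_UNTRUSTED,
              Flow.BIDIRECTIONAL, frozenset({"maintenance"})),
))

if __name__ == "__main__":
    for sample in (STANDALONE, IFE_SERVER, MAINT_TERMINAL):
        result = initial_assessment(sample)
        print(f"{result['asset']}: assessment ends = {result['assessment_ends']}")
        for name, note in result["concerns"]:
            print(f"  {name}: {note}")
```

The returned dictionary is the documented record the text asks for: one entry per question, plus the triage outcome. Note that the maintenance terminal's only internal link is active during maintenance alone, yet it is still rated a significant concern because it carries bidirectional data to a Major-class system, which is exactly the non-flight-mode case the text warns about.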
Analyzing Potential Impact on Surrounding Systems
Where an asset has connectivity with another aircraft system, the level of
connectivity with other systems and the possible interactions must be examined. Simple
connectivity such as power is not the same concern as a bidirectional connection
exchanging digital data.
A bidirectional connection to a Major or higher asset is a significant concern, but even
a connection to another Minor or No Safety Effect system will require assessment since