DO-356A (page 39)
© RTCA, 2018
- Consideration of relevant operational and maintenance policies
Typical inputs to this activity include all aircraft and system specifications.
Typical outputs from this activity include:
- Role descriptions of persons, organizations, or external systems that interact with
- A description of expected interactions with the aircraft for each role
- List of persons, organizations, or external systems that interface with the system
- Assumptions about the roles (references for security environment assumptions
  are found in Appendix D of ARINC Technical Application Bulletin ABN-035A
  “Considerations for the Incorporation of Cyber Security in the Development of
  Industry Standards”, and in ISO Guide 73:2009)
- Responsibilities of the roles, tools, systems and security measures
- External dependencies regarding regulations and national laws
- External agreements (contracts and requirements on the embedded system for
  establishing connections with external systems)
- Classification of threat sources and vulnerabilities (an example classification is
  found in ARINC 811, Attachment 3, 3-4.2.1)
Validation of Trustworthiness
Trust relations in the security environment are defined by the assumptions and
requirements about the persons, organizations, and external systems that interact with
the assets under consideration, and the practices that assure or validate that the
assumptions/requirements are met.
Trustworthiness can be viewed as a binary relationship between an external entity and
an asset: if the external entity has access to the asset, is the security risk acceptable?
If not, then access to the asset should either not be possible or be blocked by effective
security measures, or the trust relations need to be changed. An entity that is
sufficiently trustworthy is not considered to be a threat source.
The trustworthiness assumptions include those assets which the external entity is
intended to be trusted with. The external entity should not be trusted to interact with
assets whose risks were not communicated to the entity, and so are not part of the
external entity’s requirements, policies, and procedures, or with assets which it does
not value consistently with the SECSE impact of the asset on the aircraft.
Trust relations include “cautionary” assets: assets which the external entity is
instructed, required, or assumed to leave untouched and unmodified. In this way, the
possibility of unintended access to a cautionary asset is included in the trust
For operators, owners, and support organizations, the trust relationship is defined
through the Security Instructions and Guidance (see section 4.1.4) which documents
what is required to be able to operate the aircraft or product securely.
For other supporting organizations that are part of the overall global Aeronautical
System, such as ANSP services or aeronautical data providers, trust is defined through
regulatory means. These organizations should be part of the trustworthiness
assumptions negotiated with the regulatory authorities (see section 2.6). For a trusted
entity, validation may not be required.
Passengers, the non-traveling public and their devices are assumed to be untrusted
entities for the purpose of airworthiness security risk assessments.
Changes in the Security Environment
The airworthiness security process should reflect changes in security risks due to
external evolution of threats as part of life-cycle security risk management.
The security environment is monitored and updated to capture the changing security
environment of an aircraft/system. During development, it is updated as part of the
development activities and during operation (see section 2.5), it is updated as part of
the continuing airworthiness activities.