RTCA DO-356A
© RTCA, 2018
Core Principles for Risk Assessment Methodology
The risk assessment methodology used by the applicant should adhere to the following core principles:
Core Principle #1: Airworthiness security is its own discipline, needing unique expertise, and requires its own analysis techniques and assurance.
Core Principle #2: The degree to which airworthiness security is integrated into overall system safety and development should vary depending on program/project and organizational factors.
Safety and security are not the same thing; however, there is strong overlap. There can be Security Events that Cause Safety Events (SECSE), which are the focus of current regulations. Before airplane security was well understood, safety regulations were used
Safety and security have their own techniques. Having said that, the security process is integral to system development, so safety and security processes should be
Core Principle #3: There is considerable variance in the methodologies that have evolved and been approved by the regulatory agencies.
Different numerical scales have been developed against which security effectiveness and the likelihood of a successful attack are measured.
Security assurance considerations have been proposed both independently of and in conjunction with safety assurance.
Industry standards are meant to help the applicant and regulator, not to cause tedious rework. There should be flexibility to allow for the applicant's own method and expertise.
Regarding assurance and effectiveness: safety assurance is covered by the existing safety processes, whereas security effectiveness is defined and used by the airworthiness security process to determine whether security controls sufficiently mitigate threats. The applicant must be mindful of both, because a security measure can be implemented at a high DAL and still be ineffective if it is not a good fit for the threat scenario. Likewise, a security measure implemented at a low DAL can still be effective against the threat. Some security protocols and applications/APIs have been proven effective over time and are incorporated in low-DAL software, for example WPA2, TLS, SSH and iptables.
Core Principle #4: Airworthiness security evaluation methodology is a work in progress and will continue to evolve.
While we anticipate revisions to industry standards, the methodology itself should be agnostic to changes in technology; particular assessments, however, may need to be updated for such changes. The methodology should also account for changes in the attacker's skill level and in the availability of tools.
The following are high-level recommendations and guidance that will be discussed in detail throughout the document. Note that an applicant's methodology may already follow some or all of these:
Due to the Advanced Persistent Threat (APT) and the ever-changing cybersecurity landscape, the methodology should be process-oriented, not a checklist.
The methodology should draw on the security expertise and experience of the security analyst, AR, DOA, and/or Regulator.
Training guidance is out of scope for this document.