RTCA DO-356A, page 73
© RTCA, 2018
Two or more security measures may also be needed to achieve
acceptable risk for threat scenarios with Threat Conditions of less
than Catastrophic severity.
3. At least two independent, diverse and isolated security measures are
recommended in every aircraft-level threat scenario that leads to a Threat
Condition with Hazardous severity.
4. SAL3 is assigned to at least one security measure in every aircraft-level threat
scenario that leads to a Threat Condition with Catastrophic or Hazardous severity.
5. In case of Catastrophic severity, the second security measure in every aircraft-
level threat scenario (according to principle 2) needs to be assigned at least SAL2.
If needed or desired, further security measures can be assigned SAL1.
6. SAL2 is assigned to at least one security measure in every aircraft-level threat
scenario that leads to a Threat Condition with Major severity.
7. SAL1 should be assigned to security measures (that may be functions,
procedures, technical or operational, ...) that do not provide sufficient protection
alone against any threat scenario with Major or higher severity. This can be the
case if the development should implement a specific security architecture (e.g.
defense in depth with multiple layers).
SAL1 may be assigned to a security measure implementation that
is evaluated in a security risk assessment to provide additional
protection beyond the protection required for risk acceptance, for
example additional security measures imposed by a security
Developers may implement best practices for cyber security in their
designs and may employ SAL beyond regulatory requirements.
Security requirements may be levied on such assets, but they are
not required for airworthiness security purposes.
8. SAL 0 is assigned to all other systems and items within the security scope. These
assets are not security measures and do not contribute to the protection of the
aircraft for the purposes of certification. As such, for these assets no other
security assurance activities are required for airworthiness security.
9. Security Assurance Levels are additive, such that all objectives of a lower SAL
are also included in a higher one.
Principles 2, 3, 4, 5 and 6 apply to threat scenarios in aircraft security risk assessments.
Security measures in system-level threat scenarios have to contribute to the aircraft-
level threat scenarios. But there is no obligation to apply principles 2, 3, 4, 5 and 6 within
one system unless the aircraft-level threat scenarios are not available.
Specific SAL allocations beyond these principles may be different
depending on the security architecture.
Security Assurance Level assignment for legacy assets
Assets that have been developed prior to cybersecurity regulations may or may not
need to be updated for security. Many of the safety design objectives and activities
coincide with security considerations and result in architectures that provide a measure
of security. For example the practice of implementing partitions to limit and constrain
resources is a practice that is also used by security developers. In many cases a
thorough review of the development artifacts of a previously certified asset with a DAL
can be supplemented with a few additional activities to obtain a SAL. How much is
required to be done largely depends on the assessment of associated threat scenarios
and threat conditions that determine the required SAL. Dedicated tailored security
demonstrations and evaluations can replace full SAL compliance. It is clear that for
legacy systems/items that were developed without security considerations, the security
effectiveness and SAL need to be established and not just assumed.
For example, let’s assume that we have an asset that was previously developed and
certified to DAL B. Let’s also assume that after a thorough review and documented
security assessment of the asset, it was determined that no additional security functions