Harmonised Software EASA AMC and FAA AC 20-115D have been published!
Two almost simultaneous headlines, one positive and the other distressing, raise the question: did the two sets of authors talk to each other? There are few issues as complex as cybersecurity, and both articles involve an area of expertise that is hard for mere mortals to fathom, much less comment on intelligently. However, it may be worthwhile to ask whether the FAA/EASA experts were aware of, talked to, or incorporated the findings of the DHS and FBI.
EASA published its new AMC 20-115D, “Airborne Software Development Assurance Using EUROCAE ED-12 and RTCA DO-178”, and the FAA issued AC 20-115D, which is technically identical. These documents jointly provide state-of-the-art means for showing compliance with the applicable airworthiness regulations for certification (TC, STC, TSO) of the software associated with aircraft systems and equipment. These advisory documents are the result of two years of coordinated work between and among EASA, the FAA, and US and European industry associations. They pave the way towards more harmonization and mutual recognition of each other’s activities in the domain of software aspects of certification.
Usually these policy development discussions focus on the integration of new software with existing computers, communication systems and avionics. Appropriately, the EASA press release does not mention whether these standards incorporate hardening of the software against hacking.
At about the same time, the US FBI and DHS issued a warning that aviation and other critical industries are at high risk of computer hacking. The urgency of this report is magnified by the fact that only months earlier there was a successful cyber-attack on an airline system.
According to sources, the primary hacker is known as APT33 (APT being an acronym for “advanced persistent threat”), and it has targeted several aviation companies in the U.S. and abroad within the last few years in an effort to conduct cyber espionage operations at the behest of the Iranian government. “APT33’s targeting of organizations involved in aerospace and energy most closely aligns with nation-state interests, implying that the threat actor is most likely government sponsored,” the report said. “This coupled with the timing of operations — which coincides with Iranian working hours — and the use of multiple Iranian hacker tools and name servers bolsters our assessment that APT33 may have operated on behalf of the Iranian government.”
The hackers’ Trojan-horse ploy uses recruitment-themed emails sent to aviation industry employees, containing files designed to infect victims’ computers upon being opened; the attacks were occasionally launched from web addresses mimicking the names of companies including Boeing, Alsalam Aircraft Company and Northrop Grumman, FireEye said. “Based on observed targeting, we believe APT33 engages in strategic espionage by targeting geographically diverse organizations across multiple industries.”
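The lure described above relies on sender domains that imitate the names of real aerospace companies. As an added illustration of how a mail gateway or SOC analyst can flag that pattern, the following script (written for this article, not code from FireEye, EASA or the FAA) triages constructed sender addresses against a short allow-list of legitimate domains. The allow-list entries, the homoglyph table and every sample address are assumed values for demonstration, not domains attributed to any company or campaign.

```python
from difflib import SequenceMatcher

# Constructed allow-list of legitimate corporate domains for the companies named
# in the article. These are assumed values for illustration only.
LEGIT_DOMAINS = ["boeing.com", "alsalam.aero", "northropgrumman.com"]

# Common character substitutions used to build lookalike domains.
# Multi-character entries must be applied before single-character ones.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t")]

# Similarity ratio at or above which a registrable name is treated as a lookalike.
SIMILARITY_THRESHOLD = 0.8


def normalise(label: str) -> str:
    """Lower-case a domain label and undo common homoglyph substitutions."""
    label = label.lower()
    for bad, good in HOMOGLYPHS:
        label = label.replace(bad, good)
    return label


def registrable(domain: str) -> str:
    """Crude registrable-domain extraction: the last two labels.

    Good enough for the constructed samples here; a production tool would use the
    Public Suffix List.
    """
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def lookalike_score(domain: str, legit: str) -> float:
    """Similarity between the brand part of two registrable domains (0.0-1.0)."""
    a = normalise(registrable(domain)).split(".")[0]
    b = normalise(registrable(legit)).split(".")[0]
    return SequenceMatcher(None, a, b).ratio()


def classify_sender(sender: str) -> tuple:
    """Return (verdict, matched_legit_domain) for an email sender address.

    verdict is one of "legitimate", "lookalike" or "unrelated".
    """
    domain = sender.rsplit("@", 1)[-1].lower()
    reg = registrable(domain)

    # The domain itself, or a subdomain of it, is on the allow-list.
    if reg in LEGIT_DOMAINS:
        return ("legitimate", reg)

    for legit in LEGIT_DOMAINS:
        brand = normalise(legit.split(".")[0])
        # Brand name embedded anywhere in the sender domain (e.g. as a subdomain,
        # with a suffix such as "-careers", or under a different TLD).
        if brand in normalise(domain):
            return ("lookalike", legit)
        # Close misspelling of the brand in the registrable part.
        if lookalike_score(domain, legit) >= SIMILARITY_THRESHOLD:
            return ("lookalike", legit)

    return ("unrelated", None)


# Constructed sample senders, modelled on the recruitment-themed lure the
# article describes. None of these addresses is a real indicator.
SAMPLE_SENDERS = [
    "hr@boeing.com",
    "recruiting@careers.boeing.com",
    "jobs@b0eing.com",
    "hr@boeing-careers.com",
    "talent@northropgrumman-jobs.net",
    "offer@boeing.com.evil-example.net",
    "alice@example.org",
]


def triage(senders) -> list:
    """Classify every sender and return (sender, verdict, matched_domain) rows."""
    return [(s, *classify_sender(s)) for s in senders]


if __name__ == "__main__":
    for sender, verdict, matched in triage(SAMPLE_SENDERS):
        print(f"{verdict:<11} {sender:<40} {matched or '-'}")
```

The two checks are deliberately separate: substring matching catches the "brand plus suffix" and "brand under another TLD" patterns, while the similarity ratio catches single-character misspellings that contain no homoglyph. Anything flagged as "lookalike" is a candidate for quarantine and analyst review rather than an automatic block, since legitimate third-party recruiters sometimes register brand-adjacent domains.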
These attacks appear to be focused on stealing highly proprietary information. Given this level of infestation, IS IT POSSIBLE that other malware deposits may have compromised the software to be installed?
As earlier posited, did the FBI and DHS share this intelligence with EASA and FAA?