This tutorial aims to introduce participants to the critical aspect of product security in the aerospace environment. It will cover the motivation behind the need for product security, its definition, and the methods to address it within a company. Attendees will learn that the aspect of security nowadays does not only cover the protection of confidentiality, but expands in the aeronautical domain the additional upcoming challenge of airworthiness aspects as well as the assurance of the aircraft’s mission capability under adverse cyber conditions.
This tutorial will cover a comprehensive range of applicable standards, norms, and regulations in the international aerospace environment. It will address international standards such as ISO/IEC 27001 for information security management systems. Additionally, it will delve into aviation-specific standards, including the certification activities related to Part-IS as well as the related DO-326A and DO-356 for airworthiness security processes and methods, along with their European equivalents, ED-202A and ED-203. The tutorial will also explore regulatory frameworks from the FAA and EASA, as well as ICAO Annex 17 for aviation security standards and recommended practices. Furthermore, it will mention military standards such as MIL-STD-3022 for cybersecurity in military systems, NIST SP 800-53 for security and privacy controls, and the Common Criteria (ISO/IEC 15408) for evaluating the security properties of IT products. This broad coverage ensures that participants gain a thorough understanding of the regulatory landscape governing product security in both civil and military aerospace environments.
Participants will gain insights how a security risk analysis is being performed and they will also engage in a group training exercise to apply the concepts learned.