Safety and Security Considerations in the Certification of

Next Generation Avionics and

Air Traffic Management Systems
Eranga Batuwangala, Subramanian Ramasamy, Lanka Bogoda and Roberto Sabatini

School of Engineering – Aerospace and Aviation Discipline,

RMIT University, Melbourne, Victoria, 3001, Australia

Abstract

The technological developments in next generation avionics and air traffic management
systems triggered through various regional and international research initiatives and
modernization programs introduces greater interdependency and interconnectivity between
airborne systems, ground systems and various stakeholders in the supply chain. The
communication infrastructure would be the backbone of Communication, Navigation,
Surveillance and Air Traffic Management Systems (CNS/ATM). Furthermore the introduction
of the System Wide Information Management (SWIM) which is an integral part of the Global
Air Navigational Plan (GANP) of International Civil Aviation Organisation (ICAO) will
become the global platform for information exchange. Security considerations against the
threat of intentional unauthorised electronic interactions, commonly known as cyber security
are a growing concern in Information Communication Technology (ICT) systems. In this
regard, this paper reviews the existing framework for the assessment of safety and cyber
security during the system design and development life cycle process, and presents an
integrated safety-security assessment model for the purpose of integrated avionics and air
traffic management system certification.

Keywords: Safety, Cyber Security, Cyber Physical Systems, Certification, Avionics, Air
Traffic Management
Introduction

Technological developments and novel operational concepts being adopted by the industry
will be of paramount importance in overcoming challenges of air traffic growth and related
demands for capacity, efficiency and environmental sustainability [1]. Enhanced connectivity
and integration between airborne and ground systems have been introduced through the
numerous modernisation programs including Single European Sky Air Traffic Management
Research (SESAR) and Next Generation Air Transportation Systems (NextGen) [2, 3].
Communication, Navigation, Surveillance and Air Traffic Management (CNS/ATM) is an
evolving concept that has progressed in its journey since the Future Air Navigation Systems
(FANS) committee was established by the International Civil Aviation Authority (ICAO) in
1983. The latest road map has been laid out by ICAO’s Aviation System Block Upgrade
(ASBU) of the Global Air Navigation Plan (GANP) [4].

The highly regulated airworthiness certification framework has played an increasingly

important role in maintaining a sound safety record in air transportation, considering the
safety critical nature of operations. The current and next generation technological
developments and innovations warrant a review and renovation of the existing certification
framework. The traditional certification methods may not encapsulate the latest safety and
cyber security risks and related assessments in order to assure the required level of system
reliability and resilience for the ultimate airworthiness assurance of aircraft.

17th Australian Aerospace Congress, 26-28 February 2017, Melbourne

In this paper we present the cyber physical systems in the CNS/ATM context. Next we
analyse cyber security threats, vulnerabilities and the relationship to safety and airworthiness
of aircraft. Cyber security threats considered here include intentional unauthorised electronic
interactions with aircraft systems, ground systems, related system Human Machine Interface
(HMI) and Signal in Space (SIS). The ground systems considered include communication,
navigation, and surveillance support systems and ATM systems. While cyber-attacks can
cause numerous types of impacts including safety, economic/financial, military, political and
social impacts, in this paper we consider the safety impacts of cyber-attacks that affect the
airworthiness of civil aircraft. We further review the existing framework for safety and
security assessment for the purpose of certification and propose a new integrated framework
for safety-security assessment to be used for system certification.

Cyber Physical Systems in CNS/ATM Context

Cyber Physical Systems (CPS) are engineered systems with integration between physical
systems and computational systems involving monitoring and control functions executed by
computational systems in a networked environment using Information Communication
Technology (ICT). CPS are becoming very popular in various industries including power
generation, medical systems, defence, manufacturing, logistics and supply chain management
systems, intelligent transport systems, aircraft systems and air space/air traffic management
systems.

Airborne CPS

In the context of CNS/ATM, CPS have been part of the airborne and non-airborne systems
[5], and are undergoing revolutionary changes implemented through the modernisation
programs towards achieving next generation avionics and ATM systems. The airborne systems
consist of manned and unmanned aircraft. The CPS includes aircraft structure and various
systems including the flight control systems, flight management systems (FMS), electrical
systems, hydraulics systems, power plant, communication, navigation and surveillance
systems in a highly computerised and networked architecture. Aircraft sensors obtaining
physical environmental information interpreted through air data systems and flight
management systems assist the pilot to navigate and fly the aircraft, with the cockpit display
and control units providing a human machine interface for these functions. Aircraft
communication systems link with ground systems for voice and data communication and also
with satellite systems for not only communication functions but also for navigation and
surveillance functions. Next generation avionics systems would entail more integrated
modular avionics, federated architecture and software enabled upgrades bringing efficiency
for the operation and maintenance of the aircraft. Airborne FMS play a crucial role through its
integration and connectivity with ground ATM system in the evolving concept of 4
dimensional trajectory based operations (4D-TBO) [6].

Data networks on board the aircraft, between various aircraft systems including,
communication, navigation and surveillance systems, flight control systems, flight
management systems and cockpit display and control systems are an integral part of the
airborne cyber space.

E-enabled aircraft include connectivity of passenger systems for inflight entertainment,

airborne data loading systems and connectivity for health monitoring /maintenance functions

17th Australian Aerospace Congress, 26-28 February 2017, Melbourne

which are also considered as CPS of the aircraft. The discussion of this paper however focuses
primarily on CNS/ATM systems as CPS systems.

Ground based CPS

Ground systems consist of the systems that support communication, navigation, surveillance
and ATM services provided by Air Traffic Service Providers (ATSP) or Air Navigation
Service Providers (ANSP). They also include Automatic Terminal Information Services
(ATIS), and Airline Operations Centres (AOC). ATM is essentially a combination of airborne
functions and ground-based functions in keeping the movement of aircraft through the air
space safe and efficient [7]. This involves conflict detection and resolution by the air traffic
controllers and ensuring a safe separation between aircraft. Conventional methods of air
traffic control required aircraft flight paths to be constrained to Air Traffic Services (ATS)
routes and to be channelled to a great extent. Air traffic controllers use the information
received from Primary Surveillance Radar (PSR) and Secondary Surveillance Radar (SSR)
indicating the aircraft positions in real time within the controlled air space. Surveillance of
aircraft en-route over oceanic/continental airspace involves position reporting by the pilot
over traditional High Frequency (HF) channels or more modern methods such as Controller
Pilot Data Link Communication (CPDLC) or automatic reporting using Automatic Dependent
Surveillance-Contract (ADS-C). Automatic Dependent Surveillance-Broadcast (ADS-B) is a
cooperative surveillance system which is gradually being introduced by various States for
their air space surveillance purposes as an alternative to PSR and SSR. This requires aircraft
to transmit its position obtained from the Global Navigation Satellite System (GNSS) and
other key information, on 1090MHz frequency. Multiple ADS-B receivers on ground will
receive this information and transfer the data to ATM systems. The main functions of ATM
functions include Air Space Management (ASM), Air Traffic Services (ATS) and Air Traffic
Flow Management (ATFM).

Next generation ATM systems will involve more Collaborative Decision Making (CDM)
between airspace users and stakeholders, and will further support Trajectory Based Operations
(TBO) which allows airlines to fly more economic business trajectories resulting in lesser
flying time and fuel burn. TBO involves the ground ATM systems receiving the aircraft
position information together with the time of arrival in specific points in air space, which is
computed by the airborne Flight Management Systems (FMS).

Cyber space of CNS/ATM

As illustrated by Fig. 1 various multilayered cyber physical sub-systems consisting of

airborne and ground based systems form the integrated cyber physical system of CNS/ATM.
The cyber space of CNS/ATM consists of the following which are used for all four functions
of communication, navigation, surveillance and air traffic management:
 airborne network (network within each aircraft and between aircraft),
 air-ground network, and
 ground-ground network (local area network and wide area network).

The aircraft network will usually comprise of ARINC 429, ARINC 629, and MIL-STD 1553
type data buses for data communication between systems/computers. More recent aircraft also
use Transmission Control Protocol/Internet Protocol (TCP/IP) networks which are more prone
to security threats.

17th Australian Aerospace Congress, 26-28 February 2017, Melbourne

Communication channels between airborne aircraft mainly consist of Mode-S
Datalink/Extended Squitter, which is used for TCAS and well as ADS-B In.

The air-ground network for data communication consists of

 High Frequency (HF) Datalink (HFDL) (reduced usage)
 Very High Frequency (VHF) Datalink (VDL) modes 2, 3
 SATCOM
 Satellite Data Link (Aeronautical Mobile Satellite Service (AMSS), Aeronautical
Mobile Satellite (Route) Services (AMS(R)S))
 Controller Pilot Data Link Communication (CPDLC) is an application which uses
VHF or AMSS
 SSR Mode S Datalink
 Next generation systems will include L-Band Digital Aeronautical Communication
System (LDACS)
 Aeronautical Adhoc Networks (AANet)

Aeronautical Telecommunication Network (ATN) which is based on the International

Standards Organisation-Open Systems Interconnection (ISO-OSI) model provides an interface
for interchange of digital data between a variety of end users in air and ground using
dissimilar networks (VHF, HF, AMSS, Mode S etc.).

System Wide Information Management (SWIM) is a concept of SESAR and NextGen, and
standardised through ICAO Doc 10039 [8] which defines SWIM to consist of standards and
infrastructure enabling the management and exchange of ATM related information between
various stakeholders including ANSP/ATS, AOC and aircraft. The network connectivity will
be based on public/private IP networks.

Inter-Satellite Link
GNSS

SATCOM
SATCOM
Air/Air AANet
Communication

Air/Ground
Communication

Air/Ground
communication

AeroMACS LDACS
VDLM2

HFDL

LANKA BOGODA

HF VHF

AIDC
Terrestrial Network

Ground/Ground
communication

Fig. 1: Cyber Physical Systems and Cyber Space of CNS/ATM

17th Australian Aerospace Congress, 26-28 February 2017, Melbourne

 Cyber Domain, Security Threats, Vulnerabilities and Consequences

According to Martin C Libicki, the cyber domain is structured into a five layer model [9] as
depicted in Table 1 below, and each layer is vulnerable to various cyber-attacks.

Table 1: Five layer model of CPS and types of cyber attacks

Layer Cyber Attacks

Phishing, Online behaviour

Cognitive Layer
tracking, Rogueware/Scareware,
– Understanding of Information
Identity Theft, Sybil Attack
Denial of Service (DoS),
Service Layer Distributed Denial of Service
– Services and Media (DDoS), Spoofing, Advanced
Persistent Attack (APT)
Information theft, destroying or
Semantic Layer
falsifying information,
– Information and Datasets in
Compromising confidential
Computers and Servers
informaiton, APT
Syntactic Layer
SysAdmin assumption, Drive by
– System Controls and
Exploits, SQL-Injection Attacks,
Management Programs, Network
Search Engine Poisoning
Protocols
Kinetic destruction, Physical
Physical Layer
Theft/Loss/Damage, Component
– Network Devices, Wired and
Corruption, Hack, Shack, Lab
Wireless Connections
attack

When considering the Signal in Space (SIS) of CNS/ATM systems, there are three main attack
methods that are currently of greater concern in the military domain than the civil domain of
aircraft operation. These are:
 Jamming,
 Meaconing, and
 Spoofing.

With increased usage of datalink communication methods for all functions of communication,
navigation, surveillance and air traffic management, safety and security assessment of the
systems in the civil domain is becoming increasingly relevant. The increased use of GNSS
for aircraft navigation and the use of ADS-B for surveillance are examples where above
mentioned attack methods may become and in some case have already become threats in civil
aircraft operations.

The fivefold cyber threat model based on Myriam Dunn Cavelty’s structural model consists of
[9]:
Level 1: Cyber activism which includes cyber vandalism, hacking and hacktivism.
Level 2: Cybercrime which is defined by the Commission of the European Commission
are criminal acts committed using electronic communication networks and
information systems or against such networks and systems.
17th Australian Aerospace Congress, 26-28 February 2017, Melbourne
Level 3: Cyber espionage which can be defines as actions for the purpose of obtaining
secret information for political, military or economic gain.
Level 4: Cyber terrorism which involves attacks on networks concerning critical ICT
systems and their controls.
Level 5: Cyber warfare including strategic/tactical/operational warfare that involves a
state of war between states or organisations.

The airborne and ground based CNS/ATM systems together with the voice and data link
communication systems and networks discussed in this paper consist of cyber domains with
the layers of the Martin C Libicki’s model. We focus on cyber threats on CNS/ATM systems
where the consequence involves a safety risk on the aircraft, thus affecting the airworthiness
of the aircraft. Out of the five levels of threats described above, the levels of threats affecting
CNS/ATM systems and operations include cyber activism and cyber terrorism. While
cybercrime may affect CNS/ATM systems through attacks against networks and systems, it is
of more relevance to criminal acts such as illegal internet credit card transactions.

Vulnerabilities are be defined as manifestations of some inherent states of the system that can
be subjected to a natural hazard or be exploited to adversely affect the normal operation of the
system [10]. The adverse effect on the system may result in system failure or loss of
confidentiality, availability or integrity. Natural hazards may include unintentional or
accidental actions such as component or system failure or human error. On the other hand an
exploitation of the vulnerability to cause a failure would be an intentional or malicious action.
It is the accidental or intentional nature of the action that differentiates safety from security. In
the context of airworthiness, the ultimate aim is to avoid all losses or failures which may
affect the safe flight of the aircraft.

Fig. 2 illustrates the relationship between safety, security and airworthiness of aircraft.

Loss of Airworthiness

Probability of Loss/
Severity of Loss/
Failure (Resulting in Loss of System Safety
Failure
Loss of System Safety)
Safety Risk Severity of Loss of
System Safety caused
Probability of Threat by Loss of Security
Loss of System leading to Loss/
Syecurity Failure

System Vulnerability

System Vulnerability Security Risk

Intentional/
Unintentional/ Malicious
Accidental Actions Actions
(Threat)

Fig.2: Relationship between safety, security and airworthiness of aircraft.

While improving system reliability and human factors considerations mitigates system
failures due to accidental or unintentional actions, understanding and analysing threats
together with improving system resilience to threats mitigates system failures due to
intentional malicious actions. Since malicious actions and attack methods are limitless, more
focus should be given to what can be controlled at system design [11] to safeguard the asset. A
minimum level of system resilience and reliability is required to be established for the
airworthiness assurance of aircraft.

17th Australian Aerospace Congress, 26-28 February 2017, Melbourne

Vulnerabilities that can be exploited by malicious action in the CNS/ATM context include all
vulnerabilities in airborne systems and networks, ground systems and networks, and the signal
in space. The attack types on the various layers of CPS are detailed in Table 1. As explained in
the previous section titled Cyber Physical Systems of CNS/ATM Context, there are many CPS
and related cyber space which can be considered as assets susceptible to attack. If the required
resilience are not built into the system, increased vulnerabilities would result in increased
security risks, and thereby the safety risks. On the other hand, a less reliable aircraft with more
safety risks, introduces increased vulnerabilities that can be attacked causing security risks.
Therefore the relationship between vulnerabilities, safety and security risks, related risk
margins and risk appetites should be analysed as part of the system design and development
life cycle [12], when systems, sub-systems, functionalities and their relationships are
designed. Introducing modifications and upgrades after the system is operational is an
expensive exercise.

Existing Regulatory Framework for Safety, Security Assessment and Certification

The existing framework for the certification of airborne systems comprises of regulations and
industry standards. The International Civil Aviation Organisation (ICAO) has established
Standards and Recommended Practices (SARPS) published as Annexes which includes
airworthiness as well as safety and security of aviation in general. Fig. 3 below illustrates this
framework under European Aviation Safety Agency (EASA) and Federal Aviation
Administration (FAA). The regulations prescribe the minimum certification requirements of
airborne systems, while industry standards offer methods of compliance which are generally
accepted by regulatory authorities. The requirement for system certification (hardware and
software) is only for airborne systems. The ground systems of CNS/ATM are regulated by
means of organisational approvals and operator/controller licensing methods. Organisational
approval mechanism will ensure that ICAO SARPS and local regulations are adhered to by
the ATM/ANSP service providers and aerodrome service providers.

17th Australian Aerospace Congress, 26-28 February 2017, Melbourne

 ICAO Annexes on Safety, Security, Airworthiness
Certification and CNS/ATM Operation
Aircraft Annex 17
ATM /ANSP
Security

Annex 15
Annex 8 Annex 6 Annex 19
Annex 11 Aeoronautical
Airworthiness of Operation of Safety Management
Air Traffic Services Information
Aircraft Aircraft System
Services
Annex 10 Annex 14
Aeronautical Aerodromes
Telecommunications

EASA/FAA
Regulations on Airworthiness Certification
and CNS/ATM Operation
 (EC) No 216/2008 Basic Regulation for EASA and
 Title 14: CFR: Aeronautics and space Subchapter C: Aircraft for FAA

 Initial Airworthiness - EASA Part 21; FAR Part 
21
 Continuing Airworthiness EASA Part M; FAR
Part 26, 43
 EASA Certification Specifications (CS 25, CS 23,
CS-ACNS); FAR Part 25, 23
Air Navigation Services and Air Traffic Services
and their oversight - EC 1034 and 1035/2011;
Air Traffic Control and Navigational Services
Facilities FAR Part 170, 171

No similar standards for Safety and Security

Industry Standards for Safety, Security and
Assessment and Certification of Ground
Airworthiness Certification of Aircraft
Systems
System Safety Assessment
ARP 4761/ED-135

System Development
ARP 4754/ED-79

Hardware Software Airworthiness

Assurance Assurance Security
DO-254/ DO-178/ Process/
ED-80 ED-12 Methods
DO-326/ED-202
356/ED-203

Fig.3: Existing framework for certification

Industry standards commonly accepted by regulatory authorities for the certification of civil
aircraft and installed systems include those published by Radio Technical Commission for
Aeronautics (RTCA), the European Organisation for Civil Aviation Equipment (EUROCAE)
and the Society of Automotive Engineers (SAE). SAE ARP 4754 (first published in 1996 and
revised to ARP 4754A in 2010) equivalent to EUROCAE ED-79 provides guidelines for the
processes used to develop civil aircraft and systems [13], and forms and integral part of the
system develop life cycle. SAE ARP 4761 (published in 1996) equivalent to EUROCAE ED -
135 provides guidelines and methods for conducting the safety assessment processes which
are to be carried out during the system development. More recent standards on airworthiness
security process specifications have been published as RTCA DO-326 (published in 2010 and
revised in 2014) and RTCA DO-356 (published in 2014) [14, 15] equivalent to ED-202 and
ED-203. These are to be used in conjunction with RTCA DO-254 and DO-178 for hardware
assurance and software certification guidance.

The safety assessment process provided by SAE ARP 4761 includes methodologies to
evaluate aircraft functions and the design of systems performing these functions to ensure
hazards associated with each function have been properly addressed [16]. This is done by a
Functional Hazard Assessment (FHA) at aircraft level as well as system level. The identified
failure conditions associated with aircraft functions and combinations of aircraft functions are
classified based on the failure condition severity (i.e., Catastrophic, Hazardous/Severe-Major,
Major, Minor, or No Safety Effect) and related probability of failure (which is the safety risk).
The system assurance level to be defined at development stage is governed by this
classification. During the Preliminary System Safety Assessment (PSSA) and subsequent
17th Australian Aerospace Congress, 26-28 February 2017, Melbourne
System Safety Assessment (SSA) processes a systematic examination is carried out to
determine failures that can cause the failure conditions identified through the FHA. These are
taken into consideration in establishing safety related design requirements of system hardware
and software. The tools used for this assessment during the PSSA process includes Fault Tree
Analysis (FTA) carried out using Dependence Diagrams (DD) or Markov Analysis (MA)
techniques. The SSA which is usually based on the PSSA FTA also considers the values
obtained from Failure Modes and Effects Summary (FMES). Common Cause Analysis (CCA)
supports the development of system architecture that affects specific and related systems that
have sensitivity to common cause events.

The airworthiness security process prescribed in RTCA DO-326 includes a plan for security
certification, security scope definition, security risk assessment and subsequent decision
whether the risk is acceptable or not. For unacceptable risks security development and securi-
ty assurance activities are initiated. The security risk assessment process is analogous to the
SAE ARP 4761 for safety assessment, and includes a Preliminary Aircraft Security Risk As-
sessment (PASRA), Preliminary System Security Risk Assessment (PSSRA), System Security
Risk Assessment (SSRA) and Aircraft Security Risk Assessment (ASRA). Similar to the iden-
tification of failure conditions in the safety assessment process, threat conditions are
identified and related impacts on safety are analysed, upon which severity is classified based
on the effect (i.e., Catastrophic, Hazardous/Severe-Major, Major, Minor, or No Safety Effect)
[16].

Further to above standards, ARINC standards such as ARINC 811 provide a framework for
commercial aircraft information security concepts of operation and processes.

All of the standards mentioned above are for airborne systems, with the security standard
mainly focusing on aircraft approved to carry more than 19 passengers. Furthermore DO-326
standards states that it does not address the security of ground systems including those that
provide services for communication, navigation, surveillance and air traffic services. With the
next generations systems, the ground systems will be a subsystem supporting the aircraft’s
flight, and form an integral part of the system of systems of the aircraft in flight and thus
should be considered in integration during the system development life cycle and certification
process. The ground systems are connected to the aircraft, not physically, but electronically
through the signal in space. Therefore a certification framework for future CNS/ATM should
consider the airborne and ground systems as a system of systems which are integrated and
interconnected. The existing framework for safety, security assessment and certification does
not address this.

Proposed new Integrated Safety and Security Assessment Model for CNS/ATM System
Certification

The integrated safety and security assessment model that we propose for CNS/ATM systems
(consisting of airborne and ground based systems), comprises of safety assessment and
security assessment processes having inputs to and from the system development process at
various stages. Fig. 4 illustrates this process where a functional hazard assessment process
identifies failure conditions for aircraft and system functions, as part of the safety assessment
process. The security assessment process which starts with the security scope definition and
identification of threat conditions that are probable attack scenarios which could lead to
failure conditions. These failure conditions may be caused by or contributed to by the loss of
the security attributes of the assets including confidentiality, availability and integrity. The
failure conditions that may occur due to a security threat condition are then assessed as part
17th Australian Aerospace Congress, 26-28 February 2017, Melbourne
the safety assessment process for classification of the failure safety effects and safety risks.
Here the security assessment process integrates with the safety assessment process.

CNS/ATM Operation

Aircraft System Ground System

Development Development
Process Process

Aircraft and System
Safety Assessment Process
Aircraft and System
Functional Hazard Assessment
Ground System and Sub-System Aircraft and System Ground System and Sub-System
Safety Assessment Process Security Assessment Process Security Assessment Process
Ground System
Aircraft and
and Sub-
Aircraft System
System
Functions
Ground System and Sub-System Functions
Aircraft and System Ground System and Sub-System
Functional Hazard Assessment Security Scope Definition Security Scope Definition

Identify Failure Conditions, Failure Safety Effects and Safety Risk Classification Identify Threat Conditions, Resulting Failure Conditions

Ground
Aircraft System
System
Hardware and
Preliminary System Safety Hardware and Preliminary System Security
Software
Assessment ( For each Failure Software Assessment (Vulnerability Analysis,
Requirement
Condition - Fault Tree Analysis, etc) Requirement related Fault Tree Analysis)
Allocation
Allocation
(Safety +
(Safety +
Security
Security
Measures)
Measures)

System Security Assessment

System Safety Assessment ( Fault
(Vulnerability Analysis, related Fault
Tree Analysis, etc) and Safety Risk Ground
Aircraft System Tree Analysis) and Security Risk
Conclusion System
Architecture Conclusion
Architecture

Ground
Aircraft System System Aircraft
Implementation, System
Integration, Implementation,
System Integration,
Verification System
and Validation Verification
and Validation

Aircraft Ground
System/Aircraft System
Certification Certification

Fig. 4: Proposed model for integrated safety and security assessment for the purpose of
CNS/ATM system certification

The safety and security assessment processes then proceeds to the Preliminary System Safety
Assessment/ Preliminary System Security Assessment processes, and subsequently to the
System Safety Assessment/ System Security Assessment processes. Fault tree analysis is
useful in identifying the effects of other systems’ fault conditions and combination of fault
conditions that could result in the system failure condition. This method is also useful to find
the system vulnerabilities that could be exploited for an attack. The methods for improving the
safety of the systems would include, fail safe protection methods, system cautions and
warnings before failure and safety related maintenance tasks to be performed during
operation. The methods for improving the security of the systems would include deterrent,
preventive, detective, corrective and recovery measures. The safety requirements and security
requirements identified by the safety and security risk assessment are to be included in the
system design/system development process. The requirements are identified based on the
level of risk.

The parameters, failures and the severity of the failure condition, govern the measurement of
safety risk[16] while threats, vulnerabilities and consequences govern the measurement of
security risk [17] as given in Eqn (1) and (2).
17th Australian Aerospace Congress, 26-28 February 2017, Melbourne
 Safety Risk = Probability of Failure X Severity (1)

𝑆𝑒𝑐𝑢𝑟𝑖𝑡𝑦 𝑅𝑖𝑠𝑘 = 𝑇ℎ𝑟𝑒𝑎𝑡𝑠 ∩ 𝑉𝑢𝑙𝑛𝑒𝑟𝑎𝑏𝑖𝑙𝑖𝑡𝑖𝑒𝑠 ∩ 𝐶𝑜𝑛𝑠𝑒𝑞𝑢𝑒𝑛𝑐𝑒𝑠 (2)

Considering the measure of consequences to be equivalent to the measure of severity, and

considering security risk to be dependent on the probability of threat, vulnerabilities and
severity, Eqn (2) can be written as:

𝑆𝑒𝑐𝑢𝑟𝑖𝑡𝑦 𝑅𝑖𝑠𝑘 = 𝑃𝑟𝑜𝑏𝑎𝑏𝑖𝑙𝑖𝑡𝑦 𝑜𝑓 𝑇ℎ𝑟𝑒𝑎𝑡𝑠 𝑋 𝑉𝑢𝑙𝑛𝑒𝑟𝑎𝑏𝑖𝑙𝑖𝑡𝑖𝑒𝑠 𝑋𝑆𝑒𝑣𝑒𝑟𝑖𝑡𝑦 (3)

The expected total risk due to failures from intentional or unintentional/accidental actions
would be:

Expected Total Risk = System Safety Risk + System Security Risk (4)

Vulnerability = Function of Probability of Failure (5)

Using Eqns. (1), (3) and (4),

Expected Total Risk is:
𝐸 (𝑇𝑜𝑡𝑎𝑙 𝑅𝑖𝑠𝑘 ) = ∑𝑛𝑖=1 Pr(𝐿𝑖) × 𝑆𝑖 + (Pr(𝑇 )) × ∑𝑛𝑖=1 Pr(𝐿𝑖) × 𝑆𝑖 (6)
0 ≤ Pr(T) ≥ 1

0 ≤ Pr(Li) ≥ 1

Where,
Li = Loss of safety in the system i due to failure
T= Threat
Pr(T) = Probability of Threat
Pr(Li) = Probability of loss of safety in the system i due to failure
Si = Severity of loss of safety in system i
n= total number of subsystems

The safety requirements and security requirements should keep the Expected Total Risk
within a calculated risk margin, taking into consideration the calculated risk appetite of the
system. The safety and security requirements are to be verified and validated during the
system development life cycle, then implemented and certified.

Conclusions and Future Research

Next generation CNS/ATM systems are cyber physical systems integrating and
interconnecting airborne systems with ground based systems. The safety and security
assessment models published as industry standards, which are currently used during system
certification process are only applicable for airborne systems. There are no similar models or
frameworks for ground systems. In this research we propose a new integrated safety and
security assessment model for CNS/ATM systems taking into consideration the CNS/ATM
operations which require airborne and ground systems to operate in a system of systems that
support the airworthiness of aircraft. The threat conditions and related failure conditions
17th Australian Aerospace Congress, 26-28 February 2017, Melbourne
identified through the security assessment process will integrate with the safety assessment
process for identification of safety effects and safety risk classification. This integrated
assessment model will contribute towards future research into the development of a unified
certification framework for next generation avionics and ATM systems. This model takes into
consideration the integrated and interconnected nature of airborne and ground systems in the
CNS/ATM context.

References

[1] S. Ramasamy and R. Sabatini, "Communication, navigation and surveillance performance criteria for
safety-critical avionics and ATM systems," in AIAC 16: Multinatioinal Aerospace Programs-Benefits
and Challenges, 2015, pp. 1-12.
[2] Welcome to the SESAR Project, European Commission. Available:
http://ec.europa.eu/transport/modes/air/sesar/index_en.htm
[3] NextGen, FAA Available: https://www.faa.gov/nextgen
[4] ICAO, "Global Air Navigation Plan 2013-2028, Doc 9750," 2013.
[5] K. Sampigethaya and R. Poovendran, "Cyber-physical integration in future aviation information
systems," in 2012 IEEE/AIAA 31st Digital Avionics Systems Conference (DASC), 2012, pp. 7C2-1-7C2-
12.
[6] A. Gardi, R. Sabatini, T. Kistan, Y. Lim, and S. Ramasamy, "4-Dimensional Trajectory Functionalities
for Air Traffic Management Systems," in IEEE/AIAA Integrated Communication, Navigation and
Surveillance Conference (ICNS 2015), Herndon, VA, USA, 2015.
[7] H. V. Sudarshan, Seamless sky: Ashgate Publishing, Ltd., 2003.
[8] ICAO, "Manual on System Wide Information Management (SWIM) Concept, DOC 10039."
[9] M. Lehto and P. Neittaanmäki, Cyber security: Analytics, technology and automation vol. 78: Springer,
2015.
[10] T. Aven, "On Some Recent Definitions and Analysis Frameworks for Risk, Vulnerability, and
Resilience," Risk Analysis, vol. 31, pp. 515-522, 2011.
[11] W. Young and N. G. Leveson, "An integrated approach to safety and security based on systems theory,"
Communications of the ACM, vol. 57, pp. 31-35, 2014.
[12] S. G. Casals, P. Owezarski, and G. Descargues, "Risk assessment for airworthiness security," in
International Conference on Computer Safety, Reliability, and Security, 2012, pp. 25-36.
[13] SAE International, "ARP 4754A, Guidelines for Development of Civil Aircraft and Systems," ed, 2010.
[14] RTCA Inc, "RTCA DO-326A, "Airworthiness Security Process Specification"," 2014.
[15] RTCA Inc, "RTCA DO-356, "Airworthiness Security Methods and Considerations"," 2014.
[16] SAE International, "ARP 4761 Aerospace recommended practice: guidelines and methods for
conducting the safety assessment process on civil airborne systems and equipment," ed: SAE, 1996.
[17] I. S. Organisation, "ISO/IEC 27005:2011 Information technology — Security techniques — Information
security risk management," 2011.

17th Australian Aerospace Congress, 26-28 February 2017, Melbourne