Unsettled Topics Concerning Airworthiness Cyber-Security Regulation

The certification process of the Boeing 787 starting in 2005 was a watershed for airworthiness regulation. The Dreamliner the first true flying data center could no longer be certified for airworthiness ignoring sabotage like the classic safety regulation for commercial passenger aircraft - as its extensive application of data networks including enhanced external digital communication forced the Federal Aviation Administration (FAA) for the first time to set Special Conditions for cyber-security.In the 15 years that followed airworthiness regulation followed suit and all key rule-making regulation-making and standard-making organizations weighed in to establish a new airworthiness cyber-security superset of legislation regulation and standardization. The resulting International Civil Aviation Organization (ICAO) resolutions U.S. and European Union (EU) legislation FAA and European Aviation Safety Agency (EASA) regulation and the DO-326/ED-202 set of standards are about to become the new standards for legislation regulation and best practices as soon as 2020 and in fact - some of them are already in effect. This emerging superset of documents is now carefully studied by all relevant actors - including industry regulators and academia - as the aviation ecosystem moves forward with DO-326/ED-202-set training gap-analysis and even with certification itself.This report suggests a deeper analysis of these sets of regulatory documents and their effects on the aviation sector as they gradually become the law-of-the-land starting with their expected effects on the aviation ecosystem the issues they pose to supply chains and the challenges they present to the airworthiness certification process itself. Then this report examines the major DO-326/ED-202-set gaps inherent dilemmas and methodological uncertainties. For each such unsettled domain six aspects are reviewed. Finally practical solution-seeking processes are proposed and some specific potential frameworks and solutions are pointed out whenever applicable. It is the intention of this report that these insights and observations would assist regulators applicants and standard-makers throughout the early 2020s with accommodating this new regulation and start adjusting it to emerging realities.