FAA Proposes Standardized Cybersecurity Rules for Aircraft
New rules would replace case-by-case framework currently in place
The Federal Aviation Administration proposed a set of cybersecurity standards for new aircraft to simplify the airworthiness certification process, which has been carried out on a case-by-case basis on designs submitted since 2009, beginning with the Boeing 787.
The proposed rules would generally adhere to the current cybersecurity requirements, which are issued via what the FAA calls “special conditions,” unique rules that apply to each new aircraft, aircraft engine or propeller design submitted for approval. “Thus, the impact on applicants and operators would not be significant,” the agency said in a notice of proposed rulemaking.
The purpose of the proposed regulations is to reduce the time and costs of certifying new and updated aircraft, both for the manufacturer and the agency, and to “harmonize” FAA requirements with other civil aviation authorities, the European Union in particular.
The need for standardized rules has grown as aircraft are increasingly connected to internal and external data networks and services, the FAA said. Cybersecurity vulnerabilities arise from a host of sources, including maintenance laptops, airport gate-link networks, public networks, wireless aircraft sensors, USB devices, satellite communications and more.
The special conditions addressing cybersecurity have typically required manufacturers to accomplish three things: Show their designs provide isolation or protection from internal or external unauthorized access, show their designs prevent unintended or unauthorized changes to airplane equipment, systems and networks, and establish procedures for maintaining cybersecurity protections for future owners and operators of the aircraft.
The proposed rules require manufacturers to “protect” so-called transport category airplanes, engines and propellers from intentional unauthorized electronic interactions, or IUEI, that could adversely affect safety. To provide the requisite cybersecurity protection, manufacturers would be required to perform a security risk analysis of the aircraft to identify all threats, mitigate those threats with one or multiple layers of protection and include procedures for the continued protection of the aircraft within the instructions issued for maintaining airworthiness.
The FAA noted that the rules apply only to cybersecurity threats that could affect an aircraft’s safety or operation; other cyber threats, such as those to personal information that could come from devices that process passenger credit cards, for example, would be covered by other regulations.
The FAA is accepting public comments on the proposed rule through Oct. 21.