In response to the growing cyber threats facing modern aircraft, the Federal Aviation Administration (FAA) has introduced a proposal to establish new cybersecurity regulations for airplanes, engines, and propellers. As aviation technology increasingly integrates with both internal and external data networks, these systems become more vulnerable to cyberattacks, prompting the FAA to take action.
The proposed rules aim to standardize what the FAA refers to as “special conditions,” which are temporary regulations issued on a case-by-case basis. Over the years, the FAA has had to issue an increasing number of these special conditions to address cybersecurity concerns, leading to the decision to formalize these rules and streamline the certification process.
“These disconnects increase the certification complexity, cost, and time for both the applicant and regulator,” explained Wesley Mooty, the acting Executive Director of the FAA’s Aircraft Certification Service, who added the proposal to the Federal Register. “This proposed rulemaking package codifies the substantive requirements of frequently-issued cybersecurity special conditions to address these issues.”
The new regulations are designed to protect the equipment, systems, and networks of transport category airplanes, engines, and propellers from intentional unauthorized electronic interactions (IUEI) that could pose safety risks. Under these rules, applicants would be required to identify cybersecurity vulnerabilities and develop contingency plans for pilots to maintain control in the event of a cyber incident.
Mooty emphasized that the proposed rules would largely reflect current practices, such as the special conditions the FAA has used to address product cybersecurity since 2009. He also noted that the impact of these new regulations “would not be significant.”
The FAA hopes these rules will not only reduce the time required to certify new and modified products but also align U.S. regulations with those of other civil aviation authorities worldwide. The proposal comes in response to significant changes in aircraft design, as airplanes, engines, and propellers are increasingly connected to data networks, both internally and externally, necessitating a stronger cybersecurity framework.
The potential threats include vulnerabilities in maintenance laptops, airport and airline gate networks, wireless aircraft sensors, cellular networks, connected devices, satellite communications, GPS, and more. These cyber risks could directly impact the airworthiness of an airplane, making robust cybersecurity measures essential.
The Transportation Security Administration (TSA) previously issued emergency regulations in 2023 requiring airports and aircraft operators to implement enhanced security measures. The FAA’s latest proposal builds on these efforts by addressing the cybersecurity vulnerabilities that have emerged due to increased interconnectivity in aviation systems.
The proposed rules would require applicants to safeguard airplanes, engines, and propellers from IUEI, identify and assess cybersecurity risks, and implement mitigation strategies as needed. These assessments would analyze the likelihood of vulnerabilities being exploited, and applicants would need to install protective measures to ensure the safety of airplane controls. The FAA also highlighted the risks of cyberattacks that could corrupt data in crew displays or interfere with critical decision-making during emergencies.
To limit the scope of the rules, the FAA focused on vulnerabilities that would have tangible effects on the safety and operation of the airplane, excluding potential issues related to non-safety-critical systems, such as passenger credit card processing devices.
Cybersecurity expert Joseph Saunders praised the FAA’s effort to move beyond special conditions, calling it “long overdue” given the increasing reliance on communications and connected components in modern aircraft. However, Saunders, CEO of RunSafe Security, argued that the regulations do not go far enough in addressing unknown vulnerabilities and maintaining defenses against future cyber threats.
“We need both the capability to prevent future attacks against unknown vulnerabilities discovered after a manufacturer delivers instructions for continued airworthiness and a process for the manufacturer and operator to agree when to update the operators’ aircraft to address future software vulnerabilities affecting airworthiness,” Saunders added.
The urgency of these new rules is underscored by data from the European Air Traffic Management Computer Emergency Response Team (EATM-CERT), which reported a 530% increase in cyberattacks targeting airline industry organizations from 2019 to 2020.
