The Federal Aviation Administration (FAA) has proposed new cybersecurity rules to address vulnerabilities that could impact air travel safety.
The FAA says the proposed rules would “protect the equipment, systems, and networks of transport category airplanes, engines, and propellers against intentional unauthorized electronic interactions (IUEI) that could create safety hazards.”
Additionally, they would streamline a certification process that, since 2009, has forced the FAA to issue “special conditions” on a case-by-case basis, lengthening certification and increasing costs. The FAA disclosed it spends about 170 hours and $13,498 to process a “special condition” of average complexity.
“These disconnects increase the certification complexity, cost, and time for both the applicant and regulator,” said acting Executive Director of the FAA’s Aircraft Certification Service Wesley Mooty.
Similarly, it would harmonize aircraft design standards with other jurisdictions, such as the European Union. The FAA already accepts European aircraft cybersecurity standards as an “accepted Means of Compliance.”
According to the FAA, the proposal was prompted by the increased interconnectedness of modern airplanes and the lack of “adequate and appropriate” rules to address the issue.
Proposed FAA cybersecurity rules codify “special conditions” for certification
The lack of codified aircraft cybersecurity rules has forced the FAA to issue special conditions to “address IUEI in every new transport category airplane certification project and relevant design change” since the Boeing 787.
Thus, the proposed cybersecurity rules would consolidate frequently issued special conditions into a single standard instead of disjoint provisions that require the recommendation of the Aviation Rulemaking Advisory Committee (ARAC).
“This proposed rulemaking package codifies the substantive requirements of frequently-issued cybersecurity special conditions to address these issues,” said Mooty.
Previously, the lack of codified cybersecurity rules forced the FAA to use special conditions whenever “the agency’s airworthiness regulations do not contain adequate or appropriate safety standards to address a proposed novel or unusual design feature.”
This situation has produced a patchwork of disjointed special conditions that is a nightmare for aircraft designers to comply with and for the FAA to assess.
“Harmonization is an important step for industry and regulators,” said Jeff Le, VP of Global Government Affairs and Public Policy at SecurityScorecard. “It makes rules transparent, accountable, and less confusing. We applaud the steps taken on harmonization, especially as it continues to augment the priorities of the White House and the bipartisan Senate.”
FAA: address cybersecurity vulnerabilities to maintain airworthiness
The proposed aircraft cybersecurity rules obligate applicants to assess and identify cybersecurity risks, determine their severity and likelihood of exploitation, and mitigate them by providing single or multi-layered protections.
“To provide such protection for each product, applicants would be required by regulation to ‘identify and assess’ the security risks posed by IUEI, and to ‘mitigate’ those risks as necessary for safety, functionality, and continued airworthiness.”
In addition, the applicants must provide “instructions for continued airworthiness necessary to maintain such protections.”
The FAA also identified numerous cyber threat sources that could impact the airworthiness of airplanes and their components. They include maintenance laptops, field loadable software, airport link networks, public networks, cellular networks, wireless aircraft sensors and sensor networks, USB devices, satellite communications, electronic flight bags (EFBs), and GPS systems.
The FAA also stressed that “regulators and industry must constantly monitor the cybersecurity threat environment in order to identify and mitigate new threat sources.”
However, the FAA limited the scope of the proposed cybersecurity rules to areas that directly impact the aircraft’s ability to remain airborne. The rules also target airplanes with a 19-passenger capacity or “maximum takeoff weight greater than 19,000 lbs.”
Similarly, issues impacting travelers’ cyber security and privacy, such as booking systems that process customers’ credit cards and personal information, were out of scope.
The FAA also admits that the proposed rules are not a silver bullet and that “special conditions may still be required on occasion.”
Nonetheless, the proposed cybersecurity rules are long overdue. Nation-state adversaries and terrorist organizations are interested in exploiting cybersecurity vulnerabilities to weaponize airplanes.
In February 2024, the Jerusalem Post reported that “hostile elements” attempted to take over the communications network of a Ben-Gurion Airport-bound plane, the second attempt in a week. In May, the BBC also reported that Russia was jamming satellite navigation systems, affecting thousands of civilian planes.
“The proposed changes from 2009 on ART 25-AIRWORTHINESS STANDARDS: TRANSPORT CATEGORY AIRPLANES under authority 49 U.S.C. 106(f), 106(g), 40113, 44701, 44702 and 44704; Pub. L. 115-254, 132 Stat 3281 (49 U.S.C. 44903 note) is valuable to modernize and acknowledge the expanding attack surface area and risk that these digital openings provide,” Le said.
According to the European Air Traffic Management Computer Emergency Response Team (EATM-CERT), the airline industry witnessed a 530% increase in cyber attacks between 2019 and 2020.
Meanwhile, public comments on the proposed aviation cybersecurity regulations are due on October 1, while those affecting helicopters should be submitted by September 2.