FAA proposes new cyber rules for airplanes and aviation equipment
The rules are designed to combat cybersecurity threats targeting aircraft, engines and networks aviation systems.
The Federal Aviation Administration is seeking public comment on proposed updates to its cybersecurity standards for future airplanes and critical equipment, according to a Federal Register notice published on Wednesday.
The outlined rules “would impose new design standards to address cybersecurity threats for transport category airplanes, engines and propellers.” The FAA requires aircraft with more than 19 passenger seats or “a maximum takeoff weight greater than 19,000 lbs” to be certified in this category.
The agency said it put forward the new mandates as a result of flight equipment becoming increasingly connected “to internal or external data networks and services,” such as through the use of satellite communications and internet-connected devices.
The proposed regulations would “introduce type certification and continued airworthiness requirements” mandating that future “design approval applicants” take steps to protect their aircraft and associated equipment from cyber threats.
This includes, in part, requiring design applicants to conduct “a security risk analysis to identify all threat conditions associated with the system, architecture and external or internal interfaces.” The FAA said this review should assess the severity of threats to reviewed flight assets, and that applicants would then be required to mitigate any identified vulnerabilities.
“The intended effect of this proposed action is to standardize the FAA's criteria for addressing cybersecurity threats, reducing certification costs and time while maintaining the same level of safety provided by current special conditions,” the notice said.
The agency currently addresses cybersecurity concerns related to transport category airplanes, engines and propellers through the issuance of “special conditions” that require design applicants to protect vulnerable equipment from unauthorized access.
Joe Saunders, CEO of cybersecurity firm RunSafe Security, said in a statement that the proposed enhancements to the FAA’s airworthiness requirements were “a great step but long overdue.” He added, however, that “the regulation does not go far enough in addressing and maintaining multi layer defenses to protect against unknown vulnerabilities.”
In an emailed statement to Nextgov/FCW, the FAA said it “works closely with intelligence and security experts throughout the federal government to identify and mitigate potential risks to our systems, as well as those of our partners in the private sector.”
The agency is receiving public comment on the new rule through Oct. 21.