New cybersecurity rules have been proposed in the US to mitigate vulnerabilities caused by the interconnectedness of modern aircraft.
The proposal, published by Federal Aviation Administration (FAA) in the Federal Register on August 21, highlighted the current trend in aircraft design of increased integration of airplane, engine and propeller systems with internal or external data networks and services.
The regulator warned that these designs are leading to vulnerabilities from sources such as maintenance laptops, public networks, wireless aircraft sensors, satellite communications and portable electronic devices, potentially affecting the safe operation of aircraft.
The FAA acknowledged that current regulations do not adequately address cyber-risks caused by the increased interconnectivity of these critical systems.
Read now: Israeli Aircraft Survive “Cyber-Hijacking” Attempts
The FAA’s proposed rules will require aircraft manufacturers to demonstrate that their design both:
- Protects against unauthorized access from inside or outside of the airplane
- Prevents malicious changes to, and adverse impacts on, the airplane equipment, systems, and networks required for safe operation
Manufacturers will be required to conduct a security risk analysis to identify all security risks posed by intentional unauthorised electronic interactions (IUEI), and mitigate those risks as necessary for safety, functionality and continued airworthiness.
The applicants would also be required to develop procedures to ensure the maintenance of such protections.
The proposed rule applies to any engine and propeller systems installed in airplanes, equipment, and networks that are susceptible to IUEI.
FAA Rules Harmonize with EU Standards
The FAA aims to harmonize its cybersecurity standards for aircraft with other civil aviation authorities, including the European Union Aviation Safety Agency’s Easy Access Rules for Large Aeroplanes CS-25 regulation. The US agency acknowledged that currently, aircraft manufacturers must meet both airworthiness standards to obtain certification in the US and other jurisdictions.
This approach “would benefit manufacturers and modifiers by providing them a single set of requirements with which they must show compliance, thereby reducing the cost and complexity of certification and codifying a consistent level of safety,” the FAA said.
The proposed rules would also eliminate the need for the FAA to continually issue special conditions during the certification process, reducing costs and time for the regulator.
These special conditions address a project-specific novel or unusual feature of the applicant’s proposed design.