FAA addresses aircraft design cybersecurity

The Federal Aviation Administration (FAA) proposes to add and revise airworthiness regulations to address product cybersecurity issues from the design stage forward. The changes “would introduce type certification and continued airworthiness requirements to protect the equipment, systems, and networks of transport category airplanes, engines, and propellers against intentional unauthorized electronic interactions (IUEI) that could create safety hazards.”

Why are the changes needed? The FAA found its airworthiness regulations “inadequate and inappropriate” to address cybersecurity vulnerabilities caused by growing interconnectivity and IUEI.

Modern airplane design includes an increasing level of integration of airplane, engine, and propeller systems with more connectivity to internal or external data networks and services. These designs can introduce cybersecurity vulnerabilities from sources such as field-loadable software, maintenance laptops, wireless aircraft sensors and networks, universal serial bus (USB) devices, and satellite communications (including GPS data).

The FAA has issued special conditions to address IUEI in every new transport category airplane certification project and relevant design change since the advent of the Boeing 787 Dreamliner.

In the updated rule, design approval applicants would be required to identify, assess, and mitigate vulnerability hazards and develop Instructions for Continued Airworthiness (ICA) ensuring protections continue in service. The changes would affect applicants seeking design approval and future operators of these products via the ICA.

The Institute of Electrical and Electronics Engineers (IEEE), a professional association and source for engineering, computing, and technology information, offered its experts to help unpack the proposal.

IEEE Senior Member Kayne McGladrey explains, “Connected systems introduce vulnerabilities that could be entry points for cyberattacks. Ensuring strong cybersecurity for these systems is key to maintaining an aircraft’s safety and operation.”

McGladrey says, “The industry will need to follow stricter practices during design and certification. This change will likely simplify the certification process by reducing the need for special conditions, which slow down and complicate the process. Aligning these rules with international standards, such as those from the European Union Aviation Safety Agency (EASA), will promote global consistency. This approach can make operations easier for manufacturers and operators working in multiple countries.”

IEEE member Rebecca Herold adds, “The proposal will strengthen cybersecurity throughout the aerospace industry, if each organization thoughtfully, and comprehensively, considers its own unique threats and vulnerabilities, and then establishes the protections appropriate to the context of their operations to mitigate risks to acceptably low levels.”

Both experts agree a security risk analysis plan is vital for identifying and reducing cybersecurity threats. Herold says to include it as part of the larger, comprehensive security risk management plan.

– Eric
September 2024