New FAA Regulations Target Cybersecurity Vulnerabilities in Aircraft Design
The Federal Aviation Administration ("FAA") has proposed new rules to standardize its criteria for addressing cybersecurity threats for transport category airplanes, engines, and propellers.
On August 21, 2024, the FAA published a Notice of Proposed Rulemaking ("NPRM") to codify current industry cybersecurity practices and address vulnerabilities that may result in an adverse effect on aircraft security. This comes after the May 2024 enactment of the FAA Reauthorization Act of 2024, which gives the FAA Administrator sole rulemaking authority to implement cybersecurity regulations for aircraft, aircraft engines, propellers, and appliances.
The NPRM notes that, as the current trend in aircraft design has integrated the airplane, engine, and propeller systems with internal and external networks, the FAA's airworthiness regulations are "inadequate and inappropriate to address the cybersecurity vulnerabilities caused by [this] increased interconnectivity." Such increased interconnectivity raises the possibility of intentional unauthorized electronic interactions ("IUEI"), which is defined as "[a] circumstance or event with the potential to affect the aircraft due to human action resulting from unauthorized access, use, disclosure, denial, disruption, modification, or destruction of information and/or aircraft system interfaces."
To address the security risks posed by IUEI, the NPRM introduced a type certification, or design approval of aircraft and component parts, and continued airworthiness requirements designed to protect the equipment, systems, and networks associated with transport category airplanes. Design applicants will be required to conduct an assessment to identify and assess risks by potential IUEI to aircraft assets and systems, as well as develop vulnerability mitigation plans to control such risks. The FAA Administrator will determine whether design applicants sufficiently met these requirements.
In the NPRM, the FAA identified an added benefit of reducing the costs and time necessary to certify new aircraft products by harmonizing FAA requirements with other civil aviation authorities to address cybersecurity vulnerabilities. Public comment on the NPRM will be open through October 21, 2024.
Cybersecurity threats to the airline transport infrastructure continue to be a key focus and priority for U.S. federal regulators. In anticipation of the final rule, manufacturers of transport category airplanes, engines for transport category airplanes, and propellers should review, pressure-test, and update as necessary their existing processes to identify, assess, and mitigate cybersecurity risks.
