US Proposes New Cyber Security Standards For Aviation

The cyber security problem in aviation is that aircraft engines are increasingly designed to be connected to both internal and external data networks and this could make them vulnerable to cyber threats. 

Now,  US Federal Aviation Administration (FAA) has recently unveiled a proposal for new rules governing the cyber security of aircraft and equipment. 

The FAA says that the  new regulations are being introduced as aviation equipment has become more connected to internal and external data networks, including satellite communications and Internet-connected devices.

The new rules would require new applicants of airworthiness certifications to “protect” transport category airplanes, engines, and propellers from intentional unauthorised electronic interactions (IUEI) by identifying, assessing, and then mitigating potential security risks “as necessary. 

The goal of the effort is to standardise what the FAA calls “special conditions”, effectively making permanent temporary regulations previously issued on a case-by-case basis. 

The FAA has had to issue more and more special conditions to cover cyber security in recent years, prompting them to formalise the rules in an effort to reduce the cost of certification. Applicants would be required to identify cyber security deficiencies and develop instructions for how pilots would continue operating in the event of a cyber incident.  The FAA is also hoping the rules reduce the amount of time necessary to certify new and changed products while also harmonising their regulatory requirements with others used by civil aviation authorities in other countries.  

The proposal is being made in response to widespread changes in how airplanes are now being designed. The FAA and several experts have said airplanes, engines and propellers are now being increasingly connected to internal or external data networks and services, forcing regulators to consider the cybersecurity threat environment.

 The threats include the maintenance laptops used to check planes, the networks deployed by airports or airline gates, wireless aircraft sensors and sensor networks, cellular networks, connected devices, satellite communications, GPS and more.  

Their efforts to standardise mandatory cyber security rules began with Boeing’s controversial 787 program, which they had to issue special conditions for in order to address “intentional unauthorised electronic interactions.” The new rules require applicants to protect airplanes, engines, and propellers from IUEI, “identify and assess” the security risks posed by IUEI, and to “mitigate” those risks as necessary. 

  • Assessments need to be done to analyse the likelihood of exploitation of certain vulnerabilities and applicants would need to install a single or multiple layers of protection to keep airplane controls safe.
  • Risks include attacks that could corrupt data in crew displays and incidents affecting the kind of decisions pilots and crew have to make during emergencies.  

The FAA wants to limit the scope of the rules to vulnerabilities that would result in tangible effects on the safety and operation of the airplane. For example, the new rules would not cover potential vulnerabilities that would affect airplane devices that process passenger credit cards.  

The European Air Traffic Management Computer Emergency Response Team (EATM-CERT)  has found that the number of reported cyber attacks amongst airline industry organisations grew fivefold between  2019 and 2020. 

The growing concerns over cybersecurity are not limited to aircraft in-flight, but include ground installations too. In 2023 Britain's air traffic control system suffered an unaccountable severe disruption resulting in long delays, with no clear explanation.

FAA   |   FAA   |   The Record   |    Tenable  |   NextGov   |    Flying   |   Infosecurity-magazine

Image: Alexander Mils

You Might Also Read: 

Ransomware Trends In The Aviation & Maritime Industries:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« China Aims to Compete With OpenAI, Gemini & Grok
Hacker Kills Himself »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Tresorit

Tresorit

Tresorit helps teams to collaborate securely and easily by protecting their data with end-to-end encryption.

LEXFO

LEXFO

LEXFO specializes in the security of information systems, assisting clients in protecting information assets using an offensive and innovative approach.

TechDefence Labs

TechDefence Labs

TechDefence Labs provide pentesting and security assessment services for networks, web apps, mobile apps and source code reviews.

CyberPrism

CyberPrism

CyberPrism provides SaaS solutions using proprietary technology, underpinned by industry-leading technical practitioners to protect OT within Government, Maritime and Industrial markets.

Purple Security

Purple Security

Purple Security arises from the association of specialists in offensive security (ethical hackers, white hats) and experts in insurance, compliance and implementation of industry standards.

Cyan Securiy Group

Cyan Securiy Group

Cyan provide best-in-class cyber security solutions for mobile Internet and mobile devices that are extremely effective and highly intuitive in their use.

Nemko

Nemko

Nemko offers testing, inspection, and certification services worldwide, mainly concerning products and systems, but also for machinery, installations, and personnel.

Safetech Innovations

Safetech Innovations

Safetech Innovations is a team of cyber security experts, always at your service. We use human and cyber intelligence to help your business in uncertain times.

Rostelecom Solar

Rostelecom Solar

Rostelecom-Solar is a Cyber Security Company, providing software and managed detection and response (MDR) services to protect critical information from advanced cyber threats.

Flatt Security

Flatt Security

Flatt Security is a cyber security startup based in Japan providing security assessments and other cyber security services.

ORS Consulting

ORS Consulting

ORS Consulting is a specialist provider of risk management advisory services supporting asset-intensive industries such as chemicals, energy, power and utilities, defence and maritime.

Endure Secure

Endure Secure

Endure Secure is a managed cyber security & information security consultancy. Our passion for IS and our understanding of the threat landscape is reflected in the services that we provide.

SIGLA Group

SIGLA Group

SIGLA Group specialize in the design and development of IT and OT solutions, from analysis to design, from implementation to commissioning, as well as consultancy, training and assistance.

Disecto Technologies

Disecto Technologies

At Disecto, we provide SaaS based Data Discovery, Classification and a remediation solution for data privacy compliance.

Alpha Echo

Alpha Echo

Specialising in security advice and enterprise-wide Cyberworthiness, Alpha Echo helps Australia deliver on cyber outcomes at a military grade level.

Atlas Systems

Atlas Systems

Atlas Systems helps companies large and small accelerate their digital transformation journeys – expanding their capabilities and delivering tailored solutions including cybersecurity.