US Proposes New Cyber Security Standards For Aviation

The cyber security problem in aviation is that aircraft engines are increasingly designed to be connected to both internal and external data networks and this could make them vulnerable to cyber threats. 

Now, the US Federal Aviation Administration (FAA) has recently unveiled a proposal for new rules governing the cyber security of aircraft and equipment.

The FAA says that the new regulations are being introduced as aviation equipment has become more connected to internal and external data networks, including satellite communications and Internet-connected devices.

The new rules would require new applicants for airworthiness certifications to “protect” transport category airplanes, engines, and propellers from intentional unauthorised electronic interactions (IUEI) by identifying, assessing, and then mitigating potential security risks “as necessary.”

The goal of the effort is to standardise what the FAA calls “special conditions”, effectively making permanent temporary regulations previously issued on a case-by-case basis. 

The FAA has had to issue more and more special conditions to cover cyber security in recent years, prompting them to formalise the rules in an effort to reduce the cost of certification. Applicants would be required to identify cyber security deficiencies and develop instructions for how pilots would continue operating in the event of a cyber incident.  The FAA is also hoping the rules reduce the amount of time necessary to certify new and changed products while also harmonising their regulatory requirements with others used by civil aviation authorities in other countries.  

The proposal is being made in response to widespread changes in how airplanes are now being designed. The FAA and several experts have said airplanes, engines and propellers are now being increasingly connected to internal or external data networks and services, forcing regulators to consider the cybersecurity threat environment.

The threats include the maintenance laptops used to check planes, the networks deployed by airports or airline gates, wireless aircraft sensors and sensor networks, cellular networks, connected devices, satellite communications, GPS and more.

The FAA's efforts to standardise mandatory cyber security rules began with Boeing’s controversial 787 program, for which it had to issue special conditions in order to address “intentional unauthorised electronic interactions.” The new rules require applicants to protect airplanes, engines, and propellers from IUEI, to “identify and assess” the security risks posed by IUEI, and to “mitigate” those risks as necessary.

  • Assessments need to be done to analyse the likelihood of exploitation of certain vulnerabilities and applicants would need to install a single or multiple layers of protection to keep airplane controls safe.
  • Risks include attacks that could corrupt data in crew displays and incidents affecting the kind of decisions pilots and crew have to make during emergencies.  

The FAA wants to limit the scope of the rules to vulnerabilities that would result in tangible effects on the safety and operation of the airplane. For example, the new rules would not cover potential vulnerabilities that would affect airplane devices that process passenger credit cards.  

The European Air Traffic Management Computer Emergency Response Team (EATM-CERT) has found that the number of reported cyber attacks amongst airline industry organisations grew fivefold between 2019 and 2020.

The growing concerns over cybersecurity are not limited to aircraft in-flight, but include ground installations too. In 2023 Britain's air traffic control system suffered an unaccountable severe disruption resulting in long delays, with no clear explanation.

FAA   |   FAA   |   The Record   |    Tenable  |   NextGov   |    Flying   |   Infosecurity-magazine

Image: Alexander Mils
