US Proposes New Cyber Security Standards For Aviation

The cyber security problem in aviation is that aircraft engines are increasingly designed to be connected to both internal and external data networks and this could make them vulnerable to cyber threats. 

Now, the US Federal Aviation Administration (FAA) has recently unveiled a proposal for new rules governing the cyber security of aircraft and equipment.

The FAA says that the new regulations are being introduced as aviation equipment has become more connected to internal and external data networks, including satellite communications and Internet-connected devices.

The new rules would require new applicants for airworthiness certifications to “protect” transport category airplanes, engines, and propellers from intentional unauthorised electronic interactions (IUEI) by identifying, assessing, and then mitigating potential security risks “as necessary”.

The goal of the effort is to standardise what the FAA calls “special conditions”, effectively making permanent temporary regulations previously issued on a case-by-case basis. 

The FAA has had to issue more and more special conditions to cover cyber security in recent years, prompting it to formalise the rules in an effort to reduce the cost of certification. Applicants would be required to identify cyber security deficiencies and develop instructions for how pilots would continue operating in the event of a cyber incident. The FAA is also hoping the rules will reduce the amount of time necessary to certify new and changed products while also harmonising its regulatory requirements with those used by civil aviation authorities in other countries.

The proposal is being made in response to widespread changes in how airplanes are now being designed. The FAA and several experts have said airplanes, engines and propellers are now being increasingly connected to internal or external data networks and services, forcing regulators to consider the cybersecurity threat environment.

The threats include the maintenance laptops used to check planes, the networks deployed by airports or airline gates, wireless aircraft sensors and sensor networks, cellular networks, connected devices, satellite communications, GPS and more.

The FAA's efforts to standardise mandatory cyber security rules began with Boeing’s controversial 787 program, for which it had to issue special conditions in order to address “intentional unauthorised electronic interactions.” The new rules require applicants to protect airplanes, engines, and propellers from IUEI, to “identify and assess” the security risks posed by IUEI, and to “mitigate” those risks as necessary.

  • Assessments need to be done to analyse the likelihood of exploitation of certain vulnerabilities, and applicants would need to install one or more layers of protection to keep airplane controls safe.
  • Risks include attacks that could corrupt data in crew displays and incidents affecting the kind of decisions pilots and crew have to make during emergencies.

The FAA wants to limit the scope of the rules to vulnerabilities that would result in tangible effects on the safety and operation of the airplane. For example, the new rules would not cover potential vulnerabilities that would affect airplane devices that process passenger credit cards.  

The European Air Traffic Management Computer Emergency Response Team (EATM-CERT) has found that the number of reported cyber attacks amongst airline industry organisations grew fivefold between 2019 and 2020.

The growing concerns over cybersecurity are not limited to aircraft in flight, but include ground installations too. In 2023, Britain's air traffic control system suffered a severe disruption that resulted in long delays, with no clear explanation.

FAA | FAA | The Record | Tenable | NextGov | Flying | Infosecurity-magazine
