US Proposes New Cyber Security Standards For Aviation
The cyber security problem in aviation is that aircraft engines are increasingly designed to be connected to both internal and external data networks and this could make them vulnerable to cyber threats.
Now, US Federal Aviation Administration (FAA) has recently unveiled a proposal for new rules governing the cyber security of aircraft and equipment.
The FAA says that the new regulations are being introduced as aviation equipment has become more connected to internal and external data networks, including satellite communications and Internet-connected devices.
The new rules would require new applicants of airworthiness certifications to “protect” transport category airplanes, engines, and propellers from intentional unauthorised electronic interactions (IUEI) by identifying, assessing, and then mitigating potential security risks “as necessary.
The goal of the effort is to standardise what the FAA calls “special conditions”, effectively making permanent temporary regulations previously issued on a case-by-case basis.
The FAA has had to issue more and more special conditions to cover cyber security in recent years, prompting them to formalise the rules in an effort to reduce the cost of certification. Applicants would be required to identify cyber security deficiencies and develop instructions for how pilots would continue operating in the event of a cyber incident. The FAA is also hoping the rules reduce the amount of time necessary to certify new and changed products while also harmonising their regulatory requirements with others used by civil aviation authorities in other countries.
The proposal is being made in response to widespread changes in how airplanes are now being designed. The FAA and several experts have said airplanes, engines and propellers are now being increasingly connected to internal or external data networks and services, forcing regulators to consider the cybersecurity threat environment.
The threats include the maintenance laptops used to check planes, the networks deployed by airports or airline gates, wireless aircraft sensors and sensor networks, cellular networks, connected devices, satellite communications, GPS and more.
Their efforts to standardise mandatory cyber security rules began with Boeing’s controversial 787 program, which they had to issue special conditions for in order to address “intentional unauthorised electronic interactions.” The new rules require applicants to protect airplanes, engines, and propellers from IUEI, “identify and assess” the security risks posed by IUEI, and to “mitigate” those risks as necessary.
- Assessments need to be done to analyse the likelihood of exploitation of certain vulnerabilities and applicants would need to install a single or multiple layers of protection to keep airplane controls safe.
- Risks include attacks that could corrupt data in crew displays and incidents affecting the kind of decisions pilots and crew have to make during emergencies.
The FAA wants to limit the scope of the rules to vulnerabilities that would result in tangible effects on the safety and operation of the airplane. For example, the new rules would not cover potential vulnerabilities that would affect airplane devices that process passenger credit cards.
The European Air Traffic Management Computer Emergency Response Team (EATM-CERT) has found that the number of reported cyber attacks amongst airline industry organisations grew fivefold between 2019 and 2020.
The growing concerns over cybersecurity are not limited to aircraft in-flight, but include ground installations too. In 2023 Britain's air traffic control system suffered an unaccountable severe disruption resulting in long delays, with no clear explanation.
FAA | FAA | The Record | Tenable | NextGov | Flying | Infosecurity-magazine
Image: Alexander Mils
You Might Also Read:
Ransomware Trends In The Aviation & Maritime Industries:
If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.
- Individual £5 per month or £50 per year. Sign Up
- Multi-User, Corporate & Library Accounts Available on Request
- Inquiries: Contact Cyber Security Intelligence
Cyber Security Intelligence: Captured Organised & Accessible