FAA proposes new cybersecurity rules for airplanes

The Federal Aviation Administration unveiled a proposal this week for new rules governing the cybersecurity of airplanes, engines and propellers as they are increasingly designed to be connected to both internal and external data networks that could make them vulnerable to cyber threats.

The goal of the effort is to standardize what the FAA calls “special conditions” — effectively temporary regulations issued on a case-by-case basis. The FAA has had to issue more and more special conditions to cover cybersecurity in recent years, prompting them to formalize the rules in an effort to reduce the cost of certification. 

“These disconnects increase the certification complexity, cost, and time for both the applicant and regulator,” said acting Executive Director of the FAA’s Aircraft Certification Service Wesley Mooty, who added the proposal to the federal register. “This proposed rulemaking package codifies the substantive requirements of frequently-issued cybersecurity special conditions to address these issues.”

The FAA believes the rules will “protect the equipment, systems, and networks of transport category airplanes, engines, and propellers against intentional unauthorized electronic interactions (IUEI) that could create safety hazards.” 

Applicants would be required to identify cybersecurity deficiencies and develop instructions for how pilots would continue operating in the event of a cyber incident. 

“The substance of the proposed rules would generally reflect current practice (e.g., special conditions) that the FAA has used to address product cybersecurity since 2009,” Mooty said, arguing that the impact “would not be significant.”

The FAA is also hoping the rules reduce the amount of time necessary to certify new and changed products while also harmonizing their regulatory requirements with others used by civil aviation authorities in other countries. 

The proposal is being made in response to widespread changes in how airplanes are now being designed. The FAA and several experts have said airplanes, engines and propellers are now being increasingly connected to internal or external data networks and services — forcing regulators to consider the cybersecurity threat environment. 

The threats include the maintenance laptops used to check planes, the networks deployed by airports or airline gates, wireless aircraft sensors and sensor networks, cellular networks, connected devices, satellite communications, GPS and more. 

Attacks on these systems “have the potential to affect the airworthiness of the airplane.” TSA issued emergency regulations in 2023 for airports and aircraft operators that require them to have pre-approved implementation plans for increased security measures.

Mooty explained that recent reviews of FAA regulators found the current rules “inadequate and inappropriate to address the cybersecurity vulnerabilities caused by increased interconnectivity.”

Their efforts to further round out cybersecurity rules began with Boeing’s controversial 787 program, which they had to issue special conditions for in order to address “intentional unauthorized electronic interactions.”

The proposed rules require applicants to protect airplanes, engines, and propellers from IUEI, “identify and assess” the security risks posed by IUEI, and to “mitigate” those risks as necessary.

Assessments need to be done to analyze the likelihood of exploitation of certain vulnerabilities and applicants would need to install a single or multiple layers of protection to keep airplane controls safe. They warned of attacks that could corrupt data in crew displays and incidents affecting the kind of decisions pilots and crew have to make during emergencies. 

The FAA sought to limit the scope of the rules to vulnerabilities that would result in tangible effects on the safety and operation of the airplane. As an example, the new rules would not cover potential vulnerabilities that would affect airplane devices that process passenger credit cards. 

Cybersecurity expert Joseph Saunders told Recorded Future News that said the effort to move beyond special conditions is “long overdue” given the rise in communications and connected components on aircrafts. 

He noted that unlike loose bolts or faulty sensors, cyberattacks “carry the potential for a large-scale, remote sabotage attack that can instantly ground an entire fleet.” 

But Saunders, who is CEO of RunSafe Security, argued that the regulation does not go far enough in addressing and maintaining defenses to protect against unknown vulnerabilities. 

“We need both the capability to prevent future attacks against unknown vulnerabilities discovered after a manufacturer delivers instructions for continued airworthiness and a process for the manufacturer and operator to agree when to update the operators’ aircrafts to address future software vulnerabilities affecting airworthiness,” he added.

The European Air Traffic Management Computer Emergency Response Team (EATM-CERT) found the number of reported cyberattacks among airline industry organizations grew 530% from 2019 to 2020.