WASHINGTON - The Federal Aviation Administration (FAA) announced that the agency is looking to standardize cyber security requirements along with harmonizing those standards with existing requirements as part of its airworthiness certification process.
The FAA outlined the agency's reasoning and goals and noted that it is seeking comments from the public. The document, available here, states that comments are due by 21 October 2024. Comments on the proposed rule can be made here.
The proposed changes would introduce type certification and ongoing airworthiness requirements to safeguard transport category airplanes, engines, and propellers from intentional unauthorized electronic interactions (IUEI) that could pose safety risks. Applicants for design approval would need to mitigate these hazards and develop Instructions for Continued Airworthiness (ICA) to maintain protections throughout the product's service life.
The trends in airplane design involve a growing integration of systems between airplanes, engines, and propellers, along with increased connectivity to both internal and external data networks and services. As a result, regulators and the industry must continuously monitor the cybersecurity landscape to identify and address emerging threats.
One potential vulnerability comes from field loadable software, which can be used to update or modify onboard systems but may also open the door to unauthorized access. Maintenance laptops, often connected to aircraft systems for diagnostics and repairs, represent another point of entry for cyber threats.
Additionally, airport or airline gate link networks, used for communications between the aircraft and ground systems, can introduce risks, particularly if they are not properly secured. Public networks, such as the internet, also pose a threat, as increased connectivity could allow external attackers to exploit security gaps.
Wireless aircraft sensors and sensor networks, designed to enhance data collection and system performance, may also create vulnerabilities if they are not adequately protected. Similarly, cellular networks, often used for communication and data transmission, can be a target for cyber attacks if they are not properly managed.
Universal Serial Bus (USB) devices, commonly used to transfer data or install updates, are another potential entry point for malicious software. Satellite communications, which provide critical links for navigation and communication, can also be susceptible to cybersecurity threats.
Portable electronic devices and portable electronic flight bags (EFBs), used by pilots and crew for operational tasks, add another layer of risk due to their connectivity and reliance on digital systems. Lastly, GPS and satellite-based augmentation system digital data can be vulnerable to spoofing or other cyber attacks that could disrupt operations.
