The FAA has proposed updating airworthiness standards for transport category aircraft, engines, and propellers to guard against potential cybersecurity threats. Applying to FAR Parts 25, 33, and 35, the proposal released yesterday would outline requirements for type certification and continued airworthiness to protect equipment, systems, and networks against “intentional unauthorized electronic interactions” (IUEI) that could compromise safety.
Under the proposal, manufacturers or others seeking certification would be required to identify, assess, and mitigate potential hazards and develop instructions for continued airworthiness to protect the aircraft and its components while in service.
According to the FAA, much of the proposal reflects currently required practices. Only most of those requirements were established through special conditions. “Thus, the impact on applicants and operators [of the proposal] would not be significant,” the agency said. “The intended effect of this action is to reduce the costs and time necessary to certify new and changed products and harmonize FAA regulatory requirements with the regulations that other civil aviation authorities are using to address cybersecurity vulnerability.”
These regulations are increasingly necessary, the FAA added, because newer aircraft have designs with much more system integration and connectivity, including to outside sources such as field loadable software, maintenance laptops, airport gate link networks, USB devices, portable electronic flight bags, and GPS, cellular, and satellite communications. “Regulators and industry must constantly monitor the cybersecurity threat environment in order to identify and mitigate new threat sources.”
As far as addressing cybersecurity risks, the FAA noted, this began with the Boeing 787. “Since then, the FAA has issued special conditions to address IUEI in every new transport-category airplane certification project and relevant design change,” the agency said.
These conditions have required applicants to show that their designs provide for isolation from or protection against unauthorized access; show that the designs prevent inadvertent and malicious changes; and establish procedures to maintain cybersecurity protections.
But the FAA determined that addressing these concerns would be better through a single rule rather than a series of special exemptions and ultimately tasked the aviation rulemaking advisory committee (ARAC) to develop recommendations. The ARAC’s aircraft systems information security/protection working group—co-chaired by the General Aviation Manufacturers Association (GAMA)—submitted recommendations, including those for harmonization with international regulations, in August 2016.
Since then, EASA has developed its own requirements, and the U.S. Congress has weighed in, directing the FAA to develop rules. The FAA said the proposal implements the ARAC recommendations, as well as harmonizes with the corresponding EASA standards. Importantly, it will reduce the need for special conditions, which can delay or add to the cost of certification programs.
“We are pleased that the FAA got this NRPM out of the building and adopted the recommendations provided by the ARAC in 2016,” said Jens Hennig, v-p of operations for GAMA. “The rulemaking moving forward is important for several reasons, including shifting from the current process of issuing special conditions for connected systems on transport category airplanes—which is cumbersome and takes agency and industry resources—but also to close out a regulatory difference between US and EU, which has caused validation challenges.”
This is part of a series of actions that the FAA has been taking surrounding cybersecurity. Hennig explained that Part 23 has previously addressed cybersecurity and pointed out that the FAA also recently issued a policy statement for Parts 27 and 29, covering helicopters.
Comments on the proposal issued yesterday are due October 21, while those on the policy statement for helicopters are due September 2.