US regulators are seeking to revise and simplify the framework for cybersecurity provision on aircraft, in order to harmonise with European certification standards and avoid continually having to issue special conditions.
This revision follows several years of work to address the need to protect against unlawful electronic interference as aircraft systems have evolved – notably since the development of the Boeing 787 – to feature increasing levels of data-exchange and interconnectivity.
Previously the US FAA has tackled the cybersecurity requirement by issuing special conditions – rules which apply to individual aircraft or engine designs to overcome safety concerns which are not covered by current airworthiness standards.
But it states that, as interconnectivity proliferates, the repeated issuance of such conditions could result in certification criteria for cybersecurity which are “neither standardised between projects nor harmonised between the FAA and other civil aviation authorities”.
“These disconnects increase the certification complexity, cost, and time for both the applicant and regulator,” it adds.
A working group for aircraft system information security drew up recommendations in 2016, outlining a regulatory framework with a single set of airworthiness standards for transport aircraft.
The FAA has used these recommendations as the basis for its proposed cybersecurity revision, which it published on 21 August.
It states that the proposal will “generally reflect current practice” – maintaining the aims previously achieved through special conditions – and claims that, as a result, the impact on applicants and operators “would not be significant”.
The intention, it says, is to reduce the costs and time needed to certify new products, as well as harmonise its requirements with those of other regulators – particularly the European Union Aviation Safety Agency which finalised its own similar guidance in 2020.
Under the FAA’s proposed revision, applicants would generally need to show that a design protects against unauthorised access from inside or outside the aircraft, and that it prevents malicious changes to – and adverse impact on – the aircraft’s equipment, systems and networks.
The regulations would require applicants to consider equipment and systems “separately and in relation to other systems”.
“This language reflects the concern [expressed by the working group] that cybersecurity threats can propagate from one system to another,” the FAA states.
Applicants would be expected to carry out risk-analysis methodology to identify all system and network vulnerabilities, it adds, and determine which require mitigation for safe operation.
It says the scope of the regulation is limited to protecting only against effects that could impact safety and airworthiness of the aircraft and its engines – not those relating to electromagnetic jamming or such matters as passenger data security.