The FAA is proposing changes to improve cybersecurity standards for aircraft, aircraft engines and propellers! But why are they necessary?
Aircraft avionics have been getting more advanced for some time now. This equipment is very helpful in presenting information to pilots and in allowing engineers to access and diagnose aircraft systems quickly.
But with new innovations comes greater interconnectivity between various devices. And with that, there is the potential for cybersecurity threats, or what the FAA and others in the industry call Intentional Unauthorized Electronic Interaction or IUEI. The definition for that is:
circumstance or event with the potential to affect the aircraft due to human action resulting from unauthorized access, use, disclosure, denial, disruption, modification, or destruction of information and/or aircraft system interfaces. Note that this includes malware and the effects of external systems, but does not include physical attacks such as electromagnetic jamming.
Today, pilots can use Electronic Flight Bags (EFBs) which are basically tablets containing checklists, performance calculation programs, maps and possibly other company-specific software. In many cases, these devices don’t communicate directly with aircraft systems.
FAA – Newer Designs Bring New Cybersecurity Challenges
However, newer aircraft often allow, for example, a pilot to transfer a flight plan from an iPad to the aircraft’s flight management computer. Similarly, airline engineers can connect to aircraft systems with tablets or laptops using either hard-wired or wireless connections. USBs or memory cards are often used to update system software, too.
The FAA now wants to make changes to regulations that will address cybersecurity vulnerabilities from these and other sources. The complete list includes sources like:
- Field Loadable Software;
- Maintenance laptops;
- Airport or airline gate link networks;
- Public networks, e.g. Internet;
- Wireless aircraft sensors and sensor networks;
- Cellular networks;
- Universal Serial Bus (USB) devices; Satellite communications;
- Portable electronic devices and portable electronic flight bags (EFBs); and
- GPS and satellite-based augmentation system digital data.
The FAA already has airworthiness regulations that address cybersecurity threats in aircraft. However, the agency now believes that existing regulations aren’t adequately addressing the ways that newer aircraft and systems communicate.
Fortunately, a lot of such systems in new aircraft remain secure. That’s because the FAA and other regulators worldwide have been issuing special conditions for certification that address newer cybersecurity threats.
The new regulations should standardize these special conditions, which should ease the certification of aircraft and aircraft components. The FAA will accept comments on regulations to address IUEI until October 21st this year.