The Federal Aviation Administration (FAA) has introduced new cybersecurity regulations for newly built aircraft to protect aircraft manufacturers against potential cyber threats.
The new Notice of Proposed Rulemaking (NPRN) was proposed by the FAA on August 21, 2024, and aims to revise existing regulations as well as adding new ones. The FAA’s goal is to simplify and speed up the new aircraft certification process while “maintaining the same level of safety” provided by current conditions.
The proposed new regulations are designed to protect the equipment, systems, and networks of airplanes, engines, and propellers against intentionally unauthorized electronic interactions (IUEI) or so-called cyber threats.
The FAA said the intended effect of the action is to “reduce the costs and time necessary to certify new and changed products and harmonize FAA regulatory requirements with other civil aviation authorities”.
Under the proposed regulations, multi-engine aircraft with more than 19 passenger seats or a maximum takeoff weight over 19,000 pounds (about 8618.25 kilograms) will be required to conduct a cybersecurity risk evaluation.
The FAA said it would expect such analysis “to assess the severity of the effect of threat conditions on associated assets (system, architecture, etc.), consistent with the means of compliance the applicant has been using to meet the FAA’s special conditions on this topic.”
The proposed regulation would then require each applicant to “mitigate” the vulnerabilities. The agency said it expected such mitigation “would occur through the applicant’s installation of single or multilayered protection mechanisms.” Also, each manufacturer would have to include the procedures in its instructions to maintain such protections.
According to the FAA, to address security risks, manufacturers must protect against unauthorized access from inside or outside the aircraft and prevent malicious modification of aircraft equipment, systems, and networks.
Additionally, the FAA has put forward new regulations to improve the safety of any engine and propeller systems installed in airplanes, equipment, and networks that are susceptible to IUEI.
Currently, an aircraft must meet airworthiness standards to obtain a US type certificate as well as have the certification validated by foreign authorities.