US Proposes New Cyber Security Standards For Aviation

The cyber security problem in aviation is that aircraft engines are increasingly designed to be connected to both internal and external data networks and this could make them vulnerable to cyber threats. 

Now, the US Federal Aviation Administration (FAA) has recently unveiled a proposal for new rules governing the cyber security of aircraft and equipment.

The FAA says that the new regulations are being introduced as aviation equipment has become more connected to internal and external data networks, including satellite communications and Internet-connected devices.

The new rules would require new applicants for airworthiness certification to “protect” transport category airplanes, engines, and propellers from intentional unauthorised electronic interactions (IUEI) by identifying, assessing, and then mitigating potential security risks “as necessary.”

The goal of the effort is to standardise what the FAA calls “special conditions”, effectively making permanent temporary regulations previously issued on a case-by-case basis. 

The FAA has had to issue more and more special conditions to cover cyber security in recent years, prompting it to formalise the rules in an effort to reduce the cost of certification. Applicants would be required to identify cyber security deficiencies and develop instructions for how pilots would continue operating in the event of a cyber incident. The FAA is also hoping the rules reduce the amount of time necessary to certify new and changed products while also harmonising its regulatory requirements with those used by civil aviation authorities in other countries.

The proposal is being made in response to widespread changes in how airplanes are now being designed. The FAA and several experts have said airplanes, engines and propellers are now being increasingly connected to internal or external data networks and services, forcing regulators to consider the cybersecurity threat environment.

The threats include the maintenance laptops used to check planes, the networks deployed by airports or airline gates, wireless aircraft sensors and sensor networks, cellular networks, connected devices, satellite communications, GPS and more.

The FAA's efforts to standardise mandatory cyber security rules began with Boeing’s controversial 787 program, for which it had to issue special conditions in order to address “intentional unauthorised electronic interactions.” The new rules require applicants to protect airplanes, engines, and propellers from IUEI, to “identify and assess” the security risks posed by IUEI, and to “mitigate” those risks as necessary.

  • Assessments need to be done to analyse the likelihood of exploitation of certain vulnerabilities and applicants would need to install a single or multiple layers of protection to keep airplane controls safe.
  • Risks include attacks that could corrupt data in crew displays and incidents affecting the kind of decisions pilots and crew have to make during emergencies.  

The FAA wants to limit the scope of the rules to vulnerabilities that would result in tangible effects on the safety and operation of the airplane. For example, the new rules would not cover potential vulnerabilities that would affect airplane devices that process passenger credit cards.  

The European Air Traffic Management Computer Emergency Response Team (EATM-CERT) has found that the number of reported cyber attacks amongst airline industry organisations grew fivefold between 2019 and 2020.

The growing concerns over cybersecurity are not limited to aircraft in flight, but include ground installations too. In 2023 Britain's air traffic control system suffered a severe disruption resulting in long delays, with no clear explanation.

FAA   |   FAA   |   The Record   |    Tenable  |   NextGov   |    Flying   |   Infosecurity-magazine

Image: Alexander Mils
