Are the New FAA Cyber Requirements for Future Planes Enough?
Federal Aviation Administration Seeks Public Input on New Cyber Rules for Airplanes
Airplanes are no different than ground transport counterparts: They're increasingly moveable computers loaded with controllers connected by internal networks leading to digital screens.
A regulatory step the U.S. Federal Aviation Administration took Wednesday would make cybersecurity a component of certification for airworthiness, but the agency and experts both say that little about the substance of airliner cybersecurity will change as a result.
A proposed rule would elevate cybersecurity soundness into a formal element for determining whether an aircraft is fit to fly.
The new regulation "is a great step" but "does not go far enough" in protecting against unknown vulnerabilities, said Joseph Saunders, CEO and founder of the security firm RunSafe Security. Saunders said the cybersecurity requirements currently lack a process for the manufacturer and operator to jointly decide when to update aircraft to address future software vulnerabilities affecting airworthiness.
"Unlike loose bolts or faulty sensors, cyber exploits carry the potential for a large-scale, remote sabotage attack that can instantly ground an entire fleet," he said.
The FAA said it doesn't intend to change the "same substantive requirements" it first started enforcing in 2009. Hacking an airplane - the actual avionics that flight crews use to keep airplanes safely in the air - is no easy feat.
A researcher in 2015 claimed to have briefly seized control of a United flight through the onboard entertainment system - although whether he really did isn't clear. A 2019 paper from a Rapid7 researcher says that a hacker with physical access to an airplane's wiring could attach a device that would display incorrect telemetry data such as engine status, altitude and airspeed. "A pilot relying on these instrument readings would not be able to tell the difference between false data and legitimate readings, so this could result in an emergency landing or a catastrophic loss of control of an affected aircraft," the researcher wrote.
The Government Accountability Office has long called on the FAA to strengthen cybersecurity oversight for airplanes, warning in 2020 that "evolving cyber threats and increasing connectivity between airplanes and other systems could put future flight safety at risk if the FAA doesn't prioritize oversight."
The FAA said in a notice published to the Federal Register that the proposed rules aim to standardize its criteria for addressing cybersecurity threats "while maintaining the same level of safety provided by current special conditions." Key stakeholders have until Oct. 21 to provide public comment on the new rules.