FAA to issue cyber rule for newly built airplanes and equipment
The Federal Aviation Administration this week will formally propose cybersecurity mandates for future manufactured aircraft and equipment like engines and propellers, according to a post in the Federal Register.
The proposed rulemaking set to be published Wednesday will add new cybersecurity requirements to the “airworthiness” of a newly built plane. The Biden administration has made cyber mandates for critical infrastructure sectors a priority through the national cybersecurity strategy, which served as an acknowledgment that relying on voluntary measures did not lead to increased security.
The new proposal is aimed at standardizing “the FAA’s criteria for addressing cybersecurity threats, reducing certification costs and time while maintaining the same level of safety,” according to the document. The FAA said the rules are in line with current cyber standards.
Specifically, the new rules take aim at the “equipment, systems, and networks of transport category airplanes, engines, and propellers” that require connected, digital components that can be hacked. The FAA warned that industry trends of increasing connectivity could introduce vulnerabilities to airplanes from new sources, such as maintenance laptops or airline gate link networks.
The proposal is also aimed at “harmonizing” existing regulations in an effort to reduce costs and the time needed to approve new or changed equipment. Cyber regulatory harmonization, which aims to dial down the red tape of certain critical infrastructure sectors, is one of the White House’s policy proposals widely embraced by industry. Harmonization could reduce costs for organizations that operate in more than one sector.
The FAA said the existing rules “are neither standardized between projects nor harmonized” between varying authorities.
The agency said any new designs should take into account and mitigate cyber threats. The proposal, however, does not apply to physical electronic attacks like signal jamming, which has been an increasing issue in areas close to war zones. Existing planes and equipment also do not have to follow the proposed rule.
The FAA said in an emailed statement that the agency has “a comprehensive approach to protect the National Airspace System from cybersecurity threats. The agency works closely with intelligence and security experts throughout the federal government to identify and mitigate potential risks to our systems, as well as those of our partners in the private sector.”
Public comments are due 60 days after official publication in the Federal Register.
This story was updated Aug. 20, 2024, with comments from the FAA.