Early End-to-End Cybersecurity Testing Urged for Commercial/Business Aircraft
IFA Comment: One of IFA’s priority issues.
As wireless next-generation communications systems become the standard for commercial and business aviation, early end-to-end cybersecurity testing may become more normalized, as aircraft OEMs and owners seek to prevent the backdoor vulnerabilities of connected aircraft, including the introduction of malicious code and the hacking of aircraft communication data links.
The European Union Aviation Safety Agency (EASA) and the Federal Aviation Administration (FAA) now consider cybersecurity a sine qua non [essential] for commercial aircraft.
For the FAA, cybersecurity became an area of interest in 2004 with the launch of the Boeing 787 Dreamliner.
“Since we didn’t have any rules concerning malicious intent, we decided that we could do it under special conditions,” Varun Khanna, the FAA cybersecurity subject matter expert for large transports and the designated federal official/government authorized representative (DFO/GAR) for the RTCA SC-216 Aeronautical Systems Security Committee, said during an Apr. 22 webinar hosted by RTCA.
“We created two special conditions during that process, which were completed around 2007-2008, about the time RTCA launched the SC-216 activity, as well as [the European Organization for Civil Aviation Equipment—EUROCAE] WG-72 [committee],” he said. “These two committees ran concurrently. It was a sincere desire from both sides to make sure that all the guidance that came out of these two committees was harmonized and acceptable to both sides of the pond, including some other regulators.”
In concurrence with the broad cybersecurity rule effort instituted in 2019 by EASA, the FAA is now looking to devise a 12-rule package for Part 25 large transport aircraft, Part 33 engines, and Part 35 propellers.
The FAA has finished a first draft of the Part 25 rule, which “will essentially mimic the rule EASA has put out,” with a final rule likely by the end of next year or early 2023, Khanna said.
The agency’s cybersecurity rulemaking has had delays, as the “last four years were not conducive to rulemaking,” Khanna said. The former Trump administration had mandated the removal of two regulations for every new one that went on the books.
Cyrille Rosay, EASA’s senior expert on cybersecurity in aviation and the chair of the WG-72 committee and the European Cybersecurity Standards Coordination Group (ECSCG), said EASA “plans to rely as much as possible on industry standards” for cybersecurity regulation, including the new rule that went into effect for large aircraft and general aviation on Jan. 1.
Financed by the European Commission, ECSCG is “intended to prevent the duplication of standards so that we don’t spend too much time developing things that already exist,” Rosay said.