Proposed Rule

Equipment, Systems, and Network Information Security Protection

In Plain English

What is this Federal Register notice?

This is a proposed rule published in the Federal Register by the Transportation Department, Federal Aviation Administration. Proposed rules invite public comment before becoming final, legally binding regulations.

Is this rule final?

No. This is a proposed rule. It has not yet been finalized and is subject to revision based on public comments.

Document Details

Document Number: 2024-17916
Type: Proposed Rule
Published: Aug 21, 2024
Effective Date: -
RIN: 2120-AL94
Docket ID: Docket No.: FAA-2024-1398
Full Document Text

DEPARTMENT OF TRANSPORTATION

Federal Aviation Administration

14 CFR Parts 25, 33, and 35

[Docket No.: FAA-2024-1398; Notice No. 24-23]

RIN 2120-AL94

Equipment, Systems, and Network Information Security Protection

AGENCY: Federal Aviation Administration (FAA), Department of Transportation (DOT).

ACTION: Notice of proposed rulemaking.

SUMMARY: This proposed rulemaking would impose new design standards to address cybersecurity threats for transport category airplanes, engines, and propellers. The intended effect of this proposed action is to standardize the FAA's criteria for addressing cybersecurity threats, reducing certification costs and time while maintaining the same level of safety provided by current special conditions.

DATES: Send comments on or before October 21, 2024.

ADDRESSES: Send comments identified by docket number FAA-2024-1398 using any of the following methods:

• Federal eRulemaking Portal: Go to www.regulations.gov and follow the online instructions for sending your comments electronically.
• Mail: Send comments to Docket Operations, M-30; U.S. Department of Transportation, 1200 New Jersey Avenue SE, Room W12-140, West Building Ground Floor, Washington, DC 20590-0001.
• Hand Delivery or Courier: Take comments to Docket Operations in Room W12-140 of the West Building Ground Floor at 1200 New Jersey Avenue SE, Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays.
• Fax: Fax comments to Docket Operations at (202) 493-2251.

Privacy: In accordance with 5 U.S.C. 553(c), DOT solicits comments from the public to better inform its rulemaking process.
DOT posts these comments, without edit, including any personal information the commenter provides, to www.regulations.gov, as described in the system of records notice (DOT/ALL-14 FDMS), which can be reviewed at www.dot.gov/privacy.

Docket: Background documents or comments received may be read at www.regulations.gov at any time. Follow the online instructions for accessing the docket or go to the Docket Operations in Room W12-140 of the West Building Ground Floor at 1200 New Jersey Avenue SE, Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays.

FOR FURTHER INFORMATION CONTACT: For technical questions concerning this action, contact Varun Khanna, AIR-626D, Policy and Standards Division, Aircraft Certification Service, Federal Aviation Administration, 2200 South 216th Street, Des Moines, WA 98198; telephone (206) 231 3159; email varun.khanna@faa.gov.

SUPPLEMENTARY INFORMATION:

I. Executive Summary

A. Overview of Proposed Rule

The FAA proposes to add new regulations to and revise certain existing regulations in title 14, Code of Federal Regulations (14 CFR) part 25 (Airworthiness Standards: Transport Category Airplanes), part 33 (Airworthiness Standards: Aircraft Engines), and part 35 (Airworthiness Standards: Propellers). These changes would introduce type certification and continued airworthiness requirements to protect the equipment, systems, and networks of transport category airplanes, engines, and propellers against intentional unauthorized electronic interactions (IUEI) [1] that could create safety hazards. Design approval applicants would be required to identify, assess, and mitigate such hazards, and develop Instructions for Continued Airworthiness (ICA) that would ensure such protections continue in service.
Proposed changes to parts 25, 33, and 35 would mandate such protection and apply to applicants for design approval of transport category airplanes, engines, and propellers. The changes would also affect future operators of these products through the application of the ICA.

[1] RTCA Glossary page 24: Intentional Unauthorized Electronic Interaction (IUEI) is defined, for purposes of this rulemaking, as “[a] circumstance or event with the potential to affect the aircraft due to human action resulting from unauthorized access, use, disclosure, denial, disruption, modification, or destruction of information and/or aircraft system interfaces. Note that this includes malware and the effects of external systems, but does not include physical attacks such as electromagnetic jamming.”

The substance of the proposed rules would generally reflect current practice (e.g., special conditions) that the FAA has used to address product cybersecurity since 2009. Under the proposed regulations, the FAA would continue to apply the same substantive requirements established by current special conditions via the same methods of compliance to new applicable certification projects; thus, the impact on applicants and operators would not be significant. The intended effect of this action is to reduce the costs and time necessary to certify new and changed products and harmonize FAA regulatory requirements with the regulations that other civil aviation authorities are using to address cybersecurity vulnerability, while maintaining the level of safety provided by current Aircraft System Information Security/Protection (ASISP) special conditions.

B. Background

The current trend in airplane design includes an increasing level of integration of airplane, engine, and propeller systems with increased connectivity to internal or external data networks and services.
Regulators and industry must constantly monitor the cybersecurity threat environment in order to identify and mitigate new threat sources. These designs can introduce or allow cybersecurity vulnerabilities from sources such as:

• Field Loadable Software;
• Maintenance laptops;
• Airport or airline gate link networks;
• Public networks, e.g., internet;
• Wireless aircraft sensors and sensor networks;
• Cellular networks;
• Universal Serial Bus (USB) devices;
• Satellite communications;
• Portable electronic devices and portable electronic flight bags (EFBs); and
• GPS and satellite-based augmentation system digital data.

The FAA has found its airworthiness regulations, including §§ 25.1301, 25.1309, 25.1319, 25.1529, 33.28, and 35.23, inadequate and inappropriate to address the cybersecurity vulnerabilities caused by increased interconnectivity. Beginning with the Boeing 787 program, the FAA has been addressing the need to protect aircraft systems from the threat of IUEI. Since then, the FAA has issued special conditions to address IUEI in every new transport category airplane certification project and relevant design change. A special condition is a rule that applies to a particular aircraft, aircraft engine, or propeller design. The FAA issues special conditions when the agency's airworthiness regulations do not contain adequate or appropriate safety standards to address a proposed novel or unusual design feature. The FAA provides the public with an opportunity to comment on proposed special conditions. [2]

[2] 14 CFR 21.16.

Each set of special conditions addresses a project-specific novel or unusual feature of the applicant's proposed design. The FAA's special conditions addressing cybersecurity on transport category airplanes have generally required applicants' proposed designs to accomplish three things. Applicants have been required to:

1. Show that their proposed airplane designs either provide isolation from or protection against internal or external unauthorized access.
2. Show that their designs prevent inadvertent changes, malicious changes, and all adverse impacts to the airplane equipment, systems, and networks necessary for safe operation.
3. Establish procedures to ensure that they maintain such cybersecurity protections.

e.g., 88 FR 46953 (July 21, 2023) and 89 FR 3333 (January 18, 2024).

Applicants have met the first two criteria using the method of compliance (MoC) part of the cybersecurity special condition issue papers. Special conditions are issued if the existing applicable airworthiness standards do not contain adequate or appropriate safety standards for an aircraft, aircraft engine, or propeller because of novel or unusual design features of the product to be type certificated. Issue papers provide a structured means for describing and tracking the resolution of significant technical, regulatory, and administrative issues that occur during a project. The early cybersecurity MoC followed the positions listed in those issue papers: the applicants created a certification plan meeting those positions, then the FAA approved that certification plan. After RTCA, Inc. published its guidance (Document (DO)-326, DO-355, and DO-356), industry wanted to use them as a MoC.

After it became evident to the FAA that this new level of system interconnectivity would most appropriately be addressed through a single set of objective airworthiness standards, on December 18, 2014, the Aviation Rulemaking Advisory Committee (ARAC) accepted a task from the FAA to provide recommendations regarding ASISP [4] rulemaking, policy, and guidance on best practices for aircraft systems and parts, including both certification and continued airworthiness. ASISP refers to the protection of aircraft from electronic threats from IUEI.
The ARAC created the ASISP Working Group comprised of a wide range of domestic and i

Preview showing 10k of 57k characters. Full document text is stored and available for version comparison.