
FAA foresees time and cost savings with cybersecurity rule proposal

The FAA estimates saving $783,000 over 10 years.

Francis Scialabba


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

The Federal Aviation Administration says it can save time and money by standardizing aviation cybersecurity requirements and rethinking “special condition” approvals, which the agency issues when airworthiness regulations don’t adequately address a designer’s proposed, perhaps unusual feature—say, an airplane with folding wingtips.

That special process “involves engineers, technical writers, and managers” to make project-specific recommendations (for instance, “a means must be provided to prevent airplane takeoff if a wingtip is not properly positioned” if we’re talking about those folding wingtips).

According to the aviation administration’s August 21 rule-change proposal, the exercise costs an average of $13,498 and 170 hours of time per special condition.

The agency estimated that its proposal—reducing project-specific “special” requests related to cybersecurity—would lead to about $783,366 in savings over the span of 10 years.

The FAA also said it went through 68 special conditions for cybersecurity from 2013 through 2022.

Special order, don’t upset us. A “special condition” is “a rule that applies to a particular aircraft, aircraft engine, or propeller design” when existing safety standards aren’t adequate “to address a proposed novel or unusual design feature.”

One example: Avionics International, in October 2021, reported on one company’s efforts to develop electric engines, which required special conditions “that the Administrator considers necessary to establish a level of safety equivalent to that established by the existing airworthiness standards.”

The FAA said it has issued special conditions starting with the Boeing 787 program (which began testing in August 2010) to address the cybersecurity vulnerabilities related to intentional unauthorized electronic interactions, or IUEI.

Today’s planes are increasingly connected to “internal or external data networks and services,” the FAA noted. That means vulnerabilities can come from sources like airport link networks, maintenance laptops, and wireless aircraft sensors.

The “proposed rule-making package codifies the…requirements of frequently issued cybersecurity special conditions”: Applicants would be required to identify, assess, and mitigate the security risks posed by IUEI, demonstrating protections against unauthorized access and preventing malicious changes.

In a one-question 2024 survey from the Aviation ISAC, industry CISOs responded to the prompt: “What are the three to five things you’ve committed to getting done in 2024 to reduce cyber risk?”

Top priorities the survey identified:

  • Identity management (including network segmentation and access permissions)
  • Supply-chain risk management (one example: a risk-assessment process to identify third-party component vendors)
  • Governance (how to meet legal and regulatory requirements regarding cybersecurity and privacy)

The FAA hopes to lend a hand with some of that governance. In its proposal, it said:

“The intended effect of this action is to reduce the costs and time necessary to certify new and changed products and harmonize FAA regulatory requirements with the regulations that other civil aviation authorities are using to address cybersecurity vulnerability.”

Comments regarding the rule changes can be sent electronically to regulations.gov for 60 days following August 21.
