FAA Publishes Two Cybersecurity Special Condition Rules

Today the DOT’s Federal Aviation Administration (FAA) published two cybersecurity related special condition final rules in the Federal Register (83 FR 58739-58740, and 83 FR 58740-58742). Both rules are for Garmin International G5000 avionics systems in Textron Model 560XL aircraft. The FAA has crafted these rules due to the fact that the G5000 system allows internal and external connections “to previously isolated data networks, which are connected to systems that perform functions required for the safe operation of the airplane”.

Special Conditions

The first rule addresses internal (to the aircraft) access and provides the following additional safety certification requirement:

“The applicant must ensure that the design provides isolation from, or airplane electronic-system security protection against, access by unauthorized sources internal to the airplane. The design must prevent inadvertent and malicious changes to, and all adverse impacts upon, airplane equipment, systems, networks, or other assets required for safe flight and operations.”

The second rule addresses external (to the aircraft) access to the control system and provides the following two additional safety certification requirements:

“The applicant must ensure airplane electronic-system security protection from access by unauthorized sources external to the airplane, including those possibly caused by maintenance activity.

“The applicant must ensure that electronic-system security threats are identified and assessed, and that effective electronic-system security protection strategies are implemented to protect the airplane from all adverse impacts on safety, functionality, and continued airworthiness.”

Both rules also contain the following additional safety certification requirement:

“The applicant must establish appropriate procedures to allow the operator to ensure that continued airworthiness of the airplane is maintained, including all post-type-certification modifications that may have an impact on the approved electronic-system security safeguards.”

Public Comment

Both special conditions have an effective date of today. The FAA is soliciting public comments on both rules. Comments need to be submitted by January 7^th, 2019. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; docket #s, FAA-2018-0782 and FAA-2018-0781).

Commentary

These ‘special conditions’ are identical to those that the FAA has released in similar situations in the past (see here for example). The requirements are generic. What will be important (and largely outside of public view) will be the processes the FAA uses to verify the efficacy of the efforts that Garmin, Textron and aircraft owners exhibit during the certification process.

I continue to be disappointed that the FAA does not provide a generic requirement in these special condition notices requiring that the manufacturer and aircraft owners establish processes to accept, evaluate and notify the FAA of any reported vulnerabilities in the avionics systems or the cybersecurity processes employed to protect those systems. I would like to think that the FAA considers this lumped in with the “continued airworthiness” standard included in both special condition rules, but I suspect that this rather reflects a serious oversight on the part of the FAA.