Yesterday DOT’s Federal Aviation Administration published an airworthiness criteria in the Federal Register (87 FR 56743-56749) for Special Class Airworthiness Criteria for the MissionGO MGV100 Unmanned Aircraft. While these specific requirements only apply to the listed UAS, they do reflect how the FAA currently views the airworthiness criteria for commercial UAS. The criteria address cybersecurity issues.
Public Comment
The FAA is soliciting public comments on this airworthiness criteria. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; docket #FAA-2022-0353). Comments should be submitted by October 17th, 2022.
Commentary
It looks to me that there are two shortcomings in the cybersecurity requirements in this airworthiness criteria. First, both the software and cybersecurity sections of the document address issues and concerns with the software (presumably including firmware) in the aircraft, there is no mention of the software in the AE (allied equipment), or as it is more commonly called, the flight controller. Remote access vulnerabilities in the flight controller could have just as serious a set of consequences for flight safety as vulnerabilities in the aircraft.
Second, in keeping with the intent of EO 14078, D&R110 should include a requirement to track vulnerabilities in third-party components of the UAS and allied equipment software. I would have said ‘publish and maintain a software bill of materials’, but the FAA is trying to specify outcomes not processes.
For more details about the requirements of the airworthiness
criteria, including the cybersecurity provisions, see my article at CFSN
Detailed Analysis - https://patrickcoyle.substack.com/p/faa-publishes-special-class-airworthiness
- subscription required.
No comments:
Post a Comment