Airplane Cyber Rules Get Timid Updates Amid Evolving Threats

Aug. 26, 2024, 9:04 AM UTC

For the first time in almost two decades, the Federal Aviation Administration is writing cybersecurity regulations for airplane makers to streamline standards currently compartmentalized within the industry—rules proposed as minor updates amid a fast-evolving threat landscape.

The proposed rules, unveiled on Aug. 21, seek to establish uniform design standards to address cybersecurity threats against airplanes, engines, and propeller systems. While the agency says the impact of the proposed changes on applications and operators “would not be significant,” Joseph Saunders, CEO and founder of RunSafe Security, pushed back on the rulemaking’s scope and questioned its ability to sharpen defenses in the face of more brazen cyber attacks that could “instantly ground an entire fleet.”

This initiative aligns with the Biden Administration’s broader effort to bolster critical infrastructure security, as outlined in the FAA Reauthorization Act of 2024. While in-flight cyber threats remain rare, a 2020 Government Accountability Office report highlighted risks to avionics systems and urged enhanced FAA oversight.

While real-world threats become clearer, the proposal may be too narrow to coax industry into adapting to those evolving threats. The FAA’s cautious approach may reflect an attempt to navigate its regulatory constraints following the Supreme Court’s Loper Bright decision, which limited the power of federal agencies to defend some rules in court.

“They are going to try and say that this is not a big change,” said Erik Dullea, Husch Blackwell partner focusing on cybersecurity and emerging technology legal challenges.

He added, “I don’t know to what extent the FAA’s comment in the proposed rule that this is not a significant change in practice is an attempt to step away from Loper Bright and questions on deference to agency authorities. And whether it’s a bit of a PR and a marketing aspect, or whether they are setting the stage for challenges to the requirements down the road.”

FAA’s Approach

Up until now, the FAA has issued “special conditions” for certain aircraft, engines, or propellers when existing regulations lack adequate safety standards for novel design features. These conditions mandate that designs protect vulnerable systems from unauthorized access.

The proposed update would codify the frequently issued cybersecurity requirements previously addressed through these special conditions.

The proposed rules would require new applicants of airworthiness certifications to “protect” transport category airplanes, engines, and propellers from intentional unauthorized electronic interactions (IUEI) by identifying, assessing, and then mitigating potential security risks “as necessary.”

“It’s focused on certifications for new aircraft. So in my mind, that is somewhat consistent with the national strategy of putting the burden, or the accountability for cybersecurity, onto the organizations that will be involved in the development of those products,” Dullea said.

For aircraft, engine, and propeller manufacturers, that means they would have to turn to their software developers to ensure that technology built into these different components has factored in security concepts before installation, he added.

The rules’ targeted scope is a divergence from other regulators’ approach to cyber requirements, said Michael Borgia, lead of Davis Wright Tremaine LLP’s information security group in the technology, communications, and privacy and security practice.

“That is actually fairly refreshing, because what we’ve seen from a number of regulators is this very broad, expansive approach to take on cybersecurity writ large, which is creating a lot of complication and has raised a lot of questions about the jurisdictional reach of these agencies, especially in light of some of the recent court decisions like Loper Bright,” Borgia said.

The agency’s focus on risk assessments as a foundation to its cyber rulemaking, however, is more closely aligned with other recent regulatory efforts.

“What is familiar here is the focus on risk assessments—that’s certainly been a common approach to cyber regulation, including by the TSA. And no doubt the FAA has thought about how the TSA has approached these issues, given that they have adjacent jurisdiction over different parts of the transportation industry,” Borgia said.

Clarifying—or Magnifying—Ambiguities

Some of the impetus behind the FAA’s rulemaking is to clarify and harmonize its requirements with the international regime—which means new compliance obligations shouldn’t feel so novel, said Anna Rudawski, cybersecurity and privacy partner at A&O Shearman.

“I don’t think it’s really going to change practice, but it’s going to sort of enshrine a baseline level of practice for these companies,” she said. “That’s sort of what I see with these regulations, not a sea change, but more of a harmonization.”

Moving away from the reliance on special conditions and toward a single, unified approach should help clarify the process to obtain airworthiness approval, said RunSafe Security’s Saunders.

“At the same time, that clarification then only magnifies where there are ambiguities,” Saunders added, especially in regard to instances where a software bug or vulnerability might be discovered after airworthiness is determined and the hand-off between manufacturer and operator has already occurred.

What such a long-term, ongoing collaboration will look like, especially with systems built to last decades, could prove difficult, Dullea said.

“Having requirements that are going to be specific enough to address the FAA concerns, but adaptable for the applicants for airworthiness certificates to improve the product for the future is going to be probably a technical challenge as well as a policy challenge,” he said.

The proposed rulemaking’s focus on interconnectedness of airplane systems also raised questions about the rulemaking’s scope. The rules state that systems and networks must be considered both separately and in relation to other systems in order to protect them from unauthorized access.

“That may be another practical challenge, is understanding entirely what systems are in scope or out of scope,” said Borgia. “If you’re a manufacturer of one of these pieces of equipment or systems, to what extent might you have to take into account interconnectivity with systems that you don’t manufacture?”

To contact the reporter on this story: Cassandre Coyer in Washington at ccoyer@bloombergindustry.com

To contact the editors responsible for this story: Kartikay Mehrotra at kmehrotra@bloombergindustry.com; Cheryl Saenz at csaenz@bloombergindustry.com
