Airbus A321 cabin. Photo: Airbus
Two U.S. lawmakers have reintroduced legislation that would require the disclosure of information relating to cyberattacks on aircraft systems and maintenance and ground support systems for aircraft. Under the proposed legislation, airlines and original equipment manufacturers would be required to disclose to the FAA any attempted or successful cyberattack on any system onboard an aircraft.
U.S. Senators Edward Markey and Richard Blumenthal Wednesday announced the reintroduction of the Cybersecurity Standards for Aircraft to Improve Resilience Act of 2017 (Cyber Air Act). Markey first introduced legislation aimed at improving aircraft cyber security protection in April 2016, following a survey of U.S. airline CEOs, Airbus and Boeing in 2015 to discover standard cybersecurity protocols used by the aviation industry.
If signed into law, the bill would require the U.S. Transportation Dept. to work with the U.S. departments of Defense and Homeland Security, the Federal Communications Commission (FCC) and the director of national intelligence to incorporate requirements relating to cybersecurity into the requirements for obtaining an air carrier operating certificate or a production certificate.
There would also be new requirements for all “entry points” to the electronic systems of aircraft operating in the U.S. to be equipped with new methods for protection against cyber attacks. This would include the use of isolation measures to separate critical software systems from noncritical software systems.
Awareness of the possible threats from introducing more Internet Protocol onto aircraft has increased, especially among regulatory agencies, lawmakers, airline passengers and mainstream media outlets in recent years, after a professional hacker, Chris Roberts, claimed that he was able to use a cabin-based in-flight entertainment system to control a Boeing 777 engine in flight.
While manufacturers of internet-facing aircraft systems already heavily test their technology for cybersecurity risks before integrating them into aircraft technology architectures, Markey has been seeking to increase the FAA’s ability to regulate cyber security protocols across the various segments of the commercial aviation community.
The FAA has also taken steps to improve its regulation of aircraft-related cybersecurity protection mechanisms in recent years, including assigning the agency’s Aviation Rulemaking Advisory Committee with the task of providing new cybersecurity recommendations. In November, the committee submitted recommendations, which were not publicly released. However, Markey and Blumenthal summarized the recommendations in a letter to the FAA after they were submitted.
That summary said the recommendations included mandating periodic evaluation, testing and updating of cybersecurity protections, and requiring aircraft to separate critical flight control systems from noncritical software systems such as in-flight entertainment technology. Aircraft designs already feature this type of separation by separating their data transmission systems into three separate domains, including the aircraft control domain used by pilots for communicating with air traffic control, airlines operations center (AOC) and gaining access to weather updates and noncritical AOC messages.
The second domain is the aircraft information services domain primarily used for flight operations and maintenance to gain access to aircraft maintenance data and softwawre updates.
The third domain is the passenger services one used in the cabin for in-flight entertainment. However, it appears the lawmakers want to ensure the FAA stipulates this as a regulation for new airframe designs.
The letter also noted a recommendation for the FAA to establish a process for information sharing about cybersecurity threats, attacks and protections among airlines, aircraft original equipment manufacturers and government agencies.
At this point, the Cyber Air Act has simply been reintroduced. Moving forward, it will be referred to a committee for consideration. There has yet to be a discernible timeline for this motion.