September 22, 2016
U.S. aviation authorities on Thursday took the strongest formal action yet to combat potential cyberthreats to planes in the air as well as on the ground.
The Federal Aviation Administration’s top technical advisory group adopted language seeking to ensure that cybersecurity protections will be incorporated into all future industrywide standards—affecting everything from aircraft design to flight operations to maintenance practices.
The move by RTCA Inc.’s program-management committee at a meeting here stops short of mandating detailed engineering requirements or safeguards. Those are reserved for FAA-created committees of experts focused on drafting specific standards for individual industry segments.
But by officially elevating cyber issues to such a high priority for the first time, the decision means manufacturers, carriers, maintenance facilities and even airports eventually will be obligated to include cybersecurity factors in routine activities.
The RTCA committee, among other things, called on manufacturers to rely on “a layered approach to aircraft security risk mitigation,” spanning both software and hardware. That includes consideration of how vulnerabilities “could propagate to existing downstream systems.”
The move is “undoubtedly very important,” according to veteran RTCA committee member George Ligler, because such language goes substantially beyond previous generic cyber-protection guidance. “At a high level,” he added, “it makes sure appropriate considerations will be given” to cyber vulnerabilities across the board. From now on, he noted, “this will apply to everything we do.”
The guidelines apply to all aviation standards that ultimately end up as regulations, advisories or guidance documents adopted by the FAA.
Mr. Ligler’s panel piggybacked on more than a year of work by a separate international working group of industry and government officials assembled by the FAA. That earlier panel, among other things, recommended that all airplane systems must be protected from potential hackers or other unauthorized intrusions.
And the FAA ought to formulate new airworthiness regulations, according to the international advisory panel, requiring that such security risks “have been identified, assessed and mitigated as necessary.”