Cybersecurity Takes Step Forward
The FAA released a long-awaited rulemaking as it attempts to catch up with its European counterpart.

In the past couple of decades, cybersecurity protecting aircraft and their systems has increasingly captured the attention of government leaders and stakeholders worldwide as global communications evolve, along with potential vulnerabilities. Those activities have intensified more recently, including the long-awaited release of a notice of proposed rulemaking [NPRM] that came out last year along with updated standards, congressional directives, and even a White House memorandum.

“It’s been a really busy year from a regulatory policy and technical perspective in the cybersecurity land,” said Jens Hennig, v-p of operations for the General Aviation Manufacturers Association.

Many of these efforts are the culmination of work that began in the 2000s. Before 2007, FAA regulations and safety guidance did not specifically address key airborne network and data security concerns, as global communications were still maturing. Instead, the FAA began issuing special conditions for new and updated aircraft and their systems to ensure that they provided adequate cybersecurity protections.

These conditions have required applicants to show that their designs provide for isolation from or protection against unauthorized access; show that the designs prevent inadvertent and malicious changes; and establish procedures to maintain cybersecurity protections.

This began with the Boeing 787, the FAA noted, and continued with every subsequent new project. As such, Boeing asked the FAA to explore the possibility of more blanket guidance, and that spawned the early work on creating standards. The agency collaborated with companies such as Honeywell and Collins Aerospace, in addition to Boeing, on the issue, and that work initially culminated in guidance issued about a decade ago through the standards organization RTCA, in concert with the European organization EUROCAE.

More than a half-dozen documents were released and have since been updated multiple times, most recently last year, as the community learns more and technologies evolve. “We’ve learned a lot in the last 10 years,” Hennig noted.

Meanwhile, as it continued to issue the special conditions, the FAA contemplated how best to address the cybersecurity landscape. Could it be folded into safety requirements? The agency concluded that cybersecurity was unique enough that it needed a rulemaking committee to work on it. 

Ultimately, a government/industry Aircraft Systems Information Security/Protection working group was chartered in 2015 to explore necessary regulatory changes that build on the standards-setting efforts.

That group included not only the U.S. community but also international regulators such as EASA, Brazil's ANAC, and Transport Canada, as well as other agencies such as the Transportation Security Administration (TSA), the U.S. Coast Guard, and the Department of Defense.

It issued 30 recommendations in 2016 on airworthiness regulations that would specifically address cybersecurity, according to Hennig, a co-chair of that working group.

EASA moved forward relatively quickly on a notice of proposed amendment and issued its rulemaking in 2019. That effort went into effect in 2021.

However, Hennig noted ongoing challenges with the FAA’s rulemaking. “It had ground to a halt several years ago,” he said. “There were challenges getting anything out of the agency.”

GAMA president and CEO Pete Bunce appealed to lawmakers noting key issues such as cybersecurity were languishing. Congress took notice and so too did the FAA.

“The rulemaking office was paying attention, and if you’ve seen the volume of regulatory proposals that have come out this [past] year, it’s really impressive,” Hennig said, adding that leaders “have unclogged the backup that had occurred for many, many years.”

One of those rulemakings was the cybersecurity NPRM released in August 2024.

That rulemaking aligns with the working group recommendations but is narrower in scope than EASA’s rulemaking, focused primarily on Parts 25 (transport category airplanes), 33 (engines), and 35 (propellers).

“We’re having some discussions about the rotorcraft community where they see a regulatory gap,” Hennig said. “It’s not a difference of philosophy that we wouldn’t do cybersecurity in the United States. But it’s always additional bureaucracy when there’s a difference in rules.”

But closing those gaps is important. “The requirements aren’t harmonized, and that’s not good,” he continued, adding that the NPRM may need an amendment, or the FAA may need a second NPRM to align with Europe.

As for the NPRM, the FAA maintained that the proposal largely reflects currently required practices established through special conditions. “Thus, the impact on applicants and operators [of the proposal] would not be significant,” the agency said.

These regulations are increasingly necessary, the FAA added, because newer aircraft have designs with much more system integration and connectivity, including to outside sources such as field-loadable software, maintenance laptops, airport gate-link networks, USB devices, portable electronic flight bags, and GPS, cellular, and satellite communications. "Regulators and industry must constantly monitor the cybersecurity threat environment in order to identify and mitigate new threat sources."

Hennig agreed: "The rule is obviously not a surprise to anybody because most manufacturers were at the table when we wrote the draft, and most manufacturers are also at the table in the development of technical standards. There's a great degree of experience across manufacturers for doing the technical work, to meet the rule when it finally goes final."

The rulemaking essentially codifies what has already been ongoing, he added. “It will simplify the bureaucracy and harmonize standards between Europe and the United States,” he said. “It’s an efficiency rule, and it also finally clears up that this is what we’re doing.”

The proposed regulations take a high-level look at all aircraft systems, not just those in the flight deck. In-flight entertainment is one such example. "In order to be on an aircraft, an in-flight entertainment system has to have a supplemental type certificate [STC]. You cannot just slap it in there. The FAA will look at this through the lens of the standards that are on the books," he said, adding that as the STC process proceeds, "the topic that always pops up is addressing cybersecurity."

Further, the rulemaking sets the template for how to consider other aspects. "A big component of cybersecurity protections are the processes around how you manage it." This includes maintenance instructions, particularly as the connected aircraft becomes more prevalent.

Now laptops or computers connect to aircraft for maintenance or other data purposes. “This laptop should obviously have a set of protections to it as well so that that doesn’t become the pathway through which bad things can happen,” he said. “It’s an entire ecosystem of protections. It’s through the lifetime of the aircraft that we’ve got to look at it as well, and training, of course, the pilots and mechanics and others for their roles within that system.”

But also important for the rulemaking, he added, is that numerous federal agencies have jumped into the cybersecurity space. “There have been conversations about which agency, which department owns cybersecurity for transportation, aviation, and so forth,” he said. “The release of this NPRM ensures that the FAA clearly occupies the space of cybersecurity for aircraft and aircraft systems. That’s been the trajectory we’ve been on.”

The FAA had already been establishing its path through special conditions. "But when we get beyond the FAA, a special condition is hard to explain," Hennig added. "It's much clearer to say, here's a [rule]. We own this, we're managing this part of the risk equation."

Hennig conceded that some parts of security are better handled outside the agency, such as airport and air carrier requirements from the TSA. “That makes sense. Airports and air carriers are regulated entities by the TSA. Manufacturers are not,” he said.

Also last year, the White House helped delineate cybersecurity responsibilities through a “National Security Memorandum on Critical Infrastructure Security and Resilience.” The White House made it clear that it’s a dual jurisdiction between DHS and DOT, Hennig said.

While the White House essentially deemed, “You each own a piece of the equation,” he said that was not what was playing out. With the NPRM, the FAA has come out and said: “We got the aircraft. We got the aircraft systems,” Hennig added.

On top of all this activity has been Congress, which included numerous cybersecurity measures in the most recent FAA reauthorization bill, adopted last year. These include a dedicated cybersecurity subtitle, prods to the FAA on the rulemaking, and protections in areas such as air traffic control.

Meanwhile, as the FAA mulls the comments ahead of a final rule, cybersecurity is not standing still. This will become especially topical with new entrants. "They're already looking at the numerous technical approaches to addressing cybersecurity," he said, particularly as some of the systems involved in these operations lie outside the aircraft. There will be multiple layers of protection, he surmised.

For the current regulations, “we are dealing with aircraft that still have a pilot on board.” However, this is an issue that must still be explored.