
The Federal Aviation Administration (FAA) within the U.S. Department of Transportation (DOT) and the Transportation Security Administration (TSA), part of the Department of Homeland Security (DHS), published a notice of proposed rulemaking (NPRM) to address performance-based regulations to enable the design and operation of unmanned aircraft systems (UAS) at low altitudes beyond visual line of sight (BVLOS) and for third-party services, including UAS Traffic Management (UTM), that support these operations. Operators and service providers are now expected to develop their cybersecurity standards rooted in the NIST cybersecurity framework for conducting risk assessments, while also embedding secure-by-design principles into their systems and practices.
Published Thursday in the Federal Register, the FAA and TSA notice outlines proposed regulations that would require most operators to implement formal cybersecurity policies, so that operators actively address and manage cybersecurity risks as part of their operations.
Most operators, excluding recreational ones, would be required to establish cybersecurity policies and to continuously assess and monitor threats. The overarching goal is to safeguard computers and networked systems, with operators expected to take ongoing, proactive measures to prevent compromise.
The FAA anticipates that operations may introduce new cybersecurity vulnerabilities. These include risks such as unauthorized access to a facility’s hardware, software, control stations, or other aeronautical equipment; weak protocols for employee network access; and cyberattacks by malicious actors. UAS operations under this rule are expected to rely on complex, interconnected technologies that support remote control, communication, data transfer, and other functions, making them susceptible to many of the same cybersecurity threats that affect other connected systems.
Cybersecurity threats can generally be evaluated through a combination of intent, capability, and opportunity. While intent and capability lie beyond the FAA’s control, opportunity can be reduced by securing vulnerable access points. To that end, the FAA has determined that operators must proactively address these vulnerabilities. The proposed rule already incorporates measures to mitigate such risks. For example, operators would be required to develop and implement physical security measures that prevent unauthorized access to operational facilities and other restricted areas. Also, UAS manufacturers would be mandated to protect their systems from intentional, unauthorized electronic interference.
To further address cybersecurity risks, the FAA proposes requiring operators to develop and implement cybersecurity policies and procedures aimed at protecting networks, devices, and data from unauthorized access. These measures are intended to preserve the integrity, accuracy, and reliability of UAS operations.
The notice detailed that certificated operators would be required to include, at a minimum, processes to secure software, hardware, and network infrastructure critical to operations; controls to ensure employees have only the network access necessary to perform their job duties; procedures to revoke access privileges promptly for former employees; plans to detect, respond to, and mitigate cyberattacks; methods for collecting and analyzing data to evaluate the effectiveness of cybersecurity protections; and any additional processes deemed necessary to maintain cybersecurity.
Additionally, the FAA and TSA identified that cybersecurity protection efforts must be informed by standards acceptable to the FAA. “For cybersecurity, there may be acceptable standards produced by entities other than voluntary consensus standards bodies. Cybersecurity standards and guidelines, such as the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST), typically promote protection by utilizing a risk assessment that demonstrates how security and safety risks associated with IUEI are identified and assessed.”
It added that the risk assessment identifies which equipment, systems, and networks require protection from IUEI (Intentional Unauthorized Electronic Interaction). If a cybersecurity risk is identified that can adversely affect the safety of the UAS, the manufacturer can then develop mitigation plans and provide them to the operator. This approach would help ensure a consistent and thorough framework for securing the unmanned aircraft’s equipment, systems, and networks, aligned with the specific risks associated with UAS operations.
The FAA expects that a standard with requirements similar to those of the NIST Cybersecurity Framework would be found acceptable as a means of compliance (MOC) for cybersecurity, and it invites comments on cybersecurity standards for UAS.
The notice detailed that the FAA also understands that cybersecurity vulnerabilities must be addressed quickly and that undue delays could be detrimental to users or the network. The required notification interval enables the FAA to prioritize how it manages changes to services, with time to provide limited review as needed. In the event a potential problem is identified, and in the event of a major software update to Service Level 2 or Service Level 3 services, this notification requirement would allow the FAA to delay the release of the software update while it conducts further review.
The FAA would require each certificated service provider to develop comprehensive cybersecurity policies for protecting data. These must include processes to secure software, hardware, and network infrastructure against unauthorized access; limit employee access privileges strictly to what is necessary for their job functions; prepare for, respond to, and mitigate the impact of cyberattacks; collect and analyze data to evaluate the effectiveness of cybersecurity measures; and regularly update the cybersecurity policy to address emerging threats and operational changes.
The notice identified that these proposed requirements are based on the Cybersecurity and Infrastructure Security Agency’s ‘Secure by Design’ best practices. “FAA encourages service providers to engage in best practices for cyber and data security; however, FAA determined that it was in the interest of public and aviation safety to propose these particular elements as requirements. By proposing these requirements as performance-based requirements, FAA believes it would encourage the continuous improvement of the automated data service provider’s cybersecurity policy.”
Furthermore, the FAA does not believe it would be effective to prescribe cybersecurity requirements by rule, as service providers must be able to rapidly adjust their cybersecurity measures to keep pace with the introduction of new cybersecurity threats. FAA anticipates that service providers may be able to demonstrate compliance with this provision by relying on industry consensus standards.
Last year, members of the U.S. House Committee on Homeland Security called for the DHS and the Department of Energy (DOE) to declassify information about the national security threats posed by unmanned aerial systems (UAS), or drones, from the People’s Republic of China, notably those by Da Jiang Innovations (DJI) and Autel Robotics. The request stems from findings by Sandia National Laboratories (SNL) that highlight significant national security risks associated with these drones.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.