FAA Published Final Airworthiness Criteria for Hummingbird UA
Today the DOT’s Federal Aviation Administration (FAA) published a final airworthiness criteria (FAC) in the Federal Register (89 FR 2118-2125) for the Wing Aviation LLC Hummingbird unmanned aircraft (UA). The notice of proposed airworthiness criteria (NPAC) for this aircraft was published on February 8th, 2023. In the preamble to today’s FAC discusses comments on cybersecurity issues submitted in response to the NPAC.
Background
The NPAC included cybersecurity language under section D&R.115, Cyber Security. After noting that current certification regulations “do not adequately address potential security vulnerabilities that could be exploited by unauthorized access to aircraft systems, data buses, and services”, the FAA reported that:
“To address the risks to the UA associated with intentional unauthorized electronic interactions, the applicant would be required to design the UAS's systems and networks to protect against intentional unauthorized electronic interactions and mitigate potential adverse effects. The FAA based the language for the proposed criteria on recommendations in the final report dated August 22, 2016, from the Aircraft System Information Security/Protection (ASISP) working group, under the FAA's Aviation Rulemaking Advisory Committee.”
Cybersecurity Comments
Comments received from the Air Line Pilots Association (ALPA) on the NPAC included extensive comments on cybersecurity issues:
The FAA should require all UA manufacturers and operators to implement robust cybersecurity measures to protect against potential intrusions and unauthorized access to the aircraft's control and surveillance systems. This should include measures such as encryption, multi-factor authentication, and intrusion detection systems.
The FAA should establish a clear set of guidelines and standards for assessing the security of UA control and surveillance systems, including a set of metrics for measuring an acceptable level of security.
The FAA should work with industry stakeholders to develop and implement best practices for cybersecurity in the UA industry, including training programs for operators and maintenance personnel.
The FAA should require that all UA systems undergo rigorous testing and validation to ensure they are secure against potential cyber threats.
The FAA should establish a reporting system for cybersecurity incidents involving UA, with a requirement for all operators and manufacturers to report any potential breaches or intrusions.
The FAA should work with international aviation authorities to establish a global framework for UA cybersecurity, with the aim of creating a unified set of standards and best practices.
The FAA should require all UA manufacturers and operators to undergo regular security audits and assessments to ensure compliance with cybersecurity standards.
The FAA should provide training and resources to law enforcement and other security agencies to help them detect and respond to potential threats to UA systems.
The FAA should require that all UA systems have redundancy and fail-safe mechanisms in place to prevent unauthorized access or control in the event of a cyber-attack.
The FAA should work with academic and industry partners to research and develop new technologies and methods for enhancing the cybersecurity of UA systems, including machine learning and artificial intelligence-based systems for detecting and responding to potential threats.
FAA Response to Cybersecurity Comments
The FAA responds to the ALPA cybersecurity comments by noting that the Airworthiness Criteria document is not the appropriate place to address the level of specificity provided in the comments, noting that:
“The level of detail regarding the assessment of failures and the required protection level of equipment, systems, and networks will be addressed in the means of compliance (MOC) to these airworthiness criteria.”
That compliance document is not published as part of the publish/comment process used for the FAC. That document would not be generally available to the public.
The FAA does note that any cybersecurity issues that could affect the reliability of the communications link (C2) between the operator and the aircraft would ultimately be dealt with in D&R.120 Contingency Planning for a C2 lost link.
Effective Date
This final airworthiness criteria becomes effective on February 12th, 2024.
Commentary
There is another interesting recommendation made in the ALFP comment on the NPAC:
“ALPA strongly urges the FAA to adopt the use of "uncrewed" terminology in all future discussions and written documents to promote the use of more appropriate and inclusive language in the aviation industry. By doing so, we can ensure that the language used accurately represents the nature of the technology being used and is respectful and inclusive to all members of the industry, regardless of gender or other characteristics.”
Unfortunately, this is not really within the purview of the FAA or DOT to change this terminology. Those definitions are generally set by Congress in the legislation establishing the US Code. The specific definitions that would apply in this case are established in 49 USC 44801. While the FAA could technically establish separate terminology that could included ‘uncrewed aircraft, keeping that language tied back to the authorizing legislation would get complicated and would upset any number of lawyers and judges.
I appreciate the intent of ALFP in making this comment, but it really should be directed at Congress.