Federal Register: December 28, 2007 (Volume 72, Number 248)

DOCID: fr28de07-5 FR Doc E7-25075

DEPARTMENT OF TRANSPORTATION

Federal Aviation Administration

CFR Citation: 14 CFR Part 25

Docket ID: [Docket No. NM365 Special Conditions No. 25-357-SC]

NOTICE: RULES

DOCID: fr28de07-5

ACTION: Airworthiness standards:

DOCUMENT ACTION: Final special conditions.

SUBJECT CATEGORY:

Special Conditions: Boeing Model 787-8 Airplane; Systems and Data Networks Security-Protection of Airplane Systems and Data Networks from Unauthorized External Access

DATES: Effective Date:

January 28, 2008.

DOCUMENT SUMMARY:

These special conditions are issued for the Boeing Model 787-8 airplane. This airplane will have novel or unusual design features when compared to the state of technology envisioned in the airworthiness standards for transport category airplanes. The architecture of the Boeing Model 7878 computer systems and networks may allow access to external systems and networks, such as wireless airline operations and maintenance systems, satellite communications, electronic mail, the Internet, etc. Onboard wired and wireless devices may also have access to parts of the airplane's digital systems that provide flight critical functions. These new connectivity capabilities may result in security vulnerabilities to the airplane's critical systems. For these design features, the applicable airworthiness regulations do not contain adequate or appropriate safety standards for protection and security of airplane systems and data networks against unauthorized access. These special conditions contain the additional safety standards that the Administrator considers necessary to establish a level of safety equivalent to that established by the existing standards. Additional special conditions will be issued for other novel or unusual design features of the Boeing Model 7878 airplanes.

SUMMARY:

Boeing Model 787-8 airplane,

SUPPLEMENTAL INFORMATION

Background

On March 28, 2003, Boeing applied for an FAA type certificate for its new Boeing Model 7878 passenger airplane. The Boeing Model 7878 airplane will be an allnew, twoengine jet transport airplane with a twoaisle cabin. The maximum takeoff weight will be 476,000 pounds, with a maximum passenger count of 381 passengers.

Type Certification Basis

Under provisions of 14 Code of Federal Regulations (CFR) 21.17, Boeing must show that Boeing Model 7878 airplanes (hereafter referred to as ``the 787'') meet the applicable provisions of 14 CFR part 25, as amended by Amendments 251 through 25117, except Sec. Sec. 25.809(a) and 25.812, which will remain at Amendment 25115. If the Administrator finds that the applicable airworthiness regulations do not contain adequate or appropriate safety standards for the 787 because of a novel or unusual design feature, special conditions are prescribed under provisions of 14 CFR 21.16.

In addition to the applicable airworthiness regulations and special conditions, the 787 must comply with the fuel vent and exhaust emission requirements of 14 CFR part 34 and the noise certification requirements of part 36. The FAA must also issue a finding of regulatory adequacy pursuant to section 611 of Public Law 92574, the ``Noise Control Act of 1972.''

The FAA issues special conditions, as defined in Sec. 11.19, under Sec. 11.38, and they become part of the type certification basis under Sec. 21.17(a)(2).

Special conditions are initially applicable to the model for which they are issued. Should the type certificate
[[Page 73583]]
for that model be amended later to include any other model that incorporates the same or similar novel or unusual design feature, the special conditions would also apply to the other model under Sec. 21.101.

Novel or Unusual Design Features

The digital systems architecture for the 787 consists of several networks connected by electronics and embedded software. This proposed network architecture is used for a diverse set of functions, including the following.

1. Flightsafetyrelated control and navigation and required systems (Aircraft Control Domain).

2. Airline business and administrative support (Airline Information Domain).

3. Passenger entertainment, information, and Internet services (Passenger Information and Entertainment Domain).

The proposed architecture of the 787 is different from that of existing production (and retrofitted) airplanes. It may allow connection to and access from external sources and airline operator networks to the previously isolated Aircraft Control Domain and Airline Information Domain. Types of connections and access from external sources may include wireless systems, satellite communications, electronic mail, the Internet, etc. The Aircraft Control Domain and the Airline Information Domain perform functions required for the safe operation of the airplane.

Capability is proposed for providing electronic transmission of fieldloadable software applications and databases to the aircraft. These would subsequently be loaded into systems within the Aircraft Control Domain and Airline Information Domain. Also, it may be proposed that onboard wired and wireless devices have access to the Aircraft Control Domain and Airline Information Domain. These new connectivity capabilities and features of the proposed design may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane. Existing regulations and guidance material did not anticipate this type of system architecture or Internet and wireless electronic access to aircraft systems that provide flight critical functions. Furthermore, 14 CFR regulations and current system safety assessment policy and techniques do not address potential security vulnerabilities that could be caused by unauthorized external access to aircraft data buses and servers. Therefore, special conditions are proposed to ensure the security, integrity, and availability of the critical systems within the Aircraft Control Domain and the Airline Information Domain by establishing requirements for:

1. Protection of Aircraft Control Domain and Airline Information Domain systems, hardware, software, and databases from unauthorized access.

2. Protection of fieldloadable software (FLS) applications and databases that are electronically transmitted from external sources to the onaircraft networks and storage devices, and used within the Aircraft Control Domain and Airline Information Domain.

3. Test and evaluation of security protection means and change control procedures of aircraft systems, hardware, software, and databases, especially for critical systems and those areas that could affect safety of flight.

Discussion Of Comments

Notice of Proposed Special Conditions No. 250702SC for the 787 was published in the Federal Register on April 16, 2007 (72 FR 18923). Several comments were received from Airbus.

  • AIRBUS General Comment 1: In Airbus's opinion these special conditions leave too much room for interpretation, and related guidance and acceptable means of compliance should be developed in an advisory circular (AC) for use by future applicants.

    FAA Response: We agree that guidance is necessary. Detailed guidelines and criteria have been developed for this aircraft certification program, specific to this airplane's network architecture and design, providing initial guidance on an acceptable means of compliance for the 787. Additionally, the FAA intends to participate in an industry committee chartered with developing acceptable means of compliance to address aircraft network security issues, and hopes to endorse the results of the work of that committee by issuing an AC. Until such time as guidance is developed for a general means of compliance for network security protection, these special conditions and the agreedto guidance are imposed on this specific network architecture and design. We have made no changes to these special conditions as a result of this comment.

  • AIRBUS Comment (a): Airbus said that the meaning of ``shall ensure system security protection * * * from unauthorized external access'' in the first sentence is not accurate enough. Airbus commented that this could be interpreted as a zero allowance and demonstrating compliance with such a requirement all through the aircraft's life cycle is quite impossible since security threats evolve very rapidly. The commenter maintained that the only possible solution to such a requirement would be no link and no communication at all between the aircraft and the outside world. Airbus asked, ``if some residual vulnerabilities are allowed, which criteria have to be used to assess their acceptability?''

    FAA Response: The applicant is responsible for the design of the airplane network and systems architecture and for ensuring that potential security vulnerabilities of providing external access to airplane networks and systems are mitigated to an appropriate level of assurance, depending on the potential risk to the airplane and occupant safety. This responsibility is similar to that entailed in the current system safety assessment process of 14 CFR 25.1309. (See also AC 25.13091A and the ARACrecommended Arsenal version of this AC, at http://www.faa.gov/regulations_policies/rulemaking/committees/arac/media/tae/TAE_SDA_T2.pdf and SAE ARP 4754). These special conditions
    do not prescribe a specific level of assurance because assurance levels are dependent on the aircraft network architecture, specific external access points allowed, potential threats and vulnerabilities of each access, and various means of mitigating those vulnerabilities, whether by aircraft and network design features, monitoring features, operational procedures, maintenance procedures, and/or combinations thereof. Detailed compliance guidelines and criteria, specific to the 787 network architecture and design, have been developed to provide initial guidance for an acceptable means of compliance for this aircraft model. Residual vulnerabilities may have to be assessed on a casebycase basis to ascertain whether sufficient and acceptable mitigation is provided. As mentioned earlier, the FAA intends to participate in an industry forum chartered with determining appropriate criteria and acceptable means of compliance, and hopes to endorse that guidance with an AC. We have made no changes to these special conditions as a result of this comment.

  • AIRBUS Comment (b): Airbus commented that external access can be interpreted in two ways: external to the aircraft, or external to the Aircraft Control Domain and Airline Information Domain. It said that the Passenger Information and Entertainment Domain (PIED) may be considered external and,
    [[Page 73584]]
    if it is, this special condition is redundant to Proposed Special Condition 250701SC.

    FAA Response: Since these special conditions are applicable to the 787 aircraft, the interpretation of ``external'' means external to the 787 aircraft. Although the PIED is external to the other domains mentioned, it is ``internal'' to the aircraft. Special Condition 2507 01SC was developed to address interfaces between the PIED and the Aircraft Control and Airline Information Domains, and is therefore not redundant. We have made a minor change to these special conditions as a result of this comment. We have reworded the special conditions, changing the words ``unauthorized external access'' to ``access by unauthorized sources external to the airplane'' in order to clarify this point.

  • AIRBUS Comment (c): Airbus commented that the term ``unauthorized external access'' is too vague and could be interpreted in too restrictive a way, resulting in too few threats being considered. The commenter asked whether unauthorized external access encompasses physical access or unauthorized access by an authorized user and/or an unauthorized user. The commenter asked whether physical tampering has to be considered. Airbus suggested that any threats external to the aircraft be considered, and that we refer as well to the list of threats in the National Airspace System Communication System Safety Hazard Analysis and Security Threat Analysis.

    FAA Response: The applicant is responsible for the aircraft network architecture and design, and for implementing security protection mechanisms and controls. Examples include:

  • defining authorized versus unauthorized users,
  • user authentication,
  • defining the scope of authorized users' access to various components connected to the airplane networks,
  • ensuring correct software loads are stored on appropriately secured servers, are loaded into the correct systems, are compatible with other loads, etc.; and
  • defining the maintenance requirements for ensuring continued operational safety of the aircraft.
    Operators and maintainers are responsible for performing maintenance procedures in compliance with those requirements. For maintenance tasks, however, it may be appropriate to provide some level of security protection for mechanics to ensure they are authorized for specific tasks within certain domains or systems of the aircraft for performing repairs or loading software updates, which would typically require ``physical access.'' With current wireless technology, actual physical access may not be necessary to perform some maintenance functions. The applicant is responsible for developing a design which complies with these special conditions and other applicable regulations. The design may include specific technology and architecture features as well as operator requirements, operational procedures and security measures, and maintenance procedures and requirements to ensure an appropriate implementation that can be properly used and maintained to ensure safe operations and continued operational safety. Applicants should define all external accesses and the scope of their aircraft network security protections. Use of the threats listed in the abovementioned document may be appropriate for these purposes. We have made no changes to these special conditions as a result of this comment.
  • AIRBUS Comment (d): Airbus said that the external environment needs to be characterized in order to determine which threats the Aircraft Control Domain and Airline Information Domain must be protected from. Questions to be answered include who can and cannot access; who is and is not trusted; and what threat source profile must be considered. The commenter asked whether only new communication media (like internet protocol (IP) communications) would be considered not trusted, or whether all communications, including existing communications for which no security requirements have been applied up to now, would be considered not trusted. Airbus gave ACARS (the Aeronautical Radio Incorporated Communication Addressing and Reporting System) as an example of existing communications that currently have no security requirements.

    FAA Response: Each access (or communication) from an external source and its potential vulnerabilities to threats should be evaluated. The security mitigation should provide protection to an appropriate level, whether by design, monitoring, operational procedures, or other means. The security solution could certainly consider access rights and scope, trusted versus not trusted sources and data, how reliable incoming communication data may be, and other factors, depending on the intended use and potential for presenting a security risk. We have made no changes to these special conditions as a result of this comment.

  • AIRBUS Comment (e): Airbus said that the characterization of the external environment must be extended to the maintenance organization, because the security objectives of these special conditions must consider maintenance activity. Proposed condition 1 requires minimizing the likelihood of reductions in safety margins or airplane functional capabilities, ``* * * including those possibly caused by maintenance activity''. Airbus said that the trust level for the maintenance organization, to be defined, may significantly impact the design of the onboard security protections and the compliance demonstration.

    FAA Response: The proposed special conditions include the potential for security risks from maintenance activities. Applicants should develop a design and maintenance procedures which facilitate routine maintenance of the aircraft, networks and systems, and equipment. The design and maintenance procedures should also provide capabilities for ensuring that security features and updates can be maintained by the operators and maintenance personnel, to ensure continued airworthiness and operational safety of the aircraft for its service life. These are methods of compliance issues, and therefore we have made no changes to these special conditions as a result of this comment.

  • AIRBUS Comment (f): Airbus referred to wording in the second sentence of the proposed special condition : ``* * * to minimize the likelihood of occurrence of each of the following conditions: * * * '' Airbus noted that the definition of likelihood of occurrence and the criteria for fulfilling the security objectives are missing. The commenter asked, ``when is an identified risk considered mitigated?'' Airbus also noted that the 3 conditions at the end of the special conditions are quite similar to the description of safety severity effects for a ``Failure Condition classified Major'' per AC 25.13091A (or AC/AMJ No: 25.1309). Airbus maintained that, as a result, this description can be interpreted as an allowable qualitative likelihood of occurrence corresponding to ``remote'' and an allowable quantitative probability corresponding to less than 10E5. Airbus said that such a classification, if interpreted in this way, may be irrelevant in some cases, because consequences may be more severe, and only a security threat analysis process can conclude which safety effect is acceptable. The commenter said that recognizing this process as an acceptable means of compliance (through an AC) could
    [[Page 73585]]
    remove any dispute about how to assess the severity and likelihood of occurrence of a threat over which the applicant has no control.

    FAA Response: We agree that a ``security threat analysis process'' (or other acceptable means) should be conducted to determine the threats, vulnerabilities, and risks of each airplane network access from an external source to determine appropriate security mitigation protection and procedures for the aircraft, its operations, and maintenance. The aircraft and system safety assessments (as described in AC 25.1309) should certainly consider the impact of security vulnerabilities on aircraft safety and the capabilities of the aircraft's systems to satisfy reliability and integrity requirements. Detailed guidelines and criteria, specific to the 787 network architecture and design, have been developed for this aircraft and provide some initial guidance for an acceptable means of compliance. The FAA also intends to participate in industry efforts to develop additional guidance on the scope of security assessments and a general means of addressing aircraft network security concerns. We hope to endorse the industrydeveloped guidance, when it has been completed, with an advisory circular. We have made some minor changes to these special conditions as a result of this comment to clarify the scope for security threat analysis.

  • AIRBUS proposed text revision: Airbus proposed the following revised wording for these special conditions.

    The applicant shall ensure that security threats external to the aircraft (including those possibly caused by maintenance activity) are assessed and risk mitigation strategies are implemented to protect the Aircraft Control Domain and Airline Information Services Domain from adverse impacts reducing the aircraft safety.

    FAA Response: Airbus's comments and proposal have merit but the proposal does not address all of the FAA concerns. We have, however, adopted several aspects of the commenter's proposal into these final special conditions. We have made these wording changes for clarification, but the meaning and intent of these special conditions remain the same as originally proposed.

    Applicability

    As discussed above, these special conditions are applicable to the 787. Should Boeing apply at a later date for a change to the type certificate to include another model on the same type certificate incorporating the same novel or unusual design features, these special conditions would apply to that model as well.

    Conclusion

    This action affects only certain novel or unusual design features of the 787. It is not a rule of general applicability.

    List of Subjects in 14 CFR Part 25

    Aircraft, Aviation safety, Reporting and recordkeeping requirements.

    The authority citation for these special conditions is as follows:

    Authority: 49 U.S.C. 106(g), 40113, 44701, 44702, 44704. The Special Conditions

    Accordingly, pursuant to the authority delegated to me by the Administrator, the following special conditions are issued as part of the type certification basis for the Boeing Model 7878 airplane.

    The applicant shall ensure system security protection for the Aircraft Control Domain and Airline Information Domain from access by unauthorized sources external to the airplane, including those possibly caused by maintenance activity. The applicant shall ensure that security threats are identified and assessed, and that risk mitigation strategies are implemented to protect the airplane from all adverse impacts on safety, functionality, and continued airworthiness.

    Issued in Renton, Washington, on December 17, 2007. Ali Bahrami,
    Manager, Transport Airplane Directorate, Aircraft Certification Service.
    [FR Doc. E725075 Filed 122707; 8:45 am]
    BILLING CODE 491013P

    FOR FURTHER INFORMATION CONTACT

    Will Struck, FAA, Airplane and Flight Crew Interface, ANM111, Transport Airplane Directorate, Aircraft Certification Service, 1601 Lind Avenue, SW., Renton, Washington 98057 3356; telephone (425) 2272764; facsimile (425) 2271149.

    • © 2009 theFederalRegister.com    Created by: Craig Wood | styleshout | Congressional Record        Home | RSS Feed