90 FR 42 pgs. 11211-11212 - Special Conditions: Universal Avionics; Electronic System Security Protection From Unauthorized External Access
Type: RULEVolume: 90Number: 42Pages: 11211 - 11212
Pages: 11211, 11212Docket number: [Docket No. FAA-2024-2640; Special Conditions No. 25-874-SC]
FR document: [FR Doc. 2025-03493 Filed 3-4-25; 8:45 am]
Agency: Transportation Department
Sub Agency: Federal Aviation Administration
Official PDF Version: PDF Version
[top]
DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
14 CFR Part 25
[Docket No. FAA-2024-2640; Special Conditions No. 25-874-SC]
Special Conditions: Universal Avionics; Electronic System Security Protection From Unauthorized External Access
AGENCY:
Federal Aviation Administration (FAA), DOT.
ACTION:
Final special conditions; request for comments.
SUMMARY:
These special conditions are issued for a supplemental type certificate (STC) to install a digital systems architecture on certain transport category airplanes. These airplanes, as modified by Universal Avionics, will have a novel or unusual design feature when compared to the state of technology envisioned in the airworthiness standards for transport-category airplanes. This design feature is a digital systems architecture that will allow increased connectivity to and access from external network sources ( e.g., operator networks, wireless devices, internet connectivity, service provider satellite communications, electronic flight bags, etc.) to the airplane's previously isolated electronic assets (networks, systems, and databases). The applicable airworthiness regulations do not contain adequate or appropriate safety standards for this design feature. These special conditions contain the additional safety standards that the Administrator considers necessary to establish a level of safety equivalent to that established by the existing airworthiness standards.
DATES:
This action is effective on Universal Avionics on March 5, 2025. Send comments on or before April 21, 2025.
ADDRESSES:
Send comments identified by Docket No. FAA-2024-2640 using any of the following methods:
• Federal eRegulations Portal: Go to www.regulations.gov and follow the online instructions for sending your comments electronically.
• Mail: Send comments to Docket Operations, M-30, U.S. Department of Transportation (DOT), 1200 New Jersey Avenue SE, Room W12-140, West Building Ground Floor, Washington, DC 20590-0001.
• Hand Delivery or Courier: Take comments to Docket Operations in Room W12-140 of the West Building Ground Floor at 1200 New Jersey Avenue SE, Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays.
• Fax: Fax comments to Docket Operations at 202-493-2251.
Docket: Background documents or comments received may be read at www.regulations.gov at any time. Follow the online instructions for accessing the docket or go to Docket Operations in Room W12-140 of the West Building Ground Floor at 1200 New Jersey Avenue SE, Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays.
FOR FURTHER INFORMATION CONTACT:
Thuan T. Nguyen, Avionics Software and Components Unit, AIR-626D, Technical Policy Branch, Aircraft Certification Service, Federal Aviation Administration, 2200 South 216th Street, Des Moines, Washington 98198; telephone and fax (206) 231-3365; email Thuan.T.Nguyen@faa.gov.
SUPPLEMENTARY INFORMATION:
The substance of these special conditions has been published in the Federal Register for public comment in several prior instances with no substantive comments received. Therefore, the FAA finds, pursuant to 14 CFR 11.38(b), that new comments are unlikely, and notice and comment prior to this publication are unnecessary.
Privacy
Except for Confidential Business Information (CBI) as described in the following paragraph, and other information as described in title 14, Code of Federal Regulations (14 CFR) 11.35, the FAA will post all comments received without change to www.regulations.gov, including any personal information you provide. The FAA will also post a report summarizing each substantive verbal contact received about these special conditions.
Confidential Business Information
Confidential Business Information (CBI) is commercial or financial information that is both customarily and actually treated as private by its owner. Under the Freedom of Information Act (FOIA) (5 U.S.C. 552), CBI is exempt from public disclosure. If your comments responsive to these special conditions contain commercial or financial information that is customarily treated as private, that you actually treat as private, and that is relevant or responsive to these special conditions, it is important that you clearly designate the submitted comments as CBI. Please mark each page of your submission containing CBI as "PROPIN." The FAA will treat such marked submissions as confidential under the FOIA, and the indicated comments will not be placed in the public docket of these special conditions. Send submissions containing CBI to the individual listed in the FOR FURTHER INFORMATION CONTACT section above. Comments the FAA receives, which are not specifically designated as CBI, will be placed in the public docket for these special conditions.
Comments Invited
The FAA invites interested people to take part in this rulemaking by sending written comments, data, or views. The most helpful comments reference a specific portion of the special conditions, explain the reason for any recommended change, and include supporting data.
The FAA will consider all comments received by the closing date for comments. The FAA may change these special conditions based on the comments received.
Background
[top] On February 19, 2024, Universal Avionics applied for an STC to install the Solid-State Data Transfer Unit Plus (SSDTU+) in the airplanes listed on the approved model list (AML) for STC No. ST04656CH. Universal Avionics may periodically amend this STC to expand its applicability to include additional transport-category airplane makes and models.
Type Certification Basis
Under the provisions of title 14, Code of Federal Regulations (14 CFR) 21.101, Universal Avionics must show that the airplanes, for which they make application to modify by FAA STC No. ST04656CH, as changed, continue to meet the applicable provisions of the regulations listed in each airplane's respective type certificate or the applicable regulations in effect on the date of application for the change except for earlier amendments as agreed upon by the FAA.
If the Administrator finds that the applicable airworthiness regulations ( e.g., 14 CFR part 25) do not contain adequate or appropriate safety standards for the listed airplanes because of a novel or unusual design feature, special conditions are prescribed under the provisions of §?21.16.
Special conditions are initially applicable to the model for which they are issued. Should the applicant apply for an STC to modify any other model included on the same type certificate to incorporate the same novel or unusual design feature, these special conditions would also apply to the other model under §?21.101.
In addition to the applicable airworthiness regulations and special conditions, the airplanes listed in the AML must comply with the exhaust-emission requirements of 14 CFR part 34, and the noise-certification requirements of 14 CFR part 36.
The FAA issues special conditions, as defined in 14 CFR 11.19, in accordance with §?11.38, and they become part of the type certification basis under §?21.101.
Novel or Unusual Design Features
The airplanes listed on the AML in STC No. ST04656CH will incorporate the following novel or unusual design feature:
The installation of a digital systems architecture that will allow increased connectivity to and access from external network sources, ( e.g., operator networks, wireless devices, internet connectivity, service provider satellite communications, electronic flight bags, etc.) to the airplane's previously isolated electronic assets (networks, systems, and databases).
Discussion
The electronic system architecture and network configuration change of the airplanes listed on the AML is novel or unusual for commercial transport airplanes because it may allow increased connectivity to and access from external network sources, airline operations, and maintenance networks, to the airplane control domain, and airline information services domain. The airplane's control domain and airline information-services domain perform functions required for the safe operation and maintenance of the airplane. Previously, these domains had very limited connectivity with external network sources. This data network and design integration creates a potential for unauthorized persons to access the airplane's control domain and airline information-services domain and presents security vulnerabilities related to the introduction of computer viruses and worms, user errors, and intentional sabotage of airplane electronic assets (networks, systems, and databases) critical to the safety and maintenance of the airplane.
The existing FAA regulations did not anticipate these networked airplane-system architectures. Furthermore, these regulations and the current guidance material do not address potential security vulnerabilities, which could be exploited by unauthorized access to airplane networks, data buses, and servers. Therefore, these special conditions ensure that the security ( i.e., confidentiality, integrity, and availability) of the airplane's systems is not compromised by unauthorized wired or wireless electronic connections. This includes ensuring that the security of the airplane's systems is not compromised during maintenance of the airplane's electronic systems. These special conditions also require the applicant to provide appropriate instructions to the operator to maintain all electronic-system safeguards that have been implemented as part of the original network design so that this feature does not allow or introduce security threats. These special conditions contain the additional safety standards that the Administrator considers necessary to establish a level of safety equivalent to that established by the existing airworthiness standards.
Applicability
As discussed above, these special conditions are applicable to airplanes listed in the AML of STC No. ST04656CH. Should Universal Avionics apply at a later date for another STC, to include another airplane model with the same novel or unusual design feature, these special conditions would also apply to that model as well. These special conditions are not applicable to those airplane models for which special conditions for protection from unauthorized external access have already been issued to the type certificate for those specific models.
These special conditions are only applicable to design changes applied for after its effective date.
Conclusion
This action affects only a certain novel or unusual design feature for airplane models listed on the AML of STC No. ST04656CH, as modified by Universal Avionics. It is not a rule of general applicability and affects only the applicant.
List of Subjects in 14 CFR Part 25
Aircraft, Aviation safety, Reporting and recordkeeping requirements.
Authority Citation
The authority citation for these special conditions is as follows:
Authority:
49 U.S.C. 106(f), 106(g), 40113, 44701, 44702, and 44704.
The Special Conditions
Accordingly, pursuant to the authority delegated to me by the Administrator, the following special conditions are issued as part of the type certification basis for the airplane models listed on the approved model list of STC No. ST04656CH, as modified by Universal Avionics.
1. The applicant must ensure airplane electronic system security protection from access by unauthorized sources external to the airplane, including those possibly caused by maintenance activity.
2. The applicant must ensure that electronic system security threats are identified and assessed, and that effective electronic system security protection strategies are implemented to protect the airplane from all adverse impacts on safety, functionality, and continued airworthiness.
3. The applicant must establish appropriate procedures to allow the operator to ensure that continued airworthiness of the aircraft is maintained, including all post type certification modifications that may have an impact on the approved electronic system security safeguards.
Issued in in Kansas City, Missouri, on February 27, 2025.
Patrick R. Mullen,
Manager, Technical Policy Branch, Policy and Standards Division, Aircraft Certification Service.
[FR Doc. 2025-03493 Filed 3-4-25; 8:45 am]
BILLING CODE 4910-13-P