Special Conditions: Boeing Model 787-8 Airplane; Systems and Data Networks Security-Protection of Airplane Systems and Data Networks From Unauthorized External Access

Federal Register, Apr 16, 2007
72 Fed. Reg. 18923 (Apr. 16, 2007)

AGENCY:

Federal Aviation Administration (FAA), DOT.

ACTION:

Notice of proposed special conditions.

SUMMARY:

This notice proposes special conditions for the Boeing Model 787-8 airplane. This airplane will have novel or unusual design features when compared to the state of technology envisioned in the airworthiness standards for transport category airplanes. The architecture of the Boeing Model 787-8 systems and networks allows access to external systems and networks, including the public Internet. On-board wired and wireless devices may also have access to parts of the airplane's digital systems that provide flight critical functions. These new connectivity capabilities may result in security vulnerabilities to the airplane's critical systems. For these design features, the applicable airworthiness regulations do not contain adequate or appropriate safety standards for protection and security of airplane systems and data networks against unauthorized access. These proposed special conditions contain the additional safety standards that the Administrator considers necessary to establish a level of safety equivalent to that established by the existing airworthiness standards. Additional special conditions will be issued for other novel or unusual design features of the Boeing Model 787-8 airplanes.

DATES:

Comments must be received on or before May 31, 2007.

ADDRESSES:

Comments on this proposal may be mailed in duplicate to: Federal Aviation Administration, Transport Airplane Directorate, Attention: Rules Docket (ANM-113), Docket No. NM365, 1601 Lind Avenue, SW., Renton, Washington 98057-3356; or delivered in duplicate to the Transport Airplane Directorate at the above address. All comments must be marked Docket No. NM365. Comments may be inspected in the Rules Docket weekdays, except Federal holidays, between 7:30 a.m. and 4 p.m.

FOR FURTHER INFORMATION CONTACT:

Will Struck, FAA, Airplane and Flight Crew Interface, ANM-111, Transport Airplane Directorate, Aircraft Certification Service, 1601 Lind Avenue, SW., Renton, Washington 98057-3356; telephone (425) 227-2764; facsimile (425) 227-1149.

SUPPLEMENTARY INFORMATION:

Comments Invited

The FAA invites interested persons to participate in this rulemaking by submitting written comments, data, or views. The most helpful comments reference a specific portion of the special conditions, explain the reason for any recommended change, and include supporting data. We ask that you send us two copies of written comments.

We will file in the docket all comments we receive as well as a report summarizing each substantive public contact with FAA personnel concerning these proposed special conditions. The docket is available for public inspection before and after the comment closing date. If you wish to review the docket in person, go to the address in the ADDRESSES section of this notice between 7:30 a.m. and 4 p.m., Monday through Friday, except Federal holidays.

We will consider all comments we receive on or before the closing date for comments. We will consider comments filed late if it is possible to do so without incurring expense or delay. We may change the proposed special conditions based on comments we receive.

If you want the FAA to acknowledge receipt of your comments on this proposal, include with your comments a pre-addressed, stamped postcard on which the docket number appears. We will stamp the date on the postcard and mail it back to you.

Background

On March 28, 2003, Boeing applied for an FAA type certificate for its new Boeing Model 787-8 passenger airplane. The Boeing Model 787-8 airplane will be an all-new, two-engine jet transport airplane with a two-aisle cabin. The maximum takeoff weight will be 476,000 pounds, with a maximum passenger count of 381 passengers.

Type Certification Basis

Under provisions of 14 CFR 21.17, Boeing must show that Boeing Model 787-8 airplanes (hereafter referred to as “the 787”) meet the applicable provisions of 14 CFR part 25, as amended by Amendments 25-1 through 25-117, except 25.809(a) and 25.812, which will remain at Amendment 25-115. If the Administrator finds that the applicable airworthiness regulations do not contain adequate or appropriate safety standards for the 787 because of a novel or unusual design feature, special conditions are prescribed under provisions of 14 CFR 21.16.

In addition to the applicable airworthiness regulations and special conditions, the 787 must comply with the fuel vent and exhaust emission requirements of 14 CFR part 34 and the noise certification requirements of part 36. In addition, the FAA must issue a finding of regulatory adequacy pursuant to section 611 of Public Law 92-574, the “Noise Control Act of 1972.”

Special conditions, as defined in § 11.19, are issued in accordance with § 11.38 and become part of the type certification basis in accordance with § 21.17(a)(2).

Special conditions are initially applicable to the model for which they are issued. Should the type certificate for that model be amended later to include any other model that incorporates the same or similar novel or unusual design feature, the special conditions would also apply to the other model under the provisions of § 21.101.

Novel or Unusual Design Features

The digital systems architecture for the 787 consists of several connected networks. This proposed network architecture is used for a diverse set of functions, including the following.

1. Flight-safety-related control and navigation systems (Aircraft Control Domain).

2. Airline business and administrative support (Airline Information Services Domain).

3. Passenger entertainment, information, and Internet services (Passenger Information and Entertainment Services Domain).

The proposed architecture of the 787 is different from that of existing production (and retrofitted) airplanes. It allows connection to and access from external sources (the public Internet) and airline operator networks to the previously isolated Aircraft Control Domain and Airline Information Services Domain. The Aircraft Control Domain and the Airline Information Services Domain perform functions required for the safe operation of the airplane.

Capability is proposed for providing electronic transmission of field-loadable software applications and databases to the aircraft. These would subsequently be loaded into systems within the Aircraft Control Domain and Airline Information Services Domain. Also, it may be proposed that on-board wired and wireless devices have access to the Aircraft Control Domain and Airline Information Services Domain. These new connectivity capabilities and features of the proposed design may result in security vulnerabilities from intentional or unintentional corruption of data and systems critical to the safety and maintenance of the airplane. The existing regulations and guidance material did not anticipate this type of system architecture or Internet and wireless electronic access to aircraft systems that provide flight critical functions. Furthermore, 14 CFR regulations and current system safety assessment policy and techniques do not address potential security vulnerabilities that could be caused by unauthorized external access to aircraft data buses and servers. Therefore, a special condition is proposed to ensure the security, integrity and availability of the critical systems within the Aircraft Control Domain and Airline Information Services Domain by establishing requirements for:

1. Protection of Aircraft Control Domain and Airline Information Services Domain systems, hardware, software, and databases from unauthorized access.

2. Protection of field-loadable software (FLS) applications and databases which are electronically transmitted from external sources to the on-aircraft networks and storage devices, and used within the Aircraft Control Domain and Airline Information Services Domain.

Applicability

As discussed above, these proposed special conditions are applicable to the 787. Should Boeing apply at a later date for a change to the type certificate to include another model incorporating the same novel or unusual design features, these proposed special conditions would apply to that model as well under the provisions of § 21.101.

Conclusion

This action affects only certain novel or unusual design features of the 787. It is not a rule of general applicability, and it affects only the applicant that applied to the FAA for approval of these features on the airplane.

List of Subjects in 14 CFR Part 25

  • Aircraft
  • Aviation safety
  • Reporting and recordkeeping requirements

The authority citation for these Special Conditions is as follows:

Authority: 49 U.S.C. 106(g), 40113, 44701, 44702, 44704.

The Proposed Special Conditions

Accordingly, the Administrator of the Federal Aviation Administration (FAA) proposes the following special conditions as part of the type certification basis for the Boeing Model 787-8 airplane.

The applicant shall ensure system security protection for the Aircraft Control Domain and Airline Information Services Domain from unauthorized external access. The applicant shall also ensure that security threats are identified and risk mitigation strategies are implemented to minimize the likelihood of occurrence of each of the following conditions:

1. Reduction in airplane safety margins or airplane functional capabilities, including those possibly caused by maintenance activity;

2. An increase in flightcrew workload or conditions impairing flightcrew efficiency, and;

3. Distress or injury to airplane occupants.

Issued in Renton, Washington, on April 5, 2007.

Stephen P. Boyd,

Acting Manager, Transport Airplane Directorate, Aircraft Certification Service.

[FR Doc. 07-1838 Filed 4-13-07; 8:45 am]

BILLING CODE 4910-13-P