Newly proposed rules from the Federal Aviation Administration (FAA) would require, if adopted, that unmanned aircraft systems (UAS) – also known as drones – undergo new cybersecurity screening processes to prevent security breaches and unauthorized access. 

Those policies were outlined in a 731-page document made public by the FAA on Aug. 6, which, in addition to requiring additional cybersecurity practices, would allow drones to be flown beyond the visual line of sight (BVLOS) of their pilots or those observing autonomous aircraft.

“From drones delivering medicine to unmanned aircraft surveying crops, this technology will fundamentally change the way we interact with the world,” said Sean Duffy, secretary of the Department of Transportation. “Our new rule will reform outdated regulations that were holding innovators back while also enhancing safety in our skies. Thanks to President Trump, America – not China – will lead the way in this exciting new technology.” 

If adopted, the new FAA rules would require that all drone operators – except those using the technology recreationally – develop and implement cybersecurity policies and processes to protect networks, devices, and data from unauthorized access. 

“FAA understands that integrating low-altitude UAS BVLOS operations into the [national air space] may create conditions conducive to new and innovative safety and security threats,” reads the document. “FAA anticipates that proposed … operations may introduce vulnerabilities, particularly regarding cybersecurity.” 

The threats that FAA anticipates include unauthorized access to hardware, software, control stations, and employee networks. It also noted the risk of cyberattacks from malicious actors.

Many of those threats would likely come from interconnected systems required to operate drones BVLOS, FAA explained, saying that the “proposed rule would rely on complex technologies,” and that “UAS would thus be susceptible to many of the same cybersecurity risks as other connected technologies.” 

FAA said operators would specifically be required to continuously assess and monitor cyber risks by ensuring employee network access privileges are limited; preparing for and responding to the impact of cyberattacks; collecting and analyzing data to measure the effectiveness of cybersecurity policies and processes; conducting annual reviews and updates of cybersecurity policies; and reporting security incidents to the FAA.

Under the proposed rule, drone manufacturers would also need to implement security measures to prevent unauthorized electronic interactions, following standards accepted by the FAA and the National Institute of Standards and Technology’s Cybersecurity Framework.

Weslan Hansen
Weslan Hansen is a MeriTalk Staff Reporter covering the intersection of government and technology.