Skip to Content

Rule

Special Conditions: Embraer S.A. Model ERJ 190-300 Airplane; Electronic System Security Protection From Unauthorized Internal Access

Comments on this document are being accepted at Regulations.gov. Submit a formal comment

Read the 15 public comments

Document Details

Information about this document as published in the Federal Register.

Enhanced Content

Relevant information about this document from Regulations.gov provides additional context. This information is not part of the official Federal Register document.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble Start Printed Page 27105

AGENCY:

Federal Aviation Administration (FAA), DOT.

ACTION:

Final special conditions; request for comments.

SUMMARY:

These special conditions are issued for the Embraer S.A. (Embraer) Model ERJ 190-300 airplane. This airplane will have a novel or unusual design feature when compared to the state of technology envisioned in the airworthiness standards for transport-category airplanes. This design feature is a digital-systems network architecture requiring isolation or protection from unauthorized internal access. The applicable airworthiness regulations do not contain adequate or appropriate safety standards for this design feature. These special conditions contain the additional safety standards that the Administrator considers necessary to establish a level of safety equivalent to that established by the existing airworthiness standards.

DATES:

This action is effective on Embraer on June 14, 2017. We must receive your comments by July 31, 2017.

ADDRESSES:

Send comments identified by docket number FAA-2017-0239 using any of the following methods:

  • Federal eRegulations Portal: Go to http://www.regulations.gov/and follow the online instructions for sending your comments electronically.
  • Mail: Send comments to Docket Operations, M-30, U.S. Department of Transportation (DOT), 1200 New Jersey Avenue SE., Room W12-140, West Building Ground Floor, Washington, DC 20590-0001.
  • Hand Delivery or Courier: Take comments to Docket Operations in Room W12-140 of the West Building Ground Floor at 1200 New Jersey Avenue SE., Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays.
  • Fax: Fax comments to Docket Operations at 202-493-2251.

Privacy: The FAA will post all comments it receives, without change, to http://www.regulations.gov/​, including any personal information the commenter provides. Using the search function of the docket Web site, anyone can find and read the electronic form of all comments received into any FAA docket, including the name of the individual sending the comment (or signing the comment for an association, business, labor union, etc.). DOT's complete Privacy Act Statement can be found in the Federal Register published on April 11, 2000 (65 FR 19477-19478), as well as at http://DocketsInfo.dot.gov/​.

Docket: Background documents or comments received may be read at http://www.regulations.gov/​ at any time. Follow the online instructions for accessing the docket or go to Docket Operations in Room W12-140 of the West Building Ground Floor at 1200 New Jersey Avenue SE., Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Varun Khanna, FAA, Airplane and Flight Crew Interface, ANM-111, Transport Airplane Directorate, Aircraft Certification Service, 1601 Lind Avenue SW., Renton, Washington 98057-3356; telephone 425-227-1298; facsimile 425-227-1320.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

The FAA has determined that notice of, and opportunity for prior public comment on, these special conditions is impracticable because these procedures would significantly delay issuance of the design approval and thus delivery of the affected airplane.

In addition, the substance of these special conditions has been subject to the public-comment process in several prior instances with no substantive comments received. The FAA therefore finds that good cause exists for making these special conditions effective upon publication in the Federal Register.

Comments Invited

We invite interested people to take part in this rulemaking by sending written comments, data, or views. The most helpful comments reference a specific portion of the special conditions, explain the reason for any recommended change, and include supporting data.

We will consider all comments we receive by the closing date for comments. We may change these special conditions based on the comments we receive.

Background

On September 13, 2013, Embraer applied for an amendment to Type Certificate No. A57NM to include the new Model ERJ 190-300 airplane. The Model ERJ 190-300 airplane, which is a derivative of the Embraer Model ERJ 190-100 STD airplane currently approved under Type Certificate No. A57NM, is a 97- to 114-passenger transport-category airplane, designed with a new wing with a high aspect ratio and raked wingtip, and a new electrical-distribution system. The maximum take-off weight is 124,340 lbs (56,400 kg).

Type Certification Basis

Under the provisions of title 14, Code of Federal Regulations (14 CFR) 21.101, Embraer must show that the Model ERJ 190-300 airplane meets the applicable provisions of the regulations listed in Type Certificate No. A57NM, or the applicable regulations in effect on the date of application for the change, except for earlier amendments as agreed upon by the FAA.

If the Administrator finds that the applicable airworthiness regulations (i.e., 14 CFR part 25) do not contain adequate or appropriate safety standards for the Model ERJ 190-300 airplane because of a novel or unusual design feature, special conditions are prescribed under the provisions of § 21.16.

Special conditions are initially applicable to the model for which they are issued. Should the type certificate for that model be amended later to include any other model that incorporates the same novel or unusual design feature, or should any other model already included on the same type certificate be modified to incorporate the same novel or unusual Start Printed Page 27106design feature, these special conditions would also apply to the other model under § 21.101.

In addition to the applicable airworthiness regulations and special conditions, the Embraer Model ERJ 190-300 airplane must comply with the fuel-vent and exhaust-emission requirements of 14 CFR part 34 and the noise-certification requirements of 14 CFR part 36.

The FAA issues special conditions, as defined in 14 CFR 11.19, in accordance with § 11.38, and they become part of the type certification basis under § 21.101.

Novel or Unusual Design Features

The Embraer Model ERJ 190-300 airplane will incorporate the following novel or unusual design feature: A digital-systems network architecture requiring isolation or protection from unauthorized internal access.

Discussion

Networks, both in safety-related and non-safety-related applications, have been implemented in existing commercial-production airplanes. However, network security considerations and functions have played a relatively minor role in the certification of such systems because of the isolation, protection mechanisms, and limited connectivity between these networks.

To provide an understanding of the airplane electronic equipment, systems, and assets, these special conditions use the concept of domains. However, this does not prescribe any particular architecture.

The aircraft-control domain consists of the airplane electronic systems, equipment, instruments, networks, servers, software and hardware components, databases, etc., which are part of the type design of the airplane and are installed in the airplane to enable the safe operation of the airplane. These can also be referred to as flight-safety-related systems, and include flight controls, communication, display, monitoring, navigation, and related systems.

The operator-information domain generally consists of functions that the airplane operator manages or controls, such as administrative functions and cabin-support functions.

The passenger-entertainment domain consists of all functions required to provide the passengers with information and entertainment systems.

The Embraer Model ERJ 190-300 airplane design introduces the potential for access to the aircraft-control domain and airline-information-services domain by unauthorized persons through the passenger-information-services domain; and the security vulnerabilities related to the introduction of viruses, worms, user mistakes, and intentional sabotage of airplane networks, systems, and databases.

For electronic systems-and-assets security in these domains, the level of protection provided against security threats should be based on a security-risk assessment, noting that the level of protection could differ between domains and within domains, depending on the security threat. For each security vulnerability and airplane electronic asset, Embraer should identify in which domain the asset will be addressed.

In addition, the operating systems for current airplane systems are usually and historically proprietary. Therefore, they are not as susceptible to corruption from worms, viruses, and other malicious actions as are more-widely used commercial operating systems, such as Microsoft Windows, because access to the design details of these proprietary operating systems is limited to the system developer and airplane integrator. Some systems installed on the Embraer Model ERJ 190-300 airplane will use operating systems that are widely used and commercially available from third-party software suppliers. The security vulnerabilities of these operating systems may be more widely known than are the vulnerabilities of proprietary operating systems that the avionics manufacturers currently use.

These special conditions contain the additional safety standards that the Administrator considers necessary to establish a level of safety equivalent to that established by the existing airworthiness standards.

Applicability

As discussed above, these special conditions are applicable to the Embraer Model ERJ 190-300 airplane. Should Embraer apply at a later date for a change to the type certificate to include another model incorporating the same novel or unusual design feature, these special conditions would apply to that model as well.

Conclusion

This action affects only a certain novel or unusual design feature on one model of airplane. It is not a rule of general applicability.

The substance of these special conditions has been subject to the notice and comment period in several prior instances and has been derived without substantive change from those previously issued. It is unlikely that prior public comment would result in a significant change from the substance contained herein. Therefore, the FAA has determined that prior public notice and comment are unnecessary and impracticable, and good cause exists for adopting these special conditions upon publication in the Federal Register. The FAA is requesting comments to allow interested persons to submit views that may not have been submitted in response to the prior opportunities for comment described above.

Start List of Subjects

List of Subjects in 14 CFR Part 25

  • Aircraft
  • Aviation safety
  • Reporting and recordkeeping requirements
End List of Subjects

The authority citation for these special conditions is as follows:

Start Authority

Authority: 49 U.S.C. 106(g), 40113, 44701, 44702, 44704.

End Authority

The Special Conditions

Accordingly, pursuant to the authority delegated to me by the Administrator, the following special conditions are issued as part of the type certification basis for Embraer Model ERJ 190-300 airplanes.

1. The applicant must ensure that the airplane design provides isolation from, or airplane electronic-system security protection against, access by unauthorized sources internal to the airplane. The design must prevent inadvertent and malicious changes to, and all adverse impacts upon, airplane equipment, systems, networks, or other assets required for safe flight and operations.

2. The applicant must establish appropriate procedures to allow the operator to ensure that continued airworthiness of the airplane is maintained, including all post-type-certification modifications that may have an impact on the approved electronic-system security safeguards.

Start Signature

Issued in Renton, Washington, on June 2, 2017.

Michael Kaszycki,

Assistant Manager, Transport Airplane Directorate, Aircraft Certification Service.

End Signature End Supplemental Information

[FR Doc. 2017-12281 Filed 6-13-17; 8:45 am]

BILLING CODE 4910-13-P