Blog
/
Compliance
/
September 4, 2024

What you need to know about FAA Security Protection Regulations 2024

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
04
Sep 2024
This blog gives an overview of the proposed FAA regulations for safeguarding aviation systems and their cyber-physical networks. Read more to discover key points, challenges, and potential solutions for each use case.

Overview of FAA Rules 2024

Objective

The goal of the Federal Aviation Administration amended rules is to create new design standards that protect airplane systems from intentional unauthorized electronic interactions (IUEI), which can pose safety risks. The timely motivation for this goal is due to the ongoing trend in aircraft design, which features a growing integration of airplane, engine, and propeller systems, along with expanded connectivity to both internal and external data networks and services.

“This proposed rulemaking would impose new design standards to address cybersecurity threats for transport category airplanes, engines, and propellers. The intended effect of this proposed action is to standardize the FAA’s criteria for addressing cybersecurity threats, reducing certification costs and time while maintaining the same level of safety provided by current special conditions.” (1)

Background

Increasing integration of aircraft systems with internal and external networks raises cybersecurity vulnerability concerns.

Key vulnerabilities include:  

  • Field Loadable Software
  • Maintenance laptops
  • Public networks (e.g., Internet)
  • Wireless sensors
  • USB devices
  • Satellite communications
  • Portable devices and flight bags  

Requirements for Applicants

Applicants seeking design approval must:

  • Provide isolation or protection from unauthorized access
  • Prevent inadvertent or malicious changes to aircraft systems
  • Establish procedures to maintain cybersecurity protections

Purpose

“These changes would introduce type certification and continued airworthiness requirements to protect the equipment, systems, and networks of transport category airplanes, engines, and propellers against intentional unauthorized electronic interactions (IUEI)1 that could create safety hazards. Design approval applicants would be required to identify, assess, and mitigate such hazards, and develop Instructions for Continued Airworthiness (ICA) that would ensure such protections continue in service.” (1)

Key points:

  • Introduce new design standards to address cybersecurity threats for transport category airplanes, engines, and propellers.
  • Aim to reduce certification costs and time while maintaining safety levels similar to current special conditions

Applicant Responsibilities for Identifying, Assessing, and Mitigating IUEI Risks

The proposed rule requires applicants to safeguard airplanes, engines, and propellers from intentional unauthorized electronic interactions (IUEI). To do this, they must:

  1. Identify and assess risks: Find and evaluate any potential electronic threats that could harm safety.
  2. Mitigate risks: Take steps to prevent these threats from causing problems, ensuring the aircraft remain safe and functional.

Let’s break down each of the requirements:

Performing risk analysis

“For such identification and assessment of security risk, the applicant would be required to perform a security risk analysis to identify all threat conditions associated with the system, architecture, and external or internal interfaces.”(3)

Challenge

The complexity and variety of OT devices make it difficult and time-consuming to identify and associate CVEs with assets. Security teams face several challenges:

  • Prioritization Issues: Sifting through extensive CVE lists to prioritize efforts is a struggle.
  • Patch Complications: Finding corresponding patches is complicated by manufacturer delays and design flaws.
  • Operational Constraints: Limited maintenance windows and the need for continuous operations make it hard to address vulnerabilities, often leaving them unresolved for years.
  • Inadequate Assessments: Standard CVE assessments may not fully capture the risks associated with increased connectivity, underscoring the need for a contextualized risk assessment approach.

This highlights the need for a more effective and tailored approach to managing vulnerabilities in OT environments.

Assessing severity of risks

“The FAA would expect such risk analysis to assess the severity of the effect of threat conditions on associated assets (system, architecture, etc.), consistent with the means of compliance the applicant has been using to meet the FAA’s special conditions on this topic.” (3)

Challenge

As shown by the MITRE ATT&CK® Techniques for ICS matrices, threat actors can exploit many avenues beyond just CVEs. To effectively defend against these threats, security teams need a broader perspective, considering lateral movement and multi-stage attacks.

Challenges in Vulnerability Management (VM) cycles include:

  • Initiation: VM cycles often start with email updates from the Cybersecurity and Infrastructure Security Agency (CISA), listing new CVEs from the NIST database.
  • Communication: Security practitioners must survey and forward CVE lists to networking teams at facilities that might be running the affected assets. Responses from these teams are inconsistent, leading vulnerability managers to push patches that may not fit within limited maintenance windows.
  • Asset Tracking: At many OT locations, determining if a company is running a specific firmware version can be extremely time-consuming. Teams often rely on spreadsheets and must perform manual checks by physically visiting production floors ("sneaker-netting").
  • Coordination: Plant engineers and centralized security teams must exchange information to validate asset details and manually score vulnerabilities, further complicating and delaying remediation efforts.

Determine likelihood of exploitation

“Such assessment would also need to analyze these vulnerabilities for the likelihood of exploitation.” (3)

Challenge

Even when a vulnerability is identified, its actual impact can vary significantly based on the specific configurations, processes, and technologies in use within the organization. This creates challenges for OT security practitioners:

  • Risk Assessment: Accurately assessing and prioritizing the risk becomes difficult without a clear understanding of how the vulnerability affects their unique systems.
  • Decision-Making: Practitioners may struggle to determine whether immediate action is necessary, balancing the risk of operational downtime against the need for security.
  • Potential Consequences: This uncertainty can lead to either leaving critical systems exposed or causing unnecessary disruptions by applying measures that aren't truly needed.

This complexity underscores the challenge of making informed, timely decisions in OT security environments.

Vulnerability mitigation

“The proposed regulation would then require each applicant to 'mitigate' the vulnerabilities, and the FAA expects such mitigation would occur through the applicant’s installation of single or multilayered protection mechanisms or process controls to ensure functional integrity, i.e., protection.” (3)

Challenge

OT security practitioners face a constant challenge in balancing security needs with the requirement to maintain operational uptime. In many OT environments, especially in critical infrastructure, applying security patches can be risky:

  • Risk of Downtime: Patching can disrupt essential processes, leading to significant financial losses or even safety hazards.
  • Operational Continuity vs. Security: Practitioners often prioritize operational continuity, sometimes delaying timely security updates.
  • Alternative Strategies: To protect systems without direct patching, they must implement compensating controls, further complicating security efforts.

This delicate balance between security and uptime adds complexity to the already challenging task of securing OT environments.

Establishing procedures/playbooks

“Finally, each applicant would be required to include the procedures within their instructions for continued airworthiness necessary to maintain such protections.” (3)

Challenge

SOC teams typically have a lag before their response, leading to a higher dwell time and bigger overall costs. On average, only 15% of the total cost of ransomware is affiliated with the ransom itself (2). The rest is cost from business interruption. This means it's crucial that organizations can respond and recover earlier. 

Darktrace / OT enabling compliance and enhanced cybersecurity

Darktrace's OT solution addresses the complex challenges of cybersecurity compliance in Operational Technology (OT) environments by offering a comprehensive approach to risk management and mitigation.

Key risk management features include:

  • Contextualized Risk Analysis: Darktrace goes beyond traditional vulnerability scoring, integrating IT, OT, and CVE data with MITRE techniques to map critical attack paths. This helps in identifying and prioritizing vulnerabilities based on their exposure, difficulty of exploitation, and network impact.
  • Guidance on Remediation: When patches are unavailable, Darktrace provides alternative strategies to bolster defenses around vulnerable assets, ensuring unpatched systems are not left exposed—a critical need in OT environments where operational continuity is essential.
  • AI-Driven Adaptability: Darktrace's AI continuously adapts to your organization as it grows; refining incident response playbooks bespoke to your environment in real-time. This ensures that security teams have the most up-to-date, tailored strategies, reducing response times and minimizing the impact of security incidents.

Ready to learn more?  

Darktrace / OT doesn’t just offer risk management capabilities. It is the only solution  
that leverages Self-Learning AI to understand your normal business operations, allowing you to detect and stop insider, known, unknown, and zero-day threats at scale.  

Dive deeper into how Darktrace / OT secures critical infrastructure organizations with in-depth insights on its advanced capabilities. Download the Darktrace / OT Solution Brief to explore the technology behind its AI-driven protection and see how it can transform your OT security strategy.

Curious about how Darktrace / OT enhances aviation security? Explore our customer story on Brisbane Airport to see how our solution is transforming security operations in the aviation sector.  

References

  1. https://research-information.bris.ac.uk/ws/portalfiles/portal/313646831/Catch_Me_if_You_Can.pdf
  1. https://www.bleepingcomputer.com/news/security/ransom-payment-is-roughly-15-percent-of-the-total-cost-of-ransomware-attacks/
  1. https://public-inspection.federalregister.gov/2024-17916.pdf?mod=djemCybersecruityPro&tpl=cs
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Daniel Simonds
Director of Operational Technology
Book a 1-1 meeting with one of our experts
Share this article

More in this series

No items found.

Blog

/

Email

/

March 19, 2025

Global Technology Provider Transforms Email Threat Detection with Darktrace

Default blog imageDefault blog image

At a glance

  • Within just one month of using Darktrace / EMAIL, the volume of suspicious emails requiring analyst attention dropped by 75%, saving analysts 45 hours per month on analysis and investigation.
  • By offloading most manual, repetitive tasks to Darktrace / EMAIL, the company’s skilled security analysts can focus on developing new capabilities and tackling more complex, rewarding projects.
  • Darktrace recently detected and blocked a highly sophisticated and personalized phishing email that spoofed a Microsoft SharePoint and Teams website and used advanced engineering to impersonate the school of an employee’s family member.
  • The transition from the incumbent solution to Darktrace / EMAIL was seamless and undetectable to the company’s vast of customers and partners, reinforcing the security organization’s role as a business enabler—protecting the company and reducing risk without adding friction.

Securing a complex, distributed business without disruption

The company remains at the forefront of technological innovation and transformation; however, its success and ambitions come with the challenges of managing a distributed global business—balancing digital advancements, existing technology investments, and evolving compliance requirements.

Optimizing a complex tech stack for scalable growth

The organization operates a diverse technology stack spanning Windows, Mac, Linux, and multiple cloud environments, creating a complex and challenging IT landscape. The company’s Chief Information Security Officer (CISO) emphasizes the need for efficiency and agility. “Our goal is to scale and deliver new capabilities without increasing headcount, ensuring that costs remain proportionate to growth.”

Balancing security, governance, and business agility

Committed to responsible practices, this industry leader prioritizes secure and trustworthy technology for its customers who rely on its solutions. “Balancing business agility with governance is a constant challenge," said the CISO. "There’s always a natural push and pull, which I believe is healthy—but achieving the right balance is delicate.”

Protecting critical workflows without impacting productivity

For the organization, email is much more than just a communication tool. “Email plays a critical role in our engineering workflows and is fundamental to how we build our products.” Because of this, the company is extremely cautious about implementing any solution that could introduce friction or disrupt productivity. “There is zero tolerance for disruption, which is why we take a deliberate and methodical approach when evaluating, selecting, and deploying our tools and solutions,” he said.  

More than a vendor: A security partner invested in success

To ensure an optimal security infrastructure, the enterprise security team regularly evaluates market technologies to their existing solutions. With the rapidly evolving threat landscape, the CISO said they “wanted to validate whether we still had best-in-class protection and the right controls in place to secure our organization. It was about assessing whether we could do better in our ongoing effort to fine-tuning our approach to achieve the best possible outcome.”

The team evaluated 15 different email security vendors based on the following criteria:

  1. Efficacy to detect threats
  2. Ability to integrate with existing tooling
  3. Ease of use
  4. A vendor’s approach to partnership  

They initially narrowed the list to five vendors, conducting demo sessions for deeper evaluations before selecting three finalists for a proof of value (POV). We analyzed actual malicious emails with each vendor to assess the accuracy of their detections, allowing for an objective comparison,” said the CISO. Through this rigorous process, the Darktrace / EMAIL security solution emerged as the best fit for their business. “Darktrace’s product performed well and showed a genuine commitment to partnering with us in the long-term to ensure our success.”

The team objectively understood where there were gaps across the different vendors, where they were strong, and where they could use improvement. “Based on the analysis, we knew that Darktrace / EMAIL could deliver as the data supported it, in our specific use cases.  

Partnership, integrity and respect

Throughout the evaluation process, the importance of partnership and mutual respect remained an essential factor to the CISO. “I wanted a company we could develop a long-term strategic partnership with, one that could extend far deeper than just email.” A key factor in choosing Darktrace was the commitment and engagement of its team at every level of the organization. “Darktrace showed integrity, patience and a genuine investment in building a strong relationship with my team.  That's why we're here today.”

“Together, we've delivered some fantastic outcomes”

For the organization, Darktrace / EMAIL has played a crucial role in reducing risk, empowering analysts, and enabling a lean, effective security strategy. “Together, we've delivered some fantastic outcomes,” said the CISO.  

Reducing risk. Empowering analysts

“Within that first month, we saw a 75% drop in suspicious emails that that required manual review, which reduced the time my team spent analyzing and investigating by 45 hours per month,” said the CISO. The security team values Darktrace / EMAIL not only for its ease of use but also for the time it frees up for more meaningful work. “Giving my team the opportunity to tackle complex challenges they enjoy and find more stimulating is important to me.” As they continue to fine-tune and optimize balance levels within Darktrace / EMAIL, he expects even greater efficiency gains in the coming months.

Maximizing protection while staying lean

It’s important for the security group to be proportionate with their spending, said the CISO. “It's all about what is enough security to enable the business. And that means, as our organization grows, it's important that we are as lean and as efficient as possible to deliver the best outcomes for the business.”  Embracing an AI-powered automated approach is an essential component to achieving that goal. By offloading most manual, repetitive tasks to Darktrace / EMAIL, the company’s skilled security analysts can focus on more strategic and proactive initiatives that enable the business.  

Protecting employees from advanced social engineering threats

Recently, Darktrace detected a malicious email targeting an employee, disguised as a spoofed Microsoft SharePoint and Teams website. What made this attack particularly sophisticated was its personalization — it impersonated the school where the employee’s family member attended. Unlike mass malicious emails sent to thousands of people, this was a highly targeted attack, leveraging advanced social engineering tactics to exploit connections within the education system and between family members.  

Protecting without disrupting

A seamless migration is often overlooked but is critical to success for any organization, said the CISO. With a wide ecosystem of partners, email is a highly visible, business-critical function for the organization — "any friction or downtime would have an immediate impact and could throttle the entire business,” he said. However, the transition from their previous solution to Darktrace / EMAIL was exceptionally smooth. “No one realized we changed providers because there was no disruption — no incidents at all. I cannot emphasize just how important that is when I'm trying to position our security organization as an enabling function for the business that protects and reduces risk without adding friction.”

A security partnership for the future

“To survive as a business over the next few years, adopting AI is no longer optional—it’s essential,” said the CISO. However, with the cybersecurity market becoming increasingly saturated, selecting the right solutions and vendors can be overwhelming. He stresses the importance of choosing strategic partners who not only deliver the outcomes you need, but also deeply understand your organization’s unique environment. “You’re only as strong as your partners. Technology innovation and the cybersecurity market are always changing.  At some point every solution will face a challenge—it’s inevitable. The differentiator will be how people respond when that happens.”  

Continue reading
About the author
The Darktrace Community

Blog

/

AI

/

March 19, 2025

Survey findings: How is AI Impacting the SOC?

Default blog imageDefault blog image

There’s no question that AI is already impacting the SOC – augmenting, assisting, and filling the gaps left by staff and skills shortages. We surveyed over 1,500 cybersecurity professionals from around the world to uncover their attitudes to AI cybersecurity in 2025. Our findings revealed striking trends in how AI is changing the way security leaders think about hiring and SOC transformation. Download the full report for the big picture, available now.

Download the full report to explore these findings in depth

The AI-human conundrum

Let’s start with some context. As the cybersecurity sector has rapidly evolved to integrate AI into all elements of cyber defense, the pace of technological advancement is outstripping the development of necessary skills. Given the ongoing challenges in security operations, such as employee burnout, high turnover rates, and talent shortages, recruiting personnel to bridge these skills gaps remains an immense challenge in today’s landscape.

But here, our main findings on this topic seem to contradict each other.

There’s no question over the impact of AI-powered threats – nearly three-quarters (74%) agree that AI-powered threats now pose a significant challenge for their organization.  

When we look at how security leaders are defending against AI-powered threats, over 3 out of 5 (62%) see insufficient personnel to manage tools and alerts as the biggest barrier.  

Yet at the same time, increasing cyber security staff is at the bottom of the priority list for survey participants, with only 11% planning to increase cybersecurity staff in 2025 – less than in 2024. What 64% of stakeholders are committed to, however, is adding new AI-powered tools onto their existing security stacks.

With burnout pervasive, the talent deficit reaching a new peak, and growing numbers of companies unable to fill cybersecurity positions, it may be that stakeholders realize they simply cannot hire enough personnel to solve this problem, no matter how much they may want to. As a result, leaders are looking for methods beyond increasing staff to overcome security obstacles.

Meanwhile, the results show that defensive AI is becoming integral to the SOC as a means of augmenting understaffed teams.

How is AI plugging skills shortages in the SOC?

As explored in our recent white paper, the CISO’s Guide to Navigating the Cybersecurity Skills Shortage, 71% of organizations report unfilled cybersecurity positions, leading to the estimation that less than 10% of alerts are thoroughly vetted. In this scenario, AI has become an essential multiplier to relieve the burden on security teams.

95% of respondents agree that AI-powered solutions can significantly improve the speed and efficiency of their defenses. But how?

The area security leaders expect defensive AI to have the biggest impact is on improving threat detection, followed by autonomous response to threats and identifying exploitable vulnerabilities.

Interestingly, the areas that participants ranked less highly (reducing alert fatigue and running phishing simulation), are the tasks that AI already does well and can therefore be used already to relieve the burden of manual, repetitive work on the SOC.

Different perspectives from different sides of the SOC

CISOs and SecOps teams aren’t necessarily aligned on the AI defense question – while CISOs tend to see it as a strategic game-changer, SecOps teams on the front lines may be more sceptical, wary of its real-world reliability and integration into workflows.  

From the data, we see that while less than a quarter of execs doubt that AI-powered solutions will block and automatically respond to AI threats, about half of SecOps aren’t convinced. And only 17% of CISOs lack confidence in the ability of their teams to implement and use AI-powered solutions, whereas over 40% those in the team doubt their own ability to do so.

This gap feeds into the enthusiasm that executives share about adding AI-driven tools into the stack, while day-to-day users of the tools are more interested in improving security awareness training and improving cybersecurity tool integration.

Levels of AI understanding in the SOC

AI is only as powerful as the people who use it, and levels of AI expertise in the SOC can make or break its real-world impact. If security leaders want to unlock AI’s full potential, they must bridge the knowledge gap—ensuring teams understand not just the different types of AI, but where it can be applied for maximum value.

Only 42% of security professionals are confident that they fully understand all the types of AI in their organization’s security stack.

This data varies between job roles – executives report higher levels of understanding (60% say they know exactly which types of AI are being used) than participants in other roles. Despite having a working knowledge of using the tools day-to-day, SecOps practitioners were more likely to report having a “reasonable understanding” of the types of AI in use in their organization (42%).  

Whether this reflects a general confidence in executives rather than technical proficiency it’s hard to say, but it speaks to the importance of AI-human collaboration – introducing AI tools for cybersecurity to plug the gaps in human teams will only be effective if security professionals are supported with the correct education and training.  

Download the full report to explore these findings in depth

The full report for Darktrace’s State of AI Cybersecurity is out now. Download the paper to dig deeper into these trends, and see how results differ by industry, region, organization size, and job title.  

Continue reading
About the author
The Darktrace Community
Your data. Our AI.
Elevate your network security with Darktrace AI