The Transportation Security Administration (TSA) has issued a new cybersecurity amendment on an emergency basis to the security programs of certain TSA-regulated airport and aircraft operators, following similar measures announced in October 2022 for passenger and freight railroad carriers. These directives are part of the Department of Homeland Security’s efforts to increase the cybersecurity resilience of U.S. critical infrastructure and follow extensive collaboration with aviation partners.
Airlines are subjected to almost constant attack: the European air safety agency Eurocontrol reported in 2021 that cyber attackers target airlines on a weekly basis. One of the most recent was the attack on SAS – Scandinavian Airlines last month. SAS said at the time that it expects more attempted attacks to follow. And in October 2022, Russian hackers claimed responsibility for outages at Los Angeles, Chicago O’Hare, and Atlanta Hartsfield-Jackson airports in the U.S.
“Protecting our nation’s transportation system is our highest priority and TSA will continue to work closely with industry stakeholders across all transportation modes to reduce cybersecurity risks and improve cyber resilience to support safe, secure and efficient travel,” said TSA Administrator David Pekoske. “This amendment to the aviation security programs extends similar performance-based requirements that currently apply to other transportation system critical infrastructure.”
TSA is taking this emergency action because of persistent cybersecurity threats against U.S. critical infrastructure, including the aviation sector. The new emergency amendment requires that impacted TSA-regulated entities develop an approved implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure. They must also proactively assess the effectiveness of these measures, which include the following actions:
- Develop network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised, and vice versa;
- Create access control measures to secure and prevent unauthorized access to critical cyber systems;
- Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations; and
- Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.
This is the latest in TSA’s efforts to require that critical transportation sector operators continue to enhance their ability to defend against cybersecurity threats. Previous requirements for TSA-regulated airport and aircraft operators included measures such as reporting significant cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA), establishing a cybersecurity point of contact, developing and adopting a cybersecurity incident response plan and completing a cybersecurity vulnerability assessment.
Like the new aviation security directive, the October 2022 security directive for passenger and freight railroad carriers also includes network segmentation policies and controls; access control measures to secure and prevent unauthorized access to critical cyber systems; continuous monitoring and detection policies and procedures; and the application of security patches and updates. In addition, it calls for passenger and freight railroad carriers to establish and execute a TSA-approved Cybersecurity Implementation Plan that describes the specific cybersecurity measures the passenger and freight rail carriers are utilizing to achieve the security outcomes set forth in the security directive. The rail carriers are also tasked with establishing a Cybersecurity Assessment Program to proactively test and regularly audit the effectiveness of cybersecurity measures and identify and resolve vulnerabilities within devices, networks, and systems.
Soon after the rail directive was issued, TSA sought input regarding ways to strengthen cybersecurity and resiliency in the pipeline and rail sectors via an advance notice of proposed rulemaking, which closed for comments on January 17, 2023.
TSA works with the Department of Transportation (DOT), the Cybersecurity and Infrastructure Security Agency and industry partners to strengthen the cybersecurity resilience of the nation’s critical infrastructure. In November, the Office of Inspector General at DOT initiated an audit into the department’s implementation of continuous monitoring tools for improving cybersecurity. Previous OIG audits have found myriad cybersecurity weaknesses at DOT, which the department is working to fix.
In response to a December 2022 Government Accountability Office report on critical infrastructure cybersecurity, the Department of Homeland Security (DHS) said that TSA, in coordination with the U.S. Coast Guard and DOT, was developing a draft sector-specific plan that is to include metrics for measuring effectiveness of efforts to enhance the cybersecurity of the sector’s Internet of Things (IoT) and Operational Technology (OT) environments. DHS also stated then that TSA had incorporated cybersecurity issues including OT and IoT in its sector risk assessment and noted that it would continue efforts to include IoT and OT devices in risk assessments. DHS estimated that these efforts would be completed by June 28, 2024.
On March 2, the Biden-Harris Administration announced the National Cybersecurity Strategy, which calls for building new and innovative capabilities that allow owners and operators of critical infrastructure to effectively collaborate with each other at speed and scale. This includes establishing cybersecurity regulations in critical sectors, harmonizing and streamlining new and existing regulations, helping regulated entities absorb cybersecurity costs, enhancing public-private collaboration, and modernizing federal systems.