Understand the TSA aviation cyber directive. Stay informed about cybersecurity measures in the aviation industry. The TSA issued an emergency cybersecurity amendment to its security programs for airport and aircraft operators. These new requirements build on existing requirements for airport and aircraft owners/operators to report significant cyber incidents, have a point of contact and create incident response plans.
These requirements include network segmentation, monitoring and access control for IT and OT systems. This will help reduce exploitation by attackers, and improve Mean-Time-To-Repair for physical security teams.
Requirements for Pre-Approved Implementation Plans
In this notice of proposed rulemaking, TSA requests input from pipeline and rail transportation industry stakeholders on the best way to strengthen cybersecurity resiliency requirements for their systems. TSA is particularly interested in feedback from pipeline and rail transportation sector associations, third-party cybersecurity subject matter experts, and insurers and underwriters who analyze the cyber risks of these transportation sectors.
This request for information is part of the administration’s ongoing effort to secure America’s critical infrastructure. TSA has already taken several steps to support the National Cybersecurity Strategy, including introducing new security requirements for airports and aircraft operators. TSA will continue to work closely with CISA, the Department of Transportation and other federal agencies to enhance the resiliency of our nation’s aviation, surface transportation and maritime systems.
Using input from stakeholders, TSA will develop and propose new requirements to address the most pressing needs in each of these transportation modes. The agency recognizes that each mode has unique infrastructure and operations and will require unique solutions. TSA seeks to ensure that requirements do not have unintended operational impacts on these critical transportation assets.
TSA will also consider how best to protect the physical and cyber security of each transportation mode’s unique operating environment. In addition, TSA will evaluate the impact of these requirements on existing regulatory programs, including those of other federal and state agencies.
Lastly, TSA will seek input on the need for TSA to protect critical surface transportation infrastructure through a separate and dedicated division. This would include providing the dedicated resources and expertise necessary to ensure the safety and security of each mode’s unique infrastructure and operations.
Airports are critical to our country’s economy and provide essential services to the traveling public. However, their complex network of IT and OT systems make them an attractive target for hackers. Disruption of these systems could significantly impact airport operations and lead to flight delays and cancellations.
TSA is taking a proactive approach to addressing these security concerns by hosting on average 12 TSO hiring events each month at large and priority designated airports. This is an important step in addressing the demand for TSO positions, which has exceeded available resources.
Requirements for Network Segmentation
TSA-regulated airports and aircraft operators must create a network architecture that separates critical operational technology (OT) from non-critical IT systems. This network segmentation ensures that OT systems continue to function even if an IT system is compromised or goes down.
This is just the latest step in a larger push to make aviation assets less of a lucrative target for cyber attackers. Other recent TSA measures impose requirements on air traffic control centers, rail carriers, and power generation companies to improve their cybersecurity resilience. The common thread connecting these efforts is the recognition that organizations can only defend against cyberattacks if they have an understanding of their entire attack surface, including OT systems and the interconnected devices they depend on.
While implementing these changes, airports and aircraft operators must also consider the impact on the wider supply chain. They must work with suppliers and partners to provide training, develop new security tools, and implement best practices to support OT cybersecurity resiliency. It’s a significant undertaking, but one that’s critical to protecting the safety of airlines and their passengers.
The TSA’s emergency directive also requires that regulated aviation entities update their existing cyber risk management programs. This includes establishing a cybersecurity point of contact, developing and adopting a cybersecurity incident response plan, and conducting a cyber vulnerability assessment. Similar requirements were recently announced for passenger and freight railroad carriers, and will soon be introduced for marine vessels.
These cybersecurity requirements are a necessary response to the growing threat to surface transportation infrastructure. Attacks on these systems can degrade, disrupt, or destroy them and may impact the national and economic security of the United States.
The new requirements are not only designed to prevent such attacks, but also to detect them and reduce the time attackers have to exploit vulnerabilities. In particular, these new measures require OT cybersecurity teams to continuously monitor for signs of cyberattacks and implement a continuous monitoring and detection program. They must also develop a process for applying important patches to operating systems, applications, drivers and firmware on critical cyber systems using a risk-based approach.
Requirements for Continuous Monitoring and Detection
TSA’s latest amendment to its aviation security protocols calls for pre-approved implementation plans that outline increased security measures. These include developing network segmentation policies and controls to ensure OT systems can continue to operate safely if IT systems are compromised; access control measures to secure and prevent unauthorized access to critical cyber systems; continuous monitoring and detection policies and procedures; and application of patches and updates to operating systems, applications, drivers and firmware using a risk-based approach.
The requirements may seem stringent, but they are not without precedent. In 2021 and 2022, TSA issued security directives to surface transportation owner/operators that required them to designate primary and alternate cybersecurity coordinators, report cyber incidents within 24 hours to the Cybersecurity and Infrastructure Security Agency, and develop and implement cybersecurity incident response plans and perform cybersecurity vulnerability assessments. These directives were in direct response to the increasing risk of cyberattacks on surface transportation systems and related infrastructure, and the potential for significant harm to national security and economic stability resulting from the degradation, disruption or destruction of those systems and associated infrastructure.
To satisfy these requirements, pipeline and rail owner/operators must use the most current technologies and threat intelligence to assess their security posture and continuously evaluate whether their defenses are in line with those threats. However, the absence of a common referenceable OT cybersecurity standard makes it challenging to compare the competency level of the various owner/operators in this space and determine which of them is capable of implementing these new requirements.
As the TSA’s emergency cyber protocol continues to evolve, we expect that it will take a similar performance-based approach in future. This will likely be driven by the need to improve the overall cybersecurity posture of US industries, as outlined in President Biden’s recent National Cybersecurity Strategy.
To successfully comply with TSA’s new requirements, airports and aircraft operators need a comprehensive understanding of the critical OT cyber systems that are relied upon for normal operations. Having this visibility allows them to identify the crown jewels of their infrastructure and the critical endpoints that are responsible for these systems’ normal operation. This insight can then be used to design and implement the necessary security controls needed to mitigate vulnerabilities in those systems. Learn how Claroty’s OT cybersecurity platform xDome and Continuous Threat Detection (CTD) solutions can help you fulfill TSA’s new requirements and optimize your industrial cybersecurity journey.
Requirements for Patching
The new TSA cybersecurity amendments for airports and aircraft operators mark a major shift from compliance-based to performance-based measures. This move is consistent with the TSA’s October 2022 security directive for passenger and freight railroad carriers, which also focused on reducing vulnerabilities through a performance-based approach.
The amendments require airports to develop a plan for ensuring the safe operation of their OT systems in the event that IT systems are compromised, as well as establish access control measures that secure and prevent unauthorized access to critical cyber systems. They also must create continuous monitoring and detection policies, as well as a system for applying important security patches in a timely manner using a risk-based methodology.
Implementing these plans and systems can be a challenge for airport physical security teams. First, they face a knowledge gap that stems from the fact that physical security professionals are usually trained in safety rather than IT. Second, they often lack the resources and budget to invest in the technologies and processes needed for compliance. This can lead to gaps in OT visibility, scalability and functionality. And finally, they need to align their OT security practices with IT standards. Bringing these functions up to speed can help shorten Mean-Time-to-Repair (MTTR), which is essential in the airline industry, where every minute counts.
Adding to this is the fact that airports are national security assets and any lapse in protection can threaten our country’s safety. This makes them a prime target for both sophisticated nation-state adversaries and run-of-the-mill ransomware criminals. The urgency for improved security has never been clearer, and the TSA’s new requirements can be a game-changer for the airport industry.
While the new requirements can place significant short-term stress on airport physical security departments, they will ultimately result in more effective, cost-efficient and unbreakable security supporting air travel and cargo. As an industrial cyber solutions provider, Claroty looks forward to working with TSA and other stakeholders in the pipeline and rail industries to help them make this shift from compliance to performance.
