The Transportation Security Administration (TSA) announced a new set of cybersecurity requirements this week for airport and aircraft operators. The initiative constitutes "an emergency action," the TSA explained in a press release, urgent "because of persistent cybersecurity threats against US critical infrastructure, including the aviation sector."
This announcement comes hot on the heels of the White House's National Cybersecurity Strategy, published March 2. It's all part of a broader government effort to increase cyber resilience across critical industries.
Back in July, for example, the TSA issued nearly word-for-word the same requirements for the rail industry. As Robert Carter Langston, press secretary for the TSA, tells Dark Reading: "This amendment to the aviation security programs extends similar cybersecurity performance-based requirements that currently apply to other transportation system critical infrastructure."
"It's good that the TSA is codifying these requirements," says Mike Parkin, senior technical engineer at Vulcan Cyber, "though it remains to be seen how it will affect airline passengers."
New Cyber Guidelines for Airports and Airlines
This isn't TSA's first set of cyber rules of the road for airport and airline operators. In years prior, the TSA instituted requirements for operators to report significant cyber breaches to the Cybersecurity and Infrastructure Security Agency (CISA), establish cybersecurity points of contact, develop incident response plans, and complete vulnerability assessments.
The new set of rules states that TSA-regulated organizations must develop and assess "an approved implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure," the agency wrote. TSA described four primary measures:
- Develop network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised, and vice versa;
- Create access control measures to secure and prevent unauthorized access to critical cyber systems;
- Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations; and
- Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology.
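The first of these measures, segmentation that keeps OT running when IT is compromised, is the one most often asserted on paper and least often verified against the actual rule base. The script below is an added example, not code from TSA or any operator: it audits a constructed firewall rule table against a hypothetical policy in which IT and OT never talk directly and every cross-zone flow must be brokered through a DMZ on a named port. The zone addresses, the permitted flows (Modbus/TCP from an engineering host, OPC UA to a historian) and the sample rules are all assumptions made up for illustration.

```python
"""Segmentation audit over a constructed IT/OT firewall rule table (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical zone map; a real airport would carry many more zones and hosts.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),      # brokered access layer between IT and OT
    "OT": ipaddress.ip_network("192.168.100.0/24"),   # controllers, e.g. baggage handling (assumed)
}

# The only cross-zone flows the hypothetical policy permits: (src_zone, dst_zone, dst_port).
# Nothing goes IT<->OT directly; everything is brokered through the DMZ on a named port.
ALLOWED_FLOWS = {
    ("DMZ", "OT", 502),    # engineering host -> PLCs, Modbus/TCP
    ("OT", "DMZ", 4840),   # controllers -> historian, OPC UA
}


@dataclass(frozen=True)
class Rule:
    src: str             # CIDR
    dst: str             # CIDR
    dport: Optional[int]  # None means any port
    action: str          # "allow" or "deny"


def zone_of(cidr: str) -> str:
    """Map a CIDR to the single zone that contains it, or 'ANY' if it spans zones."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "ANY"


def audit(rules: list) -> list:
    """Return (rule_index, finding) pairs for rules that break the segmentation policy.

    Index -1 is used for a table-level finding (no default deny-all at the end).
    """
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        s, d = zone_of(r.src), zone_of(r.dst)
        if s == d and s != "ANY":
            continue  # intra-zone traffic is out of scope for this check
        if r.dport is None:
            findings.append((i, f"cross-zone allow on any port: {r.src} -> {r.dst}"))
        elif s == "ANY" or d == "ANY":
            findings.append((i, f"allow rule not confined to one zone: {r.src} -> {r.dst}:{r.dport}"))
        elif (s, d, r.dport) not in ALLOWED_FLOWS:
            findings.append((i, f"unbrokered {s}->{d} flow: {r.src} -> {r.dst}:{r.dport}"))
    last = rules[-1] if rules else None
    is_default_deny = (
        last is not None and last.action == "deny" and last.dport is None
        and zone_of(last.src) == "ANY" and zone_of(last.dst) == "ANY"
    )
    if not is_default_deny:
        findings.append((-1, "table does not end in a default deny-all rule"))
    return findings


# Constructed sample rule table; two rules deliberately violate the policy.
SAMPLE_RULES = [
    Rule("10.20.0.10/32", "192.168.100.0/24", 502, "allow"),    # brokered Modbus: permitted
    Rule("10.10.5.0/24", "192.168.100.0/24", 3389, "allow"),    # IT -> OT RDP: violation
    Rule("192.168.100.0/24", "10.20.0.20/32", 4840, "allow"),   # OT -> historian: permitted
    Rule("0.0.0.0/0", "192.168.100.50/32", None, "allow"),      # anyone -> controller, any port: violation
    Rule("10.10.0.0/16", "10.10.0.0/16", None, "allow"),        # intra-IT: out of scope
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),               # default deny
]

if __name__ == "__main__":
    for idx, msg in audit(SAMPLE_RULES):
        print(f"rule {idx}: {msg}")
```

Run as-is it reports the RDP rule and the any-port rule; drop the final deny and it also flags the missing default deny. The check is intentionally conservative: any allow rule whose source or destination is not inside a single zone is treated as a cross-zone rule, which is what an auditor wants when the goal is to prove that an IT compromise cannot reach a controller.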
Tom Kellermann, senior vice president of cyber strategy at Contrast Security, noted that the guidelines are timely, and that TSA's "emergency" designation could be well warranted.
"I think it is wise of the TSA to require airport and aircraft operators to improve their cybersecurity resilience as attacks and geopolitical tension have continued to escalate over the years," he said in an emailed statement. "Airports and aircraft operators have also been caught in the cross hairs of Russian and Iranian cyber crews. This is why the aviation industry needs to protect all digital controls because they can and will be hacked. I truly believe that the cyber 9/11 is coming, which is why operators must invest in proactive cybersecurity measures."
Will TSA's New Rules Make a Difference?
Whether these new guidelines will make any real, material difference in airline security remains to be seen, but researchers welcomed them nonetheless.
On one hand, the details of exactly what will count as sufficient security from airports and airlines, and how compliance will be enforced, remain hazy. According to Langston, the details of how each organization will implement these measures "will be coordinated directly with TSA's stakeholders."
Even if airlines and airports do take heed, though, will the effects be significant? TSA's initiative "does fall in line with, and reinforces, the new National Cybersecurity Strategy document, and makes sense from multiple angles," Parkin says, but none of network segmentation, access control, monitoring, or patching is a particularly groundbreaking idea.
As Parkin points out, "None of these requirements aren't already considered industry best practice[s] and things the airport authorities and airline operators shouldn't be doing already."
Kellermann, however, noted that some advanced tools fall under the umbrella of TSA's broader language in the requirements. Those include "micro-segmentation of networks, managed detection and response services (MDR), runtime application self-protection (RASP), and multifactor authentication (MFA) to protect against future intrusions," he noted. "They should also consider moving to secure cloud environments that deploy serverless application security. If we have learned anything from ongoing attacks, it is that cybersecurity is a functionality of conducting business, not an expense, and that TSA cannot protect operators from growing ephemeral threats."