Fortifying Airport Cybersecurity: Meeting the Four Requirements of the TSA’s Directive

The aviation industry has once again become the target of sophisticated bad actors. The notorious hacker known as IntelBroker claimed another cyber victim in February 2024, and this time it was the thriving hub of Los Angeles International Airport. The breach involved 2.5 million records being leaked, including full names, CPA numbers, company names and plane model numbers. This latest event in a series of attacks, which also included the website of Long Beach Airport being brought down, has encouraged preventative action.
With a 24% increase in attacks against the sector in the space of 12 months, the Transportation Security Administration (TSA) has mandated a minimum level of cybersecurity for all airports. This directive covers airports and aircraft operators, and sets a comprehensive security baseline for the entire industry in the US. The aim of the directive is simple: to reduce the incidence of cyberattacks and strengthen the defenses of airports across the country.
To meet the requirements, there are four key checklist items that airports will need to tick off: network segmentation, access control, monitoring & detection and patch management. It’s important to understand each in turn and the value they bring to airports.
Dividing Up the Network
Airports with a weak cybersecurity posture are likely to be running underlying networks that are not segmented. A network that isn’t broken up into separate chunks is risky: if a bad actor breaches any part of it, the entire system becomes vulnerable. An attacker can move freely from one area to the next, often undetected, which makes incident response much more complicated. Once attackers take refuge in the network’s shadows, it’s difficult to smoke them out.
The idea behind network segmentation is that, in the event of a cyberattack, the breach remains contained in one area. These barriers can limit access for hackers. As an example, if an attacker breaches the payment systems in one network segment, they are unable to move into other critical areas, such as backup systems or servers.
The attack surface is much smaller and any breach is stifled, preventing more extensive damage. The rest of the network remains unaffected, meaning that the airport can maintain critical operations and avoid a complete shutdown. The next stage, incident response, then becomes much more targeted and simpler for the business.
Network segmentation is ideal for gaining control and enhancing resilience against attacks. The result is a more secure network environment. Threats are managed more efficiently and operations are protected from the far-reaching consequences of a breach.
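The containment argument above can be checked rather than assumed. The following is an added example (not code from the article or from Bridewell): it treats the allow-rules between segments as a directed graph and reports which "crown jewel" segments an attacker holding one segment could still reach, including by hopping through an intermediate segment. Segment names and rules are constructed for illustration.

```python
"""Blast-radius check for a segmented network (added example; rules are constructed).

Each rule is a (source, destination) flow that the inter-segment firewall permits.
The check answers the article's question: if an attacker holds one segment, which
others can they reach, directly or by hopping through intermediate segments?
"""
from collections import deque

# Constructed draft policy: looks contained, but payment -> servers -> backup
# is a two-hop path an attacker in the payment segment could follow.
DRAFT_RULES = {
    ("payment", "servers"),    # card terminals reach the application tier
    ("corporate", "servers"),  # staff workstations reach line-of-business apps
    ("servers", "backup"),     # application tier pushes to backup
}

# Constructed corrected policy: backup initiates pulls from servers instead, so no
# allowed flow enters the backup segment and nothing held in payment can reach it.
FIXED_RULES = {
    ("payment", "servers"),
    ("corporate", "servers"),
    ("backup", "servers"),     # backup connects out; servers cannot reach backup
}

def reachable_from(start, rules):
    """Segments reachable from `start` by following allowed flows (breadth-first
    search over the rules as a directed graph). Excludes `start` itself."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for s, d in rules:
            if s == src and d not in seen:
                seen.add(d)
                queue.append(d)
    seen.discard(start)
    return seen

def violations(rules, forbidden):
    """Return the (compromised, crown_jewel) pairs from `forbidden` that the policy
    still lets an attacker traverse. An empty list means the breach stays contained."""
    return sorted(p for p in forbidden if p[1] in reachable_from(p[0], rules))

if __name__ == "__main__":
    crown_jewels = {("payment", "backup"), ("public_wifi", "servers")}
    print("draft:", violations(DRAFT_RULES, crown_jewels))  # [('payment', 'backup')]
    print("fixed:", violations(FIXED_RULES, crown_jewels))  # []
```

Run the check against every policy change: the draft policy above blocks the direct payment-to-backup flow yet still fails, because the transitive path is what an attacker actually uses.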
Who Holds the Keys?
Segmentation of the network is vital to prevent bad actors from accessing critical areas of the business, but what about those who already hold the keys to every section of the network? Organizations often make the error of giving every professional the same permissions, but this can increase the risk of a breach. Instead, airports need to consider access controls across technical, administrative and physical aspects.
Technical controls involve the mechanisms and systems that are responsible for an organization’s technology infrastructure. These are the initial gatekeepers that prevent unauthorized users from accessing networks and systems. This may include passwords, security tokens and, more often as technology has evolved, biometric scans.
But alongside these technologies are administrative controls, which detail the rules, roles and responsibilities governing how information and resources are accessed and managed. Often the difficulty lies in defining clear policies that spell out exactly who has access to what, and how that access is granted.
Finally, physical controls, such as locks, badge access systems, security personnel and surveillance cameras, are often underestimated in their ability to prevent unauthorized physical access to resources. Escorts to certain areas can also be highly effective in airport environments to protect sensitive physical assets. Bringing all these controls together can help airports build a multi-layered defense strategy against bad actors.
The Ability to Monitor and Detect
Cyberattacks can take place at any time; hackers don’t work to office hours. For a 24/7 operation such as an airport, a managed detection and response (MDR) system is a necessity to ensure round-the-clock surveillance and proactively identify any suspicious activities.
Of the requirements defined in the TSA directive, monitoring and detection is the most comprehensive. Airports need to consider how they implement several critical technologies, such as digital forensics and security log analysis. While these are complex and labor-intensive to implement, airports will quickly see a return on investment.
By being able to pre-emptively address cyber threats, operations can be safeguarded before any real damage occurs. This proactive approach not only safeguards mission-critical operations from the ever-evolving cyber threat landscape, but also underpins the reliability and integrity of essential infrastructure assets.
Opting for an outsourced MDR service, backed by a fully outsourced or hybrid SOC, gives airports the expertise and resources to mitigate, contain and remediate threats across the entire technology stack. Modern and impactful MDR solutions are typically composed of three key components: strong expertise and experience; modern and proactive processes, such as threat hunting and automation; and the ability to integrate modern extended detection and response (XDR) with both IT and OT assets.
Keeping to the Latest Patches
Users often defer the installation of updates on their devices until deferral is no longer an option. If this practice takes place at airports, there are myriad infrastructure components with well-known security vulnerabilities that bad actors can exploit.
Airports will need to ensure that every system is patched as soon as updates become available. But this requires knowledge as to what software and hardware is being used across the organization. Much like monitoring and detection, it’s not an easy task. Employing external expertise can help airports devise an accurate device inventory to keep track of update statuses.
It’s also important that teams have the ability to test potential updates to ensure that they don’t create any new vulnerabilities. Procedures must also be in place so that wide-scale updates can be rolled out to many devices on a regular basis without incurring downtime.
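The inventory, update-status and no-downtime points above can be tied together in a small tool. The following is an added example (not code from the article or from Bridewell): it compares each inventoried device against the release that passed the airport's own test bed and builds rollout batches that never patch two devices from the same redundancy group at once. The inventory, host names and version table are constructed.

```python
"""Patch-status report and rolling rollout plan (added example; data is constructed).

Versions are compared numerically per dotted component, and batches are built so
that no two devices from the same redundancy group are patched together, which is
what keeps the service up while a device reboots.
"""

# Constructed inventory: host, software, installed version, redundancy group.
INVENTORY = [
    {"host": "fids-01", "sw": "fids-server", "ver": "4.2.1", "group": "fids"},
    {"host": "fids-02", "sw": "fids-server", "ver": "4.3.0", "group": "fids"},
    {"host": "bag-plc-01", "sw": "plc-fw", "ver": "1.9", "group": "baggage"},
    {"host": "bag-plc-02", "sw": "plc-fw", "ver": "1.9", "group": "baggage"},
    {"host": "pos-07", "sw": "pos-agent", "ver": "12.0.3", "group": "retail"},
]
# Constructed table of latest vendor releases that passed the airport's test bed.
APPROVED_LATEST = {"fids-server": "4.3.0", "plc-fw": "1.10", "pos-agent": "12.0.3"}

def parse_version(v):
    """'1.10' -> (1, 10); numeric comparison avoids the '1.9' > '1.10' string bug."""
    return tuple(int(x) for x in v.split("."))

def outdated(inventory=INVENTORY, latest=APPROVED_LATEST):
    """Devices whose installed version is below the approved latest release."""
    return [d for d in inventory
            if d["sw"] in latest and parse_version(d["ver"]) < parse_version(latest[d["sw"]])]

def rollout_batches(devices):
    """Greedy batching: each batch holds at most one device per redundancy group,
    so a peer stays in service while its sibling is patched and rebooted."""
    batches = []
    for d in sorted(devices, key=lambda d: d["host"]):
        for batch in batches:
            if all(b["group"] != d["group"] for b in batch):
                batch.append(d)
                break
        else:
            batches.append([d])
    return [[d["host"] for d in b] for b in batches]

if __name__ == "__main__":
    stale = outdated()
    print("outdated:", [d["host"] for d in stale])  # ['fids-01', 'bag-plc-01', 'bag-plc-02']
    print("batches:", rollout_batches(stale))       # [['bag-plc-01', 'fids-01'], ['bag-plc-02']]
```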
Safeguarding Mission-Critical Operations
The escalating cyber threats facing the aviation industry demand a robust and proactive cybersecurity posture. The TSA's directive mandating minimum cybersecurity standards for airports and aircraft operators is a crucial step in fortifying the sector against malicious actors. By implementing the four key requirements of network segmentation, access control, monitoring and detection and patch management, airports can significantly enhance their cyber resilience.
Network segmentation limits the potential spread of breaches, containing threats within isolated segments and preventing lateral movement across the entire network. Access controls, encompassing technical, administrative and physical measures, ensure that only authorized personnel can access critical systems and resources. Comprehensive monitoring and detection capabilities, backed by round-the-clock surveillance and rapid incident response strategies, enable airports to proactively identify and mitigate cyber threats before they can cause significant damage. Lastly, diligent patch management practices are essential to address known vulnerabilities promptly, closing potential entry points for attackers.
While implementing these measures may seem challenging, the long-term benefits of safeguarding mission-critical operations, protecting sensitive data, and upholding the integrity of essential infrastructure far outweigh the initial investment and effort. By embracing the TSA's directive and adopting a multi-layered approach to cyber defense, the aviation industry can foster a resilient and secure environment, ensuring the safety and continuity of operations while instilling confidence in travelers and stakeholders.
About the Author
Chase Richardson
Chase Richardson is the Head of US & Lead Principal of Bridewell. Chase joined Bridewell in 2022 to open its first US office. Prior to Bridewell, Chase was a founding member of another cybersecurity consulting firm in Houston, where he helped grow the business from 5 to 50 employees over 4 years, specializing in Cybersecurity Risk, Governance, and Compliance, Offensive Penetration Testing, Security Operations and Data Privacy. Chase has an MBA from Emory University and is a Certified Information Systems Security Professional (CISSP) and Certified Information Privacy Professional (CIPP/US).