Flying The Secure Skies: TSA's Cyber Regulations Safeguarding Aviation

Aug. 14, 2023
The TSA is utilizing emergency powers to enforce cybersecurity regulations in the aviation industry, following a similar approach taken by the EPA with state water utilities.

The Transportation Security Administration (TSA) is utilizing emergency powers to enforce cybersecurity regulations in the aviation industry, following a similar approach taken by the Environmental Protection Agency (EPA) with state water utilities. These new TSA regulations specifically target airport and aircraft operators, focusing on network segmentation, redundancy, access control, threat monitoring, and timely patching.

This move aligns with the Biden administration's push to strengthen cybersecurity across critical infrastructure sectors. As the aviation industry digitizes rapidly and confronts concerns over vulnerabilities introduced by 5G and smart devices, stronger cyber defenses become essential. The industry also presents particular challenges: key personnel such as pilots and air traffic controllers are not adequately trained to handle cyber incidents, and digital transformation keeps expanding the sector's attack surface.

Drawing on the regulations imposed on railroads in 2022, the TSA's cybersecurity requirements for the aviation sector aim to put durable rules in place through executive orders and the agency's own oversight powers rather than through lengthy congressional debate. Although this approach carries the risk that a future administration reverses the measures, some strategy for long-term security and resilience is needed.

These cybersecurity measures respond to real-world disruptions such as the Colonial Pipeline and JBS ransomware incidents in 2021 and the MOVEit attack in 2023. They also address specific weaknesses, exemplified by the exposure of a misconfigured server containing sensitive information related to "no-fly" and selectee lists. These incidents highlight the urgent need for proactive cybersecurity measures to prevent attacks with severe consequences.

While specific details of the new requirements are still limited, companies in the aviation sector will be expected to apply hardware and software patches promptly using a risk-based methodology, prioritizing fixes by severity and exposure rather than treating every update the same. Network segmentation plans must ensure that operational technology (OT) and information technology (IT) systems can continue to operate independently if one of them is compromised during an attack. Aviation industry companies must also adopt effective cybersecurity practices, including system segmentation, employee education on phishing attacks, multi-factor authentication, and robust password and access management controls. These measures help prevent cyberattacks and limit their impact.

Industry groups within the aviation sector have not yet strongly opposed the new cybersecurity requirements, even though implementation will carry significant costs. The International Air Transport Association, which previously resisted the idea of the TSA imposing cyber regulations, has not commented on this latest development. Previous TSA changes have included incident reporting, incident response planning, and cybersecurity vulnerability assessments.

The TSA's cybersecurity requirements address critical areas in the defense of the aviation sector against cyber threats. These measures align with broader efforts to safeguard critical infrastructure. Given the industry's rapid modernization and its vulnerabilities, proactive measures are essential to ensure cyber resilience and maintain safe operations.

The TSA has established cybersecurity requirements for the aviation industry to mitigate the risks associated with digital threats. Companies in the sector should stay current on emerging cybersecurity best practices and comply with the requirements to enhance their cyber defenses and maintain the safety and security of their operations.

The requirements encompass various aspects of cybersecurity, including network security, access control, threat monitoring, and patch management. For example, one specific and relatively simple requirement is multi-factor authentication (MFA) for access to critical systems and sensitive data. MFA stops an attacker who has obtained only a password, which helps prevent unauthorized access and reduces the risk of data breaches.

In addition, the TSA emphasizes the importance of continuous monitoring and threat detection. Aviation companies must implement robust monitoring systems to detect and respond to cyber threats in real time. This may involve intrusion detection systems, security information and event management (SIEM) solutions, and threat intelligence platforms. By actively monitoring their networks and systems, aviation companies can identify and mitigate potential cybersecurity incidents before they cause significant harm.

Patch management is another critical requirement outlined by the TSA. Aviation companies must establish processes for promptly applying security patches and updates to their software and hardware systems. This helps address vulnerabilities and ensures systems are updated with the latest security fixes. Failure to keep systems patched can expose them to known exploits and increase the risk of cyberattacks.
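The "risk-based methodology" for patching described above, together with the segmentation requirement mentioned earlier, can be made concrete with a small prioritization routine. The following is an added example written for this page; it is not code from the TSA, from Sigma7, or from the article's authors. The scoring weights, the remediation windows, the host names and the findings are all assumptions and constructed sample data, not values taken from any TSA requirement or real scan.

```python
"""Added example: risk-based patch prioritization.

Ranks vulnerability findings by severity combined with exposure and
environment, then maps each to an assumed remediation window. Weights,
windows and the inventory below are assumptions for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str        # scanner's own reference for the finding
    cvss: float            # CVSS base score, 0.0 to 10.0
    known_exploited: bool  # listed as actively exploited in the wild
    internet_facing: bool  # reachable from untrusted networks
    zone: str              # "IT", "OT" or "DMZ" per the segmentation plan


# Assumed weights (all exact binary fractions so scores stay comparable).
EXPLOITED_WEIGHT = 1.5       # evidence of exploitation dominates raw severity
INTERNET_FACING_WEIGHT = 1.25
OT_WEIGHT = 1.5              # compromise of an OT host has safety impact


def risk_score(f: Finding) -> float:
    """Priority score: base severity scaled by exposure and environment."""
    score = f.cvss * 10.0
    if f.known_exploited:
        score *= EXPLOITED_WEIGHT
    if f.internet_facing:
        score *= INTERNET_FACING_WEIGHT
    if f.zone == "OT":
        score *= OT_WEIGHT
    return score


def remediation_window_days(score: float) -> int:
    """Assumed remediation SLA in days; tune to the organization's policy."""
    if score >= 90:
        return 2
    if score >= 70:
        return 7
    if score >= 40:
        return 30
    return 90


def recommended_action(f: Finding, days: int) -> str:
    """OT assets often cannot be patched outside a maintenance window, so an
    urgent OT finding is first contained at the segmentation boundary."""
    if f.zone == "OT" and days <= 7:
        return "isolate at segmentation boundary, patch in next maintenance window"
    return f"patch within {days} days"


def prioritize(findings):
    """Return findings ordered by descending risk with window and action."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    result = []
    for f in ranked:
        score = risk_score(f)
        days = remediation_window_days(score)
        result.append({
            "host": f.host,
            "finding_id": f.finding_id,
            "score": score,
            "window_days": days,
            "action": recommended_action(f, days),
        })
    return result


# Constructed sample inventory: hosts and findings are fictitious.
SAMPLE_FINDINGS = [
    Finding("gate-kiosk-07", "F-1", 9.5, True, True, "DMZ"),
    Finding("baggage-plc-03", "F-2", 7.5, False, False, "OT"),
    Finding("hr-fileserver", "F-3", 8.0, False, False, "IT"),
    Finding("crew-portal", "F-4", 6.5, True, True, "DMZ"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        print(f"{row['host']:16} {row['finding_id']:5} "
              f"{row['score']:8.3f}  {row['action']}")
```

The point of the multipliers is that a moderate-severity bug that is internet-facing and actively exploited (crew-portal) outranks a higher-CVSS bug on an internal file server, and that an urgent OT finding yields a containment action at the segmentation boundary rather than an immediate patch that may not be safe to apply mid-operation.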

Compliance with these regulations should be a top priority for aviation companies, just as safety has been for decades. By aligning with the TSA's cybersecurity requirements, aviation organizations of any size can build cyber resilience and maintain safe operations in an increasingly interconnected world. Organizations should start with MFA, then perform a gap assessment against the requirements and develop a road map that closes the identified gaps and risks.

Through public and private collaboration, the aviation industry can work together with the TSA to establish a future of a secure, reliable, and resilient aviation sector. By staying informed about emerging cybersecurity best practices and actively complying with the TSA's regulations, aviation companies can protect their critical infrastructure, safeguard national security, and uphold the integrity of the industry.

Jeffrey Wells applies more than 35 years of military, intelligence and commercial expertise to his role at Sigma7. He has extensive experience in helping organizations to design and operationalize cyber risk and resiliency strategies, programs, incident response and instituting business continuity worldwide. As a founding partner of the NIST’s National Cybersecurity Center of Excellence and a Visiting Fellow at the National Security Institute, Jeffrey is proficient in deploying and operationalizing cybersecurity standards and best practices in the full spectrum of IT/OT and infrastructure ecosystems.

Jeff Esper is the Vice President of Risk Solutions at Sigma7, working with clients, risk managers, brokers, consultants, and attorneys to deliver risk solutions for a wide variety of exposures. His expertise is in developing solutions for clients in the area of loss control engineering, risk quantification, integrated risks, and loss recovery.