This month, the Transportation Security Administration (TSA) issued a new cybersecurity amendment on an emergency basis to the security programs of certain TSA-regulated airport and aircraft operators. It followed similar measures announced last October for passenger and freight railroad carriers. It is part of the Department of Homeland Security’s (DHS’s) efforts to increase the cybersecurity resilience of U.S. critical infrastructure and follows extensive collaboration with aviation partners.
“Protecting our nation’s transportation system is our highest priority and TSA will continue to work closely with industry stakeholders across all transportation modes to reduce cybersecurity risks and improve cyber resilience to support safe, secure and efficient travel,” said TSA Administrator David Pekoske. “This amendment to the aviation security programs extends similar performance-based requirements that currently apply to other transportation system critical infrastructure.”
It followed the March 2 White House announcement of the National Cybersecurity Strategy, which called for greater efforts to secure the digital ecosystem of the United States. As part of this amendment and other ongoing efforts, TSA announced it would continue to work closely with the Department of Transportation (DoT), Cybersecurity and Infrastructure Security Agency (CISA), and industry partners to strengthen the cybersecurity resilience of the nation’s critical infrastructure.
For more than two decades, air travelers in the United States have already seen a much higher level of physical security at the nation’s airports. That was the result of the 9/11 terrorist attacks, which saw four U.S. commercial airliners hijacked. Two of those airliners were flown into New York City’s World Trade Center, while a third struck the Pentagon outside of Washington, D.C.
A fourth aircraft crashed in rural Pennsylvania after passengers bravely attempted to regain control from the hijackers.
In the more than 20 years since the creation of DHS and the TSA, a number of security measures have been instituted, including full-body scanners, electronic device restrictions, and explosive screening.
Some critics have suggested that cyber has been overlooked.
Addressing the Cyber Threats
Though the TSA is best known for its role in U.S. airports, the agency is also responsible for other transportation-related regulations, including those that don’t involve passengers. The TSA was actually charged with setting up cybersecurity regulations after the Colonial Pipeline ransomware attack that occurred in May 2021.
Last year it issued revised cybersecurity directives for oil and gas providers that had been previously more focused on performance-based measures. As part of the directive, the agency required pipeline owners and operators to establish a cybersecurity implementation plan; develop an incident response plan to respond to attacks; and establish a longer-term assessment program to proactively test and audit cybersecurity measures.
“The directive establishes a new model that accommodates variance in systems and operations to meet our security requirements,” Pekoske had said in a prior statement last July. “We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes.”
This month, the TSA announced it had taken emergency action because of persistent cybersecurity threats against U.S. critical infrastructure, including the aviation sector. The new emergency amendment required impacted TSA-regulated entities to develop an approved implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their respective infrastructure.
In addition, the TSA has called for regulated entities to proactively assess the effectiveness of these measures. This included the following actions:
* Develop network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised, and vice versa;
* Create access control measures to secure and prevent unauthorized access to critical cyber systems;
* Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations; and
* Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.
This is now the latest TSA effort to require that critical transportation sector operators continue to enhance their ability to defend against cybersecurity threats. Previous requirements for TSA-regulated airport and aircraft operators had called for measures that included reporting significant cybersecurity incidents to CISA, establishing a cybersecurity point of contact, developing and adopting a cybersecurity incident response plan and completing a cybersecurity vulnerability assessment.