Experts push back on TSA’s 24-hour cybersecurity incident reporting rule for aviation industry

Aviation sector companies are pushing back on efforts by the Transportation Security Administration (TSA) to mandate that all cybersecurity incidents are reported to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours. 

TSA — which is within the Department of Homeland Security (DHS) — has begun to get feedback from the industry about new cybersecurity regulations handed down in December. 

The agency’s updates to its aviation security programs required each airport and airline operator to designate a cybersecurity coordinator and report cybersecurity incidents to CISA within 24 hours. 

TSA faced significant backlash this year over cybersecurity regulations handed down for the pipeline industry, which experts called overly prescriptive. The agency eventually revised those pipeline rules in June, telling The Record that it wanted to provide the “flexibility needed to ensure cybersecurity advances with improvements in technology.”

Cybersecurity experts working with airlines said they expect companies in the aviation sector to take issue with the 24-hour reporting rule. The rule — which also applies to pipeline operators — originally set a 12-hour time limit but was doubled following pipeline industry backlash. 

Padraic O'Reilly, co-founder of cyber risk management firm CyberSaint, is working with several aviation companies that “still find that timeline too brief to classify whether something is an incident.”

As they increasingly try to impose stricter guidelines, many governments have struggled to define what kinds of attacks would meet the reporting threshold. 

For example, the level of scanning – whereby hackers survey systems but do not steal anything – done by nation-states and cybercriminals would make reporting every incident an unnecessary burden on resource-strapped government agencies, several trade groups told the Indian government in May after it instituted a 6-hour incident reporting measure for major tech companies. 

Many companies also do not have full-time security staff, so it can be unclear when the actual 24-hour clock would begin. 

O'Reilly explained that the other provisions in the measure — requiring a cyber coordinator, an incident response plan and vulnerability gap assessments — were “either in place already, or relatively uncontroversial.”

‘Not aligned’

The International Air Transport Association (IATA), the largest trade body representing airlines in the world, has been a powerful voice in the debate over the industry's approach to cybersecurity.

It is in the process of developing an industry-wide Aviation Cyber Security Strategy and has created several formal and informal aviation cybersecurity working groups. 

IATA’s Perry Flint told The Record that effective cybersecurity “requires close and meaningful collaboration among industry and government stakeholders.”

“Unfortunately in the case of TSA’s recent cyber security directive, while there was outreach and consultation, it is not clear that the industry’s input and expertise found its way into the directive,” he said. 

“For example, the definitions of certain terms are not aligned with international guidance and recommendations, even though the US is a member of the International Civil Aviation Organization (ICAO).”

Flint would not elaborate further about which terms were at issue or other problems the association may have with TSA’s measures.

A recent report found that there were 62 ransomware attacks on global aviation stakeholders in 2020 alone, and the value of ransom demands broke records in 2021. 

O'Reilly noted that TSA is in the early stages of pushing out regulations for the aviation industry, and has yet to send out directives for aviation organizations that resemble the kind of prescriptive requirements issued for pipelines. 

He suggested that the first round of rules was an attempt by TSA to get buy-in before releasing more stringent rules.

Grant Geyer, chief product officer at operational technology security company Claroty, said for pipelines TSA was focused largely on the implementation of segmentation, access control, and monitoring, while the rail and air directives are focused more on personnel availability, incident reporting, and incident response plans. 

Part of the emphasis on segmentation is due to real world events: one reason the Colonial Pipeline attack wasn’t worse was the separation of the business network and the pipeline operational technology networks. 

The airline industry faces a more varied threat landscape of ransomware groups seeking to cripple operations, nation-states interested in stealing customer data and scammers spoofing websites.

“For rail and air, the goal was to improve response and remediation efforts, while the pipeline directive was in direct response to a specific crisis (the ransomware attack on Colonial Pipeline),” Geyer said. 

“That crisis shined a bright light on the pipeline sector’s ties to economic and national security. That being said, the rail and air sectors could have a similarly huge impact on national security, economic security, and population safety if there were a compromise akin to Colonial Pipeline.”

CyberSaint’s O'Reilly said the aviation industry faces the same kinds of threats as other sectors but noted the particular fears around ransomware due to the ramifications of extended downtime potentially caused by attacks. 

The European Air Traffic Management Computer Emergency Response Team (EATM-CERT) found the number of reported cyberattacks among airline industry organizations grew 530% from 2019 to 2020. The organization has tracked dozens of attacks against airports and airlines over the last six months. 

Accelya — a technology firm providing services to Delta, British Airways, JetBlue, United, Virgin Atlantic, American Airlines and many more — confirmed on Tuesday that it was suffering from a ransomware attack affecting its systems. Accelya provides passenger, cargo, and industry analytics platforms for airline retailing and works with more than 250 airlines across nine countries. 

In May, SpiceJet Airline in India and a Canadian fighter jet supplier were both hit with ransomware attacks.

One factor affecting TSA’s rulemaking is the makeup of operational technology environments, which vary greatly from sector to sector, according to Geyer. Despite the differences, he said, TSA will need to provide more standardized recommendations across all critical infrastructure sectors, as well as reconcile the differences between its two directives. 

Overall, the rules will give TSA and CISA more visibility into the state of cybersecurity and threat actor activity inside the industry, O'Reilly explained. 

The data will allow the agencies to further tailor their support based on the kind of attacks organizations face, which can help the sector maturity-wise. 

“It really is a feedback loop,” he said. “If the industry is able to step up their reporting, then CISA will be able to get resources and information out to the other players sooner.”

Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.