TSA issues emergency cybersecurity orders for airports and aircraft operators
The Transportation Security Administration handed down new emergency cybersecurity protocols for airports and aircraft operators that require them to have pre-approved implementation plans for increased security measures.
The TSA said it was issuing the cybersecurity amendments “because of persistent cybersecurity threats against U.S. critical infrastructure, including the aviation sector” but did not respond to requests for comment about what specific issues prompted the measure.
“This amendment to the aviation security programs extends similar performance-based requirements that currently apply to other transportation system critical infrastructure,” said TSA Administrator David Pekoske.
Pekoske added that the agency would work with companies to “reduce cybersecurity risks and improve cyber resilience to support safe, secure and efficient travel.”
The new rules require companies to have plans that describe specific efforts being made to improve cybersecurity resilience, prevent disruptions and stop degradation of infrastructure.
Companies must also develop network segmentation policies that separate IT systems from operational ones so that in the event of a cyberattack, services can continue. Access control measures must also be instituted alongside continuous monitoring systems that can “defend against, detect, and respond to cybersecurity threats and anomalies.”
TSA added that a “risk-based” system needs to be created for applying important patches to operating systems, applications, drivers and firmware on critical systems.
‘Stuck in a cycle’
Danielle Jablanski, an operational technology cybersecurity strategist at Nozomi Networks, said the new rules were necessary because companies are “stuck in a limited cycle of equip, buy a product, run a table-top exercise, and check compliance boxes.”
She explained that these companies typically skip key steps and almost never test what a complete system failure or real emergency might require.
“The TSA guidance for the airline industry is working to clear these hurdles, introducing new training offerings and expanding the understanding for why segmentation and detection are important components for avoiding worst case cyber scenarios,” she said.
“Learning from other major attacks, the weakest link in an organization may be a compromised cyber-physical system, broad access to a component of operations that enables remote access or unnecessary internet connectivity, or an IT system critical for business operations.”
The emergency measures follow guidelines issued in October 2021 that mandated the creation of a cybersecurity coordinator position and the reporting of all cyber incidents to the Cybersecurity and Infrastructure Security Agency within 24 hours. TSA-regulated aviation organizations also had to develop cybersecurity incident response plans and complete cybersecurity vulnerability assessments.
The rules faced significant backlash from airline companies and industry groups who balked at having to report every incident — which could range from cyberattacks and ransomware incidents to the kind of nation-state system scanning that has become increasingly common.
TSA issued identical guidelines for passenger and freight railroad carriers in October 2022.
This is the second emergency TSA directive issued to airlines this year after one was handed down in January following an attack on regional airline CommuteAir that led to the leak of the U.S. no-fly list.
A TSA spokesperson told The Record in January that the agency reached out to all domestic airlines to warn them about the prospect of further breaches.
The security directive reinforced “existing requirements on handling sensitive security information and personally identifiable information,” the spokesperson said.
The agency ordered the carriers to review their systems and take immediate action to ensure files were protected.
“We will continue to work with partners to ensure that they implement security requirements to safeguard systems and networks from cyberattacks,” the spokesperson said.
The White House has organized meetings with aviation industry leaders in recent months as it seeks to bolster cybersecurity protections in key sectors. One lawmaker called for federal agencies to investigate cybersecurity vulnerabilities in all systems underpinning air travel.
A recent report found that there were 62 ransomware attacks on global aviation stakeholders in 2020 alone, and the value of ransom demands broke records in 2021.
The European Air Traffic Management Computer Emergency Response Team (EATM-CERT) found the number of reported cyberattacks among airline industry organizations grew 530% from 2019 to 2020. The organization has tracked dozens of attacks against airports and airlines over the last six months.
Tuesday’s directive followed announcements last week that the U.S. government planned to issue more cybersecurity regulations for critical infrastructure due to several industries’ refusal to improve protections.
The U.S. Environmental Protection Agency was the first to issue new directives last Friday, ordering state audits of public water systems to include cybersecurity.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.