
TSA Lays Out New Cybersecurity Requirements for Aviation Sector

Similar to a recent move by the EPA to tighten cybersecurity oversight of the public water systems it regulates, the Transportation Security Administration (TSA) is using emergency powers to force the aviation sector to develop cyber resiliency plans.

The new TSA cybersecurity requirements apply to airport and aircraft operators. Impacted parties will need to demonstrate that aircraft can continue to operate safely if their systems are compromised by a cyber attack, and will be held to new standards for access control and for monitoring of their networks.

Aviation sector latest in the critical infrastructure family to face cybersecurity orders

The aviation sector is looking at new cybersecurity requirements in four fundamental areas: network segmentation and redundancy, access control, monitoring and detection of threats, and timely patching.

The move comes as the Biden administration pushes to bolster cyber defense across all of critical infrastructure, but also as the aviation sector rapidly onboards new elements of digitization. There is general concern about how the expansion of 5G and smart devices will create new vulnerabilities throughout homes and businesses, but the concern is particularly acute in aviation. The people who handle critical day-to-day functions, such as pilots and air traffic controllers, generally have little to no training in handling cyber incidents. And the attack surface has expanded more rapidly in this sector than in others, due to rapid digital transformation of everything from air traffic management systems to the assorted functions of airports.

The aviation sector’s new cybersecurity requirements are also something of an outgrowth of similar rules the TSA placed on the railroads in October 2022. The Biden administration appears to be taking the tack of avoiding Congressional debates through a combination of executive orders and turning to the existing oversight powers of agencies connected to these critical infrastructure sectors. The latter approach is stronger, as it is much tougher to challenge and overturn if a new administration should choose to in 2025 (or beyond).

Vulnerable systems see rapid modernization of cybersecurity requirements due to recent pressures

The order to the aviation sector is part of a general blitz of cybersecurity requirements that was most directly prompted by the Colonial Pipeline and JBS incidents of 2021, in which criminal hackers used ransomware to cause real-world disruption to US critical infrastructure on a scale not previously seen. But it is also a response to both the rapid modernization of the aviation sector and some specific high-profile failings, most notably the January 2023 exposure of a 2019 version of the “no-fly” and selectee lists by a misconfigured public-facing server.

Though several years out of date, the no-fly list was nevertheless complete for its time, holding roughly 1.5 million entries (many of them aliases). Sensitive personal information for about 900 airline employees was also included. The exposure traced to CommuteAir, a US-based regional carrier that also flies to Canada and Mexico, which said the list had been sitting on a “development server” used for “testing purposes.” The hacker who found it said they stumbled across the server simply by browsing the Shodan search engine; if so, the server was indexed and reachable from the public internet, and others could have found it before the airline became aware of the issue.

Elements such as the no-fly list are controversial, and were justified by claims that they were necessary to prevent another terrorist attack on the scale of the September 11 hijackings. Tom Kellermann, SVP of cyber strategy at Contrast Security, sees the next incident of that magnitude as very likely to originate in cyberspace: “I truly believe that the cyber 9/11 is coming, which is why operators must invest in proactive cybersecurity measures, such as micro-segmentation of networks, managed detection and response services (MDR), runtime application self-protection (RASP), and multi-factor authentication (MFA) to protect against future intrusions. They should also consider moving to secure cloud environments that deploy serverless application security. If we have learned anything from ongoing attacks, it is that cybersecurity is a functionality of conducting business, not an expense, and that TSA cannot protect operators from growing ephemeral threats.”

Public details on exactly what the new cybersecurity requirements entail are general and somewhat thin, but the amendment does make clear that aviation sector companies will be expected to keep on top of both hardware and software patches and to apply them in a “timely manner” using a “risk-based methodology.” The mandated network segmentation plans will also require operational technology and information technology systems to keep functioning independently if the other side is compromised by an attack.
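The amendment names the goal (IT and OT keep running independently of each other) but not a design. The following is an added illustration, not text from the article or from any TSA document, of what that looks like on the router between the two networks: an nftables ruleset in which neither side can open a connection to the other, both exchange data only through a broker zone, and every engineering path into OT is a single logged route from a jump host. All addresses, hostnames and port numbers are assumptions chosen for the example.

```shell
#!/bin/sh
# Added illustration (not from the article or any TSA document): an nftables
# ruleset for the router between an operator's corporate IT network and its
# OT network, built so that a compromise of either side cannot reach the other.
# Every address and port below is an assumption made for this example.

ot_ruleset() {
    cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

define it_net    = 10.10.0.0/16   # corporate IT (assumed)
define ot_net    = 10.20.0.0/16   # gate, baggage and ramp control systems (assumed)
define historian = 10.30.0.10     # data historian in the broker zone (assumed)
define jump      = 10.30.0.20     # hardened engineering jump host (assumed)

table inet itot {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # An OT-side collector pushes telemetry to the historian (assumed
        # MQTT over TLS on 8883); IT reads the historian over HTTPS.  Neither
        # path lets an IT host open a connection to OT or vice versa.
        ip saddr $ot_net ip daddr $historian tcp dport 8883 accept
        ip saddr $it_net ip daddr $historian tcp dport 443 accept

        # The only way into OT from anywhere: SSH from the jump host, logged.
        ip saddr $jump ip daddr $ot_net tcp dport 22 log prefix "ot-eng-access " accept

        # Everything else, including any IT<->OT attempt in either direction,
        # is dropped and logged so monitoring sees lateral-movement attempts.
        log prefix "itot-drop " drop
    }
}
EOF
}

# Print the ruleset by default; `apply` loads it (needs root and nftables).
case "${1:-print}" in
    apply) ot_ruleset | nft -f - ;;
    *)     ot_ruleset ;;
esac
```

The design choice worth noting is that the historian sits in a third zone and both networks only ever initiate connections toward it: if IT is hit by ransomware, OT loses nothing but an outbound telemetry sink, and if an OT host is compromised it has no rule that reaches IT. The final logged drop is what turns the segmentation into a detection signal for the monitoring requirement in the same amendment.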

Erich Kron, security awareness advocate at KnowBe4, describes some of the methods that are likely to be implemented as aviation sector companies get serious about defending against cyber attacks: “Segmentation of systems, the act of separating access between them, is a very effective technique to keep ransomware and bad actors with system access from spreading to other areas of the network. This helps ensure that in the event of a cyber attack, systems can function independently of each other. In addition, organizations should ensure that policies and procedures to deal with outages exist and have been tested in order to avoid issues like we saw late last year. In addition to having strong controls to deal with an attack after the bad actors have gained access to the network and an attack has started, it is critical that organizations also focus on preventing the access in the first place. Educating employees on how to spot and report email phishing attacks, one of the primary methods for initial network access, is very important, as are controls such as multi-factor authentication (MFA) and strong password and access management controls.”

Aviation sector industry groups have yet to register any real complaints about the new cybersecurity requirements. The International Air Transport Association had previously pushed back against the idea of TSA imposing new cyber requirements, but has yet to comment on this latest development. Prior TSA changes rolled out since 2020 include direct reporting of “significant” cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA), having an incident response plan on file and a primary point of contact for cyber incidents appointed, and completing a cybersecurity vulnerability assessment.