A closer look at TSA’s new cybersecurity requirements for aviation
The Transportation Security Administration (TSA) recently issued new cybersecurity requirements for the aviation industry, which follow last year’s requirements for railroad operators. Both are part of the Department of Homeland Security’s effort to improve the nation’s cybersecurity resiliency and align with the National Cybersecurity Strategy released by the White House earlier this month. While the strategy is not perfect, it draws attention to the importance of zero trust within our nation’s critical infrastructure.
Just like any other critical infrastructure sector, the aviation industry is a prime target for cyberattacks due to the critical nature of its operations and the potential for significant financial and reputational damage. Within the TSA emergency amendment are four actions that TSA-regulated aviation entities must take to mitigate cybersecurity threats:
- Network segmentation
- Creation of access control measures
- Implementation of continuous monitoring and detection, and
- Reduction of the risk of exploitation of unpatched systems
By constantly verifying and monitoring user and device activity, aviation organizations can achieve a higher level of security and better manage their cyber risk.
In the aviation industry, operational technology (OT) systems control a variety of critical processes, such as air traffic control, aircraft maintenance, and flight operations. These systems include sensors, control systems, communication networks, and other devices that collect data and provide real-time information about aircraft and their surroundings.
In many industries, OT has traditionally been air-gapped to isolate it from networks connected to the outside world. However, a conventional air gap no longer holds once information technology (IT)/OT convergence takes hold and organizations demand connectivity and data analytics from these industrial or otherwise highly secured environments: every new data feed out of the OT network is a potential path back into it unless the direction of traffic is enforced.
The first requirement, network segmentation, is in accordance with cybersecurity best practices established by NIST and CISA, which favor one-way gateways or data diodes to segment networks where possible. CISA guidance specifically states: “Use one-way communication diodes to prevent external access wherever possible” and “Implement a network topology for ICS that has multiple layers, with the most critical communication occurring in the most secure and reliable layer.” One-way gateways or data diodes are an effective way to isolate OT/industrial control systems (ICS) assets and protect against threats that originate on the IT side: process data can leave the OT network for historians and analytics, but nothing can be sent back in. They suit flows that only need to go outward; where a process genuinely requires bidirectional traffic (remote vendor maintenance, for example), the remaining path should be confined to a tightly controlled and monitored channel rather than opened across the whole segment.
The second requirement TSA outlines is to “create access control measures to secure and prevent unauthorized access to critical cyber systems.” Access control is a fundamental security practice, one that any organization within critical infrastructure should already have in place, that regulates who is allowed to access specific resources such as data, applications, systems, or physical locations. It also supports the confidentiality, integrity, and availability of critical IT and OT functions.
Zero trust network access (ZTNA) is emerging as a standard for secure access and access control, especially given a vulnerable software supply chain and a distributed workforce: every user, device, and application is assumed to be potentially malicious and must be authenticated and verified before being granted access, rather than trusted because of where it sits on the network. Investment in ZTNA would allow aviation operators to secure cloud, remote, and on-prem access to their critical cyber systems and operations.
The third requirement, continuous monitoring and detection, rests on asset visibility, which in the aviation industry is particularly important for ensuring the safety and security of passengers, crew, and aircraft. Continuous monitoring of OT assets through visibility solutions lets operators see what is connected to their networks and be alerted should malicious activity occur. After assessing people, processes, and the risk of impact to operations, asset visibility and monitoring is often the next step when building a cybersecurity program and maturing it.
This requirement will help aviation organizations identify and assess potential security risks and vulnerabilities across their IT infrastructure and the OT systems connected to it, and detect and respond quickly should a breach or attack occur. Robust asset visibility and monitoring help reduce the risk of cyberattacks and other security breaches that could compromise the safety and security of air travel.
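To make the first and third requirements concrete, here is an added example that is not part of the article or of any TSA or CISA guidance. It audits constructed flow records against an assumed layered zone model (a simplified Purdue-style layout with hypothetical address ranges): traffic may only move outward, one layer at a time, which is the property a one-way gateway enforces in hardware, and any control-zone address that is not in the asset inventory is flagged. The zone names, address ranges, inventory and flow lines are all assumptions made for the example.

```python
"""Zone-policy and asset-visibility audit over flow records.

Added example, not code from the article or from TSA/CISA. The zone layout,
address ranges, inventory and flow lines below are constructed for
illustration (IPv4 only).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Assumed layered topology: rank 0 is the most protected layer (control
# systems), higher ranks are progressively less trusted.
ZONES: Dict[str, Tuple[int, str]] = {
    "control": (0, "10.10.0.0/16"),     # PLCs, flight-ops OT (assumed range)
    "dmz": (1, "10.20.0.0/16"),         # one-way gateway receivers, historian replica
    "enterprise": (2, "10.30.0.0/16"),  # corporate IT
    "internet": (3, "0.0.0.0/0"),       # everything else
}

# Longest prefix first, so 0.0.0.0/0 only catches what no other zone claims.
ZONE_NETS = sorted(
    ((name, rank, ip_network(cidr)) for name, (rank, cidr) in ZONES.items()),
    key=lambda z: z[2].prefixlen,
    reverse=True,
)


def zone_of(ip: str) -> Tuple[str, int]:
    """Return (zone name, rank) for an IPv4 address."""
    addr = ip_address(ip)
    for name, rank, net in ZONE_NETS:
        if addr in net:
            return name, rank
    raise ValueError(f"no zone for {ip}")  # only reachable for non-IPv4 input


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Constructed record format: '<ts> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, src, dst, proto.lower(), int(dport))


def check_flow(flow: Flow, inventory: Set[str]) -> List[str]:
    """Apply the three rules and return a list of findings (empty if clean)."""
    findings: List[str] = []
    src_zone, src_rank = zone_of(flow.src)
    dst_zone, dst_rank = zone_of(flow.dst)
    if dst_rank < src_rank:
        # Rule 1 (one-way): nothing may be initiated toward a more secure layer.
        findings.append(f"one-way violation: {src_zone} -> {dst_zone}")
    elif dst_rank - src_rank > 1:
        # Rule 2 (layered topology): outbound data crosses one layer at a time.
        findings.append(f"layer skip: {src_zone} -> {dst_zone}")
    # Rule 3 (asset visibility): every control-zone address must be inventoried.
    for ip, zone in ((flow.src, src_zone), (flow.dst, dst_zone)):
        if zone == "control" and ip not in inventory:
            findings.append(f"unknown control-zone asset: {ip}")
    return findings


def audit(lines: List[str], inventory: Set[str]) -> List[Tuple[Flow, str]]:
    """Run check_flow over a batch of records, skipping blanks and comments."""
    report: List[Tuple[Flow, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        report.extend((flow, finding) for finding in check_flow(flow, inventory))
    return report


# Constructed inventory and records; port 502 is Modbus/TCP, 2055 is NetFlow.
KNOWN_CONTROL_ASSETS: Set[str] = {"10.10.1.5", "10.10.1.6", "10.10.2.20"}

SAMPLE_FLOWS = """
# ts src dst proto dport   (constructed, not real traffic)
2024-03-10T08:00:01Z 10.10.1.5 10.20.1.9 udp 2055
2024-03-10T08:00:02Z 10.20.1.9 10.30.4.7 tcp 443
2024-03-10T08:00:03Z 10.30.4.7 10.10.1.5 tcp 502
2024-03-10T08:00:04Z 10.10.1.5 203.0.113.8 tcp 443
2024-03-10T08:00:05Z 10.10.9.99 10.20.1.9 udp 2055
2024-03-10T08:00:06Z 10.30.4.7 10.10.9.99 tcp 502
""".strip().splitlines()

if __name__ == "__main__":
    for flow, finding in audit(SAMPLE_FLOWS, KNOWN_CONTROL_ASSETS):
        print(f"{flow.ts} {flow.src} -> {flow.dst}/{flow.proto}:{flow.dport}  {finding}")
```

Run against the sample records, the audit passes the two legitimate outward hops (control to DMZ, DMZ to enterprise) and flags the enterprise host reaching into the control zone on the Modbus port, a control asset talking straight to the internet, and an uninventoried address in the control range. A real diode makes the inbound flows physically impossible; this check is the monitoring side of the same requirement, catching a firewall rule or an unmanaged device that bypasses the intended topology.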
Endpoint management and protection
The fourth action in TSA’s requirement is to “reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.”
Simply installing security patches and updates is not enough to ensure cybersecurity. Operators must also ensure that their systems are properly configured and hardened. In OT environments a patch often cannot be applied immediately, because it has to be qualified against the control system and scheduled into a maintenance window; this is what the risk-based methodology in the requirement allows for, provided the interim exposure is covered by compensating controls such as the segmentation and monitoring described above and the deferral is tracked rather than forgotten. Endpoint protection solutions can help detect vulnerabilities, deploy automated patches, and enforce endpoint compliance and updates where they are permitted, all of which will be crucial for compliance among aviation organizations.
TSA’s cybersecurity requirements for the aviation industry are a necessary step in improving the nation’s cybersecurity resiliency, especially with digital connectivity bridging the digital and physical worlds. And, as part of the National Cybersecurity Strategy, we can expect to see similar requirements in other industries in the coming months.