The Transportation Security Administration (TSA) has tapped into emergency powers to force the aviation sector to upgrade its digital defenses, creating new cybersecurity requirements that will apply to planes and airports.
The new requirements are aimed at flight resilience in the event that systems are partially compromised by cyber attacks, but also push the aviation sector to improve basic security hygiene, such as patching and implementing access control systems.
New cybersecurity requirements follow breaches, DDoS attacks
Security has been a central focus of the Biden administration, with efforts really ramping up after a string of attacks on critical infrastructure in 2021. But instead of handing the issue off to Congress, where accomplishing anything new is usually a contentious and slow process, the approach has been to use whatever unilateral powers are available to bolster cybersecurity requirements for particular industries. In some cases this has been via executive order; in the case of the aviation sector, a federal agency is directly setting new parameters for the industry that it regulates.
The order to the aviation sector is part of this general blitz of new cybersecurity requirements among critical infrastructure companies, but also comes as the industry is seeing an increasing number of attacks. A copy of the “no fly” list, something that is supposed to be highly secure, was recently leaked via a data breach at a US carrier. And airports have been peppered with distributed denial of service (DDoS) attacks since the Russian invasion of Ukraine began a year ago. While there have yet to be incidents that negatively impact flights, hackers are managing to create inconveniences for travelers and access sensitive personal information.
The TSA has told the aviation sector it wants to see redundant systems and the ability to continue fully functioning if part of its networks is taken out by something like ransomware, but this order is about more than backups. The new cybersecurity requirements also include the things that need to be done to prevent breaches in the first place, such as “timely” patching of known vulnerabilities and training for personnel who may be impacted by these attacks (such as recognizing phishing attempts and understanding individual responsibilities in an attack response plan).
Aviation sector next one up as critical infrastructure gradually targeted for improvements
The TSA order breaks down the aviation sector’s new cybersecurity requirements into four basic categories: redundancy and network segregation, detection and monitoring, access control, and patching.
The aviation sector has been rapidly modernizing in recent years, but training on the cyber front is not necessarily keeping pace. Something similar has been happening in the railroad transportation industry, to which the TSA issued a very similar order in October 2022. Both industries now have expanded reporting requirements that loop in the Cybersecurity and Infrastructure Security Agency (CISA) in the case of serious incidents, and are also required to conduct regular vulnerability assessments and have incident response plans on hand.