The Transportation Security Administration used its emergency powers to amend security directives for airport and aircraft operators, citing “persistent cybersecurity threats against U.S. infrastructure, including the aviation sector.”
According to a TSA release, the amendment will compel regulated entities in the aviation sector to develop plans for improving the resilience of their digital networks and infrastructure in the face of an ongoing cyberattack.
The required actions include segmenting network activity to ensure IT and operational technology systems can continue operating if one or the other is compromised, putting access controls around sensitive systems, implementing continuous monitoring and detection for cybersecurity threats and ensuring timely patching of vulnerable systems. They must also test the effectiveness of any protections put in place.
“Protecting our nation’s transportation system is our highest priority and TSA will continue to work closely with industry stakeholders across all transportation modes to reduce cybersecurity risks and improve cyber resilience to support safe, secure and efficient travel,” said TSA Administrator David Pekoske in a statement. “This amendment to the aviation security programs extends similar performance-based requirements that currently apply to other transportation system critical infrastructure.”
A TSA spokesperson told SC Media "the emergency amendment has been coordinated with other federal agencies during the policy development process and becomes effective immediately upon issuance."
Like many industries in critical infrastructure, airports have embraced the internet age in ways that have made them more coordinated and convenient but also more exposed. A 2019 Atlantic Council report found that airport assets are "increasingly connected and digitized, with many of these services also having remote or wireless connections" that could potentially be exploited by malicious hackers.
"These range from access-control and airside systems such as maintenance, tugs, and high-speed wireless links between the aircraft and docking gate," wrote authors Pete Cooper, Simon Handler and Safa Shahwan Edwards. "All of these digitized services exist against a backdrop of complex airport management and accountability, making it difficult to holistically define and defend such an attack surface."
The move represents the latest effort by federal agencies under the Biden administration to establish baseline cybersecurity rules for critical infrastructure sectors that underpin essential services to Americans. TSA established a host of new regulations in 2021 for the oil, gas and pipeline sectors following a ransomware attack against Colonial Pipeline that led to temporary gas shortages up and down the East Coast.
It also comes after pro-Russian hackers hit a handful of U.S. airport websites with Distributed Denial-of-Service attacks last year, temporarily disrupting their availability. The websites were quickly restored and the attacks did not have any impact on actual airport operational IT or operational technology infrastructure.
The rules are nearly identical to ones placed on the passenger and freight sectors last year. Airports and aircraft operators have already been subjected to new rules mandating the creation of proactive incident response plans, vulnerability assessments and a designated point of contact for cyber issues, while legislation passed by Congress last year requires the aviation sector and other critical infrastructure to report hacks and ransom payments to the Cybersecurity and Infrastructure Security Agency. The TSA also put similar rules in place for the passenger and freight railroad sector in late 2021.
It's the second concrete example of federal cyber rules to emerge after the White House released a national cyber strategy last week that leans heavily on using existing regulatory authorities to set higher security standards within critical infrastructure. Last week, the Environmental Protection Agency clarified that a law mandating states take certain steps to ensure safe drinking water must now include evaluations of cybersecurity vulnerabilities as well as physical ones.