On March 7, 2023, the Transportation Security Administration (TSA) announced new cybersecurity regulations for certain TSA-regulated airport and aircraft operators. The security directives aim to enhance cybersecurity resilience across the aviation industry.
Which aviation companies are impacted?
The security directives apply to certain TSA-regulated airport and aircraft operators. There is limited public guidance available on specific, named companies. However, using previous security directives for the rail and pipeline industries as a guide, informed assumptions can be made about the aviation companies that will be directly impacted. The rail industry directive focused on the seven largest rail operators and those operating in Highly Trafficked Urban Areas (HTUA). The pipeline industry directive focused on roughly 80 of the largest pipeline operators in the U.S. We expect large airports near urban centers and the largest airlines to be subject to the new regulations.
Why is this necessary?
The largest pipeline system for refined oil products in the U.S., Colonial Pipeline, suffered a ransomware attack in May 2021. The cyberattack caused major impact to Colonial’s pipeline operations and slowed the delivery of energy products to consumers, including airports and airlines.
Following the Colonial Pipeline hack, the Biden administration released an Executive Order on improving cybersecurity for critical infrastructure control systems. The TSA subsequently released security directives in July 2021 that applied to a risk-informed set of companies that own natural gas and hazardous liquid transmission pipeline systems, natural gas distribution pipeline systems, liquefied natural gas facility operations, and/or transport toxic inhalation hazards (TIH), to protect the oil and natural gas industry against cybersecurity risks.
The TSA has an established regulatory relationship with airports and airline operators, given the importance of the industry and the likelihood of airlines and airports being targeted by nation-state adversaries.
What is included in the security directives?
The main requirements for aviation operators are outlined in the TSA’s press release, focusing on network segmentation, access control, continuous monitoring and patch management. While the TSA did not publish a security directive as it did for the pipeline and rail industries, it specifically referenced the “similar measures announced in October 2022 for passenger and freight railroad carriers.”
- Develop network segmentation policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised, and vice versa;
- Review Incident Response Plans and ensure there are provisions in place with regards to isolation of networks in the event of a cybersecurity incident. A prerequisite to this activity is knowing what operational technology (OT) systems are and how they are architected within the network. Knowing roles and responsibilities in shared environments like airports is critical for operators.
- Create access control measures to secure and prevent unauthorized access to critical cyber systems;
- Previous security directives issued by the TSA have focused on multi-factor authentication controls for workstations that manage OT systems and on ensuring that credentials are managed and rotated across critical systems. The term critical cyber system was introduced in Security Directive 02C for the pipeline industry, defined as “any Information or Operational Technology system or data that, if compromised or exploited, could result in operational disruption.” For airports and aircraft operators, the focus should begin with identifying critical operations and then move to the access controls on the systems supporting those operations.
- Implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats and anomalies that affect critical cyber system operations; and
- If previous industry security directives are a starting point, the TSA will be looking for capabilities to identify malicious activity on critical cyber systems, to alert on access to external networks from OT networks, and to prevent malicious email from impacting operations. Policies and procedures to collect and analyze log data and to respond to security alerts from OT environments should also be in place. Building OT-specific IR procedures and testing the escalation paths to the SOC are best practices to ensure OT threats are identified and response activities are known.
- Reduce the risk of exploitation of unpatched systems through the application of security patches and updates for operating systems, applications, drivers and firmware on critical cyber systems in a timely manner using a risk-based methodology.
- Developing OT-specific patch management procedures that use a risk-based methodology is a good starting point. Previous directives have focused on operators’ ability to prioritize vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) Catalog, written procedures that outline how risk-based patching decisions are made, and capabilities to proactively identify missing patches on critical cyber systems.
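The continuous-monitoring requirement above calls for alerting on access to external networks from OT networks. The following is an added illustration, not code from the post or from Protiviti, of that detection logic run over a handful of constructed flow records; the OT address range, the internal ranges and the single approved external destination are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan for the example (assumption, not from the directive):
# the OT network lives in 10.50.0.0/16; anything in RFC 1918 space is "internal".
OT_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# One approved external destination, e.g. a vendor remote-support gateway (constructed).
APPROVED_EXTERNAL = {ipaddress.ip_address("203.0.113.10")}


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def is_ot(ip):
    return any(ip in net for net in OT_NETWORKS)


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETWORKS)


def find_ot_egress(flow_lines):
    """Return one Alert per flow whose source is an OT host and whose destination
    is outside the organization's address space and not on the approved list."""
    alerts = []
    for line in flow_lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.strip().split(",")
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not is_ot(src_ip) or is_internal(dst_ip) or dst_ip in APPROVED_EXTERNAL:
            continue
        alerts.append(Alert(ts, src, dst, int(dport),
                            f"OT host reached external address over {proto}/{dport}"))
    return alerts


# Constructed sample flow records (timestamp,src,dst,dst_port,proto).
SAMPLE_FLOWS = """\
# ts,src,dst,dport,proto
2023-03-08T02:14:05Z,10.50.3.21,10.50.1.5,502,tcp
2023-03-08T02:14:09Z,10.50.3.21,203.0.113.10,443,tcp
2023-03-08T02:15:33Z,10.50.3.21,198.51.100.77,443,tcp
2023-03-08T02:16:01Z,10.20.8.9,198.51.100.77,443,tcp
2023-03-08T02:17:45Z,10.50.7.4,192.0.2.33,53,udp
""".splitlines()
```

Only the two flows from OT hosts to unapproved external addresses (the HTTPS connection and the DNS query) produce alerts; the Modbus flow inside the OT range, the approved vendor gateway and the non-OT workstation do not.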
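The patch-management item above describes prioritizing KEV-listed vulnerabilities on critical cyber systems. As an added example (not the post's or Protiviti's own tooling), the script below cross-references a constructed asset inventory against a constructed KEV-style feed and a vendor patch catalog and ranks the missing patches: KEV entries on critical cyber systems first, then KEV entries elsewhere, then ordinary updates. The product names, versions and CVE identifiers are placeholders.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    name: str
    critical: bool    # supports a critical operation, i.e. a "critical cyber system"
    software: dict    # product -> installed version string


@dataclass
class Finding:
    asset: str
    product: str
    installed: str
    fixed_in: str
    cve: Optional[str]  # None when the update is not tied to a KEV entry
    priority: int       # 1 = patch first


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def prioritize_patches(assets, kev_feed, patch_catalog):
    """Rank missing patches by KEV listing and asset criticality (risk-based order)."""
    kev_by_product = {}
    for entry in kev_feed:
        kev_by_product.setdefault(entry["product"], []).append(entry)
    findings = []
    for asset in assets:
        for product, installed in asset.software.items():
            inst = version_tuple(installed)
            kev_hits = [e for e in kev_by_product.get(product, [])
                        if inst < version_tuple(e["fixed_in"])]
            for e in kev_hits:  # P1: KEV on a critical cyber system, P2: KEV elsewhere
                findings.append(Finding(asset.name, product, installed, e["fixed_in"],
                                        e["cve"], 1 if asset.critical else 2))
            latest = patch_catalog.get(product)
            if latest and inst < version_tuple(latest) and not kev_hits:
                findings.append(Finding(asset.name, product, installed, latest,
                                        None, 3 if asset.critical else 4))
    findings.sort(key=lambda f: (f.priority, f.asset, f.product))
    return findings


# Constructed inputs; CVE identifiers are placeholders, not real catalog entries.
KEV_FEED = [{"cve": "CVE-PLACEHOLDER-1", "product": "hmi-runtime", "fixed_in": "4.2.1"},
            {"cve": "CVE-PLACEHOLDER-2", "product": "jump-host-os", "fixed_in": "10.0.19045"}]
PATCH_CATALOG = {"hmi-runtime": "4.3.0", "jump-host-os": "10.0.19045", "historian-db": "2.8.0"}
ASSETS = [Asset("baggage-plc-hmi-01", True, {"hmi-runtime": "4.1.7"}),
          Asset("ot-jump-host", True, {"jump-host-os": "10.0.19041", "historian-db": "2.7.3"}),
          Asset("eng-workstation-12", False, {"hmi-runtime": "4.2.1", "historian-db": "2.7.3"}),
          Asset("hr-laptop-88", False, {"jump-host-os": "10.0.19041"})]
```

Run `prioritize_patches(ASSETS, KEV_FEED, PATCH_CATALOG)` and the two critical systems exposed to KEV entries come out first, followed by the non-critical KEV hit, then the remaining routine updates.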
What are the next steps?
Through Protiviti’s work helping pipeline and rail companies navigate TSA regulations, we have learned that the following steps are important:
- Identify if the organization is subject to regulations
- If an organization was previously required to establish a cybersecurity point of contact with the TSA and complete a cybersecurity vulnerability assessment, or if it operates a large airport or airline, there is a good chance it is subject to the new regulations. It is important to note that even if the organization is not subject to the directives now, the scope of TSA’s regulations could expand in the future, as referenced in an Information Circular sent to all pipeline companies that are not currently required to comply with the security directives. Owner/operators should start considering the cybersecurity measures included and create a roadmap to implement them in their organization to increase the resilience, safety, and security of critical operations.
- Become familiar with TSA’s security directives
- Once it is determined the directives are applicable, become familiar with the requirements outlined in previous security directives. Consistent communication with regulators and regular attendance at webinars are a necessity to fully understand the requirements and how TSA will interpret responses. Involve legal counsel (internal or external) early in the process to validate scoping and to review correspondence to regulators.
- Form a task force and perform a self-assessment
- It is important to form a task force of individuals throughout the organization dedicated to meeting the TSA regulations and aligning resources/funding. One of the previous requirements of the TSA was to designate a cybersecurity coordinator and alternate who is required to be available to TSA and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and serve as a main point of contact. Cybersecurity coordinators should understand their responsibilities for what to submit to the TSA and how, as well as requirements for incident notification.
- Once a dedicated team is formed and has become familiar with the security directives, perform a self-assessment or external assessment of where the organization stands in compliance with the directives. Take a risk-based approach in the self-assessment to ensure that gaps in the cybersecurity posture do not go unnoticed.
While new regulations are often intimidating, it is important to understand that the purpose of the TSA security directives is to prevent cybersecurity threats and harm to the critical infrastructure of the U.S. The TSA has been open to working with industry to revise previous security directives and has aligned on a process it is comfortable with as it adds more industries under its regulatory review. The TSA’s Security Operations organizational description states, “Security Operations is also responsible for TSA’s global compliance mission, with key officials and Inspectors in offices around the world ensuring all modes of transportation, including mass transit, passenger and freight rail, highway and motor carrier, maritime, pipeline, and air cargo, are in compliance with domestic and international regulatory requirements.” Industries that transport sensitive materials should take note of the lessons learned from the pipeline and rail industries, as they may be next.
How Protiviti can help
Protiviti has assisted clients in navigating the TSA security directives, from initial assessments to understand gaps, through drafting regulatory responses (e.g., cybersecurity implementation plan, cybersecurity assessment program), to implementing controls that address gaps and meet implementation plans. Protiviti is experienced with the regulations and with how the TSA has prioritized requirements for onsite inspections.