Following an increase in cyberattacks against US airports in recent years, The Transportation Security Administration (TSA) has introduced a minimum level of cybersecurity for all airports.
In this blog, we will cover everything you need to know about the TSA’s new requirements, how they can help you increase cyber resilience, and how to foster a culture of compliance and proactive risk management. These updates are key to staying compliant and safeguarding against the increasing cyber threats in the aviation field.
For actionable guidance on how to comply with the new requirements, we recommend you watch our latest webinar: How to Comply with the New TSA Cybersecurity Requirements.
What is the current threat landscape for airports and aircraft operators?
Who do the new TSA regulations apply to?
What are the new cybersecurity requirements from the TSA?
Monitoring and detection
Complying with TSA requirements
What Is the Current Threat Landscape for Airports and Aircraft Operators?
In the last twelve months, we have seen a 24% increase in cyber-attacks against the aviation sector. This may not be surprising given the high-profile attacks you may have seen in recent news. Just two months ago, at the Long Beach Airport in California, we saw an attack which brought down their website and compromised their payment portals. Around the same time, we also saw Boeing fall victim to a data breach where 43GB of data was stolen.
These attacks are a part of a wider trend that we are seeing in the industry; cyberattacks are becoming more sophisticated and, as a result, we are seeing customer information being exposed, fines being issued by regulators, and reputational damage to the victims of these attacks.
In response to the surge in cyberattacks, the TSA has issued a directive to airports and aircraft operators, setting a robust security baseline for the industry. This directive introduces regulations in the United States that mirror the stringent cybersecurity measures already in place across Europe and Canada. The objective of these requirements is clear: to significantly reduce the incidence of cyberattacks and enhance the cybersecurity defenses of airports throughout the US.
The new TSA regulations aim to enhance cybersecurity resilience within the aviation sector. This directive requires all TSA-regulated airports and aircraft operators to develop and implement a plan detailing measures to improve cybersecurity resilience. These steps are designed to defend against, detect, and respond to cybersecurity threats, ensuring operational continuity even in the event of a compromise.
The regulations make it clear that the aviation sector companies will be expected to stay on top of both hardware and software patches using risk-based methodology.
The focus of these new regulations is across four areas:
Monitoring and detection
Let us look at each of these in turn, understanding what they mean in the context of the TSA requirements.
Network segmentation is a crucial cybersecurity strategy designed to protect your organization's infrastructure by dividing it into separate segments. This division is key to ensuring that, in the event of a cyberattack, the breach is contained within a single segment, preventing the entire network from being compromised. The core idea is to limit the spread of an attack, allowing your organization to maintain critical operations without the need for a complete shutdown. This approach is fundamental in safeguarding against the lateral movement of threats across your network, ensuring that essential services can continue uninterrupted, even during a security incident.
A network without segmentation presents a significant risk. Should a bad actor gain entry to any part of the network, the entire system becomes vulnerable. This not only makes it easier for an attacker to move undetected within the network but also complicates the process of incident response. The attacker can maintain their presence, collecting sensitive information and preparing for further attacks from within the shadows of the network. This scenario highlights the danger of an unsegmented network, where a single breach can lead to widespread disruption and potential data loss.
Implementing network segmentation changes the game by creating barriers that limit an attacker's access. For example, if an attacker breaches the network segment containing your payment systems, they are prevented from moving freely to other critical areas, such as your servers or backup systems. This isolation of network segments significantly reduces the overall attack surface, limiting the effectiveness of an attack and preventing it from escalating and causing more extensive damage. Moreover, it enables more targeted and effective incident response, as security teams can focus on the compromised segment without the need to address a network-wide threat.
In essence, network segmentation is not just a technical control but a strategic approach to cybersecurity. It enhances your organization's resilience against attacks by compartmentalizing risks and enabling continued operation despite targeted breaches. By adopting this strategy, you create a more secure and resilient network environment, where threats can be isolated and managed more efficiently, protecting your operations and sensitive data from the far-reaching consequences of cyber-attacks.
Access control is about more than just ‘guarding the gates’ to your organization with passwords. While they are important, it is also about knowing who ‘holds the keys’ and why they have access. Many organizations overlook this and give everyone the same amount of access, which can increase the likelihood of a breach. A better approach is to look at access control as having three areas: technical controls, administrative controls, and physical controls.
Technical controls are the mechanisms and systems that directly manage access to an organization's technology infrastructure. These controls serve as the first line of defense in preventing unauthorized access to networks and systems. Through the use of identification and authentication methods, such as passwords, biometric scans, and security tokens, technical controls ensure that only authorized individuals can access sensitive information and critical systems. This layer of security is crucial in protecting against external threats and mitigating the risk of data breaches.
Administrative controls focus on the governance of security policies and procedures within an organization. This area involves the establishment of rules, roles, and responsibilities regarding how access to information and resources is granted and managed. The challenge for many organizations lies in crafting clear, enforceable policies that dictate who has access to what resources and how that access is facilitated. Effective administrative controls include comprehensive documentation and policies that guide the implementation of security measures, facilitate auditing processes, and provide a basis for analyzing and improving security postures after an incident.
Physical controls, often underestimated in their importance, are about the tangible measures taken to prevent unauthorized physical access to an organization's facilities and resources. This includes locks, security personnel, badge access systems, and surveillance cameras. In specific settings, like airports, physical controls might also involve protocols such as requiring escorts in certain areas to enhance security. These controls are essential in protecting physical assets, including servers, workstations, and sensitive documents from theft, vandalism, and unauthorized access.
Together, these three types of controls create a robust security framework that addresses a wide range of vulnerabilities and threats. By integrating technical, administrative, and physical controls, organizations can establish a multi-layered defense strategy that protects against both digital and physical intrusions, ensuring the safety and integrity of their critical assets.
Monitoring and Detection
Monitoring and detection are essential in defending against cyber threats, particularly due to the unpredictable timing of cyber-attacks. Bad actors often launch attacks outside of standard working hours, targeting organizations during weekends and holidays when cybersecurity teams are less likely to be on guard. A strategic response to this challenge is the implementation of continuous monitoring. Deploying a managed detection and response (MDR) system ensures comprehensive surveillance and the proactive identification of suspicious activities across your network around the clock.
The new TSA directive identifies monitoring and detection as its most comprehensive requirement, presenting significant challenges for airports. This aspect of cybersecurity encompasses several critical components, including the integration of security log analysis, the execution of digital forensics, and the capacity for rapid incident response. Despite the complexity and effort required to establish these capabilities, the investment is invaluable. Such vigilance enables airports to pre-emptively address cyber threats, safeguarding the organization before any real damage occurs.
Moreover, the implementation of sophisticated monitoring and detection strategies offers profound benefits that significantly surpass the initial investment and effort. By establishing these advanced systems, airports can significantly enhance their cybersecurity posture. This not only ensures the protection of operations from the evolving landscape of cyber threats but also underpins the integrity and reliability of crucial infrastructure. This proactive stance is vital for minimizing potential disruptions and maintaining operational and safety standards.
While adopting comprehensive monitoring and detection measures in line with TSA mandates may seem challenging, the long-term advantages make it a necessary endeavor. Such measures not only fortify airports against immediate threats but also contribute to a resilient cybersecurity framework capable of adapting to future challenges. This ensures ongoing protection against potential cyber incidents that could otherwise compromise both operations and safety.
When was the last time you updated your laptop or phone? Installing updates is something we often push back, delaying it until it is absolutely necessary. Unfortunately, this is often the case within the aviation sector. Network infrastructure, computers, and other devices within your network also require frequent updates to address security vulnerabilities before they can be exploited by bad actors.
Ensuring that systems are patched and done so in a timely manner requires knowing what software and hardware are being used across the organization. Like monitoring and detection, this comes with its own set of challenges, including having accurate device inventory, testing potential updates to ensure that they do not create new vulnerabilities, and procedures to ensure updates are rolled out across the airport on a regular basis without resulting in downtime.
Complying with the TSA Requirements
For guidance on how to meet these requirements in your airport, see our latest webinar: How to Comply with the New TSA Cybersecurity Requirements. You can also get in touch with a member of our team, who will be able to advise you on where to get started.